How to Secure an FTP Server Using SSL/TLS for Secure File Transfer on CentOS 7


By default, FTP (File Transfer Protocol) is insecure: it encrypts neither the data transferred between the two machines nor the user's credentials, both of which cross the network in clear text. This poses a serious risk to the data and to the security of the server.

In this tutorial we explain how to manually enable data encryption on an FTP server on CentOS/RHEL 7 and Fedora; we walk through the steps of securing the VSFTPD (Very Secure FTP Daemon) service with an SSL/TLS certificate.

Requirements:

  1. An FTP server (vsftpd) already installed and configured on CentOS 7

Before we start, note that all commands in this tutorial are run as root; if you do not administer the server with the root account, prefix them with sudo to gain root privileges.

Step 1: Generating the SSL/TLS Certificate and Private Key

1. We start by creating a subdirectory under /etc/ssl/ where the SSL/TLS certificate and key file will be stored:

# mkdir /etc/ssl/private

2. Then run the command below to create the certificate and key for vsftpd in a single file; here is an explanation of each flag used.

  1. req – the command for managing X.509 Certificate Signing Requests (CSR).
  2. x509 – means X.509 certificate data management; combined with req it produces a self-signed certificate instead of a request.
  3. days – defines the number of days the certificate is valid for.
  4. nodes – leaves the private key unencrypted (no passphrase), so vsftpd can read it at start-up without prompting.
  5. newkey – specifies the certificate key processor.
  6. rsa:2048 – the RSA key processor, which will generate a 2048-bit private key.
  7. keyout – sets the key storage file.
  8. out – sets the certificate storage file; note that the certificate and key are stored in the same file: /etc/ssl/private/vsftpd.pem.

# openssl req -x509 -nodes -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem -days 365 -newkey rsa:2048

The command above will ask you to answer the questions below; remember to use values that apply to your situation (the Common Name should be the hostname clients will use to reach the server).

Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Lower Parel
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:TecMint.com
Organizational Unit Name (eg, section) []:Linux and Open Source
Common Name (eg, your name or your server's hostname) []:tecmint
Email Address []:[email 
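The same certificate can be produced without the interactive prompts, which is how you would script it for more than one server. The script below is an added example, not code from the original article: it passes the subject on the command line, creates the PEM file with root-only permissions (the file holds the private key), and then verifies that the key and certificate in the combined file actually belong together. The subject values and the path given in the usage line are placeholders; the SHA-256 fingerprint it prints is the one to compare against the certificate prompt FileZilla shows in Step 4.

```shell
#!/bin/sh
# Added example (not from the original article): generate the vsftpd
# certificate non-interactively, restrict the file to root, and verify that
# the key and certificate written into the single PEM file belong together.
# The subject below is a placeholder; set CN to the hostname clients use.

# gen_vsftpd_cert PEM [DAYS] [SUBJECT] -> writes key + self-signed cert to PEM
gen_vsftpd_cert() {
    pem="$1"
    days="${2:-365}"
    subj="${3:-/C=IN/ST=Maharashtra/L=Mumbai/O=Example Ltd/CN=ftp.example.com}"
    # umask 077 in a subshell so the file is never world-readable, even briefly
    ( umask 077 && openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
          -subj "$subj" -keyout "$pem" -out "$pem" 2>/dev/null ) || return 1
    chmod 600 "$pem"
}

# cert_matches_key PEM -> 0 when the certificate's public key equals the
# private key's public half; catches a stale cert copied next to a new key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_fingerprint PEM -> SHA-256 fingerprint; compare it with the fingerprint
# FileZilla shows in its certificate dialog before trusting the server.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage: ./mkcert.sh /etc/ssl/private/vsftpd.pem [DAYS] [SUBJECT]
if [ -n "$1" ]; then
    gen_vsftpd_cert "$1" "$2" "$3" || { echo "certificate generation failed" >&2; exit 1; }
    cert_matches_key "$1" || { echo "key/certificate mismatch in $1" >&2; exit 1; }
    openssl x509 -in "$1" -noout -subject -dates
    echo "SHA256 fingerprint: $(cert_fingerprint "$1")"
fi
```

Because the tutorial's command writes the key and the certificate into one file, OpenSSL opens the output in append mode and the key ends up first, followed by the certificate; both openssl x509 and openssl pkey skip the PEM blocks they are not asked for, which is what makes the mismatch check above work on the combined file.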

Step 2: Configuring VSFTPD to Use SSL/TLS

3. Before making any VSFTPD configuration changes, let's open port 990 and the passive port range 40000-50000 in the firewall, matching what we define in the VSFTPD configuration file shortly. Note that port 990 is only used by implicit FTPS (vsftpd's implicit_ssl=YES, which this tutorial does not enable); the explicit FTP over TLS mode configured here upgrades the normal control connection on port 21 with the AUTH TLS command, so port 21 (the ftp service) must stay open as well, as it already is if the FTP server from the requirements is working:

# firewall-cmd --zone=public --permanent --add-port=990/tcp
# firewall-cmd --zone=public --permanent --add-port=40000-50000/tcp
# firewall-cmd --reload

4. Now open the VSFTPD configuration file and specify the SSL details in it:

# vi /etc/vsftpd/vsftpd.conf

Search for the ssl_enable option and set its value to YES to activate the use of SSL. In addition, since TLS is more secure than SSL, we restrict VSFTPD to TLS 1.2 with the ssl_tlsv1_2 option and disable the legacy SSLv2 and SSLv3 protocols:

ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=NO

If your vsftpd build does not recognise ssl_tlsv1_2 (upstream vsftpd documents only ssl_tlsv1; the per-version options come from the distribution package), the daemon refuses to start with "500 OOPS: unrecognised variable in config file"; in that case use ssl_tlsv1=YES instead.

5. Then add the lines below to define the location of the SSL certificate and key file (both are in the single PEM file generated in Step 1; because that file contains the private key, it must be readable by root only):

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

6. Next, we forbid anonymous users from using SSL, and force all non-anonymous logins to use a secure SSL connection both for transferring data and for sending the password during login:

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

7. Furthermore, we can add the options below to improve FTP security. When the require_ssl_reuse option is set to YES, all SSL data connections are required to exhibit SSL session reuse, proving that they know the same master secret as the control channel. Although this is more secure, many FTP clients do not support it, so we turn it off:

require_ssl_reuse=NO

Next, we need to choose which SSL ciphers VSFTPD will allow for encrypted SSL connections, with the ssl_ciphers option. This limits the options of an attacker who tries to force the use of a particular cipher in which they have found a weakness (vsftpd's built-in default is the single 3DES cipher DES-CBC3-SHA, so leaving this unset is not a safe choice):

ssl_ciphers=HIGH

8. Now set the port range (min and max port) for passive-mode data connections; this must match the range opened in the firewall in step 3, otherwise vsftpd picks any free high port and the firewall blocks the transfer:

pasv_min_port=40000
pasv_max_port=50000

9. Optionally, enable SSL debugging, which writes OpenSSL connection diagnostics to the VSFTPD log file, using the debug_ssl option (useful while testing; turn it off again afterwards, as it is verbose):

debug_ssl=YES

Save all changes and close the file. Then restart the VSFTPD service:

# systemctl restart vsftpd
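Before restarting, it is worth checking the file for the settings made in steps 4 to 9 and for the two things that silently break them: a passive port range that does not match the firewall rule, and a certificate/key file that is missing or readable by other users. The script below is an added example, not code from the original article; it reads the effective value of each option (comments skipped, last assignment wins, as vsftpd's own parser does), fills in the defaults documented in vsftpd.conf(5) for options that are unset, and returns the number of failed checks so it can gate a deployment.

```shell
#!/bin/sh
# Added example (not part of the original article): audit a vsftpd.conf for
# the TLS settings of this tutorial. Defaults assumed for unset options are
# taken from vsftpd.conf(5).

# conf_get FILE KEY -> prints the effective value of KEY (empty if unset).
# Comments are skipped; the last assignment wins, as in vsftpd's parser.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) { val = substr($0, eq + 1); sub(/[[:space:]]+$/, "", val) }
        }
        END { if (val != "") print val }' "$1"
}

# audit_vsftpd_conf [FILE] -> prints one line per check; returns the number
# of failed checks (0 = all good).
audit_vsftpd_conf() {
    f="${1:-/etc/vsftpd/vsftpd.conf}"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    fails=0
    # key, required value, vsftpd default when the key is unset
    while read -r key want dflt; do
        got=$(conf_get "$f" "$key"); got="${got:-$dflt}"
        if [ "$got" = "$want" ]; then echo "ok   $key=$got"
        else echo "FAIL $key=$got (want $want)"; fails=$((fails + 1)); fi
    done <<EOF
ssl_enable YES NO
ssl_sslv2 NO NO
ssl_sslv3 NO NO
allow_anon_ssl NO NO
force_local_logins_ssl YES YES
force_local_data_ssl YES YES
EOF

    # vsftpd's built-in default cipher list is the single 3DES cipher
    ciphers=$(conf_get "$f" ssl_ciphers)
    case "${ciphers:-DES-CBC3-SHA}" in
        HIGH*) echo "ok   ssl_ciphers=$ciphers" ;;
        *) echo "FAIL ssl_ciphers=${ciphers:-DES-CBC3-SHA (default)} (want HIGH)"; fails=$((fails + 1)) ;;
    esac

    # an unset range means vsftpd picks any free high port, which the
    # firewall rule for 40000-50000 will not cover
    lo=$(conf_get "$f" pasv_min_port); hi=$(conf_get "$f" pasv_max_port)
    if [ -n "$lo" ] && [ -n "$hi" ] && [ "$lo" -le "$hi" ] 2>/dev/null; then
        echo "ok   passive ports $lo-$hi"
    else echo "FAIL pasv_min_port/pasv_max_port not set to a valid range"; fails=$((fails + 1)); fi

    # the PEM holding the private key must exist and be readable by root only
    cert=$(conf_get "$f" rsa_cert_file); cert="${cert:-/usr/share/ssl/certs/vsftpd.pem}"
    key=$(conf_get "$f" rsa_private_key_file); key="${key:-$cert}"
    if [ ! -f "$key" ]; then echo "FAIL key file $key does not exist"; fails=$((fails + 1))
    elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL $key is readable by group/other"; fails=$((fails + 1))
    else echo "ok   $key exists, mode 0600"; fi
    return "$fails"
}

# Usage: ./audit-vsftpd.sh [/etc/vsftpd/vsftpd.conf]
if [ -n "$1" ]; then audit_vsftpd_conf "$1"; fi
```

Run it as root (the key file is not readable otherwise) and fix every FAIL line before restarting vsftpd; a non-zero exit status is the number of problems found.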

Step 3: Testing the FTP Server with SSL/TLS Connections

10. After completing all of the configuration above, test whether VSFTPD now enforces SSL/TLS by trying to use FTP from the command line as follows:

# ftp 192.168.56.10
Connected to 192.168.56.10  (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root) : ravi
530 Non-anonymous sessions must use encryption.
Login failed.
421 Service not available, remote server has closed connection
ftp>

From the output above we can see the error telling us that VSFTPD only allows users to log in from clients that support encryption.

The stock command-line ftp client has no TLS support, hence the error. So, to connect to the server successfully, we need an FTP client that supports SSL/TLS connections, such as FileZilla.
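You do not need a graphical client to confirm that the TLS upgrade itself works, or that only TLS 1.2 is offered: openssl s_client can send the AUTH TLS command and complete the handshake. The script below is an added example, not code from the original article; it wraps that probe and summarises the transcript, reporting the negotiated protocol, the cipher and the certificate verification result (a self-signed certificate shows up as verify code 18, which is expected here). The host and port are assumed from the tutorial's test above.

```shell
#!/bin/sh
# Added example (not from the original article): check the explicit-TLS
# (AUTH TLS) upgrade on the FTP control port from the command line, which the
# stock ftp client cannot do. Host 192.168.56.10 is the tutorial's server;
# substitute your own.

# Connect, issue AUTH TLS, complete the handshake and dump the transcript.
# stdin is closed so openssl exits as soon as the handshake finishes.
ftps_probe() {
    openssl s_client -starttls ftp -connect "$1:${2:-21}" </dev/null 2>&1
}

# Read an s_client transcript on stdin and print one summary line.
# Exit status: 0 = TLS 1.2 or newer negotiated, 2 = an older protocol was
# negotiated (the ssl_tlsv1_2/ssl_sslv3 settings are not in effect),
# 1 = no handshake at all (AUTH TLS refused, ssl_enable=NO, or unreachable).
summarize_tls() {
    awk '
        /^[[:space:]]*Protocol[[:space:]]*:/ { proto = $NF }
        /^[[:space:]]*Cipher[[:space:]]*:/   { cipher = $NF }
        /Verify return code:/ { sub(/.*Verify return code:[[:space:]]*/, ""); verify = $0 }
        END {
            if (proto == "" || cipher == "0000") exit 1
            printf "protocol=%s cipher=%s verify=%s\n", proto, cipher, verify
            if (proto != "TLSv1.2" && proto != "TLSv1.3") exit 2
        }'
}

# Usage: ./ftps-check.sh HOST [PORT]
if [ -n "$1" ]; then
    ftps_probe "$1" "$2" | summarize_tls
fi
```

Running it against the tutorial's server as ./ftps-check.sh 192.168.56.10 should print a TLSv1.2 line with a HIGH-grade cipher; a verify code other than 18 (or 0, once you deploy a CA-signed certificate) means the client is not talking to the certificate you generated.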

Step 4: Install FileZilla to Connect Securely to the FTP Server

11. FileZilla is a modern, popular and, importantly, cross-platform FTP client that supports SSL/TLS connections by default.

To install FileZilla on Linux, run the commands below. On CentOS/RHEL the package lives in the EPEL repository, so enable EPEL first and install FileZilla in a second step:

--------- On CentOS/RHEL/Fedora ---------
# yum install epel-release
# yum install filezilla

--------- On Debian/Ubuntu ---------
$ sudo apt-get install filezilla

12. When the installation finishes (or if you already have it installed), open it and go to File => Site Manager (or press Ctrl + S) to open the Site Manager interface below.

Click the New Site button to add the connection details of a new site/host.

13. Next, set the host/site name, enter the IP address, and define the protocol, encryption and logon type as in the screenshot below (use the values that apply to your scenario):

Host:  192.168.56.10
Protocol:  FTP – File Transfer Protocol
Encryption:  Require explicit FTP over TLS   #recommended 
Logon Type: Ask for password	        #recommended 
User: username

14. Then click Connect to enter the password, and then verify the certificate presented for the SSL/TLS connection. Since the certificate is self-signed, FileZilla cannot validate it against a CA and will show its details; compare the fingerprint it displays with the fingerprint of /etc/ssl/private/vsftpd.pem on the server before clicking OK again to connect to the FTP server:

At this point we should be logged in to the FTP server successfully over a TLS connection; check the connection status section for more information in the interface below.

15. Last but not least, try transferring files from the local machine to the FTP server's file directory, and watch the bottom of the FileZilla interface for reports about the file transfers.

That's it! Always keep in mind that FTP is insecure by default unless we configure it to use SSL/TLS connections as we showed you in this tutorial. Share your thoughts about this tutorial/topic via the feedback form below.