Setting Up a Secure FTP Server Using SSL/TLS on Ubuntu


In this tutorial, we will describe how to secure an FTP server (VSFTPD stands for "Very Secure FTP Daemon") using SSL/TLS on Ubuntu 16.04/16.10.

If you are looking to set up a secure FTP server for CentOS-based distributions, you can read - Secure an FTP Server Using SSL/TLS on CentOS.

After following the steps in this guide, we will have learned the fundamentals of enabling encryption services on an FTP server, which is essential for secure data transfers.

  1. You must install and configure an FTP server on Ubuntu

Before we go further, make sure that all commands in this article are run as root or from a sudo-privileged account.

Step 1: Generating an SSL/TLS Certificate for FTP on Ubuntu

1. We will begin by creating a subdirectory under /etc/ssl/ to store the SSL/TLS certificate and key files, if it does not already exist:

$ sudo mkdir /etc/ssl/private

2. Now let's generate the certificate and key in a single file by running the command below.

$ sudo openssl req -x509 -nodes -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem -days 365 -newkey rsa:2048

The command above will prompt you to answer the questions below; don't forget to enter values that apply to your scenario.

Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Lower Parel
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:TecMint.com
Organizational Unit Name (eg, section) []:Linux and Open Source
Common Name (eg, your name or your server's hostname) []:tecmint
Email Address []:[email 

Step 2: Configuring VSFTPD to Use SSL/TLS on Ubuntu

3. Before we perform any VSFTPD configuration, those who have the UFW firewall enabled must open port 990 and ports 40000-50000, to allow TLS connections and the passive port range that will be set in the VSFTPD configuration file, respectively:

$ sudo ufw allow 990/tcp
$ sudo ufw allow 40000:50000/tcp
$ sudo ufw status

4. Now, open the VSFTPD configuration file and define the SSL details in it:

$ sudo vi /etc/vsftpd/vsftpd.conf
OR
$ sudo nano /etc/vsftpd/vsftpd.conf

Then add or locate the option ssl_enable and set its value to YES to activate the use of SSL. Since TLS is more secure than SSL, we will restrict VSFTPD to use TLS instead, by enabling the ssl_tlsv1 option:

ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

5. Next, comment out the lines below using the # character, like this:

#rsa_cert_file=/etc/ssl/private/ssl-cert-snakeoil.pem
#rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Afterwards, add the lines below to define the location of the SSL certificate and key file:

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

6. Now, we will prevent anonymous users from using SSL, then force all non-anonymous logins to use a secure SSL connection for data transfer and for sending the password during login:

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

7. Moreover, we can use the options below to add more security features to the FTP server. With the option require_ssl_reuse=YES, all SSL data connections are required to exhibit SSL session reuse, proving that they know the same master secret as the control channel. So, we should disable it.

require_ssl_reuse=NO

In addition, we can set which SSL ciphers VSFTPD will permit for encrypted SSL connections with the ssl_ciphers option. This helps frustrate any efforts by attackers who try to force a specific cipher in which they may have discovered vulnerabilities:

ssl_ciphers=HIGH

8. Then, let's define the port range (min and max port) of the passive ports.

pasv_min_port=40000
pasv_max_port=50000

9. To enable SSL debugging, meaning OpenSSL connection diagnostics are recorded in the VSFTPD log file, we can use the debug_ssl option:

debug_ssl=YES

Finally, save the file and close it. Then restart the VSFTPD service:

$ systemctl restart vsftpd
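
The directives from steps 4 to 9 can be checked mechanically before the service is restarted. The following is an added example, not part of the original tutorial: a small Python audit that parses vsftpd.conf text and reports where it departs from the values set above. The names `parse_conf`, `audit`, `EXPECTED` and `SAMPLE_BAD` are hypothetical, and the sample configuration is constructed.

```python
# Added example (not from the tutorial): audit vsftpd.conf against steps 4-9.
EXPECTED = {
    "ssl_enable": "YES", "ssl_tlsv1": "YES", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
    "allow_anon_ssl": "NO", "force_local_data_ssl": "YES",
    "force_local_logins_ssl": "YES", "ssl_ciphers": "HIGH",
}

def parse_conf(text):
    """Parse 'name=value' lines; vsftpd allows no spaces around '='."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value  # assumption: a repeated directive's last value wins
    return conf

def audit(text, fw_range=(40000, 50000)):
    """Return a list of findings; fw_range is the UFW range opened in step 3."""
    conf, findings = parse_conf(text), []
    for key, want in EXPECTED.items():
        if conf.get(key) != want:
            findings.append(f"{key}={conf.get(key)}: tutorial sets {want}")
    for key in ("rsa_cert_file", "rsa_private_key_file"):
        path = conf.get(key, "")
        if not path or "snakeoil" in path:
            findings.append(f"{key}={path or None}: expected the generated vsftpd.pem")
    try:
        lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
        if not fw_range[0] <= lo <= hi <= fw_range[1]:
            findings.append(f"passive ports {lo}-{hi} not within firewall range {fw_range}")
    except (KeyError, ValueError):
        findings.append("pasv_min_port/pasv_max_port: missing or not numeric")
    if conf.get("debug_ssl") == "YES":
        findings.append("note: debug_ssl=YES (OpenSSL connection diagnostics are being logged)")
    return findings

# Constructed sample: SSLv3 left on, snakeoil cert active, passive range too wide.
SAMPLE_BAD = "\n".join([
    "ssl_enable=YES", "ssl_tlsv1=YES", "ssl_sslv2=NO", "ssl_sslv3=YES",
    "rsa_cert_file=/etc/ssl/private/ssl-cert-snakeoil.pem",
    "rsa_private_key_file=/etc/ssl/private/vsftpd.pem",
    "allow_anon_ssl=NO", "force_local_data_ssl=YES", "ssl_ciphers=HIGH",
    "pasv_min_port=40000", "pasv_max_port=60000",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE_BAD):
        print(finding)
```

To audit a real file, pass its contents to `audit()` instead of the constructed sample; an empty list means every directive matches the tutorial.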

Step 3: Verify FTP with SSL/TLS Connections on Ubuntu

10. After performing all the configuration above, test whether VSFTPD is now using SSL/TLS connections by trying to use FTP from the command line, as below.

From the output below, there is an error message telling us that VSFTPD only permits (non-anonymous) users to log in from secure clients that support encryption services.

$ ftp 192.168.56.10
Connected to 192.168.56.10  (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root) : ravi
530 Non-anonymous sessions must use encryption.
Login failed.
421 Service not available, remote server has closed connection
ftp>

The command-line client does not support encryption services, which results in the error above. Therefore, to connect securely to an FTP server with encryption services enabled, we need an FTP client that supports SSL/TLS connections by default, such as FileZilla.

Step 4: Install FileZilla on Clients to Connect to FTP Securely

FileZilla is a powerful cross-platform FTP client that supports FTP over SSL/TLS and more. To install FileZilla on a Linux client machine, use the following command.

--------- On Debian/Ubuntu ---------
$ sudo apt-get install filezilla   

--------- On CentOS/RHEL/Fedora --------- 
# yum install epel-release filezilla

--------- On Fedora 22+ --------- 
$ sudo dnf install filezilla

12. Once the installation completes, open it and go to File=>Sites Manager or (press Ctrl + S) to get the Site Manager interface below.

13. Now, define the host/site name, add the IP address, and define the protocol to use, the encryption and the logon type as in the screenshot below (use values that apply to your scenario):

Click the New Site button to configure a new site/host connection.

Host:  192.168.56.10
Protocol:  FTP – File Transfer Protocol
Encryption:  Require explicit FTP over   #recommended 
Logon Type: Ask for password	        #recommended 
User: username

14. Then click Connect from the interface above to enter the password, verify the certificate being used for the SSL/TLS connection, and click OK once more to connect to the FTP server:

15. Now, you should have logged in successfully to the FTP server over a TLS connection; check the connection status section for more information from the interface below.

16. Lastly, let's transfer files from the local machine to the FTP server in the files folder; take a look at the lower end of the FileZilla interface to view reports concerning file transfers.

That's all! Always remember that installing an FTP server without enabling encryption services has certain security implications. As we explained in this tutorial, you can configure an FTP server to use SSL/TLS connections to implement security on Ubuntu 16.04/16.10.

If you face any problems setting up SSL/TLS on the FTP server, use the comment form below to share your problems or thoughts concerning this tutorial/topic.