CentOS 7:安裝Proftpd〈提供 FTP、FTPs與SFTP〉
Proftpd 是「Professional FTP daemon」的縮寫,與 vsFTPd 一樣都是強調安全性的 FTP 伺服軟體;Proftpd 本身內建支援 SFTP 的 module,因此不需要另外使用 SSHd 的 SFTP 模組,在權限控管上比較靈活、設定上也相對單純,並且支援 chroot 功能。
安裝EPEL Repository,可以參考本站的安裝EPEL Repository
安裝proftpd
確認selinux是關閉的狀態
設定proftpd
設定/etc/hosts,加入'192.168.10.7 proftpd'
設定ftps服務
設定sftp服務
修改權限
啟動proftpd
設定防火牆
測試
proftpd預設支援chroot
安裝EPEL Repository,可以參考本站的安裝EPEL Repository
安裝proftpd
[root@proftpd ~]# yum install -y proftpd
確認selinux是關閉的狀態
[root@proftpd ~]# getenforce
Disabled
Disabled
設定proftpd
[root@proftpd ~]# vim /etc/proftpd.conf
# line 77:編輯
ServerName "proftpd"
# line 81:新增
Port 21
PassivePorts 40000 45000
# line 77:編輯
ServerName "proftpd"
# line 81:新增
Port 21
PassivePorts 40000 45000
設定/etc/hosts,加入'192.168.10.7 proftpd'
[root@proftpd ~]# echo '192.168.10.7 proftpd' >> /etc/hosts
[root@proftpd ~]# tail /etc/hosts
192.168.10.7 proftpd
[root@proftpd ~]# tail /etc/hosts
192.168.10.7 proftpd
設定ftps服務
# 安裝openssl
[root@proftpd ~]# yum install -y openssl
# 建立certificate
[root@proftpd ~]# openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem
Generating a 2048 bit RSA private key
..+++
.......+++
writing new private key to '/etc/pki/tls/certs/proftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan
Locality Name (eg, city) [Default City]:Hsinchu
Organization Name (eg, company) [Default Company Ltd]:coodie
Organizational Unit Name (eg, section) []:coodie
Common Name (eg, your name or your server's hostname) []:proftpd
Email Address []:xxx@nchc.narl.org.tw
# 修改設定檔
[root@proftpd ~]# vim /etc/proftpd.conf
# line 294 (附近):在 <IfDefine TLS> 與 </IfDefine> 兩行前加上 # 使其成為註解,並將 TLSRequired 的 on 改為 off
#<IfDefine TLS>
TLSEngine on
TLSRequired off #如果要強制使用FTPs則改為on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
# <IfModule mod_tls_shmcache.c>
# TLSSessionCache shm:/file=/var/run/proftpd/sesscache
# </IfModule>
#</IfDefine>
[root@proftpd ~]# yum install -y openssl
# 建立certificate
[root@proftpd ~]# openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem
Generating a 2048 bit RSA private key
..+++
.......+++
writing new private key to '/etc/pki/tls/certs/proftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan
Locality Name (eg, city) [Default City]:Hsinchu
Organization Name (eg, company) [Default Company Ltd]:coodie
Organizational Unit Name (eg, section) []:coodie
Common Name (eg, your name or your server's hostname) []:proftpd
Email Address []:xxx@nchc.narl.org.tw
# 修改設定檔
[root@proftpd ~]# vim /etc/proftpd.conf
# line 294 (附近):在 <IfDefine TLS> 與 </IfDefine> 兩行前加上 # 使其成為註解,並將 TLSRequired 的 on 改為 off
#<IfDefine TLS>
TLSEngine on
TLSRequired off #如果要強制使用FTPs則改為on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
# <IfModule mod_tls_shmcache.c>
# TLSSessionCache shm:/file=/var/run/proftpd/sesscache
# </IfModule>
#</IfDefine>
設定sftp服務
[root@proftpd ~]# vim /etc/proftpd.conf
# line 210 (附近):去除#
LoadModule mod_sftp.c
# line 214 (附近):去除#
LoadModule mod_sftp_pam.c
# line 429 (附近):新增
<VirtualHost 0.0.0.0>
Port 2221
<IfModule mod_sftp.c>
SFTPEngine on
SFTPLog /var/log/proftpd/sftp.log
SFTPHostKey /etc/ssh/ssh_host_rsa_key #權限必須為600,否則會出現錯誤
SFTPCompression delayed
</IfModule>
</VirtualHost>
# line 210 (附近):去除#
LoadModule mod_sftp.c
# line 214 (附近):去除#
LoadModule mod_sftp_pam.c
# line 429 (附近):新增
<VirtualHost 0.0.0.0>
Port 2221
<IfModule mod_sftp.c>
SFTPEngine on
SFTPLog /var/log/proftpd/sftp.log
SFTPHostKey /etc/ssh/ssh_host_rsa_key #權限必須為600,否則會出現錯誤
SFTPCompression delayed
</IfModule>
</VirtualHost>
修改權限
[root@proftpd ~]# chmod 600 /etc/ssh/ssh_host_rsa_key
啟動proftpd
[root@proftpd ~]# systemctl restart proftpd.service
[root@proftpd ~]# systemctl enable proftpd.service
ln -s '/usr/lib/systemd/system/proftpd.service' '/etc/systemd/system/multi-user.target.wants/proftpd.service'
[root@proftpd ~]# systemctl enable proftpd.service
ln -s '/usr/lib/systemd/system/proftpd.service' '/etc/systemd/system/multi-user.target.wants/proftpd.service'
設定防火牆
# 關閉firewalld
[root@proftpd ~]# systemctl stop firewalld
[root@proftpd ~]# systemctl disable firewalld
# 安裝iptables
[root@proftpd ~]# yum -y install iptables-services
# 載入ftp模組
[root@proftpd ~]# vim /etc/sysconfig/iptables-config
# line 6:新增模組
IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp"
# 啟動iptables
[root@proftpd ~]# systemctl start iptables
[root@proftpd ~]# systemctl enable iptables
# 導入iptables規則
[root@proftpd ~]# vim iptables.sh #寫一個script將規則導入,省得一筆一筆打
# add
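#!/bin/sh
# iptables.sh: load the firewall rule set for the proftpd host in one go and
# persist it so the iptables service restores it at boot.
# Run as root. Abort on the first failing rule so a half-built rule set is
# never written to /etc/sysconfig/iptables.
set -eu

# Set permissive policies before flushing so existing connections (e.g. the
# SSH session running this script) are not cut off while the chains are empty.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X

# Established/related traffic, ICMP and loopback are always allowed.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# Exposed services: SSH (22), FTP control channel (21), proftpd SFTP VirtualHost (2221).
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 2221 -j ACCEPT
# FTP passive-mode data ports; this range must match "PassivePorts 40000 45000"
# in /etc/proftpd.conf or passive transfers will hang.
iptables -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 40000:45000 -j ACCEPT

# Everything else is rejected. The INPUT default policy is switched to DROP
# only after all accept rules are in place, so there is no window in which
# the ESTABLISHED rule is missing while the policy already drops.
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
iptables -P INPUT DROP

# Persist the rule set for the iptables-services unit.
iptables-save > /etc/sysconfig/iptables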
# 執行iptables.sh
[root@proftpd ~]# sh iptables.sh
# 重啟iptables
[root@proftpd ~]# systemctl restart iptables
[root@proftpd ~]# systemctl stop firewalld
[root@proftpd ~]# systemctl disable firewalld
# 安裝iptables
[root@proftpd ~]# yum -y install iptables-services
# 載入ftp模組
[root@proftpd ~]# vim /etc/sysconfig/iptables-config
# line 6:新增模組
IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp"
# 啟動iptables
[root@proftpd ~]# systemctl start iptables
[root@proftpd ~]# systemctl enable iptables
# 導入iptables規則
[root@proftpd ~]# vim iptables.sh #寫一個script將規則導入,省得一筆一筆打
# add
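#!/bin/sh
# iptables.sh: load the firewall rule set for the proftpd host in one go and
# persist it so the iptables service restores it at boot.
# Run as root. Abort on the first failing rule so a half-built rule set is
# never written to /etc/sysconfig/iptables.
set -eu

# Set permissive policies before flushing so existing connections (e.g. the
# SSH session running this script) are not cut off while the chains are empty.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X

# Established/related traffic, ICMP and loopback are always allowed.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# Exposed services: SSH (22), FTP control channel (21), proftpd SFTP VirtualHost (2221).
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 2221 -j ACCEPT
# FTP passive-mode data ports; this range must match "PassivePorts 40000 45000"
# in /etc/proftpd.conf or passive transfers will hang.
iptables -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 40000:45000 -j ACCEPT

# Everything else is rejected. The INPUT default policy is switched to DROP
# only after all accept rules are in place, so there is no window in which
# the ESTABLISHED rule is missing while the policy already drops.
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
iptables -P INPUT DROP

# Persist the rule set for the iptables-services unit.
iptables-save > /etc/sysconfig/iptables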
# 執行iptables.sh
[root@proftpd ~]# sh iptables.sh
# 重啟iptables
[root@proftpd ~]# systemctl restart iptables
測試
# 建立使用者
[root@proftpd ~]# useradd ftpuser -s /sbin/nologin # 因為只使用ftp服務不需登入shell,故設定nologin
[root@proftpd ~]# echo 'ftpuser' | passwd --stdin ftpuser # 更改使用者密碼
# 建立測試檔案
[root@proftpd ~]# touch ftptest
# 測試FTP與SFTP
[root@proftpd ~]# yum install -y ftp sftp
[root@proftpd ~]# ftp proftpd 21
Connected to proftpd (192.168.10.7).
220 FTP Server ready.
Name (proftpd:root): ftpuser
331 Password required for ftpuser
Password:
230 User ftpuser logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put ftptest
local: ftptest remote: ftptest
227 Entering Passive Mode (192,168,10,7,172,197).
150 Opening BINARY mode data connection for ftptest
226 Transfer complete
ftp> ls
227 Entering Passive Mode (192,168,10,7,175,70).
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 ftpuser ftpuser 0 Sep 28 05:33 ftptest
226 Transfer complete
ftp> quit
221 Goodbye.
[root@proftpd ~]# sftp -P 2221 ftpuser@proftpd
Password:
Connected to proftpd.
sftp> ls
ftptest #確定不同服務看到的檔案都一樣
sftp> quit
[root@proftpd ~]# useradd ftpuser -s /sbin/nologin # 因為只使用ftp服務不需登入shell,故設定nologin
[root@proftpd ~]# echo 'ftpuser' | passwd --stdin ftpuser # 更改使用者密碼
# 建立測試檔案
[root@proftpd ~]# touch ftptest
# 測試FTP與SFTP
[root@proftpd ~]# yum install -y ftp sftp
[root@proftpd ~]# ftp proftpd 21
Connected to proftpd (192.168.10.7).
220 FTP Server ready.
Name (proftpd:root): ftpuser
331 Password required for ftpuser
Password:
230 User ftpuser logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put ftptest
local: ftptest remote: ftptest
227 Entering Passive Mode (192,168,10,7,172,197).
150 Opening BINARY mode data connection for ftptest
226 Transfer complete
ftp> ls
227 Entering Passive Mode (192,168,10,7,175,70).
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 ftpuser ftpuser 0 Sep 28 05:33 ftptest
226 Transfer complete
ftp> quit
221 Goodbye.
[root@proftpd ~]# sftp -P 2221 ftpuser@proftpd
Password:
Connected to proftpd.
sftp> ls
ftptest #確定不同服務看到的檔案都一樣
sftp> quit
proftpd預設支援chroot
[root@proftp ~]# cat /etc/proftpd.conf | grep -B 2 'DefaultRoot'
# Cause every FTP user except adm to be chrooted into their home directory
DefaultRoot ~ !adm # 此行的意思是指除了 adm 這個群組的成員外,所有使用者登入後都會被 chroot 限制在自己的家目錄內
# Cause every FTP user except adm to be chrooted into their home directory
DefaultRoot ~ !adm # 此行的意思是指除了 adm 這個群組的成員外,所有使用者登入後都會被 chroot 限制在自己的家目錄內