Secure ProFTPD Connections Using the TLS/SSL Protocol on RHEL/CentOS 7


By its nature, FTP was designed as an insecure protocol: all data and passwords are transferred in plain text, which makes it easy for a third party to intercept every transaction between the FTP client and the server, in particular the usernames and passwords used for authentication.

  1. Install ProFTPD Server on RHEL/CentOS 7
  2. Enable Anonymous Account for ProFTPD Server in RHEL/CentOS 7

This tutorial will guide you on how to encrypt and secure FTP communication on a ProFTPD server on CentOS/RHEL 7, using TLS (Transport Layer Security) with the FTPS extension (think of FTPS as what HTTPS is for the HTTP protocol).

Step 1: Create the ProFTPD TLS Module Configuration File

1. As discussed in the previous ProFTPD tutorial on the Anonymous account, this guide will also use the same approach of managing ProFTPD configuration files as modules, with the help of the enabled_mod and disabled_mod directories, which hold all of the server's extended features.

So, create a new file named tls.conf with your favourite text editor in the ProFTPD disabled_mod path and add the following directives.

# nano /etc/proftpd/disabled_mod/tls.conf

Add the following TLS configuration block.

<IfModule mod_tls.c>
TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv23
 
TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key

#TLSCACertificateFile                                     /etc/ssl/certs/CA.pem
TLSOptions                      NoCertRequest EnableDiags NoSessionReuseRequired
TLSVerifyClient                         off
TLSRequired                             on
TLSRenegotiate                          required on
</IfModule>

2. If you use browsers or FTP clients that do not support TLS connections, comment out the line TLSRequired on to allow both TLS and non-TLS connections at the same time and to avoid error messages like the one in the screenshot below.
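Two of the directives above deserve a second look before the file goes live: TLSProtocol SSLv23 tells OpenSSL to negotiate whatever both sides support and does not by itself exclude SSLv3, and commenting out TLSRequired on (as step 2 suggests) means the control channel will still accept plaintext logins. The following shell lint is an added example, not part of the article or of ProFTPD; it checks a mod_tls block for those two settings, plus TLSEngine, and shows a pinned block next to the weak one. The sample blocks are constructed here, and the value TLSProtocol TLSv1.2 is assumed to be accepted by the ProFTPD build in use (it is on 1.3.5 and later).

```shell
#!/bin/bash
# Added example (not from the article): lint a ProFTPD mod_tls block for
# settings that weaken FTPS, and compare a weak block with a hardened one.

# check_tls_conf FILE
# Prints one line per finding; prints nothing when the block looks sound.
check_tls_conf() {
    local file="$1" conf
    # Drop comments first, so a commented-out "#TLSRequired on" does not count as set.
    conf=$(sed 's/#.*//' "$file")

    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*TLSEngine[[:space:]]+on'; then
        echo "finding: TLSEngine is not 'on' (mod_tls is inactive)"
    fi
    # SSLv23 means "let OpenSSL negotiate"; pin the accepted versions explicitly.
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*TLSProtocol[[:space:]]+(TLSv1\.[23][[:space:]]*)+$'; then
        echo "finding: TLSProtocol is not pinned to TLSv1.2/TLSv1.3 (SSLv23, old TLS, or unset)"
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*TLSRequired[[:space:]]+on'; then
        echo "finding: TLSRequired is not 'on' (plaintext control channel still accepted)"
    fi
}

WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)

# Constructed sample 1: the article's block with TLSRequired commented out,
# as step 2 suggests for clients without TLS support.
cat > "$WEAK_CONF" <<'EOF'
<IfModule mod_tls.c>
TLSEngine on
TLSProtocol SSLv23
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
#TLSRequired on
</IfModule>
EOF

# Constructed sample 2: same block, protocol pinned and TLS mandatory.
cat > "$HARD_CONF" <<'EOF'
<IfModule mod_tls.c>
TLSEngine on
TLSProtocol TLSv1.2
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
TLSRequired on
</IfModule>
EOF

echo "== weak block =="
check_tls_conf "$WEAK_CONF"
echo "== hardened block =="
check_tls_conf "$HARD_CONF"
```

Run it as-is to see the two findings for the weak block and none for the hardened one; to lint your own file, call check_tls_conf /etc/proftpd/disabled_mod/tls.conf before creating the symlink in step 3.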

Step 2: Create the SSL Certificate Files for TLS

3. After you have created the TLS module configuration file, which enables FTP over TLS on ProFTPD, you need to create an SSL certificate and key to use for secured communication on the ProFTPD server, with the help of the OpenSSL package.

# yum install openssl

You can use a single long command to generate the SSL certificate and key pair, but to make things simpler you can create a small bash script that generates the SSL pair with the name you want and sets the correct permissions on the key file.

Create a bash file named proftpd_gen_ssl in /usr/local/bin/ or in any other executable system path (as defined by the PATH variable).

# nano /usr/local/bin/proftpd_gen_ssl

Add the following content to it.

#!/bin/bash
# Generate a self-signed certificate and private key for ProFTPD.
echo -e "\nPlease enter a name for your SSL Certificate and Key pairs:"
read -r name
# Self-signed X.509 certificate valid for 365 days; -nodes leaves the key
# unencrypted so proftpd can read it at startup without a passphrase.
# rsa:1024 is the article's value; 2048 bits or more is the current minimum.
openssl req -x509 -newkey rsa:1024 \
        -keyout "/etc/ssl/private/$name.key" -out "/etc/ssl/certs/$name.crt" \
        -nodes -days 365

# The private key must be readable by root only.
chmod 0600 "/etc/ssl/private/$name.key"

4. After you have created the file above, set executable permissions on it, make sure the /etc/ssl/private directory exists, and run the script to create the SSL certificate and key pair.

# chmod +x /usr/local/bin/proftpd_gen_ssl
# mkdir -p /etc/ssl/private
# proftpd_gen_ssl

Fill in the SSL certificate with the required self-explanatory information, but pay attention to the Common Name: it must match your host's Fully Qualified Domain Name (FQDN).
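The interactive prompts make it easy to get the Common Name wrong or to forget the key permissions, and neither mistake shows up until a client refuses the certificate. The script below is an added example, not the article's proftpd_gen_ssl: it generates the pair non-interactively with the Common Name passed as a parameter, then verifies both the CN and the 0600 mode on the key. It assumes openssl is installed; the host name ftp.example.com and the temporary output directory are constructed for the demo, so point the third parameter at /etc/ssl on a real server (and copy the files into the certs and private subdirectories the tls.conf references).

```shell
#!/bin/bash
# Added example (not the article's script): generate the ProFTPD certificate
# non-interactively with the Common Name set to the host's FQDN, then verify
# the two things that commonly go wrong: the CN and the key permissions.

# gen_ftps_cert NAME FQDN OUTDIR
# Creates OUTDIR/NAME.key (mode 0600) and OUTDIR/NAME.crt (self-signed, 365 days).
gen_ftps_cert() {
    local name="$1" fqdn="$2" outdir="$3"
    mkdir -p "$outdir"
    # 2048-bit RSA (the article uses rsa:1024, which is below current minimums).
    # -subj answers the prompts so the script runs unattended; -nodes leaves the
    # key unencrypted because proftpd must read it at startup without a passphrase.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$fqdn" \
        -keyout "$outdir/$name.key" -out "$outdir/$name.crt"
    chmod 0600 "$outdir/$name.key"
}

# cert_cn CERTFILE -> prints the certificate's Common Name
cert_cn() {
    # RFC2253 formatting gives "subject=CN=..." on both OpenSSL 1.0 and 1.1+
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's|.*CN=\([^,]*\).*|\1|p'
}

# key_mode KEYFILE -> prints the file mode in octal (e.g. 600); GNU stat first, BSD fallback
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# verify_ftps_cert NAME FQDN OUTDIR -> 0 if the CN matches and the key is 0600, else 1
verify_ftps_cert() {
    local name="$1" fqdn="$2" outdir="$3" ok=0
    [ "$(cert_cn "$outdir/$name.crt")" = "$fqdn" ] || { echo "CN does not match $fqdn"; ok=1; }
    [ "$(key_mode "$outdir/$name.key")" = "600" ] || { echo "key is not mode 0600"; ok=1; }
    return $ok
}

# Demo with constructed values in a temporary directory (not /etc/ssl).
if command -v openssl >/dev/null 2>&1; then
    DEMO_DIR=$(mktemp -d)
    gen_ftps_cert proftpd ftp.example.com "$DEMO_DIR"
    verify_ftps_cert proftpd ftp.example.com "$DEMO_DIR" && echo "certificate CN and key mode look good"
else
    echo "openssl not found; install it first (yum install openssl)" >&2
fi
```

verify_ftps_cert is also useful on its own after the article's interactive script: run it with the name you typed, your FQDN and /etc/ssl (adjusting the subdirectories) to confirm the pair before enabling TLS.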

Step 3: Enable TLS on the ProFTPD Server

5. Since the TLS configuration file created earlier already points to the SSL certificate and key pair, all that remains is to enable the TLS module by creating a symbolic link of the tls.conf file into the enabled_mod directory and restarting the ProFTPD daemon to apply the changes.

# ln -s /etc/proftpd/disabled_mod/tls.conf  /etc/proftpd/enabled_mod/
# systemctl restart proftpd

6. To disable TLS, simply remove the tls.conf symlink from the enabled_mod directory and restart the ProFTPD server to apply the changes.

# rm /etc/proftpd/enabled_mod/tls.conf
# systemctl restart proftpd

Step 4: Open the Firewall to Allow FTP over TLS Communication

7. In order for clients to access ProFTPD and transfer files securely in Passive Mode, you must open the port range between 1024 and 65534 on the RHEL/CentOS firewall, using the following commands.

# firewall-cmd --add-port=1024-65534/tcp  
# firewall-cmd --add-port=1024-65534/tcp --permanent
# firewall-cmd --list-ports
# firewall-cmd --list-services
# firewall-cmd --reload

That's it. Your system is now ready to accept FTP over TLS communication from the client side.
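Opening 1024-65534 works, but it exposes every unprivileged port on the host to reach the handful that passive data connections actually use. ProFTPD lets you confine those data connections with the PassivePorts directive in proftpd.conf, after which only that range needs a firewall rule. The script below is an added example, not from the article: it reads the range from a proftpd.conf, falls back to the article's 1024-65534 when the directive is absent, sanity-checks it, and prints the matching firewall-cmd lines rather than running them. The sample configuration and the 49152-65534 range are constructed for the demo.

```shell
#!/bin/bash
# Added example (not from the article): derive the firewall rule from the
# PassivePorts directive in proftpd.conf instead of opening all of 1024-65534.

# passive_range CONFFILE -> prints "LOW-HIGH" from a "PassivePorts LOW HIGH" line;
# prints the article's 1024-65534 and returns 1 when the directive is absent.
passive_range() {
    local range
    range=$(sed -n 's/^[[:space:]]*PassivePorts[[:space:]][[:space:]]*\([0-9][0-9]*\)[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1-\2/p' "$1" | head -n 1)
    if [ -z "$range" ]; then
        echo "1024-65534"
        return 1
    fi
    echo "$range"
}

# range_ok RANGE -> 0 when LOW < HIGH and both are unprivileged, valid TCP ports
range_ok() {
    local low="${1%-*}" high="${1#*-}"
    [ "$low" -ge 1024 ] && [ "$low" -lt "$high" ] && [ "$high" -le 65535 ]
}

# firewall_cmds RANGE -> prints (does not run) the firewalld commands for the range
firewall_cmds() {
    printf 'firewall-cmd --add-port=%s/tcp\n' "$1"
    printf 'firewall-cmd --add-port=%s/tcp --permanent\n' "$1"
    printf 'firewall-cmd --reload\n'
}

# Constructed sample proftpd.conf for the demo.
DEMO_CONF=$(mktemp)
printf 'ServerName "FTPS demo"\nPassivePorts 49152 65534\n' > "$DEMO_CONF"

RANGE=$(passive_range "$DEMO_CONF") || echo "no PassivePorts set; using the article's full range" >&2
range_ok "$RANGE" || { echo "unusable passive range: $RANGE" >&2; exit 1; }
echo "Passive range from proftpd.conf: $RANGE"
firewall_cmds "$RANGE"
```

Point passive_range at /etc/proftpd/proftpd.conf on the server; if it reports the fallback, add a PassivePorts line there, restart proftpd as in step 3, and then run the printed firewall-cmd lines. The firewall rule and the directive must agree, otherwise passive transfers hang after the TLS handshake succeeds.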

Step 5: Access ProFTPD over TLS from Clients

8. Web browsers usually have no built-in support for the FTP over TLS protocol, so all their transactions go over unencrypted FTP. One of the best FTP clients is FileZilla, which is fully open source and runs on almost all major operating systems.

To access FTP over TLS from FileZilla, open Site Manager, select FTP as the Protocol and Require explicit FTP over TLS in the Encryption drop-down menu, set the Logon Type to Normal, enter your FTP credentials and hit Connect to communicate with the server.

9. If this is the first time you connect to the ProFTPD server, a pop-up with the new certificate should appear; check the box that says Always trust certificate in future sessions and hit OK to accept the certificate and authenticate to the ProFTPD server.

If you plan to use clients other than FileZilla to access the secured FTP resources, make sure they support the FTP over TLS protocol. Some good examples of FTP clients that can speak FTPS are gFTP or LFTP (command line) for NIX systems.