How to Install, Configure and Secure an FTP Server in CentOS 7 - [Comprehensive Guide]


FTP (File Transfer Protocol) is a traditional, standard and still widely used tool for transferring files between a server and clients over a network, especially where no authentication is required (it permits anonymous users to connect to a server). We must understand that FTP is insecure by default, because it transmits user credentials and data without any encryption.

In this guide, we will describe the steps to install, configure and secure an FTP server (VSFTPD stands for Very Secure FTP Daemon) on CentOS/RHEL 7 and Fedora distributions.

Note that all the commands in this guide are to be run as root; if you are not operating the server with the root account, use the sudo command to gain root privileges.

Step 1: Install the FTP Server

1. Installing the vsftpd server is straightforward; simply run the following command in the terminal.

# yum install vsftpd

2. After the installation completes, the service is initially disabled, so we need to start it manually for the time being and also enable it to start automatically from the next system boot:

# systemctl start vsftpd
# systemctl enable vsftpd

3. Next, to allow access to the FTP service from external systems, we must open port 21, where the FTP daemon listens, as follows:

# firewall-cmd --zone=public --permanent --add-port=21/tcp
# firewall-cmd --zone=public --permanent --add-service=ftp
# firewall-cmd --reload

Step 2: Configure the FTP Server

4. Now we will make a few configuration changes to set up and secure our FTP server. Let's start by making a backup of the original configuration file /etc/vsftpd/vsftpd.conf:

# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.orig

Next, open the configuration file above and set the following options with these corresponding values. The explanatory comments are placed on their own lines, because vsftpd does not accept a trailing comment after an option value (it would be read as part of the value):

# disable anonymous login
anonymous_enable=NO
# permit local logins
local_enable=YES
# enable FTP commands which change the filesystem
write_enable=YES
# value of umask for file creation for local users
local_umask=022
# enable showing of messages when users first enter a new directory
dirmessage_enable=YES
# a log file will be maintained detailing uploads and downloads
xferlog_enable=YES
# use port 20 (ftp-data) on the server machine for PORT style connections
connect_from_port_20=YES
# keep standard log file format
xferlog_std_format=YES
# prevent vsftpd from running in standalone mode
listen=NO
# vsftpd will listen on an IPv6 socket instead of an IPv4 one
listen_ipv6=YES
# name of the PAM service vsftpd will use
pam_service_name=vsftpd
# enable vsftpd to load a list of usernames
userlist_enable=YES
# turn on tcp wrappers
tcp_wrappers=YES

5. Now configure FTP to allow or deny FTP access to users based on the user list file /etc/vsftpd.userlist.

By default, the users listed in userlist_file=/etc/vsftpd.userlist are denied login when the userlist_deny option is set to YES, provided that userlist_enable=YES.

However, userlist_deny=NO reverses this behaviour, meaning that only users explicitly listed in userlist_file=/etc/vsftpd.userlist will be permitted to log in.

# vsftpd will load a list of usernames from the file given by userlist_file
userlist_enable=YES
# the file that stores the usernames
userlist_file=/etc/vsftpd.userlist
# only the listed users may log in
userlist_deny=NO

That is not all: when users log in to the FTP server, they are placed in a chroot jail, a local root directory that acts as their home directory for the FTP session only.

Next, we will look at two possible ways of chrooting FTP users to a home directory (local root) for FTP users, as explained below.

6. Now add these two options to restrict FTP users to their home directory.

chroot_local_user=YES
allow_writeable_chroot=YES

chroot_local_user=YES means local users will be placed in a chroot jail, which by default is their home directory after login.

Also by default, vsftpd does not allow the chroot jail directory to be writable, for security reasons; however, we can use the option allow_writeable_chroot=YES to override this setting.

Save the file and close it.
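The login rules and hardening options from steps 4 to 6, as an added example that is not part of the original guide and not vsftpd's own code: a POSIX shell script that reads copies of vsftpd.conf and the userlist file, reports whether a given login name would be allowed, and flags options that differ from the hardened values. It assumes only grep, sed and tail; the sample config and user list at the end are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original guide: model vsftpd's allow/deny login
# decision from a vsftpd.conf plus userlist file, and audit the hardening options
# set in steps 4 to 6. Paths are parameters, so run it against copies of the files.

# Effective value of option $1 in file $2 (last assignment wins, '#' lines
# ignored); $3 is vsftpd's built-in default, used when the option is absent.
cfg_get() {
    v=$(grep -v '^#' "$2" | sed -n "s/^$1=//p" | tail -n 1)
    echo "${v:-$3}"
}

# Print "allow" or "deny" for login name $1 given config $2 and userlist $3.
# userlist_deny=NO makes the list an allow-list; the default YES, a deny-list.
vsftpd_login_decision() {
    user=$1; conf=$2; list=$3
    case $user in
        anonymous|ftp) gate=$(cfg_get anonymous_enable "$conf" YES) ;;
        *)             gate=$(cfg_get local_enable "$conf" NO) ;;
    esac
    [ "$gate" = YES ] || { echo deny; return; }
    if [ "$(cfg_get userlist_enable "$conf" NO)" = YES ]; then
        listed=no; grep -qx "$user" "$list" 2>/dev/null && listed=yes
        deny=$(cfg_get userlist_deny "$conf" YES)
        if [ "$deny" = NO ] && [ "$listed" = no ]; then echo deny; return; fi
        if [ "$deny" = YES ] && [ "$listed" = yes ]; then echo deny; return; fi
    fi
    echo allow
}

# Print the number of hardening findings for config $1 (details on stderr).
# Each spec is key=expected=default, default being vsftpd's value when absent.
vsftpd_audit() {
    conf=$1; findings=0
    for spec in anonymous_enable=NO=YES chroot_local_user=YES=NO userlist_enable=YES=NO \
                userlist_deny=NO=YES allow_writeable_chroot=NO=NO; do
        key=${spec%%=*}; rest=${spec#*=}
        [ "$(cfg_get "$key" "$conf" "${rest#*=}")" = "${rest%%=*}" ] ||
            { echo "WARN: $key should be ${rest%%=*}" >&2; findings=$((findings + 1)); }
    done
    echo "$findings"
}
# Constructed sample input mirroring the guide's settings, written to a temp dir.
demo=$(mktemp -d)
printf '%s\n' anonymous_enable=NO local_enable=YES userlist_enable=YES \
    userlist_deny=NO chroot_local_user=YES allow_writeable_chroot=YES > "$demo/vsftpd.conf"
printf 'ravi\n' > "$demo/vsftpd.userlist"
for u in anonymous aaronkilik ravi; do echo "$u: $(vsftpd_login_decision "$u" "$demo/vsftpd.conf" "$demo/vsftpd.userlist")"; done
echo "hardening findings: $(vsftpd_audit "$demo/vsftpd.conf")"
rm -rf "$demo"
```

With the sample config, anonymous and the unlisted user are denied, ravi is allowed, and the only finding is allow_writeable_chroot=YES, which step 12 later removes.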

Step 3: Secure the FTP Server with SELinux

7. Now, let's set the SELinux boolean below to allow FTP to read files in a user's home directory. Note that this was initially done using the command:

# setsebool -P ftp_home_dir on

However, the ftp_home_dir directive is disabled by default, as explained in this bug report: https://bugzilla.redhat.com/show_bug.cgi?id=1097775.

Now we will use the semanage command to configure the SELinux policy so that FTP is allowed to read/write a user's home directory.

# semanage boolean -m ftpd_full_access --on

At this point, we must restart vsftpd to apply all the changes we made above:

# systemctl restart vsftpd

Step 4: Test the FTP Server

8. Now we will test the FTP server by creating an FTP user with the useradd command.

# useradd -m -c "Ravi Saive, CEO" -s /bin/bash ravi
# passwd ravi

Then, we must add the user ravi to the file /etc/vsftpd.userlist using the echo command as follows:

# echo "ravi" | tee -a /etc/vsftpd.userlist
# cat /etc/vsftpd.userlist

9. Now it is time to test whether our settings above are working correctly. Let's start by testing anonymous login; we can see from the output below that anonymous logins are not permitted:

# ftp 192.168.56.10
Connected to 192.168.56.10  (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root) : anonymous
530 Permission denied.
Login failed.
ftp>

10. Let's test whether a user not listed in the /etc/vsftpd.userlist file is permitted to log in, which is not the case, as the output below shows:

# ftp 192.168.56.10
Connected to 192.168.56.10  (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root) : aaronkilik
530 Permission denied.
Login failed.
ftp>

11. Now do a final check of whether a user listed in the /etc/vsftpd.userlist file is placed in his home directory after login:

# ftp 192.168.56.10
Connected to 192.168.56.10  (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root) : ravi
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls

Enable the allow_writeable_chroot option only if you know exactly what you are doing. It is important to note that these security implications are not specific to vsftpd; they apply to all FTP daemons that offer to put local users in chroot jails as well.

Therefore, in the next section we will look at a more secure way of setting up a separate, non-writable local root directory.

Step 5: Configure Different FTP Home Directories

12. Open the vsftpd configuration file and start by commenting out the insecure option below:

#allow_writeable_chroot=YES

Then create the alternative local root directory for the user (ravi here; yours may be different) and remove write permissions for all users on this directory:

# mkdir /home/ravi/ftp
# chown nobody:nobody /home/ravi/ftp
# chmod a-w /home/ravi/ftp

13. Next, create a directory under the local root where the user will store his files:

# mkdir /home/ravi/ftp/files
# chown ravi:ravi  /home/ravi/ftp/files
# chmod 0700 /home/ravi/ftp/files/

Then add/modify the following options in the vsftpd configuration file with these values (comments on their own lines, as before):

# inserts the username in the local root directory
user_sub_token=$USER
# defines any user's local root directory
local_root=/home/$USER/ftp

Save the file and close it. Once again, let's restart the service with the new settings:

# systemctl restart vsftpd
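An added check for the step 12 and 13 layout, not part of the original guide: the shell script below (my own, not vsftpd's code) resolves local_root from a config copy with user_sub_token substituted, then verifies that the resulting root is not writable and that files/ is mode 0700, the conditions that let vsftpd run the chroot without allow_writeable_chroot. The test tree it builds is constructed under a temporary directory, and the chown to the user is skipped because that needs root.

```shell
#!/bin/sh
# Added example, not from the original guide: resolve a user's FTP local root from
# the step 13 options (local_root with user_sub_token substituted) and check that it
# follows the step 12-13 layout: root not writable by anyone, files/ with mode 0700.
# Config path and directory are parameters, so it runs against a test tree.

# Permission string of $1, e.g. drwxr-xr-x (ls -ld is available everywhere).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Print local_root from config $1 with the first user_sub_token occurrence replaced by user $2.
resolve_local_root() {
    root=$(grep -v '^#' "$1" | sed -n 's/^local_root=//p' | tail -n 1)
    token=$(grep -v '^#' "$1" | sed -n 's/^user_sub_token=//p' | tail -n 1)
    if [ -n "$token" ]; then
        case $root in *"$token"*) root=${root%%"$token"*}$2${root#*"$token"} ;; esac
    fi
    echo "$root"
}

# Print "ok" or the problems found with FTP root $1, mirroring what vsftpd
# requires once allow_writeable_chroot is off: the chroot root must not be writable.
ftp_root_check() {
    root=$1; problems=""
    [ -d "$root" ] || { echo "root-missing"; return; }
    case $(mode_of "$root") in *w*) problems="$problems root-writable" ;; esac
    if [ -d "$root/files" ]; then
        [ "$(mode_of "$root/files")" = drwx------ ] || problems="$problems files-not-0700"
    else
        problems="$problems files-missing"
    fi
    problems=${problems# }
    echo "${problems:-ok}"
}

# Constructed test tree under a temp dir standing in for /home; the chown to the
# FTP user is omitted (needs root), the mode checks are what this script verifies.
demo=$(mktemp -d)
printf 'user_sub_token=$USER\nlocal_root=%s/$USER/ftp\n' "$demo" > "$demo/vsftpd.conf"
root=$(resolve_local_root "$demo/vsftpd.conf" ravi)
mkdir -p "$root/files"                 # create files/ first: the root loses write below
chmod 0700 "$root/files" && chmod a-w "$root"
echo "$root: $(ftp_root_check "$root")"
chmod u+w "$root"; echo "after chmod u+w: $(ftp_root_check "$root")"
chmod -R u+w "$demo" && rm -rf "$demo"
```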

14. Now run the last test again and confirm that the user's local root directory is the FTP directory we created in his home directory.

# ftp 192.168.56.10
Connected to 192.168.56.10  (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root) : ravi
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls

That's all! In this article, we explained how to install, configure and secure an FTP server in CentOS 7. Use the comment section below to write to us about this guide or to share any useful information on this topic.

In the next article, we will also show you how to secure an FTP server using SSL/TLS connections in CentOS 7; until then, stay connected to TecMint.