How to Secure an FTP Server Using SSL/TLS for Secure File Transfer in CentOS 7


By its original design, FTP (File Transfer Protocol) is insecure: it does not encrypt the data transmitted between the two machines, and it sends user credentials in the clear as well. This poses a major threat to the data and to the security of the server itself.

In this tutorial, we will explain how to manually enable data encryption services in an FTP server on CentOS/RHEL 7 and Fedora; we will go through the various steps of securing VSFTPD (Very Secure FTP Daemon) services using SSL/TLS certificates.

  1. You must have installed and configured an FTP server in CentOS 7

Before we start, note that all the commands in this tutorial will be run as root; otherwise, use the sudo command to gain root privileges if you are not managing the server with the root account.

Step 1. Generate the SSL/TLS Certificate and Private Key

1. We need to start by creating a subdirectory under /etc/ssl/ where we will store the SSL/TLS certificate and key files:

# mkdir /etc/ssl/private

2. Then run the command below to create the certificate and key for vsftpd in a single file; here is an explanation of each flag used.

  1. req – the command for managing X.509 Certificate Signing Requests (CSR).
  2. x509 – means X.509 certificate data management.
  3. days – defines the number of days the certificate is valid for.
  4. newkey – specifies the certificate key processor.
  5. rsa:2048 – the RSA key processor; it will generate a 2048-bit private key.
  6. keyout – sets the key storage file.
  7. out – sets the certificate storage file; note that both the certificate and the key are stored in the same file: /etc/ssl/private/vsftpd.pem.

# openssl req -x509 -nodes -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem -days 365 -newkey rsa:2048

The command above will prompt you to answer the questions below; remember to use values that apply to your scenario.

Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Lower Parel
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:TecMint.com
Organizational Unit Name (eg, section) []:Linux and Open Source
Common Name (eg, your name or your server's hostname) []:tecmint
Email Address []:[email 

Step 2. Configure VSFTPD to Use SSL/TLS

3. Before we perform any VSFTPD configuration, let's open port 990 and the port range 40000-50000 in the firewall, to allow TLS connections and the passive port range that we will define in the VSFTPD configuration file, respectively:

# firewall-cmd --zone=public --permanent --add-port=990/tcp
# firewall-cmd --zone=public --permanent --add-port=40000-50000/tcp
# firewall-cmd --reload

4. Now, open the VSFTPD configuration file and specify the SSL details in it:

# vi /etc/vsftpd/vsftpd.conf

Look for the ssl_enable option and set its value to YES to enable the use of SSL; in addition, since TLS is more secure than SSL, we will restrict VSFTPD to use TLS instead, using the ssl_tlsv1_2 option:

ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=NO

5. Then, add the lines below to define the location of the SSL certificate and key file:

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

6. Next, we must prevent anonymous users from using SSL, then force all non-anonymous (local) logins to use a secure SSL connection both for data transfer and for sending the password during login:

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

7. In addition, we can add the options below to enhance the security of the FTP server. When the require_ssl_reuse option is set to YES, all SSL data connections are required to exhibit SSL session reuse, which proves that they know the same master secret as the control channel.

Many FTP clients do not support this, so we have to turn it off.

require_ssl_reuse=NO

In addition, we need to choose which SSL ciphers VSFTPD will allow for encrypted SSL connections, with the ssl_ciphers option. This can limit the efforts of attackers who try to force a specific cipher in which they may have discovered vulnerabilities:

ssl_ciphers=HIGH

8. Now, set the port range (min and max port) of passive ports.

pasv_min_port=40000
pasv_max_port=50000

9. Optionally, enable SSL debugging, meaning that openSSL connection diagnostics are recorded in the VSFTPD log file, with the debug_ssl option:

debug_ssl=YES

Save all the changes and close the file. Then let's restart the VSFTPD service:

# systemctl restart vsftpd
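Before restarting, it is worth checking the file for the mistakes that commonly break this step. The following Python script is an added example, not part of the tutorial and not vsftpd's own tooling: it parses a vsftpd.conf in the option=value format that vsftpd accepts (it refuses to start when there is whitespace around the '=') and reports every TLS setting that deviates from the values set in Step 2; the sample configuration is constructed here and deliberately contains three mistakes.

```python
import re
# Added example, not the tutorial's own code. vsftpd.conf(5): a setting is
# 'option=value', '#' in column 0 is a comment, whitespace around '=' is an error.
_LINE = re.compile(r"^(\w+)=(\S(?:.*\S)?)?$")

# Values from Step 2 (require_ssl_reuse=NO is the tutorial's deliberate relaxation).
EXPECTED = {
    "ssl_enable": "YES", "ssl_tlsv1_2": "YES", "ssl_sslv2": "NO",
    "ssl_sslv3": "NO", "allow_anon_ssl": "NO", "force_local_data_ssl": "YES",
    "force_local_logins_ssl": "YES", "require_ssl_reuse": "NO", "ssl_ciphers": "HIGH",
}

def parse_vsftpd_conf(text):
    """Return ({option: value}, [(lineno, bad_line)]); a later line overrides an earlier one."""
    options, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            errors.append((lineno, line))
            continue
        options[m.group(1)] = m.group(2) or ""
    return options, errors

def audit_tls_settings(text, expected=EXPECTED):
    """Return findings as strings; an empty list means the file matches Step 2."""
    options, errors = parse_vsftpd_conf(text)
    findings = [f"line {n}: malformed {line!r} (vsftpd wants option=value, no spaces)" for n, line in errors]
    for opt, want in expected.items():
        got = options.get(opt)
        if got is None:
            findings.append(f"{opt} not set (want {want}); vsftpd uses its built-in default")
        # Booleans are case-insensitive in vsftpd; other values compare exactly.
        elif (got.upper() if want in ("YES", "NO") else got) != want:
            findings.append(f"{opt}={got} (want {want})")
    return findings

# Constructed sample with three deliberate problems: a space around '=',
# SSLv3 left enabled, and force_local_logins_ssl omitted.
SAMPLE_CONF = """\
ssl_enable = YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
"""
```

Running `audit_tls_settings(open("/etc/vsftpd/vsftpd.conf").read())` on the real file returns an empty list only when every Step 2 value is present and well-formed.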

Step 3: Test the FTP Server With SSL/TLS Connections

10. After completing all the configuration above, test whether VSFTPD is enforcing SSL/TLS connections by trying to log in with the plain ftp client from the command line, as follows:

# ftp 192.168.56.10
Connected to 192.168.56.10  (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root) : ravi
530 Non-anonymous sessions must use encryption.
Login failed.
421 Service not available, remote server has closed connection
ftp>

From the output above, we can see an error informing us that VSFTPD only allows a user to log in from clients that support encryption.

The command-line ftp client does not provide encryption, hence the error. Therefore, to connect to the server securely, we need an FTP client that supports SSL/TLS connections, such as FileZilla.

Step 4: Install FileZilla to Connect Securely to the FTP Server

11. FileZilla is a modern, popular and widely used FTP client that supports SSL/TLS connections by default.

To install FileZilla on Linux, run the commands below:

--------- On CentOS/RHEL/Fedora ---------
# yum install epel-release filezilla

--------- On Debian/Ubuntu ---------
$ sudo apt-get install filezilla

12. When the installation completes (or if you already have it installed), open it and go to File => Site Manager (or press Ctrl+S) to open the Site Manager interface shown below.

Click the New Site button to add the connection details of a new site/host.

13. Next, set the host/site name, add the IP address, and define the protocol to use, the encryption and the logon type as in the screenshot below (use values that apply to your scenario):

Host:        192.168.56.10
Protocol:    FTP – File Transfer Protocol
Encryption:  Require explicit FTP over TLS   #recommended
Logon Type:  Ask for password                #recommended
User:        username

14. Then click Connect and enter the password again; next, verify the certificate being used for the SSL/TLS connection and click OK once more to connect to the FTP server:

At this point, we should have logged into the FTP server successfully over a TLS connection; check the connection status section for more information, in the interface below.

15. Last but not least, try transferring files from the local machine to the FTP server, into the files folder; check the lower part of the FileZilla interface to view reports about the file transfer.

That's all! Always remember that FTP is insecure by default, unless we configure it to use SSL/TLS connections as we showed you in this tutorial. Share your thoughts about this tutorial/topic via the feedback form below.