RHCSA Series: Installing, Configuring and Securing a Web and FTP Server - Part 9


A web server (also known as an HTTP server) is a service that hands content (most often web pages, but other types of documents as well) over to a client in a network.

An FTP server is one of the oldest and most commonly used resources (even to this day) to make files available to clients on a network in environments where no authentication is necessary, since FTP uses username and password without encryption.

The web server included in RHEL 7 is version 2.4 of the Apache HTTP Server. As for the FTP server, we will use the Very Secure Ftp Daemon (aka vsftpd) to set up connections secured by TLS.

In this article we will explain how to install, configure, and secure a web server and an FTP server in RHEL 7.

Installing Apache and FTP Server

In this guide we will use a RHEL 7 server with a static IP address of 192.168.0.18/24. To install Apache and VSFTPD, run the following command:

# yum update && yum install httpd vsftpd

When the installation completes, both services will be disabled initially, so we need to start them manually for the time being and enable them to start automatically beginning with the next boot:

# systemctl start httpd
# systemctl enable httpd
# systemctl start vsftpd
# systemctl enable vsftpd

In addition, we have to open ports 80 and 21, where the web and ftp daemons are listening, respectively, in order to allow access to those services from the outside:

# firewall-cmd --zone=public --add-port=80/tcp --permanent
# firewall-cmd --zone=public --add-service=ftp --permanent
# firewall-cmd --reload

To verify that the web server is working properly, fire up your browser and enter the IP of the server. You should see the test page:

As for the ftp server, we will have to configure it further, which we will do in a minute, before confirming that it's working as expected.

Configuring and Securing Apache Web Server

The main configuration file for Apache is located in /etc/httpd/conf/httpd.conf, but it may rely on other files present inside /etc/httpd/conf.d.

Although the default configuration should be sufficient for most cases, it's a good idea to become familiar with all the available options as described in the official documentation.

As always, make a backup copy of the main configuration file before editing it:

# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.$(date +%Y%m%d)

Then open it with your preferred text editor and look for the following variables:

  1. ServerRoot: the directory where the server's configuration, error, and log files are kept.
  2. Listen: instructs Apache to listen on a specific IP address and/or port.
  3. Include: allows the inclusion of other configuration files, which must exist. Otherwise, the server will fail, as opposed to the IncludeOptional directive, which is silently ignored if the specified configuration files do not exist.
  4. User and Group: the name of the user/group to run the httpd service as.
  5. DocumentRoot: the directory where Apache will serve your documents from. By default, all requests are taken from this directory, but symbolic links and aliases may be used to point to other locations.
  6. ServerName: this directive sets the hostname (or IP address) and port that the server uses to identify itself.

The first security measure will consist of creating a dedicated user and group (i.e. tecmint/tecmint) to run the web server as, and changing the default port to a higher one (9000 in this case):

ServerRoot "/etc/httpd"
Listen 192.168.0.18:9000
User tecmint
Group tecmint
DocumentRoot "/var/www/html"
ServerName 192.168.0.18:9000

You can test the configuration file with:

# apachectl configtest

and if everything is OK, then restart the web server:

# systemctl restart httpd

and don't forget to enable the new port (and disable the old one) in the firewall:

# firewall-cmd --zone=public --remove-port=80/tcp --permanent
# firewall-cmd --zone=public --add-port=9000/tcp --permanent
# firewall-cmd --reload

Note that, due to SELinux policies, you can only use the ports returned by

# semanage port -l | grep -w '^http_port_t'

for the web server.

If you want to use another port (i.e. TCP port 8100), you will have to add it to the SELinux port context for the httpd service:

# semanage port -a -t http_port_t -p tcp 8100

To further secure your Apache installation, follow these steps:

1. The user Apache runs as should not have access to a shell:

# usermod -s /sbin/nologin tecmint

2. Disable directory listing in order to prevent the browser from displaying the contents of a directory if there is no index.html present in that directory.

Edit /etc/httpd/conf/httpd.conf (and the configuration files for virtual hosts, if any) and make sure that the Options directive, both at the top and at Directory block levels, is set to None:

Options None

3. Hide information about the web server and the operating system in HTTP responses. Edit /etc/httpd/conf/httpd.conf as follows:

ServerTokens Prod
ServerSignature Off

You are now ready to start serving content from your /var/www/html directory.
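The following script is an added example (not part of the original article): it audits an httpd.conf for the settings applied in this section, namely a dedicated non-root User/Group, a Listen port that belongs to the SELinux http_port_t context, Options None everywhere, ServerTokens Prod and ServerSignature Off. Both sample configuration files and the http_port_t port list are constructed inline so the script runs offline; on a real host you would point it at /etc/httpd/conf/httpd.conf and feed it the output of `semanage port -l | grep -w '^http_port_t'`.

```shell
#!/bin/sh
# Added example, not from the original article: audit an httpd.conf for the
# hardening settings discussed above. The two sample configs and the SELinux
# port list are constructed here so that the script runs offline.

WEAK_CONF="$(mktemp)"      # constructed: RHEL 7 default-style settings
cat > "$WEAK_CONF" <<'EOF'
ServerRoot "/etc/httpd"
Listen 80
User apache
Group apache
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF

HARD_CONF="$(mktemp)"      # constructed: the settings applied in this article
cat > "$HARD_CONF" <<'EOF'
ServerRoot "/etc/httpd"
Listen 192.168.0.18:9000
User tecmint
Group tecmint
DocumentRoot "/var/www/html"
ServerName 192.168.0.18:9000
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options None
    AllowOverride None
</Directory>
EOF

# Constructed stand-in for the port list of the http_port_t SELinux context
# (assumed values; on a real host take them from `semanage port -l`).
HTTP_PORT_T="80, 81, 443, 488, 8008, 8009, 8443, 9000"

# Print the first value of directive $2 in file $1, skipping indentation.
directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# Return 0 if port $2 appears in the comma-separated list $1.
port_allowed() {
    printf ', %s,' "$1" | grep -q ", $2,"
}

# Audit one config file: print a FAIL line per violated check, return 1 if any.
audit_httpd_conf() {
    conf="$1"; allowed="$2"; rc=0

    user=$(directive "$conf" User); group=$(directive "$conf" Group)
    case "$user:$group" in
        :*|*:|root:*|*:root)
            echo "FAIL: User/Group must be a dedicated non-root account (got '$user:$group')"; rc=1 ;;
    esac

    listen=$(directive "$conf" Listen); port=${listen##*:}
    port_allowed "$allowed" "$port" || { echo "FAIL: Listen port $port is not in http_port_t"; rc=1; }

    [ "$(directive "$conf" ServerTokens)" = "Prod" ] || { echo "FAIL: ServerTokens is not Prod"; rc=1; }
    [ "$(directive "$conf" ServerSignature)" = "Off" ] || { echo "FAIL: ServerSignature is not Off"; rc=1; }

    # Every Options line, at top level or inside <Directory> blocks, must be None.
    bad=$(sed -n 's/^[[:space:]]*Options[[:space:]]\{1,\}//p' "$conf" | grep -v -x 'None' | wc -l | tr -d ' ')
    [ "$bad" -eq 0 ] || { echo "FAIL: $bad Options line(s) are not 'None' (directory listing possible)"; rc=1; }

    return $rc
}

echo "== default-style httpd.conf =="
audit_httpd_conf "$WEAK_CONF" "$HTTP_PORT_T" || echo "-> needs hardening"
echo "== hardened httpd.conf =="
if audit_httpd_conf "$HARD_CONF" "$HTTP_PORT_T"; then echo "-> all checks passed"; fi
```

The port check is deliberately tied to the SELinux context rather than to the firewall: a Listen port that is open in firewalld but missing from http_port_t still prevents httpd from binding, which is exactly the failure mode the `semanage port -a` step above avoids.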

Configuring and Securing FTP Server

As in the case of Apache, the main configuration file for Vsftpd (/etc/vsftpd/vsftpd.conf) is well commented, and while the default configuration should suffice for most applications, you should become acquainted with the documentation and the man page (man vsftpd.conf) in order to operate the ftp server more efficiently (I can't stress that enough!).

In our case, these are the directives used:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
allow_writeable_chroot=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

By using chroot_local_user=YES, local users will be (by default) placed in a chroot'ed jail in their home directory right after login. This means that local users will not be able to access any files outside their corresponding home directories.

Finally, to allow ftp to read files in the user's home directory, set the following SELinux boolean:

# setsebool -P ftp_home_dir on
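The following script is an added example (not from the original article) that checks a vsftpd.conf against the access-control settings listed above and reports on two of the article's own choices that deserve a second look: allow_writeable_chroot=YES, which vsftpd 3.x otherwise refuses to run with because a writable chroot root weakens the jail, and the absence of ssl_enable=YES, without which the TLS goal stated in the introduction is not met. The sample files are constructed inline (one copy of the article's directives, one minimal file that leaves vsftpd's built-in defaults in place, anonymous_enable defaulting to YES and ssl_enable to NO per man vsftpd.conf); on a real host point it at /etc/vsftpd/vsftpd.conf.

```shell
#!/bin/sh
# Added example, not from the original article: audit a vsftpd.conf for the
# settings discussed above. Sample files are constructed so it runs offline.

VSFTPD_CONF="$(mktemp)"    # constructed copy of the directives in the article
cat > "$VSFTPD_CONF" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
allow_writeable_chroot=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
EOF

LAX_CONF="$(mktemp)"       # constructed: a minimal file that keeps the built-in defaults
printf 'local_enable=YES\nwrite_enable=YES\n' > "$LAX_CONF"

# Print the value of key=value option $2 in file $1 (comment lines never match
# because they start with '#', not with the option name).
vsftpd_opt() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# Audit one file: FAIL lines set the return code to 1, WARN lines do not.
audit_vsftpd_conf() {
    conf="$1"; rc=0

    # vsftpd's built-in default for anonymous_enable is YES, so an absent line counts as YES.
    anon=$(vsftpd_opt "$conf" anonymous_enable); anon=${anon:-YES}
    [ "$anon" = "NO" ] || { echo "FAIL: anonymous_enable is $anon (anonymous logins allowed)"; rc=1; }

    [ "$(vsftpd_opt "$conf" chroot_local_user)" = "YES" ] \
        || { echo "FAIL: chroot_local_user is not YES (users can browse outside their home)"; rc=1; }

    [ "$(vsftpd_opt "$conf" xferlog_enable)" = "YES" ] \
        || { echo "FAIL: xferlog_enable is not YES (no /var/log/xferlog for auditing)"; rc=1; }

    # Writable chroot root: vsftpd refuses to start in this state unless
    # allow_writeable_chroot=YES; a read-only home with a writable subdirectory is the safer layout.
    if [ "$(vsftpd_opt "$conf" write_enable)" = "YES" ] && \
       [ "$(vsftpd_opt "$conf" allow_writeable_chroot)" = "YES" ]; then
        echo "WARN: allow_writeable_chroot=YES makes the chroot root writable"
    fi

    # ssl_enable defaults to NO: without it, logins and transfers cross the network in clear text.
    [ "$(vsftpd_opt "$conf" ssl_enable)" = "YES" ] \
        || echo "WARN: ssl_enable is not YES (no TLS; credentials sent in clear text)"

    return $rc
}

echo "== article's vsftpd.conf =="
if audit_vsftpd_conf "$VSFTPD_CONF"; then echo "-> access controls OK, see WARN lines"; fi
echo "== minimal vsftpd.conf =="
audit_vsftpd_conf "$LAX_CONF" || echo "-> needs hardening"
```

Run against the article's settings the script passes the access-control checks but emits both warnings; the minimal file fails three checks because it never overrides the defaults.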

You can now connect to the ftp server using a client such as Filezilla:

Note that the /var/log/xferlog log records downloads and uploads, which concur with the directory listing above:
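As an added example (not from the original article), the following script summarises a transfer log written in the standard xferlog layout that xferlog_std_format=YES produces: per-user upload and download counts, bytes moved and incomplete transfers, plus a count of anonymous sessions, which should stay at zero once anonymous_enable=NO is in place. The log lines are constructed for the demonstration (hypothetical users tecmint and alice, hypothetical hosts and paths); on a real host read /var/log/xferlog instead.

```shell
#!/bin/sh
# Added example, not from the original article: summarise a vsftpd transfer log
# in xferlog standard format. The log lines below are constructed.
# Field layout after the 5-token timestamp ($1-$5):
#   $6 transfer-time  $7 remote-host  $8 file-size  $9 filename  $10 transfer-type
#   $11 special-flag  $12 direction (i=upload, o=download)  $13 access-mode (a,g,r)
#   $14 username  $15 service  $16 auth-method  $17 auth-user-id
#   $18 completion-status (c=complete, i=incomplete)

XFERLOG="$(mktemp)"
cat > "$XFERLOG" <<'EOF'
Wed Aug 19 10:05:12 2015 1 192.168.0.10 1024 /home/tecmint/notes.txt b _ i r tecmint ftp 0 * c
Wed Aug 19 10:06:40 2015 2 192.168.0.10 20480 /home/tecmint/report.pdf b _ o r tecmint ftp 0 * c
Wed Aug 19 10:07:55 2015 1 192.168.0.10 4096 /home/tecmint/backup.tar b _ o r tecmint ftp 0 * c
Wed Aug 19 10:09:03 2015 1 192.168.0.25 512 /home/alice/todo.txt a _ i r alice ftp 0 * i
EOF

# Per-user totals: "user uploads downloads bytes incomplete", one line per user, sorted by user.
xferlog_summary() {
    awk '
        NF >= 18 {
            user = $14; dir = $12; size = $8; status = $18
            if (dir == "i") up[user]++; else if (dir == "o") down[user]++
            bytes[user] += size
            if (status != "c") incomplete[user]++
            seen[user] = 1
        }
        END {
            for (u in seen)
                printf "%s %d %d %d %d\n", u, up[u]+0, down[u]+0, bytes[u]+0, incomplete[u]+0
        }' "$1" | sort
}

# Transfers that did not complete: "user file remote-host".
xferlog_incomplete() {
    awk 'NF >= 18 && $18 != "c" { print $14, $9, $7 }' "$1"
}

# Number of transfers made over an anonymous session (access-mode "a").
# With anonymous_enable=NO this must be 0; anything else means the config drifted.
xferlog_anonymous_count() {
    awk 'NF >= 18 && $13 == "a" { n++ } END { print n + 0 }' "$1"
}

echo "== per-user summary (user uploads downloads bytes incomplete) =="
xferlog_summary "$XFERLOG"
echo "== incomplete transfers =="
xferlog_incomplete "$XFERLOG"
echo "== anonymous transfers: $(xferlog_anonymous_count "$XFERLOG") =="
```

The field positions above are fixed by the xferlog format, so the same functions work on a real log; the assumption made here is that filenames contain no spaces, which holds for vsftpd's standard-format output because it substitutes underscores for spaces in the filename field.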

Summary

In this tutorial we have explained how to set up a web and an ftp server. Due to the vastness of the subject, it is not possible to cover all the aspects of these topics (i.e. virtual web hosts). Thus, I recommend you also check other excellent articles in this website about Apache.