Secure FTP File Transfer Using SSL/TLS in RHEL 8

In our last article, we explained in detail how to install and configure an FTP server in RHEL 8 Linux. In this article, we will explain how to secure the FTP server using SSL/TLS, so that file transfers between systems are encrypted.

We assume you already have an FTP server installed and working properly. If not, please use the following guide to install it on your system.

  1. How to Install, Configure and Secure an FTP Server in RHEL 8

Step 1. Generate an SSL/TLS Certificate and Private Key

1. Create the following directory to store the SSL/TLS certificate and key files.

# mkdir -p /etc/ssl/vsftpd

2. Next, generate a self-signed SSL/TLS certificate and private key using the following command.

# openssl req -x509 -nodes -keyout /etc/ssl/vsftpd/vsftpd.pem -out /etc/ssl/vsftpd/vsftpd.pem -days 365 -newkey rsa:2048

The following is an explanation of each flag used in the above command.

  1. req - the command for creating and processing X.509 Certificate Signing Requests (CSR).
  2. x509 - outputs a self-signed X.509 certificate instead of a certificate request.
  3. days - specifies the number of days the certificate is valid for.
  4. newkey - specifies the type of key to generate for the certificate.
  5. rsa:2048 - the RSA key generator; it will produce a 2048-bit private key.
  6. keyout - sets the file the private key is written to.
  7. out - sets the file the certificate is written to; note that both the certificate and the key are stored in the same file: /etc/ssl/vsftpd/vsftpd.pem.

The above command will prompt you to answer the questions below; remember to use values that apply to your environment.

Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Lower Parel
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:TecMint.com
Organizational Unit Name (eg, section) []:Linux and Open Source
Common Name (eg, your name or your server's hostname) []:tecmint
Email Address []:[email 
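The command above is interactive. As an added example (not part of the original article), the following POSIX shell script runs the same openssl command non-interactively, answering the prompts via -subj, and then performs the checks a practitioner wants before pointing vsftpd at the file: that the PEM file holds a private key and a certificate that belong together, that the file is not world-readable (it contains the private key), and that the certificate is not close to expiry. The subject values are constructed placeholders, and CERT_DIR defaults to a temporary directory so the script can be run anywhere; on the real server set CERT_DIR=/etc/ssl/vsftpd.

```shell
#!/bin/sh
# Added example, not from the original article: generate the vsftpd
# certificate/key non-interactively and sanity-check the resulting PEM file.
# Assumptions: openssl is installed; CERT_DIR is a constructed path that
# defaults to a temporary directory (use /etc/ssl/vsftpd on the real server);
# the -subj values are placeholders.

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"
PEM="$CERT_DIR/vsftpd.pem"

# gen_cert: the article's openssl command with the prompts answered via -subj.
# Returns 2 when openssl is not installed, otherwise openssl's own status.
gen_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    mkdir -p "$CERT_DIR" || return 1
    # umask 077 in a subshell: the private key is never world-readable,
    # not even between creation and a later chmod.
    ( umask 077 && openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -keyout "$PEM" -out "$PEM" \
          -subj "/C=IN/ST=Lower Parel/L=Mumbai/O=TecMint.com/OU=Linux and Open Source/CN=tecmint" \
          2>/dev/null )
}

# check_pair: the file holds a certificate AND a private key that belong
# together (the public key derived from each must be identical).
check_pair() {
    cert_pub=$(openssl x509 -in "$PEM" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$PEM" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# key_private: the "other" read bit (column 8 of ls -l) is not set.
key_private() {
    [ -f "$PEM" ] && [ "$(ls -l "$PEM" | cut -c8)" = "-" ]
}

# cert_valid_for_days N: true if the certificate does not expire within N days.
cert_valid_for_days() {
    openssl x509 -in "$PEM" -noout -checkend $(( $1 * 86400 )) >/dev/null
}

# Stand-alone run: generate, then report.
if gen_cert; then
    check_pair && echo "certificate and key in $PEM match"
    key_private && echo "$PEM is not world-readable"
    cert_valid_for_days 30 && echo "certificate valid for at least 30 more days"
    openssl x509 -in "$PEM" -noout -subject -enddate
fi
```

Because `-keyout` and `-out` name the same file, openssl writes the key first and appends the certificate, which is why the same path can be used for both rsa_cert_file and rsa_private_key_file later on; `openssl x509` and `openssl pkey` each pick the PEM block they understand from that combined file.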

Step 2. Configure VSFTPD to Use SSL/TLS

3. Open the VSFTPD configuration file for editing using your favorite command-line editor.

# vi /etc/vsftpd/vsftpd.conf

Add the following configuration parameters at the end of the file to enable SSL and to select which SSL/TLS protocol versions may be used.

ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=NO

4. Next, add the rsa_cert_file and rsa_private_key_file options to specify the location of the SSL certificate and key file respectively.

rsa_cert_file=/etc/ssl/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/ssl/vsftpd/vsftpd.pem

5. Now add these parameters to prevent anonymous connections from using SSL and to force all non-anonymous connections over SSL.

# disable anonymous users from using SSL
allow_anon_ssl=NO
# force all non-anonymous logins to use a secure SSL connection for data transfer
force_local_data_ssl=YES
# force all non-anonymous logins to send the password over SSL
force_local_logins_ssl=YES

6. Next, add these options to disable SSL session reuse for data connections and to restrict the SSL ciphers to the HIGH set, so that only strong cipher suites are accepted.

require_ssl_reuse=NO
ssl_ciphers=HIGH

7. You must also define the range of passive ports (min and max) that vsftpd will use for secure connections, using the pasv_min_port and pasv_max_port parameters respectively. In addition, you can optionally enable SSL debugging for troubleshooting purposes, using the debug_ssl option.

pasv_min_port=40000
pasv_max_port=50000
debug_ssl=YES

8. Finally, save the file and restart the vsftpd service for the above changes to take effect.

# systemctl restart vsftpd

9. Another very important task you must perform before you can securely access the FTP server is to open ports 990 and 40000-50000 in the system firewall. This allows TLS connections to the vsftpd service and opens the passive port range defined in the VSFTPD configuration file, as follows.

# firewall-cmd --zone=public --permanent --add-port=990/tcp
# firewall-cmd --zone=public --permanent --add-port=40000-50000/tcp
# firewall-cmd --reload
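Two things are easy to get wrong in steps 3 to 9: vsftpd takes everything after the `=` as the option's value, so a trailing `# comment` on an option line turns a boolean like `YES` into an invalid value and vsftpd refuses to start; and the firewall rules must match what the configuration actually listens on (with the settings above and no implicit_ssl, vsftpd accepts AUTH TLS on its normal control port, 21 by default, while 990 is the port used for implicit FTPS, plus the passive range). The following POSIX shell script is an added example, not part of the original article or of vsftpd: it audits a vsftpd.conf for the hardening values set above, flags inline comments, and derives the firewall-cmd lines from the configuration rather than from memory. The sample configuration embedded in it is constructed for the example and deliberately contains one inline comment.

```shell
#!/bin/sh
# Added example, not from the original article: audit a vsftpd.conf for the
# TLS hardening settings, flag inline comments (vsftpd treats everything after
# '=' as the value, so "YES   # note" is not a valid boolean), and derive the
# firewall ports from the config. SAMPLE_CONF is a constructed config written
# to a temporary file; point it at /etc/vsftpd/vsftpd.conf on a real server.

SAMPLE_CONF="${SAMPLE_CONF:-$(mktemp)}"
cat > "$SAMPLE_CONF" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/ssl/vsftpd/vsftpd.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES   # trailing comment: vsftpd rejects this value
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_min_port=40000
pasv_max_port=50000
EOF

# conf_get FILE KEY: print the value of KEY (last occurrence wins), or nothing.
conf_get() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# Settings the article requires, as key=expected pairs (no spaces inside).
REQUIRED="ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=NO
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES"

# audit_conf FILE: print one finding per line; return the number of findings.
audit_conf() {
    f="$1"; problems=0
    # 1) inline comments on option lines are part of the value
    for ln in $(grep -n '^[A-Za-z_0-9]*=.*#' "$f" | cut -d: -f1); do
        echo "line $ln: inline comment, vsftpd will reject this value"
        problems=$((problems + 1))
    done
    # 2) required hardening values present with exactly the expected value
    for kv in $REQUIRED; do
        k=${kv%%=*}; want=${kv#*=}; have=$(conf_get "$f" "$k")
        [ "$have" = "$want" ] || {
            echo "$k is '${have:-unset}', expected $want"
            problems=$((problems + 1))
        }
    done
    # 3) implicit FTPS needs an explicit listen_port (990 is the ftps port)
    if [ "$(conf_get "$f" implicit_ssl)" = "YES" ] && [ -z "$(conf_get "$f" listen_port)" ]; then
        echo "implicit_ssl=YES without listen_port; set listen_port explicitly"
        problems=$((problems + 1))
    fi
    return $problems
}

# firewall_ports FILE: the TCP ports firewalld must open for this config
# (control port, 21 unless listen_port is set, plus the passive range).
firewall_ports() {
    f="$1"
    ctl=$(conf_get "$f" listen_port); [ -n "$ctl" ] || ctl=21
    echo "${ctl}/tcp $(conf_get "$f" pasv_min_port)-$(conf_get "$f" pasv_max_port)/tcp"
}

# firewall_cmds FILE: print (do not run) the matching firewall-cmd lines.
firewall_cmds() {
    for p in $(firewall_ports "$1"); do
        echo "firewall-cmd --zone=public --permanent --add-port=$p"
    done
    echo "firewall-cmd --reload"
}

echo "== audit of $SAMPLE_CONF =="
audit_conf "$SAMPLE_CONF" || echo "$? problem(s) found"
echo "== firewall commands derived from the config =="
firewall_cmds "$SAMPLE_CONF"
```

After restarting vsftpd, the server side can be verified without a GUI client using `openssl s_client -connect <server>:21 -starttls ftp`, which performs the AUTH TLS upgrade and prints the certificate the server presented, so a wrong rsa_cert_file path or a stale certificate shows up before users do.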

Step 3: Install FileZilla to Securely Connect to the FTP Server

10. To connect securely to the FTP server, you need an FTP client that supports SSL/TLS connections, such as FileZilla - an open source, widely used, cross-platform FTP, SFTP, and FTPS client that supports SSL/TLS connections by default.

Install FileZilla on Linux using the default package manager as follows:

$ sudo apt-get install filezilla        #Debian/Ubuntu
# yum install epel-release filezilla    #On CentOS/RHEL
# dnf install filezilla                 #Fedora 22+
$ sudo zypper install filezilla         #openSUSE

11. After the FileZilla package is installed, search for it in the system menu and open it. To quickly connect to the remote FTP server, from the main interface, provide the Host IP address, the Username, and the user's Password. Then click QuickConnect.

12. The application will then ask you to accept the connection using the self-signed certificate. Click OK to continue.

If the configuration on the server is correct, the connection should succeed as shown in the following screenshot.

13. Finally, test the secure FTP connection by trying to upload files from your machine to the server as shown in the next screenshot.

That's it! In this article, we showed how to secure an FTP server using SSL/TLS for secure file transfer in RHEL 8. This is the second part of our comprehensive guide to installing, configuring and securing an FTP server in RHEL 8. To share any questions or thoughts, use the form below.