我正在参与创作者训练营第5期,点击了解活动概况
1. 概述
本文描述了,在Ubuntu操作体系下,装置开启TLS加密的安全FTP服务器的装置装备攻略。
环境描述:
- 操作体系:Ubuntu-20.04
2. 装置OpenSSL
2.1 下载
在装置之前先检查体系的openssl版本,防止运转时呈现编译版本和运转版本不一致的问题。
openssl version
- 检查当时openssl途径
which openssl
- 下载
wget -c https://github.com/openssl/openssl/archive/refs/tags/openssl_1_1_1f.tar.gz
2.2 编译
编译参阅文档:github.com/openssl/ope…
tar zxvf OpenSSL_1_1_1f.tar.gz
cd openssl-OpenSSL_1_1_1q
$ ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl '-Wl,-rpath,$(LIBRPATH)'
make
sudo make install
执行完毕后,openssl被装置到/usr/local/ssl目录下。
3. 装置proftpd
3.1. 下载
github库房:github.com/proftpd
下载地址:github.com/proftpd/pro…
3.2. 编译装置
编译参阅文档:www.proftpd.org/docs/howto/…
tar zxvf v1.3.8rc4.tar.gz
cd proftpd-1.3.8rc4
./configure --prefix=/usr/local/proftpd --sysconfdir=/etc --enable-autoshadow --localstatedir=/var/run --enable-ctrls --with-modules=mod_tls -enable-nls --with-includes=/usr/local/ssl/include --with-libraries=/usr/local/ssl/lib
make
sudo make install
注意事项:假如犯错,编译时记住先make clean再make
3.3. 增加虚拟用户
- 创立虚拟用户根目录
mkdir /home/ftproot/
# 装备根目录权限
chown 2001:200 /home/ftproot/
- 创立虚拟用户ftptest
# 创立ftp虚拟用户
/usr/local/proftpd/bin/ftpasswd --file=/etc/proftpd/ftpd.passwd --home=/home/ftproot --shell=/bin/false --name=ftptest --uid=2001 --gid=200 --passwd
# 装备ftp用户组,装备里会仅限组用户登录
/usr/local/proftpd/bin/ftpasswd --group --file=/etc/proftpd/ftpd.group --gid=200 --name=ftpman --member=ftptest
3.4 生成证书
cd /usr/local/proftpd/
cp /usr/local/ssl/openssl.cnf .
# 仅Common Name需求输入,且应该与拜访地址一致
openssl req -new -x509 -nodes -config openssl.cnf -out proftpd.crt -keyout proftpd.key
取得proftpd.crt 、proftpd.key两个秘钥文件,放到/etc/proftpd/目录下
mkdir /etc/proftpd
cp proftpd.crt proftpd.key /etc/proftpd/
3.5. 装备
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Don't use IPv6 support by default.
UseIPv6 off
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group under which the server will run.
User nobody
Group nogroup
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~
# 有必要翻开,将用户限定在自己的目录中
DefaultRoot ~
# 由于虚拟用户是没有 shell 的,所以要翻开这个设定
RequireValidShell off
# 用 mod_auth_file.c 验证登录用户名和密码
AuthOrder mod_auth_file.c
# 寄存用户名和密码的文件
AuthUserFile /etc/proftpd/ftpd.passwd
AuthGroupFile /etc/proftpd/ftpd.group
# 答应下载时断点续传
AllowRetrieveRestart on
# 答应上传时断点续传
AllowStoreRestart on
# 客户端登录时不显现服务器信息
ServerIdent off
# Normally, we want files to be overwriteable.
AllowOverwrite on
TimeoutLogin 120
TimeoutNoTransfer 900
MaxClientsPerHost 5
PassivePorts 55000 56000
#关闭DNS反向查询,节省连接时间
UseReverseDNS off
TransferLog /var/log/xferlog
SystemLog /var/log/proftpd.log
MaxClients 100
#IdentLookups off
UseReverseDNS off
DeleteAbortedStores on
DirFakeGroup on
DirFakeUser on
DirFakeMode 0600
RequireValidShell off
LangOptions PreferServerEncoding #在编译时参加 --enable-nls才干用
UseEncoding utf8 gbk #在编译时参加 --enable-nls才干用
# Normally, we want files to be overwriteable.
<Directory />
AllowOverwrite on
</Directory>
<Limit LOGIN>
AllowGroup ftpman
DenyAll
</Limit>
#########################ssl/tls############################
# MOD_TLS SETTING
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd-tls.log
TLSProtocol SSLv23
# Are clients required to use FTP over TLS when talking to this server?
TLSRequired ctrl
# Server's certificate
TLSRSACertificateFile /etc/proftpd/proftpd.crt
TLSRSACertificateKeyFile /etc/proftpd/proftpd.key
# Authenticate clients that want to use FTP over TLS
TLSVerifyClient off
#########################ssl/tls############################
<Directory /home/ftproot/down>
<Limit WRITE>
DenyGroup ftpman
</Limit>
# TransferRate RETR 150 group ftpman
</Directory>
<Directory /home/ftproot/upload>
<Limit RMD RNFR DELE RETR>
DenyGroup ftpman
</Limit>
# TransferRate STOR 150 group ftpman
</Directory>
# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
DenyAll
</Limit>
3.6 发动proftpd测验
sudo /usr/local/proftpd/sbin/proftpd
4. 装备开机发动
Ubuntu20.04现已将systemctrl作为首选的装备项发动工具,这儿也采用引荐的方法。
proftpd的源代码目录下现已包含了发动脚本,翻开proftpd-1.3.8rc4/contrib/dist/rpm/proftpd.service文件,修改后的信息如下:
[Unit]
Description = ProFTPD FTP Server
Wants=network-online.target
After=network-online.target nss-lookup.target local-fs.target remote-fs.target
[Service]
Type = simple
Environment = PROFTPD_OPTIONS=
EnvironmentFile = /etc/proftpd.conf
ExecStartPre = /usr/local/proftpd/sbin/proftpd --configtest
ExecStart = /usr/local/proftpd/sbin/proftpd --nodaemon $PROFTPD_OPTIONS
ExecReload = /bin/kill -HUP $MAINPID
PIDFile = /run/proftpd/proftpd.pid
[Install]
WantedBy = multi-user.target
将发动脚本放到体系发动脚本目录下
sudo cp proftpd.service /etc/systemd/system/.
注册发动脚本
cd /etc/systemd/system/
zhoushimin@zsm:system$ sudo systemctl enable proftpd.service
Created symlink /etc/systemd/system/multi-user.target.wants/proftpd.service → /etc/systemd/system/proftpd.service.
发动服务:
sudo systemctl start proftpd.service
停止服务:
sudo systemctl stop proftpd.service
检查服务运转日志:
zhoushimin@zsm:rpm$ systemctl status proftpd.service
● proftpd.service - ProFTPD FTP Server
Loaded: loaded (/etc/systemd/system/proftpd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2022-08-01 17:03:12 CST; 6min ago
Process: 418310 ExecStartPre=/usr/local/proftpd/sbin/proftpd --configtest (code=exited, status=0/SUCCESS)
Main PID: 418311 (proftpd)
Tasks: 2 (limit: 18967)
Memory: 2.3M
CGroup: /system.slice/proftpd.service
├─418311 proftpd: (accepting connections)
└─421778 proftpd: ftptest - 127.0.0.1: IDLE
8月 01 17:03:12 zsm systemd[1]: Starting ProFTPD FTP Server...
8月 01 17:03:12 zsm proftpd[418310]: Checking syntax of configuration file
8月 01 17:03:12 zsm systemd[1]: Started ProFTPD FTP Server.
8月 01 17:03:12 zsm proftpd[418311]: 2022-08-01 17:03:12,569 zsm proftpd[418311] 127.0.1.1: ProFTPD 1.3.8rc4 (devel) (built Thu Jul 28 2022 20:03:21 CST) standalone mode STARTUP
8月 01 17:05:43 zsm proftpd[421778]: 2022-08-01 17:05:43,613 zsm proftpd[421778] 127.0.1.1 (127.0.0.1[127.0.0.1]): FTP session opened.
8月 01 17:05:43 zsm proftpd[421778]: 2022-08-01 17:05:43,628 zsm proftpd[421778] 127.0.1.1 (127.0.0.1[127.0.0.1]): USER ftptest: Login successful.
5 总结
基本上把建立安全FTP服务器的流程都跑了一遍,将来扩展的事项有:
- 进一步装备证书秘钥,使客户端需求证书才干拜访FTP服务器。
- 将来还会装备selinux权限,进一步实现最小权限原则。
- 在嵌入式Linux上实现安全proftpd
参阅文献:
- developer.aliyun.com/article/527…
- www.proftpd.org/docs/howto/…