profptd | Записки системного администратора

Записи с меткой ‘profptd’

Установка и настройка безопасного ProFTPD-сервера TLS/SSL на Centos 6/7

Февраль 4th, 2015

Evgeniy Kamenev

1.Настройка небезопасного ProFTPD -сервера

# yum install proftpd proftpd-utils

1	# yum install proftpd proftpd-utils

# cp /etc/proftpd.conf /etc/proftpd.conf~

1	# cp /etc/proftpd.conf /etc/proftpd.conf~

# nano /etc/proftpd.conf

1	# nano /etc/proftpd.conf

ServerName                     "My FTP server"
ServerIdent                     off
ServerAdmin                     root@localhost
DefaultServer                   on
DefaultRoot                     ~ !adm
AuthPAMConfig                   proftpd
AuthOrder                       mod_auth_pam.c* mod_auth_unix.c
UseReverseDNS                   off
UseIPv6                         off
IdentLookups                    off
User                           nobody
Group                           nobody
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
MaxInstances                   20
MaxClientsPerHost 5
MaxClientsPerUser 5
MaxHostsPerUser 5
MaxLoginAttempts 3
UseSendfile                     off
LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                      auth   "%v [%P] %h %t \"%r\" %s"
SystemLog                       /var/log/proftpd/proftpd.log
TransferLog                     /var/log/proftpd/xfer.log
ExtendedLog                     /var/log/proftpd/auth.log AUTH auth

<Global>
Umask                        022
AllowOverwrite               yes
<Limit ALL SITE_CHMOD>

AllowAll

</Limit>
</Global>

ServerName "My FTP server"

ServerIdent off

ServerAdmin root@localhost

DefaultServer on

DefaultRoot ~ !adm

AuthPAMConfig proftpd

AuthOrder mod_auth_pam.c* mod_auth_unix.c

UseReverseDNS off

UseIPv6 off

IdentLookups off

User nobody

Group nobody

TimeoutNoTransfer 600

TimeoutStalled 600

TimeoutIdle 1200

MaxInstances 20

MaxClientsPerHost 5

MaxClientsPerUser 5

MaxHostsPerUser 5

MaxLoginAttempts 3

UseSendfile off

LogFormat default "%h %l %u %t \"%r\" %s %b"

LogFormat auth "%v [%P] %h %t \"%r\" %s"

SystemLog /var/log/proftpd/proftpd.log

TransferLog /var/log/proftpd/xfer.log

ExtendedLog /var/log/proftpd/auth.log AUTH auth

Umask 022

AllowOverwrite yes

AllowAll

</Limit>

</Global>

# proftpd –t

1	# proftpd –t

Centos 6

# chkconfig --level 2345 proftpd on

1	# chkconfig --level 2345 proftpd on

# /etc/init.d/proftpd start

1	# /etc/init.d/proftpd start

Centos 7

# systemctl enable proftpd

1	# systemctl enable proftpd

# systemctl start proftpd

1	# systemctl start proftpd

Настройка firewall Iptables

# iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

1	# iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

1	# iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

# nano /etc/sysconfig/iptables-config

1	# nano /etc/sysconfig/iptables-config

IPTABLES_MODULES="ip_conntrack_ftp"

1	IPTABLES_MODULES="ip_conntrack_ftp"

# /etc/init.d/iptables save

1	# /etc/init.d/iptables save

Firewalld

# firewall-cmd --permanent --add-port=21/tcp

1	# firewall-cmd --permanent --add-port=21/tcp

# firewall-cmd --reload

1	# firewall-cmd --reload

2.Настройка ProFTPD на использование TLS/SSL протокола

# mkdir /etc/ssl/proftpd

1	# mkdir /etc/ssl/proftpd

# openssl req -x509 -days 3650 -nodes -newkey rsa:1024 -keyout /etc/ssl/proftpd/proftpd.key -out /etc/ssl/proftpd/proftpd.crt

1	# openssl req -x509 -days 3650 -nodes -newkey rsa:1024 -keyout /etc/ssl/proftpd/proftpd.key -out /etc/ssl/proftpd/proftpd.crt

# chmod 600 /etc/ssl/proftpd/proftpd.key

1	# chmod 600 /etc/ssl/proftpd/proftpd.key

# nano /etc/proftpd.conf

1	# nano /etc/proftpd.conf

PassivePorts 49152 65534

1	PassivePorts 49152 65534

<IfDefine TLS>

TLSEngine                     on
#TLSRequired                 on
TLSRSACertificateFile         /etc/ssl/proftpd/proftpd.crt
TLSRSACertificateKeyFile     /etc/ssl/proftpd/proftpd.key
TLSCipherSuite               ALL:!ADH:!DES
TLSOptions                   NoCertRequest
TLSVerifyClient               off
#TLSRenegotiate               ctrl 3600 data 512000 required off timeout 300
TLSLog                       /var/log/proftpd/tls.log

<IfModule mod_tls_shmcache.c>
TLSSessionCache             shm:/file=/var/run/proftpd/sesscache

</IfModule>
</IfDefine>

TLSEngine on

#TLSRequired on

TLSRSACertificateFile /etc/ssl/proftpd/proftpd.crt

TLSRSACertificateKeyFile /etc/ssl/proftpd/proftpd.key

TLSCipherSuite ALL:!ADH:!DES

TLSOptions NoCertRequest

TLSVerifyClient off

#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300

TLSLog /var/log/proftpd/tls.log

TLSSessionCache shm:/file=/var/run/proftpd/sesscache

</IfModule>

</IfDefine>

Если расскоментировать опцию #TLSRequired on ,тогда только TLS/SSL соединения будут разрешены. Чтобы […]

Опубликовано в рубрике Centos, FTP

Метки: centos 7, profptd, SSL, TLS

Комментарии отключены

Записи с меткой ‘profptd’

Установка и настройка безопасного ProFTPD-сервера TLS/SSL на Centos 6/7

Страницы

Свежие записи

Архивы

Рубрики

Админ-панель