- The server offers FTP, FTPS and SFTP at the same time.
- chroot is supported.
- The same user, logging in through any of the services, must see the same files.
ProFTPd is short for "Professional FTP daemon". Like vsFTPd, it is an FTP server that emphasizes security. vsFTPd is currently the most widely used FTP server, so why not just use vsFTPd?
The reason is that vsFTPd does not support SFTP, so SSHd's SFTP module has to be used alongside it. If that SFTP module is to support chroot, every SFTP user must belong to the same group and the chroot directory must be owned by root, which places real constraints on how permissions can be set up.
ProFTPd is configured much like the Apache web server: it has the same concepts of VirtualHost and modules. ProFTPd ships its own SFTP module, so SSHd's SFTP module is not needed and its group and ownership restrictions do not apply, which makes access control more flexible. And because two separate pieces of software (vsFTPd and SSHd) no longer have to be configured together, the setup is also simpler.
Installation
Before installing proftpd, the EPEL repository must be installed first; for the steps, see this article:
[root@proftpd1 ~]# yum install proftpd -y
[root@proftpd1 ~]# getenforce #confirm that SELinux is disabled
Disabled
Configuring the FTP service
/etc/proftpd.conf is ProFTPd's main configuration file.
[root@proftpd1 ~]# vim /etc/proftpd.conf
#line 77 modify
ServerName "proftpd1" #remember to add proftpd1 to /etc/hosts, otherwise an error will occur!!
#line 81 add
Port 21
PassivePorts 40000 45000 #a firewall will be configured, so Passive Mode is used with a fixed port range
Configuring the FTPS service
#create a self-signed certificate
[root@proftpd1 ~]# openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem
Generating a 2048 bit RSA private key
..+++
.......+++
writing new private key to '/etc/pki/tls/certs/proftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan
Locality Name (eg, city) [Default City]:Hsinchu
Organization Name (eg, company) [Default Company Ltd]:JYC
Organizational Unit Name (eg, section) []:JYC
Common Name (eg, your name or your server's hostname) []:proftpd1
Email Address []:fishgo65@gmail.com
#edit the configuration file
[root@proftpd1 ~]# vim /etc/proftpd.conf
# near line 294 modify
#<IfDefine TLS>
TLSEngine on
TLSRequired off #change to on to force FTPS
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
#proftpd.pem holds the private key as well as the certificate, so keep it owned by root with mode 600
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
#TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
# <IfModule mod_tls_shmcache.c>
# TLSSessionCache shm:/file=/var/run/proftpd/sesscache
# </IfModule>
#</IfDefine>
Configuring the SFTP service
[root@proftpd1 ~]# vim /etc/proftpd.conf
#near line 210 uncomment
LoadModule mod_sftp.c
#near line 214 uncomment
LoadModule mod_sftp_pam.c
#near line 429 add
<VirtualHost 0.0.0.0>
Port 2221
<IfModule mod_sftp.c>
SFTPEngine on
SFTPLog /var/log/proftpd/sftp.log
SFTPHostKey /etc/ssh/ssh_host_rsa_key #permissions must be 600, otherwise an error will occur
SFTPCompression delayed
</IfModule>
</VirtualHost>
#fix the permissions
[root@proftpd1 ~]# chmod 600 /etc/ssh/ssh_host_rsa_key
Starting ProFTPd
[root@proftpd1 ~]# systemctl restart proftpd.service
[root@proftpd1 ~]# systemctl enable proftpd.service
ln -s '/usr/lib/systemd/system/proftpd.service' '/etc/systemd/system/multi-user.target.wants/proftpd.service'
Configuring the firewall
#confirm that firewalld is stopped
[root@proftpd1 ~]# systemctl status firewalld
firewalld.service
Loaded: masked (/dev/null)
Active: inactive (dead) since Thu 2015-06-11 17:02:09 CST; 2 weeks 6 days ago
Main PID: 1218 (code=exited, status=0/SUCCESS)
Jun 05 13:38:50 proftpd1 systemd[1]: Started firewalld - dynamic firewall daemon.
Jun 11 17:02:08 proftpd1 systemd[1]: Stopping firewalld.service...
Jun 11 17:02:09 proftpd1 systemd[1]: Stopped firewalld.service.
Hint: Some lines were ellipsized, use -l to show in full.
#have iptables load the ftp connection-tracking modules, so passive data connections are matched as RELATED
[root@proftpd1 ~]# vim /etc/sysconfig/iptables-config
#line 6 modify
IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp"
#on current kernels these names are aliases of nf_nat_ftp and nf_conntrack_ftp
#start iptables
[root@proftpd1 ~]# systemctl start iptables
[root@proftpd1 ~]# systemctl enable iptables
[root@proftpd1 ~]# vim iptables.sh
# add
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 2221 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 40000:45000 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
iptables-save > /etc/sysconfig/iptables
[root@proftpd1 ~]# sh iptables.sh
[root@proftpd1 ~]# systemctl restart iptables
Testing the services
#create a user
[root@proftpd1 ~]# useradd ftpuser -s /sbin/nologin
[root@proftpd1 ~]# echo 'ftpuser' | passwd --stdin ftpuser
更改使用者 ftpuser 的密碼。
passwd:所有驗證 token 都已成功更新。
#create a test file
[root@proftpd1 ~]# touch ftptest
#test FTP and SFTP
[root@proftpd1 ~]# yum install ftp sftp -y
[root@proftpd1 ~]# ftp proftpd1 21
Connected to proftpd1 (127.0.0.1).
220 FTP Server ready.
Name (proftpd1:root): ftpuser
331 Password required for ftpuser
Password: ftpuser
230 User ftpuser logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put ftptest
local: ftptest remote: ftptest
227 Entering Passive Mode (127,0,0,1,175,71).
150 Opening BINARY mode data connection for ftptest
226 Transfer complete
ftp> ls
227 Entering Passive Mode (127,0,0,1,174,242).
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 ftpuser ftpuser 0 Jul 1 12:24 ftptest
226 Transfer complete
ftp> quit
[root@proftpd1 ~]# sftp -P 2221 ftpuser@proftpd1
The authenticity of host '[proftpd1]:2221 ([127.0.0.1]:2221)' can't be established.
RSA key fingerprint is 20:ef:e8:1a:89:1f:22:27:8c:f5:46:8e:2b:da:81:fc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[proftpd1]:2221' (RSA) to the list of known hosts.
Password: ftpuser
Connected to proftpd1.
sftp> ls
ftptest #confirms that the files seen through the different services are the same
sftp> quit
Errors you may encounter
#the permissions on /etc/ssh/ssh_host_rsa_key were not changed to 600
[root@proftpd1 ~]# systemctl status proftpd.service -l
proftpd.service - ProFTPD FTP Server
Loaded: loaded (/usr/lib/systemd/system/proftpd.service; enabled)
Active: failed (Result: exit-code) since 四 2015-07-02 14:15:45 CST; 12s ago
Process: 3876 ExecStart=/usr/sbin/proftpd $PROFTPD_OPTIONS (code=exited, status=1/FAILURE)
Main PID: 1073 (code=exited, status=0/SUCCESS)
7月 02 14:15:45 proftpd1 systemd[1]: Starting ProFTPD FTP Server...
7月 02 14:15:45 proftpd1 proftpd[3876]: 2015-07-02 14:15:45,412 proftpd1 proftpd[3876]: fatal: SFTPHostKey: unable to use '/etc/ssh/ssh_host_rsa_key' as host key, as it is group- or world-accessible on line 434 of '/etc/proftpd.conf'
7月 02 14:15:45 proftpd1 systemd[1]: proftpd.service: control process exited, code=exited status=1
7月 02 14:15:45 proftpd1 systemd[1]: Failed to start ProFTPD FTP Server.
7月 02 14:15:45 proftpd1 systemd[1]: Unit proftpd.service entered failed state.
#solution
[root@proftpd1 ~]# chmod 600 /etc/ssh/ssh_host_rsa_key
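The two things that go wrong most often in this setup are the ones covered above: the PassivePorts range in proftpd.conf drifting away from the range the iptables script opens, and a private key file (the SFTP host key, or the .pem that holds the TLS key) being readable by group or world so that proftpd refuses to start. The script below is an added example, not code from the original post or from the ProFTPD project: it reads a proftpd.conf-style file and an iptables-save-style rules file, compares the passive range against the firewall rule, checks that TLS is on (and warns when TLSRequired is off, which still lets plaintext logins through), checks that mod_sftp.c is actually loaded when an SFTPEngine block exists, and checks the mode of every key file the config names. The sample config, rules and key files are constructed inline by make_samples so it runs offline; the function names and all paths are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-flight check that reads a
# proftpd.conf-style file and an iptables-save-style rules file and flags the
# mismatches this tutorial runs into. All paths are placeholders; the sample
# config, rules and key files are constructed by make_samples.

# directive_value CONF NAME [FIELD] -> prints the FIELD-th word (default 2) of
# the first uncommented line whose first word is NAME (nothing if absent)
directive_value() {
  awk -v name="$2" -v f="${3:-2}" '$1==name { print $f; exit }' "$1"
}

# key_mode_ok PATH -> 0 when PATH is not group- or world-accessible
# (proftpd refuses an SFTPHostKey that is, see the error section above)
key_mode_ok() {
  case "$(stat -c %a "$1" 2>/dev/null)" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# check_proftpd CONF RULES -> prints one line per check, returns 1 on any FAIL
check_proftpd() {
  conf="$1"; rules="$2"; fail=0

  # 1. the PassivePorts range must be exactly the range the firewall opens
  lo=$(directive_value "$conf" PassivePorts 2)
  hi=$(directive_value "$conf" PassivePorts 3)
  if [ -z "$lo" ] || [ -z "$hi" ]; then
    echo "FAIL: no PassivePorts directive, passive data ports would be random"; fail=1
  elif grep -q -- "--dports $lo:$hi " "$rules"; then
    echo "ok: passive range $lo:$hi is opened by the firewall"
  else
    echo "FAIL: firewall does not open passive range $lo:$hi"; fail=1
  fi

  # 2. TLS enabled; plaintext logins are still accepted while TLSRequired is off
  if [ "$(directive_value "$conf" TLSEngine)" != on ]; then
    echo "FAIL: TLSEngine is not on"; fail=1
  elif [ "$(directive_value "$conf" TLSRequired)" = off ]; then
    echo "WARN: TLSRequired off, unencrypted FTP logins are accepted"
  else
    echo "ok: TLS is required"
  fi

  # 3. an SFTPEngine block needs an uncommented LoadModule mod_sftp.c
  if [ "$(directive_value "$conf" SFTPEngine)" = on ] &&
     ! grep -q '^[[:space:]]*LoadModule[[:space:]]*mod_sftp\.c' "$conf"; then
    echo "FAIL: SFTPEngine on but mod_sftp.c is not loaded"; fail=1
  fi

  # 4. every private-key file the config names must be mode 600 (or 400)
  for d in SFTPHostKey TLSRSACertificateKeyFile; do
    path=$(directive_value "$conf" "$d")
    [ -n "$path" ] || continue
    if key_mode_ok "$path"; then
      echo "ok: $d $path is owner-only"
    else
      echo "FAIL: $d $path is group- or world-accessible, chmod 600 it"; fail=1
    fi
  done
  return $fail
}

# make_samples DIR -> writes constructed good/bad configs, a rules file and keys
make_samples() {
  dir="$1"
  : > "$dir/key_ok";  chmod 600 "$dir/key_ok"
  : > "$dir/key_bad"; chmod 644 "$dir/key_bad"
  printf '%s\n' \
    '-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT' \
    '-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 40000:45000 -j ACCEPT' \
    > "$dir/rules"
  printf '%s\n' \
    'PassivePorts 40000 45000' 'TLSEngine on' 'TLSRequired on' \
    "TLSRSACertificateKeyFile $dir/key_ok" \
    'LoadModule mod_sftp.c' 'SFTPEngine on' "SFTPHostKey $dir/key_ok" \
    > "$dir/good.conf"
  printf '%s\n' \
    'PassivePorts 50000 55000' 'TLSEngine on' 'TLSRequired off' \
    "TLSRSACertificateKeyFile $dir/key_ok" \
    '#LoadModule mod_sftp.c' 'SFTPEngine on' "SFTPHostKey $dir/key_bad" \
    > "$dir/bad.conf"
}

# stand-alone demo over the constructed samples
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for c in good bad; do
  echo "== $c.conf"
  if check_proftpd "$demo_dir/$c.conf" "$demo_dir/rules"; then
    echo "result: pass"
  else
    echo "result: problems found"
  fi
done
```

On a real host you would call check_proftpd with /etc/proftpd.conf and the output of iptables-save (or /etc/sysconfig/iptables, which the tutorial's script writes), and run it after every edit to proftpd.conf and before restarting proftpd; the key-mode check is the same test proftpd applies when it fails with "group- or world-accessible" as shown in the error section.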
Successfully using FTP, thanks for the tutorial!!