1. FTP Server
1.1 vsftpd installation
    # pacman -S vsftpd
1.2 vsftpd configuration
① Edit the configuration file
    # vim /etc/vsftpd.conf
    ● Line 12: no anonymous login (confirm it is set)
      anonymous_enable=NO
    ● Line 15: uncomment
      local_enable=YES
    ● Line 18: uncomment
      write_enable=YES
    ● Line 22: uncomment
      local_umask=022
    ● Line 38: log transfer records (confirm it is set)
      xferlog_enable=YES
    ● Lines 80, 81: uncomment (allow transfers in ASCII mode)
      ascii_upload_enable=YES
      ascii_download_enable=YES
    ● Lines 98, 99: uncomment (enable chroot)
      chroot_local_user=YES
      chroot_list_enable=YES
    ● Line 101: uncomment (chroot list file)
      chroot_list_file=/etc/vsftpd.chroot_list
    ● Line 107: uncomment (enable recursive directory listing, ls -R)
      ls_recurse_enable=YES
    ### Add to the last line ###
    # Use local time
    use_localtime=YES
    seccomp_sandbox=NO
    allow_writeable_chroot=YES
② Add the users who are allowed to access directories above their home (they are exempted from the chroot)
    # echo "huong" >> /etc/vsftpd.chroot_list
In my case I wrote huong.
③ Specify the IP addresses allowed to connect in /etc/hosts.allow
    # echo "vsftpd:192.168.11.0/24" >> /etc/hosts.allow
192.168.11.0/24 is the setting that allows all local IP addresses in my environment.
④ Write vsftpd:ALL (deny all connections) in /etc/hosts.deny
    # echo "vsftpd:ALL" >> /etc/hosts.deny
Together with the previous step, this denies every connection except those from the addresses listed in hosts.allow: hosts.allow is consulted first and a match there grants access, and everything else falls through to hosts.deny and is refused.
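To see what the two echo lines above actually produce, the following added shell script (not from the page) models the lookup order libwrap uses: hosts.allow is checked first and a match grants access, hosts.deny is checked next, and a client matching neither is allowed. It writes constructed copies of the two files to a temporary directory and probes three constructed client addresses; the function names (ip_to_int, client_match, file_matches, wrappers_decision) are hypothetical, and only the ALL, CIDR and trailing-dot prefix client forms are modelled, not the full hosts_access(5) syntax. One caveat from the vsftpd man page: vsftpd reads these files only when it was built with tcp_wrappers support and vsftpd.conf contains tcp_wrappers=YES (the default is NO), so confirm that option before relying on the rules.

```shell
#!/bin/sh
# Added example: models the libwrap lookup order for the hosts.allow /
# hosts.deny lines on this page. Hypothetical helper, not part of vsftpd.

# ip_to_int DOTTED-QUAD -> 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# client_match IP PATTERN: PATTERN may be ALL, a.b.c.d/NN, a.b.c.d, or a
# trailing-dot prefix such as 192.168.11. (the forms used on this page;
# hostnames, EXCEPT lists and netgroups from hosts_access(5) are not modelled)
client_match() {
    ip=$1; pat=$2
    case $pat in
        ALL) return 0 ;;
        */*)
            net=${pat%/*}; bits=${pat#*/}
            if [ "$bits" -eq 0 ]; then mask=0
            else mask=$(( (4294967295 << (32 - bits)) & 4294967295 )); fi
            [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
            ;;
        *.) case $ip in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)  [ "$ip" = "$pat" ] ;;
    esac
}

# file_matches FILE DAEMON IP: 0 if any "daemon_list : client_list" line applies
file_matches() {
    file=$1; daemon=$2; client=$3
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # strip comments
        case $line in *:*) ;; *) continue ;; esac
        clients=${line#*:}
        clients=${clients%%:*}                    # second field only; a third field would be a shell command
        for d in $(printf '%s\n' "${line%%:*}" | tr , ' '); do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
            for c in $(printf '%s\n' "$clients" | tr , ' '); do
                client_match "$client" "$c" && return 0
            done
        done
    done < "$file"
    return 1
}

# wrappers_decision DAEMON IP -> prints allow or deny.
# hosts.allow is consulted first and a match there wins; then hosts.deny;
# a client matching neither file is allowed.
wrappers_decision() {
    if file_matches "$WRAP_DIR/hosts.allow" "$1" "$2"; then echo allow
    elif file_matches "$WRAP_DIR/hosts.deny" "$1" "$2"; then echo deny
    else echo allow; fi
}

WRAP_DIR=$(mktemp -d)
# constructed copies of what the two echo commands on this page append
printf 'vsftpd:192.168.11.0/24\n' > "$WRAP_DIR/hosts.allow"
printf 'vsftpd:ALL\n' > "$WRAP_DIR/hosts.deny"

for probe in 192.168.11.83 192.168.12.1 10.0.0.5; do
    printf '%-14s -> %s\n' "$probe" "$(wrappers_decision vsftpd "$probe")"
done
# 192.168.11.83 -> allow, the other two -> deny
```

Because the first matching file wins, adding a broad entry such as "vsftpd:ALL" to hosts.allow by mistake would silently cancel the hosts.deny line; probing a few addresses from outside the intended range is the quickest way to catch that.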
⑤ Enable vsftpd at boot and start it
    # systemctl enable vsftpd
    Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /usr/lib/systemd/system/vsftpd.service
    # systemctl start vsftpd
⑥ From the Windows side, check that you can connect with FileZilla.
Open the FTP port in UFW before connecting:
    # ufw allow ftp
    # ufw reload
Start FileZilla and select "Site Manager" from the "File" menu.
Click "New site".
Enter the following settings for each item and click "Connect":
Protocol : FTP - File Transfer Protocol
Host : server IP address
Port : can be left blank
Encryption : Use explicit FTP over TLS if available
Logon Type : Ask for password
User : general user name (the server login user)
Enter the login user's password in "Password" and click "OK".
If the connection succeeds, the server directory is displayed on the right and the Windows directory on the left.
2. vsftpd SSL/TLS
Configure vsftpd to use SSL/TLS.
2.1 Create self-signed certificates
This step is not necessary if you are using a trusted, legitimate certificate such as Let's Encrypt.
The values you enter here do not matter; the certificate is only used to encrypt the connection.
    # cd /etc/ssl/certs
    # openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout vsftpd.pem -out vsftpd.pem
    Generating a RSA private key
    ........................+++++
    ..................+++++
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:JP
    State or Province Name (full name) [Some-State]:Osaka
    Locality Name (eg, city) []:Sakai
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:private
    Organizational Unit Name (eg, section) []:Admin
    Common Name (e.g. server FQDN or YOUR name) []:Lepard
    Email Address []:Administrator's email address

    # chmod 600 vsftpd.pem
2.2 vsftpd configuration
    # vim /etc/vsftpd.conf
    # Add to the last line
    ssl_enable=YES
    # Choose what you like; if you accept anonymous connections you may want to enable this
    # allow_anon_ssl=NO
    # By default all non-anonymous logins are forced to use SSL to send and receive passwords and data; set to NO to allow non-secure connections
    force_local_logins_ssl=YES
    force_local_data_ssl=YES
    # You should at least enable TLS v1 if you enable SSL
    ssl_tlsv1=YES
    # Give the correct path to your .pem file
    rsa_cert_file=/etc/ssl/certs/vsftpd.pem
    # The .pem file also contains the private key
    rsa_private_key_file=/etc/ssl/certs/vsftpd.pem

    # systemctl restart vsftpd
When connecting with FileZilla, a screen asking you to trust the server certificate appears; check the box and click "OK" to connect as described above.
3. File server installation with Samba
Build a file server with access rights that requires user authentication with Samba.
Installation procedure
(1) Create a shared folder with access rights that require user authentication
(2) Create a group that has access rights
(3) Create users belonging to the group that can access the folder
(4) Edit the configuration file
3.1 Install samba
    # pacman -Syu samba
3.2 Shared folder creation
    # mkdir /home/smbshare
3.3 Creating the access group (smbgroup)
    # groupadd smbgroup
    # chgrp smbgroup /home/smbshare
    # chmod 770 /home/smbshare
3.4 Configuration File Editing
Create a new smb.conf:
    # vim /etc/samba/smb.conf
    [global]
    unix charset = UTF-8
    dos charset = CP932
    workgroup = SAMBA
    security = user
    hosts allow = 127. 192.168.11.
    # Arbitrary share name
    [Smbshare]
    # Shared folder
    path = /home/smbshare
    # Allow writes
    writable = yes
    # Do not allow guest users
    guest ok = no
    # Grant access only to the smbgroup group
    valid users = @smbgroup
    # Use smbgroup as the group for created files
    force group = smbgroup
    # Permissions for created files: 770
    force create mode = 770
    # Permissions for created folders: 770
    force directory mode = 770
    # Inherit permissions from the parent folder
    inherit permissions = yes
3.5 Start smb
    # systemctl enable smb
    Created symlink /etc/systemd/system/multi-user.target.wants/smb.service → /usr/lib/systemd/system/smb.service.
    # systemctl start smb
3.6 User (smbuser) registration, password setting, group registration
    # useradd smbuser
    # pdbedit -a -u smbuser
    new password:
    retype new password:
    Unix username:        smbuser
    NT username:
    Account Flags:        [U          ]
    User SID:             S-1-5-21-549841349-3995831062-4113077058-1000
    Primary Group SID:    S-1-5-21-549841349-3995831062-4113077058-513
    Full Name:
    Home Directory:       \\LEPARD\smbuser
    HomeDir Drive:
    Logon Script:
    Profile Path:         \\LEPARD\smbuser\profile
    Domain:               LEPARD
    Account desc:
    Workstations:
    Munged dial:
    Logon time:           0
    Logoff time:          Thu, 07 Feb 2036 00:06:39 JST
    Kickoff time:         Thu, 07 Feb 2036 00:06:39 JST
    Password last set:    Sat, 16 Dec 2023 13:39:14 JST
    Password can change:  Sat, 16 Dec 2023 13:39:14 JST
    Password must change: never
    Last bad password   : 0
    Bad password count  : 0
    Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    # usermod -aG smbgroup smbuser
3.7 UFW to allow Samba services
Open TCP ports 137 through 139 and 445:
    # ufw allow 137:139/tcp
    # ufw allow 445/tcp
    # ufw reload
Connecting from Windows File Explorer
Open Explorer and enter "\\[server IP address]" in the address bar (in this case 192.168.11.83) to access the server.
You will be asked for authentication information. Enter the following and click "OK":
User name : the user created in "3.6 User (smbuser) registration, password setting, group registration"
Password : the password of that user
Once the shared directory is displayed, confirm that you can create new files and folders in it.