1.FTP Server Installation
1. 1 Vsftpd Install
|
1 |
# dnf install vsftpd |
version check
|
1 2 |
# vsftpd -v vsftpd: version 3.0.5 |
1.2 Configuring vsftpd
Save the unedited vsftpd.conf with .bak
|
1 |
# cp /etc/vsftpd/vsftpd.conf /home/huong/vsftpd.conf.bak |
①Edit the configuration file
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
# vi /etc/vsftpd/vsftpd.conf ●Line 12: Anonymous login prohibited anonymous_enable=NO ●Line 39: Log the transfer record. xferlog_enable=NO ●Lines 82, 83 Uncomment (allow transfer in ASCII mode) ascii_upload_enable=YES ascii_download_enable=YES ●Lines 100 and 101: uncomment ( chroot enabled ) chroot_local_user=YES chroot_list_enable=YES ●Line 103, uncomment (specify chroot list file) chroot_list_file=/etc/vsftpd/chroot_list ●Line 109 Uncomment (enable bulk transfer for each directory) ls_recurse_enable=YES ●Line 114, Change ( Enable IPv4 ) listen=YES ●Line 123, Change ( disable IPv6 ) listen_ipv6=NO ●### Add to last line ### # Use local time. use_localtime=YES |
②Add a user to allow access to the directory to the upper level.
|
1 |
# echo "huong" >> /etc/vsftpd/chroot_list |
In my case, I wrote huong.
③ Specify the IP address to allow connections in /etc/hosts.allow
|
1 |
# echo "vsftpd:192.168.11.0/24" >> /etc/hosts.allow |
192.168.11.0/24 is the setting that allows all local IP addresses in my environment.
Write vsftpd:ALL (deny all connections) in /etc/hosts.deny
|
1 |
# echo "vsftpd:ALL" >> /etc/hosts.deny |
This setting takes precedence over hosts.allow.
This means that everything will be rejected and the IP address specified in hosts.allow will be allowed
④Enable and start vsftpd with auto-start enabled
|
1 2 |
# systemctl enable vsftpd Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /usr/lib/systemd/system/vsftpd.service. |
|
1 |
# systemctl start vsftpd |
⑤From the windows side, check if you can connect with FileZilla.
Open the ftp port with firewall before connecting
|
1 2 |
# firewall-cmd --permanent --add-service=ftp # firewall-cmd --reload |
Launch FileZilla and select "Site Manager" from the "File" menu.
Click "New Site"
fill in the fields as follows, and click "Connect".
Protocol : FTP-File Transfer Protocol
Host : IP address of the server
Poer : <blank space>
logon Type : Ask for password
User : General user name (server login user)
Set the login user's password in the "Password" field and click "OK".
If the connection is successful, the server directory will be displayed on the right side and the Windows directory on the left side.
2. vsftpd SSL/TLS
Configure Vsftpd to work with SSL/TLS
2.1 Create a self-signed certificate.
This step is not necessary if you use a trusted, legitimate certificate such as Let's Encrypt.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
# cd /etc/pki/tls/certs # openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/certs/vsftpd.pem -out /etc/pki/tls/certs/vsftpd.pem Generating a RSA private key ........................+++++ ..................+++++ writing new private key to '/etc/pki/tls/certs/vsftpd.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:JP # Country Code State or Province Name (full name) []:Osaka # Region (Prefecture Locality Name (eg, city) [Default City]:Sakai # City Organization Name (eg, company) [Default Company Ltd]:private # Organization Name Organizational Unit Name (eg, section) []:Admin # Department name of the organization Common Name (eg, your name or your server's hostname) [] Lepard # Hostname of the server Email Address []: # Administrator email address |
|
1 |
# chmod 600 vsftpd.pem |
2.2 Configure Vsftpd
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# vi /etc/vsftpd/vsftpd.conf ● Add to last line: Enable SSL/TLS rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem ssl_enable=YES force_local_data_ssl=YES force_local_logins_ssl=YES ● Add to last line # Fix passive ports at any range of ports pasv_enable=YES pasv_min_port=60000 pasv_max_port=60100 |
|
1 |
# systemctl restart vsftpd |
If Firewalld is enabled, allow passive ports
|
1 2 3 4 |
# firewall-cmd --add-port=60000-60100/tcp --permanent success # firewall-cmd --reload success |
When you connect to FileZilla, the following screen will appear, check the box and click "OK" to connect as before
3.Samba : File Server
Build a file server with access rights that requires user authentication with Samba.
Installation Procedure
①Create shared folders with access rights that require user authentication
②Accessible group creation
③Creation of users belonging to accessible groups
④Configuration File Edit
3.1 samba install
|
1 |
# dnf install samba samba-client samba-common -y |
|
1 |
# mkdir /home/smbshare |
3.3 Accessible group (smbgroup) creation
|
1 2 3 |
# groupadd smbgroup # chgrp smbgroup /home/smbshare # chmod 770 /home/smbshare |
3.4 Configuration File Edit
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
# vi /etc/samba/smb.conf # Line 11-12 : unix charset = UTF-8 # Add dos charset = CP932 # Add workgroup = SAMBA security = user # Add (Allow access only from the inside) hosts allow = 127. 192.168.11. # Add to the last line # Set an arbitrary share name [Smbshare] # Specify shared folder path = /home/smbshare # Allow Write writable = yes # Do not allow guest users guest ok = no # [smbgroup] Grant access only to groups valid users = @smbgroup # Set [smbgroup] as the group for file creation force group = smbgroup # Set file creation permissions to [770]. force create mode = 770 # Set permissions to [770] when creating folders force directory mode = 770 # Inherit permissions of upper folders inherit permissions = yes |
3.5 SMB Restart
|
1 2 3 4 |
# systemctl enable smb Created symlink /etc/systemd/system/multi-user.target.wants/smb.service → /usr/lib/systemd/system/smb.service. # systemctl start smb |
3.6 User (smbuser) registration, password setting, group registration
|
1 2 3 4 5 6 7 |
# useradd smbuser # smbpasswd -a smbuser New SMB password: # Password Setting Retype new SMB password: Added user smbuser. # usermod -aG smbgroup smbuser |
3.7 Firewalld allows Samba services
|
1 2 3 4 |
# firewall-cmd --add-service=samba --permanent success # firewall-cmd --reload success |
Open File Explorer and enter "\\<server IP address>" (in this case 192.168.11.83) in the address field.
Access the server.
Enter authentication information
User name : User name created in "3.6 User (smbuser) Registration, Password Setting, Group Registration
Password : Password for the above user
Click "OK"
Shared directory information is displayed.
