FTP Server on CentOS 6 with VSFTPD Chroot List
Written by Tutor TKJ CLUB, Wednesday, 30 May 2012 08:42
We will move the FTP root away from the default /var/ftp/pub: each user we create gets a directory named after them (their home directory), and vsftpd's chroot list confines that user to it.

Configuring vsftpd
Install the vsftpd package:

[zizzu@localhost ~]$ su
Password:
[root@localhost zizzu]# yum install vsftpd
[root@localhost zizzu]# cd /etc/vsftpd/
[root@localhost vsftpd]# ls
ftpusers  user_list  vsftpd.conf  vsftpd_conf_migrate.sh
[root@localhost vsftpd]# cp vsftpd.conf vsftpd.conf.ori
[root@localhost vsftpd]# nano /etc/vsftpd/vsftpd.conf

The file as shipped with CentOS 6 reads:

# Example config file /etc/vsftpd/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
#ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

Delete or empty the text above and replace it with the following:

# Example config file /etc/vsftpd/vsftpd.conf
#
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
ascii_upload_enable=YES
ascii_download_enable=YES
ftpd_banner=Welcome to FTP Server K-Place.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
listen=YES
pam_service_name=vsftpd
userlist_enable=YES

Two lines from the default file are kept here on purpose. pam_service_name=vsftpd is needed because vsftpd's compiled-in default PAM service name is "ftp", and CentOS ships only /etc/pam.d/vsftpd, so without this line every local login is rejected. userlist_enable=YES keeps denying the system accounts listed in /etc/vsftpd/user_list (root, bin, daemon and so on). Note also how the chroot options interact: chroot_local_user is left at its default of NO, so the users named in chroot_list are exactly the ones that get chroot()ed into their home directory; setting chroot_local_user=YES would turn the same list into a list of exceptions.

Save and exit, then create the chroot_list file containing the user name zidan:

[root@localhost vsftpd]# nano chroot_list
zidan

Save and exit, then create the user and set a password as in the example below:

[root@localhost vsftpd]# adduser zidan
[root@localhost vsftpd]# passwd zidan
Changing password for user zidan.
New password: ( type zidan )
BAD PASSWORD: it is too short
BAD PASSWORD: is too simple
Retype new password: ( type zidan )
passwd: all authentication tokens updated successfully.
[root@localhost vsftpd]#

The password "zidan" is accepted only because root may override the quality check. On anything other than a lab machine choose a strong password, and keep in mind that plain FTP transmits it over the network in cleartext.

Restart the FTP server and enable it at boot:

[root@localhost vsftpd]# /etc/init.d/vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]

[root@localhost vsftpd]# chkconfig --level 235 vsftpd on

At this point the original tutorial disables SELinux by editing /etc/sysconfig/selinux:

[root@localhost vsftpd]# nano /etc/sysconfig/selinux

Before:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

After (the valid value is "disabled", not "disable"; the comments in the file list the three accepted values):

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Disabling SELinux is not required for this setup, and it removes a useful layer of containment around a daemon that is reachable from the network. What actually lets vsftpd serve users' home directories under the targeted policy is the ftp_home_dir boolean set below. getsebool and setsebool only work while SELinux is loaded, and with SELINUX=disabled the boolean becomes irrelevant after the next reboot, so the better course is to leave SELINUX=enforcing and only set the boolean.

Now check the FTP-related SELinux booleans:

[root@localhost zizzu]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off

ftp_home_dir is still off, so turn it on (-P makes the change persistent across reboots):

[root@localhost zizzu]# setsebool -P ftp_home_dir on

Then check again with the same command:

[root@localhost zizzu]# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> on
ftpd_connect_db --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off

With ftp_home_dir on, the chrooted user lands in /home/zidan instead of the anonymous tree under /var/ftp/pub. The last step is to make sure this account can be used for FTP only, by taking away its interactive shell:

[zizzu@localhost ~]$ su
Password:
[root@localhost zizzu]# nano /etc/passwd

Find this line:

zidan:x:501:501::/home/zidan:/bin/bash

and change it to:

zidan:x:501:501::/home/zidan:/sbin/nologin

The same change without hand-editing /etc/passwd is usermod -s /sbin/nologin zidan. vsftpd's PAM stack on CentOS 6 includes pam_shells, so the shell must be listed in /etc/shells; /sbin/nologin is listed there by default, so FTP logins keep working while SSH and console logins are refused. Save and exit, then reboot the machine (only needed if you changed the SELinux mode; the vsftpd and boolean changes take effect immediately).

Source: http://vthink.web.id/
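The procedure above ends in a specific state: anonymous FTP off, the user named in chroot_list with chroot_local_user left at its default, and the account's shell set to /sbin/nologin. The script below is an added example, not part of the original tutorial or of vsftpd, that audits a vsftpd.conf, its chroot_list and a passwd-format file against that state so the result can be checked before the server is exposed. The helper names vsftpd_get, vsftpd_audit and write_sample are hypothetical, the sample files it writes are constructed here rather than taken from a real host, and because it reads ordinary files it needs no root to run.

```bash
#!/bin/bash
# Added example: audit vsftpd settings against the end state of this tutorial.
# Hypothetical helpers (vsftpd_get, vsftpd_audit, write_sample); not vsftpd code.

# Print the effective value of <key> in a vsftpd.conf: comment and blank lines
# are skipped and the last occurrence wins, which is how vsftpd reads the file.
vsftpd_get() {  # vsftpd_get <conf> <key>
    awk -F= -v k="$2" '
        /^#/ || NF == 0 { next }
        $1 == k         { v = $2 }
        END             { print v }
    ' "$1"
}

# Check <conf> and <pwfile> (a passwd-format file) for <user>. Prints one line
# per failed check and returns 1 if anything failed, 0 otherwise.
vsftpd_audit() {  # vsftpd_audit <conf> <pwfile> <user>
    local conf=$1 pwfile=$2 user=$3 rc=0 list shell

    [ "$(vsftpd_get "$conf" anonymous_enable)" = NO ] \
        || { echo "anonymous_enable must be NO"; rc=1; }
    [ "$(vsftpd_get "$conf" local_enable)" = YES ] \
        || { echo "local_enable must be YES for $user to log in"; rc=1; }

    # With chroot_local_user at its default (NO), chroot_list names the users
    # that ARE chrooted; chroot_local_user=YES turns it into an exception list.
    [ "$(vsftpd_get "$conf" chroot_local_user)" != YES ] \
        || { echo "chroot_local_user=YES inverts the meaning of chroot_list"; rc=1; }
    [ "$(vsftpd_get "$conf" chroot_list_enable)" = YES ] \
        || { echo "chroot_list_enable must be YES"; rc=1; }

    list=$(vsftpd_get "$conf" chroot_list_file)
    list=${list:-/etc/vsftpd/chroot_list}   # vsftpd's documented default
    if [ ! -r "$list" ]; then
        echo "chroot list $list is missing or unreadable"; rc=1
    elif ! grep -qx "$user" "$list"; then
        echo "$user is not in $list and would not be chrooted"; rc=1
    fi

    # The FTP-only account should have no interactive shell.
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$pwfile")
    case $shell in
        /sbin/nologin|/usr/sbin/nologin) ;;
        "") echo "$user not found in $pwfile"; rc=1 ;;
        *)  echo "$user still has interactive shell $shell"; rc=1 ;;
    esac
    return $rc
}

# Write constructed sample files into <dir>. Mode "good" mirrors the final
# state of the tutorial; "bad" leaves anonymous FTP on and keeps a login shell.
write_sample() {  # write_sample <dir> good|bad
    local dir=$1 mode=$2 anon=NO shell=/sbin/nologin
    [ "$mode" = bad ] && { anon=YES; shell=/bin/bash; }
    cat > "$dir/vsftpd.conf" <<EOF
# constructed sample, not a real host's file
anonymous_enable=$anon
local_enable=YES
write_enable=YES
local_umask=022
chroot_list_enable=YES
chroot_list_file=$dir/chroot_list
listen=YES
pam_service_name=vsftpd
EOF
    echo zidan > "$dir/chroot_list"
    printf 'root:x:0:0:root:/root:/bin/bash\nzidan:x:501:501::/home/zidan:%s\n' \
        "$shell" > "$dir/passwd"
}

# Stand-alone run: the "good" sample passes, the "bad" sample is flagged.
tmp=$(mktemp -d)
write_sample "$tmp" good
vsftpd_audit "$tmp/vsftpd.conf" "$tmp/passwd" zidan && echo "good sample: OK"
write_sample "$tmp" bad
vsftpd_audit "$tmp/vsftpd.conf" "$tmp/passwd" zidan || echo "bad sample: flagged"
rm -rf "$tmp"
```

On the real host the same check is vsftpd_audit /etc/vsftpd/vsftpd.conf /etc/passwd zidan. The SELinux boolean is deliberately left out of the audit because getsebool depends on the running kernel's policy; check ftp_home_dir separately with getsebool ftp_home_dir as shown above.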