next up previous contents
Next: SSL 設定 Up: FTP Server Previous: FTP server 架設   Contents

安全機制

  1. 防火牆設定-任何網域皆可使用 ftp
    [root@kvm8 ~]# vim /etc/sysconfig/iptables
    
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    ######################################################
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 5000:5005 -j ACCEPT
    ######################################################
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    

  2. 防火牆設定-只有 192.168.122.0/24 網域可使用 ftp
    [root@kvm8 ~]# vim /etc/sysconfig/iptables
    
    ######################################################
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 ! -s 192.168.122.0/24 -j REJECT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 5000:5005 -j ACCEPT
    ######################################################
    

  3. 防火牆重新啟動
    [root@kvm8 ~]# /etc/init.d/iptables restart
    

  4. 開機啟動防火牆
    [root@kvm8 ~]# chkconfig iptables on
    

  5. SELinux 有關 ftp 的設定:如果要讓用戶可以上傳及下載,必須開啟 allow_ftpd_full_access
    [root@kvm8 ~]# getsebool -a | grep ftp
    allow_ftpd_anon_write --> off
    allow_ftpd_full_access --> off
    allow_ftpd_use_cifs --> off
    allow_ftpd_use_nfs --> off
    ftp_home_dir --> off
    ftpd_connect_db --> off
    httpd_enable_ftp_server --> off
    tftp_anon_write --> off
    



2018-01-11