差分

このページの2つのバージョン間の差分を表示します。

--- mae3xx_tips:setup_vsftpd:start [2014/05/12 13:46] – admin
+++ mae3xx_tips:setup_vsftpd:start [2014/05/12 14:02] (現在) – admin
@@ 行 1: / 行 1: @@
+====== FTPサーバの導入 ======
+MA-E3xx では、sshd がインストールされていますので、セキュアなファイル転送として SFTP プロトコルが利用できます。\\
+組み込み機器などで、どうしても FTP プロトコルしか使用できないというような場合のため、FTPサーバを導入方法を紹介します。
+\\
+===== セットアップ =====
+==== 導入可能なFTPサーバ ====
+Ubuntu Linux に用意されている、FTPサーバのパッケージを検索してみます。
+<code>
+user1@plum:~$ sudo apt-cache search ftpd
+[sudo] password for user1:
+tftpd-hpa - HPA's tftp server
+vsftpd - lightweight, efficient FTP server written for security
+atftpd - advanced TFTP server
+auth2db-filters - Auth2db defaults filters pack
+ccze - A robust, modular log coloriser
+fail2ban - ban hosts that cause multiple authentication errors
+ftp-ssl - The FTP client with SSL or TLS encryption support
+ftpd - File Transfer Protocol (FTP) server
+ftpd-ssl - FTP server with SSL encryption support
+gadmin-proftpd - GTK+ configuration tool for proftpd
+gadmin-proftpd-dbg - GTK+ configuration tool for proftpd debug package
+gadmintools - GTK+ server administration tools (meta-package)
+gosa-plugin-pureftpd - pureftpd plugin for GOsa?
+gosa-plugin-pureftpd-schema - LDAP schema for GOsa? pureftpd plugin
+heimdal-servers - Heimdal Kerberos - server programs
+inetutils-ftpd - File Transfer Protocol server
+libnet-tftpd-perl - Perl extension for Trivial File Transfer Protocol Server
+muddleftpd - A flexible and efficient FTP daemon
+mysqmail-pure-ftpd-logger - real-time logging system in MySQL - Pure-FTPd traffic-logger
+nordugrid-arc-gridftpd - ARC GridFTP server
+owftpd - FTP daemon providing access to 1-Wire networks
+prelude-lml - Security Information Management System [ Log Agent ]
+proftpd-basic - Versatile, virtual-hosting FTP daemon - binaries
+proftpd-dev - Versatile, virtual-hosting FTP daemon - development files
+proftpd-doc - Versatile, virtual-hosting FTP daemon - documentation
+proftpd-mod-autohost - ProFTPD module mod_autohost
+proftpd-mod-case - ProFTPD module mod_case
+proftpd-mod-clamav - ProFTPD module mod_clamav
+proftpd-mod-dnsbl - ProFTPD module mod_dnsbl
+proftpd-mod-fsync - ProFTPD module mod_fsync
+proftpd-mod-geoip - Versatile, virtual-hosting FTP daemon - GeoIP module
+proftpd-mod-ldap - Versatile, virtual-hosting FTP daemon - LDAP module
+proftpd-mod-msg - ProFTPD module mod_msg
+proftpd-mod-mysql - Versatile, virtual-hosting FTP daemon - MySQL module
+proftpd-mod-odbc - Versatile, virtual-hosting FTP daemon - ODBC module
+proftpd-mod-pgsql - Versatile, virtual-hosting FTP daemon - PostgreSQL module
+proftpd-mod-sqlite - Versatile, virtual-hosting FTP daemon - SQLite3 module
+proftpd-mod-tar - ProFTPD module mod_tar
+proftpd-mod-vroot - ProFTPD module mod_vroot
+pure-ftpd - Secure and efficient FTP server
+pure-ftpd-common - Pure-FTPd FTP server (Common Files)
+pure-ftpd-ldap - Secure and efficient FTP server with LDAP user authentication
+pure-ftpd-mysql - Secure and efficient FTP server with MySQL user authentication
+pure-ftpd-postgresql - Secure and efficient FTP server with PostgreSQL user authentication
+pureadmin - Gtk graphic front-end for PureFTPd
+pyftpd - ftp daemon with advanced features
+python-pyftpdlib - Python FTP server library
+tcllib - Standard Tcl Library
+tftpd - Trivial file transfer protocol server
+twoftpd - a simple secure efficient FTP server (programs)
+twoftpd-run - a simple secure efficient FTP server
+uec-provisioning-tftpd - the UEC Provisioning TFTP server
+yasat - simple stupid audit tool
+user1@plum:~$
+</code>
+TFTP(([[http://ja.wikipedia.org/wiki/Trivial_File_Transfer_Protocol]]))も検索されてしまっていますが、
+有名なFTPサーバとして、下記が導入できるようです。
+  * [[http://www.proftpd.org/|ProFTPD]] - Highly configurable GPL-licensed FTP server software
+  * [[http://www.pureftpd.org/project/pure-ftpd|Pure-FTPd]] - Secure and efficient FTP server
+  * [[https://security.appspot.com/vsftpd.html|vsftpd]] - Probably the most secure and fastest FTP server for UNIX-like systems.
+"the most secure", "fastest" という謳い文句が魅力的なので、vsftpd を導入してみます。
+\\
+==== vsftpd の導入 ====
+apt-get コマンドでインストールします。
+<code>
+user1@plum:~$ sudo apt-get install vsftpd
+[sudo] password for user1:
+Reading package lists... Done
+Building dependency tree
+Reading state information... Done
+The following NEW packages will be installed:
+  vsftpd
+upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
+Need to get 99.8 kB of archives.
+After this operation, 298 kB of additional disk space will be used.
+Get:1 http://ports.ubuntu.com/ubuntu-ports/ trusty-updates/main vsftpd armhf 3.0.2-1ubuntu2.14.04.1 [99.8 kB]
+Fetched 99.8 kB in 1s (53.9 kB/s)
+Preconfiguring packages ...
+Selecting previously unselected package vsftpd.
+(Reading database ... 17590 files and directories currently installed.)
+Preparing to unpack .../vsftpd_3.0.2-1ubuntu2.14.04.1_armhf.deb ...
+Unpacking vsftpd (3.0.2-1ubuntu2.14.04.1) ...
+Processing triggers for ureadahead (0.100.0-16) ...
+Setting up vsftpd (3.0.2-1ubuntu2.14.04.1) ...
+vsftpd start/running, process 1398
+Processing triggers for ureadahead (0.100.0-16) ...
+localepurge: Disk space freed in /usr/share/locale: 0 KiB
+localepurge: Disk space freed in /usr/share/man: 0 KiB
+Total disk space freed by localepurge: 0 KiB
+user1@plum:~$
+</code>
+これでインストールできました。
+プロセスが立ち上がっているか確認してみます。
+<code>
+user1@plum:~$ ps ax|grep vsftp
+?        Ss     0:00 /usr/sbin/vsftpd
+pts/1    S+     0:00 grep --color=auto vsftp
+user1@plum:~$
+</code>
+どのポートでlistenしているか確認してみます。
+<code>
+user1@plum:~$ netstat -l -4 -t
+Active Internet connections (only servers)
+Proto Recv-Q Send-Q Local Address           Foreign Address         State
+tcp        0      0 *:ftp                   *:*                     LISTEN
+tcp        0      0 *:domain                *:*                     LISTEN
+tcp        0      0 *:ssh                   *:*                     LISTEN
+tcp        0      0 *:50040                 *:*                     LISTEN
+tcp        0      0 *:sunrpc                *:*                     LISTEN
+tcp        0      0 *:http                  *:*                     LISTEN
+user1@plum:~$
+</code>
+"ftp" (TCP/21) で listen していることがわかります。
+\\
+==== 接続確認 ====
+別の機器から、FTPで接続してみます。
+<code>
+user1@plum:~$ ftp 192.168.253.35
+Connected to 192.168.253.35.
+(vsFTPd 3.0.2)
+Name (192.168.253.35:user1): user1
+Please specify the password.
+Password:
+Login successful.
+Remote system type is UNIX.
+Using binary mode to transfer files.
+ftp> quit
+Goodbye.
+user1@plum:~$
+</code>
+接続できることが確認できました。
+\\
+===== 設定 =====
+apt-get コマンドで導入することで、とりあえず使用することができるようになりました。\\
+しかし、このままですと、インターネットに接続した場合、世界中のどこからでもアクセスできるようになってしまい、\\
+セキュリティ上問題があります。\\
+インターネットに接続して利用する場合、Firewall を設定し、アドレスなどで接続を制限することを **強く** お勧めします。
+\\
+==== vsftpd の設定 ====
+Ubuntu の vsftpd の設定ファイルは、/etc/vsftpd.conf です。\\
+内容についてのドキュメントは、[[http://manpages.ubuntu.com/manpages/trusty/en/man5/vsftpd.conf.5.html]] になります。
+デフォルトでは、下記のように設定されています。
+<code>
+# Example config file /etc/vsftpd.conf
+#
+# The default compiled in settings are fairly paranoid. This sample file
+# loosens things up a bit, to make the ftp daemon more usable.
+# Please see vsftpd.conf.5 for all compiled in defaults.
+#
+# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
+# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
+# capabilities.
+#
+#
+# Run standalone?  vsftpd can run either from an inetd or as a standalone
+# daemon started from an initscript.
+listen=YES
+#
+# Run standalone with IPv6?
+# Like the listen parameter, except vsftpd will listen on an IPv6 socket
+# instead of an IPv4 one. This parameter and the listen parameter are mutually
+# exclusive.
+#listen_ipv6=YES
+#
+# Allow anonymous FTP? (Disabled by default)
+anonymous_enable=NO
+#
+# Uncomment this to allow local users to log in.
+local_enable=YES
+#
+# Uncomment this to enable any form of FTP write command.
+#write_enable=YES
+#
+# Default umask for local users is 077. You may wish to change this to 022,
+# if your users expect that (022 is used by most other ftpd's)
+#local_umask=022
+#
+# Uncomment this to allow the anonymous FTP user to upload files. This only
+# has an effect if the above global write enable is activated. Also, you will
+# obviously need to create a directory writable by the FTP user.
+#anon_upload_enable=YES
+#
+# Uncomment this if you want the anonymous FTP user to be able to create
+# new directories.
+#anon_mkdir_write_enable=YES
+#
+# Activate directory messages - messages given to remote users when they
+# go into a certain directory.
+dirmessage_enable=YES
+#
+# If enabled, vsftpd will display directory listings with the time
+# in  your  local  time  zone.  The default is to display GMT. The
+# times returned by the MDTM FTP command are also affected by this
+# option.
+use_localtime=YES
+#
+# Activate logging of uploads/downloads.
+xferlog_enable=YES
+#
+# Make sure PORT transfer connections originate from port 20 (ftp-data).
+connect_from_port_20=YES
+#
+# If you want, you can arrange for uploaded anonymous files to be owned by
+# a different user. Note! Using "root" for uploaded files is not
+# recommended!
+#chown_uploads=YES
+#chown_username=whoever
+#
+# You may override where the log file goes if you like. The default is shown
+# below.
+#xferlog_file=/var/log/vsftpd.log
+#
+# If you want, you can have your log file in standard ftpd xferlog format.
+# Note that the default log file location is /var/log/xferlog in this case.
+#xferlog_std_format=YES
+#
+# You may change the default value for timing out an idle session.
+#idle_session_timeout=600
+#
+# You may change the default value for timing out a data connection.
+#data_connection_timeout=120
+#
+# It is recommended that you define on your system a unique user which the
+# ftp server can use as a totally isolated and unprivileged user.
+#nopriv_user=ftpsecure
+#
+# Enable this and the server will recognise asynchronous ABOR requests. Not
+# recommended for security (the code is non-trivial). Not enabling it,
+# however, may confuse older FTP clients.
+#async_abor_enable=YES
+#
+# By default the server will pretend to allow ASCII mode but in fact ignore
+# the request. Turn on the below options to have the server actually do ASCII
+# mangling on files when in ASCII mode.
+# Beware that on some FTP servers, ASCII support allows a denial of service
+# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
+# predicted this attack and has always been safe, reporting the size of the
+# raw file.
+# ASCII mangling is a horrible feature of the protocol.
+#ascii_upload_enable=YES
+#ascii_download_enable=YES
+#
+# You may fully customise the login banner string:
+#ftpd_banner=Welcome to blah FTP service.
+#
+# You may specify a file of disallowed anonymous e-mail addresses. Apparently
+# useful for combatting certain DoS attacks.
+#deny_email_enable=YES
+# (default follows)
+#banned_email_file=/etc/vsftpd.banned_emails
+#
+# You may restrict local users to their home directories.  See the FAQ for
+# the possible risks in this before using chroot_local_user or
+# chroot_list_enable below.
+#chroot_local_user=YES
+#
+# You may specify an explicit list of local users to chroot() to their home
+# directory. If chroot_local_user is YES, then this list becomes a list of
+# users to NOT chroot().
+# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
+# the user does not have write access to the top level directory within the
+# chroot)
+#chroot_local_user=YES
+#chroot_list_enable=YES
+# (default follows)
+#chroot_list_file=/etc/vsftpd.chroot_list
+#
+# You may activate the "-R" option to the builtin ls. This is disabled by
+# default to avoid remote users being able to cause excessive I/O on large
+# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
+# the presence of the "-R" option, so there is a strong case for enabling it.
+#ls_recurse_enable=YES
+#
+# Customization
+#
+# Some of vsftpd's settings don't fit the filesystem layout by
+# default.
+#
+# This option should be the name of a directory which is empty.  Also, the
+# directory should not be writable by the ftp user. This directory is used
+# as a secure chroot() jail at times vsftpd does not require filesystem
+# access.
+secure_chroot_dir=/var/run/vsftpd/empty
+#
+# This string is the name of the PAM service vsftpd will use.
+pam_service_name=vsftpd
+#
+# This option specifies the location of the RSA certificate to use for SSL
+# encrypted connections.
+rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+# This option specifies the location of the RSA key to use for SSL
+# encrypted connections.
+rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+</code>
+\\

MA-X/MA-S/MA-E/IP-K Developers' WiKi

ユーザ用ツール

サイト用ツール

差分

ページ用ツール