AlmaLinux9 FTP サーバー ProFTPD over SSL/TLSの設定方法

環境
AlmaLinux release 9.2 (Turquoise Kodkod)

概要
ProFTPD を SSL/TLS で利用できるように設定します。

操作方法
1.自己署名の証明書を作成します。
# cd /etc/pki/tls/certs
# openssl req -x509 -nodes -newkey rsa:2048 -keyout proftpd.pem -out proftpd.pem -days 3650

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
Generating a RSA private key
.....+++++
................+++++
writing new private key to 'proftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP # 国コード
State or Province Name (full name) []:Yokohama # 地域 (県)
Locality Name (eg, city) [Default City]:Yokohama # 都市
Organization Name (eg, company) [Default Company Ltd]:GTS # 組織名
Organizational Unit Name (eg, section) []:Server World # 組織の部門名
Common Name (eg, your name or your server's hostname) []:www.arkgame.com # サーバーの FQDN
Email Address []:root@arkgame.com # 管理者アドレス
Generating a RSA private key .....+++++ ................+++++ writing new private key to 'proftpd.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:JP # 国コード State or Province Name (full name) []:Yokohama # 地域 (県) Locality Name (eg, city) [Default City]:Yokohama # 都市 Organization Name (eg, company) [Default Company Ltd]:GTS # 組織名 Organizational Unit Name (eg, section) []:Server World # 組織の部門名 Common Name (eg, your name or your server's hostname) []:www.arkgame.com # サーバーの FQDN Email Address []:root@arkgame.com # 管理者アドレス
Generating a RSA private key
.....+++++
................+++++
writing new private key to 'proftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP                                    # 国コード
State or Province Name (full name) []:Yokohama                         # 地域 (県)
Locality Name (eg, city) [Default City]:Yokohama                       # 都市
Organization Name (eg, company) [Default Company Ltd]:GTS               # 組織名
Organizational Unit Name (eg, section) []:Server World                  # 組織の部門名
Common Name (eg, your name or your server's hostname) []:www.arkgame.com  # サーバーの FQDN
Email Address []:root@arkgame.com                                         # 管理者アドレス

3.権限を付与します

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
# chmod 600 proftpd.pem
# chmod 600 proftpd.pem
# chmod 600 proftpd.pem

4.ProFTPD の基本設定を行います
# vi /etc/sysconfig/proftpd

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
# TLS オプション追記
PROFTPD_OPTIONS="-DTLS"
[root@www ~]# vi /etc/proftpd/mod_tls.conf
<IfModule mod_tls.c>
TLSEngine on
# TLS 接続必須とする場合は変更
TLSRequired on
# コメント化
#TLSCertificateChainFile /etc/pki/tls/certs/proftpd-chain.pem
# 作成した証明書に変更
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite PROFILE=SYSTEM
# Relax the requirement that the SSL session be re-used for data transfers
TLSOptions NoSessionReuseRequired
TLSLog /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
TLSSessionCache shm:/file=/run/proftpd/sesscache
</IfModule>
</IfModule>
# TLS オプション追記 PROFTPD_OPTIONS="-DTLS" [root@www ~]# vi /etc/proftpd/mod_tls.conf <IfModule mod_tls.c> TLSEngine on # TLS 接続必須とする場合は変更 TLSRequired on # コメント化 #TLSCertificateChainFile /etc/pki/tls/certs/proftpd-chain.pem # 作成した証明書に変更 TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem TLSCipherSuite PROFILE=SYSTEM # Relax the requirement that the SSL session be re-used for data transfers TLSOptions NoSessionReuseRequired TLSLog /var/log/proftpd/tls.log <IfModule mod_tls_shmcache.c> TLSSessionCache shm:/file=/run/proftpd/sesscache </IfModule> </IfModule>
# TLS オプション追記
PROFTPD_OPTIONS="-DTLS"
[root@www ~]# vi /etc/proftpd/mod_tls.conf
<IfModule mod_tls.c>
  TLSEngine                     on
  # TLS 接続必須とする場合は変更
  TLSRequired                   on
  # コメント化
  #TLSCertificateChainFile       /etc/pki/tls/certs/proftpd-chain.pem
  # 作成した証明書に変更
  TLSRSACertificateFile         /etc/pki/tls/certs/proftpd.pem
  TLSRSACertificateKeyFile      /etc/pki/tls/certs/proftpd.pem
  TLSCipherSuite                PROFILE=SYSTEM
  # Relax the requirement that the SSL session be re-used for data transfers
  TLSOptions                    NoSessionReuseRequired
  TLSLog                        /var/log/proftpd/tls.log
  <IfModule mod_tls_shmcache.c>
    TLSSessionCache             shm:/file=/run/proftpd/sesscache
  </IfModule>
</IfModule>

proftpdを再起動する

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
# systemctl restart proftpd
# systemctl restart proftpd
# systemctl restart proftpd

5.Firewalld を有効にしている場合は、パッシブポートの許可が必要です。
# vi /etc/proftpd.conf

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
# 最終行に追記
# 任意の範囲のポートでパッシブポートを固定
PassivePorts 60000 60100
# 最終行に追記 # 任意の範囲のポートでパッシブポートを固定 PassivePorts 60000 60100
# 最終行に追記
# 任意の範囲のポートでパッシブポートを固定
PassivePorts 60000 60100

# systemctl restart proftpd
# 固定したパッシブポートを許可

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
# firewall-cmd --add-port=60000-60100/tcp
# firewall-cmd --runtime-to-permanent
# firewall-cmd --add-port=60000-60100/tcp # firewall-cmd --runtime-to-permanent
# firewall-cmd --add-port=60000-60100/tcp
# firewall-cmd --runtime-to-permanent

 

AlmaLinux 9

Posted by arkgame