Restricting FTP users


Allow only a predefined list of users to access the FTP server


Guide
This guide shows, with a step-by-step example, how to restrict logins to a vsftpd server to a predefined list of users.


As a rule, every system user except those listed in the ftpusers file (/etc/vsftpd/ftpusers on Red Hat-style systems, enforced through PAM) can log in to the FTP server.
Users are placed in their home directory the moment they connect to the server.

Exposing the home directories of system users over FTP is not always wanted.

To control which users may reach their home directories over FTP we can use the following configuration parameters in /etc/vsftpd/vsftpd.conf:


userlist_enable (YES/NO)

YES: filter users according to userlist_deny and userlist_file
NO : do not filter users according to userlist_deny and userlist_file (the compiled-in default)

userlist_deny (YES/NO)

YES: the users listed in userlist_file are refused access to the FTP server (block-list). This is the default, so it applies whenever userlist_deny is not set explicitly.
NO : only the users listed in userlist_file are allowed to access the server (allow-list)

userlist_file
A file with one username per line, nothing else on the line.
This file must be created. On Red Hat-style packages the default path is /etc/vsftpd/user_list, shipped as a block-list of system accounts; since this guide uses a file with a different name, the option has to point at it explicitly. In both modes the list is consulted as soon as the username is entered, before any password is requested.
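To make the interplay of the three options concrete, here is an added shell example that is not part of the original guide. It models the decision vsftpd makes at the username step for every combination of userlist_enable and userlist_deny, including the default value of userlist_deny when the option is left out. The function names, the temporary files and the sample usernames are this example's own constructions; it models only the user-list check, not the PAM/ftpusers check or the password exchange that follow it.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: a model of the decision
# vsftpd makes at the username step from userlist_enable, userlist_deny and
# userlist_file. Function names, temp files and sample users are constructed
# for this example; the later PAM/ftpusers check and the password itself are
# out of scope.
set -eu

# Print the value of <key> from a vsftpd.conf-style file, or <default> if the
# key is absent. vsftpd uses the last occurrence of a key, so take the last.
conf_get() {  # conf_get <conf> <key> <default>
    local v
    v=$(grep -E "^${2}=" "$1" | tail -n 1 | cut -d= -f2-) || true
    printf '%s\n' "${v:-$3}"
}

# Decide what vsftpd answers to USER <user>:
#   allow : the client is asked for a password (331)
#   deny  : "530 Permission denied" before any password is requested
userlist_decision() {  # userlist_decision <conf> <user>
    local conf=$1 user=$2 enable deny file listed=no
    enable=$(conf_get "$conf" userlist_enable NO)
    deny=$(conf_get "$conf" userlist_deny YES)             # default is YES
    file=$(conf_get "$conf" userlist_file /etc/vsftpd/user_list)
    [ "$enable" = YES ] || { echo allow; return; }         # list not consulted
    # Whole-line, exact match: one username per line, no separators.
    grep -qx -- "$user" "$file" 2>/dev/null && listed=yes
    if [ "$deny" = YES ]; then                              # block-list mode
        if [ "$listed" = yes ]; then echo deny; else echo allow; fi
    else                                                   # allow-list mode
        if [ "$listed" = yes ]; then echo allow; else echo deny; fi
    fi
}

# Show all four combinations with a constructed list holding perdorues1 and
# perdorues2 (as in the guide) and probe perdorues1 and perdorues3.
demo() {
    local d conf enable deny u
    d=$(mktemp -d)
    printf '%s\n' perdorues1 perdorues2 > "$d/usr_list"
    conf=$d/vsftpd.conf
    for enable in YES NO; do
        for deny in YES NO; do
            printf 'userlist_enable=%s\nuserlist_deny=%s\nuserlist_file=%s\n' \
                "$enable" "$deny" "$d/usr_list" > "$conf"
            for u in perdorues1 perdorues3; do
                printf 'userlist_enable=%s userlist_deny=%s %-10s -> %s\n' \
                    "$enable" "$deny" "$u" "$(userlist_decision "$conf" "$u")"
            done
        done
    done
    rm -rf "$d"
}
demo
```

Running it prints the eight outcomes; the row to remember is userlist_enable=YES with userlist_deny=NO, the only combination in which an unlisted account such as perdorues3 is refused before the password prompt.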


Allow only certain users to connect to the FTP server


For this exercise:

1
First we create three users with the names and passwords below (passwords equal to the username are used only to keep the lab short):

 Name        Password    Notes
 perdorues1  perdorues1  Will be allowed to log in to the FTP server
 perdorues2  perdorues2  Will be allowed to log in to the FTP server
 perdorues3  perdorues3  Will not be allowed to log in to the FTP server.
                         Represents every other user on the system



[root@localhost student]# useradd perdorues1
[root@localhost student]# useradd perdorues2
[root@localhost student]# useradd perdorues3
[root@localhost student]# 

Set the corresponding password for each of the users:

[root@localhost student]# passwd perdorues1
Changing password for user perdorues1.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@localhost student]# passwd perdorues2
Changing password for user perdorues2.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@localhost student]# passwd perdorues3
Changing password for user perdorues3.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@localhost student]# 


2
Verify that each of the users can log in to the FTP server (the restriction has not been configured yet, so all three succeed):

User 1

[root@localhost student]# ftp 127.0.0.1 
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:student): perdorues1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,152,72).
150 Here comes the directory listing.
drwxr-xr-x    2 517      517          4096 Nov 27 17:04 database
drwxr-xr-x    2 517      517          4096 Nov 27 15:53 mail
drwxr-xr-x    2 517      517          4096 Dec 03 14:35 public_html
drwxr-xr-x    2 517      517          4096 Nov 27 15:52 web
226 Directory send OK.
ftp> 


User 2

[root@localhost student]# ftp 127.0.0.1 
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:student): perdorues2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,60,227).
150 Here comes the directory listing.
drwxr-xr-x    2 518      518          4096 Nov 27 17:04 database
drwxr-xr-x    2 518      518          4096 Nov 27 15:53 mail
drwxr-xr-x    2 518      518          4096 Dec 03 14:35 public_html
drwxr-xr-x    2 518      518          4096 Nov 27 15:52 web
226 Directory send OK.
ftp> 



User 3

[root@localhost student]# ftp 127.0.0.1 
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:student): perdorues3
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,124,202).
150 Here comes the directory listing.
drwxr-xr-x    2 519      519          4096 Nov 27 17:04 database
drwxr-xr-x    2 519      519          4096 Nov 27 15:53 mail
drwxr-xr-x    2 519      519          4096 Dec 03 14:35 public_html
drwxr-xr-x    2 519      519          4096 Nov 27 15:52 web
226 Directory send OK.
ftp> 



3
Create a file named usr_list in the /etc/vsftpd directory:

[root@localhost student]# cat > /etc/vsftpd/usr_list
perdorues1
perdorues2
^Z
[1]+  Stopped                 cat > /etc/vsftpd/usr_list
[root@localhost student]#


Verify the contents of the file:

[root@localhost student]# cat  /etc/vsftpd/usr_list
perdorues1
perdorues2
[root@localhost student]# 


As shown, the file contains only the users perdorues1 and perdorues2, each on a line of its own, with no punctuation such as commas or semicolons. Note that in the transcript above cat was ended with Ctrl-Z, which suspends the process and leaves it as a stopped job (hence the "Stopped" line); the lines were written because cat flushes each one as it is read, but the clean way to finish is Ctrl-D, which sends end-of-file and lets cat exit.

4
In /etc/vsftpd/vsftpd.conf enable the userlist options as shown below. All three lines are needed: without userlist_deny=NO the default (YES) applies and the list becomes a block-list, which is the opposite of what we want. Values must be exactly YES or NO with no trailing whitespace, which vsftpd rejects as a "bad bool value" at startup.

userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/usr_list


5
Restart the vsftpd service so the new configuration is read:

[root@localhost student]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@localhost student]# 


From this step on, the only users allowed to log in to the FTP server are perdorues1 and perdorues2.

6
Verify that perdorues1 and perdorues2 can log in to the server and that no other user (for example perdorues3) can.

User 1

[root@localhost student]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:student): perdorues1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,202,203).
150 Here comes the directory listing.
drwxr-xr-x    2 517      517          4096 Nov 27 17:04 database
drwxr-xr-x    2 517      517          4096 Nov 27 15:53 mail
drwxr-xr-x    2 517      517          4096 Dec 03 14:35 public_html
drwxr-xr-x    2 517      517          4096 Nov 27 15:52 web
226 Directory send OK.
ftp> 

User 2

[root@localhost student]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:student): perdorues2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,40,229).
150 Here comes the directory listing.
drwxr-xr-x    2 518      518          4096 Nov 27 17:04 database
drwxr-xr-x    2 518      518          4096 Nov 27 15:53 mail
drwxr-xr-x    2 518      518          4096 Dec 03 14:35 public_html
drwxr-xr-x    2 518      518          4096 Nov 27 15:52 web
226 Directory send OK.
ftp> 

User 3

[root@localhost student]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:student): perdorues3
530 Permission denied.
Login failed.
ftp> 


As shown, perdorues3 is not allowed to log in to the FTP server. Moreover, during authentication, as soon as the username is entered the server checks whether it appears in the list in /etc/vsftpd/usr_list.
Because perdorues3 is not in that file, the client is told immediately that it cannot access the server and the login exchange is closed:

530 Permission denied.
Login failed.
ftp> 


The user is never asked for a password, since it has already been established that this account cannot use the FTP server. vsftpd does this on purpose: with plain FTP the password would otherwise be sent in clear text for nothing. The flip side is that the server's reply differs for listed and unlisted names (331 versus 530), so anyone who can reach the port can tell which usernames are on the list without knowing a single password. Treat the list itself as non-secret, and pair this control with firewalling or FTPS where that matters.


7
Finally we add perdorues3 to the usr_list file, restart vsftpd and try to log in to the vsftpd server again with the username perdorues3:

[root@localhost student]# cat >> /etc/vsftpd/usr_list 
perdorues3
^Z
[2]+  Stopped                 cat >> /etc/vsftpd/usr_list
[root@localhost student]# cat  /etc/vsftpd/usr_list 
perdorues1
perdorues2
perdorues3
[root@localhost student]# 


Suggestion
Although many text editors could be used to add a line to /etc/vsftpd/usr_list, this example uses the cat command with its output redirected by >>. Redirecting output this way appends the text to the end of the existing file without overwriting its current contents.
This can be a good practice when scripts are used to automate user access to the vsftpd server. A script should first check whether the name is already present, otherwise every run appends a duplicate line, and it should write plain LF-terminated lines: a name followed by a stray carriage return or a space is not the same line as the username and will never match.
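The procedure from steps 3 to 5, as an added shell script that is not part of the original guide and is written so it can be re-run safely. It assumes the paths used in this guide (overridable through the VSFTPD_CONF, USR_LIST and PASSWD_FILE variables, which are this example's own), replaces an option that is already present instead of appending a second copy, appends a username only if it is not already listed, and refuses to finish when a listed name has no account, the list contains blank or CRLF-terminated lines, or a userlist_* value carries trailing whitespace. The restart is left to the administrator, as in the guide.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: the scripted, re-runnable
# form of steps 3 to 5. The paths default to the ones used in the guide and
# may be overridden through the environment for a dry run against copies.
# Function and variable names are this example's own.
set -eu
: "${VSFTPD_CONF:=/etc/vsftpd/vsftpd.conf}"
: "${USR_LIST:=/etc/vsftpd/usr_list}"
: "${PASSWD_FILE:=/etc/passwd}"

# Set key=value in vsftpd.conf, replacing an existing line rather than
# appending a duplicate (vsftpd takes the last occurrence, which is easy to
# misread when editing by hand).
conf_set() {  # conf_set <key> <value>
    if grep -qE "^${1}=" "$VSFTPD_CONF"; then
        sed -i "s|^${1}=.*|${1}=${2}|" "$VSFTPD_CONF"
    else
        printf '%s=%s\n' "$1" "$2" >> "$VSFTPD_CONF"
    fi
}

# Append a username only if it is not already present (exact line match),
# so repeated runs do not grow the file.
list_add() {  # list_add <user>
    grep -qx -- "$1" "$USR_LIST" 2>/dev/null || printf '%s\n' "$1" >> "$USR_LIST"
}

# Remove a username from the allow-list.
list_del() {  # list_del <user>
    [ -f "$USR_LIST" ] && sed -i "/^${1}\$/d" "$USR_LIST"
}

# Sanity checks before restarting; prints each problem and returns non-zero:
#  - every listed name must exist as an account, or the entry is dead weight
#  - no blank lines and no carriage returns (a Windows-edited list matches nothing)
#  - the three options must be present with exact values and no trailing
#    whitespace, which vsftpd rejects as "bad bool value"
check_setup() {
    local rc=0 u cr
    cr=$(printf '\r')
    while IFS= read -r u || [ -n "$u" ]; do
        case $u in
            '')      echo "blank line in $USR_LIST"; rc=1 ;;
            *"$cr"*) echo "CRLF line ending in $USR_LIST: $u"; rc=1 ;;
            *)       grep -q "^${u}:" "$PASSWD_FILE" || { echo "no such account: $u"; rc=1; } ;;
        esac
    done < "$USR_LIST"
    grep -qx 'userlist_enable=YES' "$VSFTPD_CONF" || { echo 'userlist_enable=YES missing'; rc=1; }
    grep -qx 'userlist_deny=NO' "$VSFTPD_CONF" || { echo 'userlist_deny=NO missing (default YES makes the list a block-list)'; rc=1; }
    grep -qx "userlist_file=$USR_LIST" "$VSFTPD_CONF" || { echo "userlist_file does not point at $USR_LIST"; rc=1; }
    grep -nE '^userlist_[a-z]+=.*[[:space:]]$' "$VSFTPD_CONF" && { echo 'trailing whitespace after a userlist_* value'; rc=1; }
    return $rc
}

# The whole procedure: restrict FTP logins to the users given as arguments.
restrict_to() {  # restrict_to <user>...
    local u
    for u in "$@"; do list_add "$u"; done
    conf_set userlist_enable YES
    conf_set userlist_deny NO
    conf_set userlist_file "$USR_LIST"
    check_setup
}

# On the real server (as root), followed by the restart from the guide:
#   restrict_to perdorues1 perdorues2 && service vsftpd restart
```

Because check_setup is the last command of restrict_to, a shell script that chains it with && before service vsftpd restart never restarts the daemon on a configuration that would fail to load or silently admit nobody.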


Restart the service:

[root@localhost student]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@localhost student]# 

Verify that we can now also connect to the vsftpd server as perdorues3:

[root@localhost student]# ftp 127.0.0.1 
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:student): perdorues3
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,41,143).
150 Here comes the directory listing.
drwxr-xr-x    2 519      519          4096 Nov 27 17:04 database
drwxr-xr-x    2 519      519          4096 Nov 27 15:53 mail
drwxr-xr-x    2 519      519          4096 Dec 03 14:35 public_html
drwxr-xr-x    2 519      519          4096 Nov 27 15:52 web
226 Directory send OK.
ftp>