Allowing only a predefined list of users to access the FTP server

Guide

This guide works through a step-by-step example of restricting access to the vsftp server to a predefined list of users.

By default, all system users except those listed in the ftp_user file have access to the ftp server.

Users are placed in their home directory at the moment they connect to the server.

Exposing the system users' home directories over ftp is not always wanted.

To control which users may connect to their directories over ftp we can use the configuration parameters in the file /etc/vsftpd/vsftpd.conf:

userlist_enable (YES/NO)
    YES: filter users according to userlist_deny and userlist_file
    NO : do not filter users according to userlist_deny and userlist_file

userlist_deny (YES/NO)
    YES: the users listed in userlist_file will not be allowed to access the ftp server
    NO : only the users listed in userlist_file will be allowed to access the server

userlist_file
    a file containing the users' usernames, one per line.
    This file has to be created.

Allowing only some users to connect to the ftp server

For this exercise:

1. We will first create three users with the names and passwords shown below

[root@localhost student]# useradd perdorues1
[root@localhost student]# useradd perdorues2
[root@localhost student]# useradd perdorues3
[root@localhost student]#

and set the corresponding password for each of the users

[root@localhost student]# passwd perdorues1
Changing password for user perdorues1.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost student]# passwd perdorues2
Changing password for user perdorues2.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost student]# passwd perdorues3
Changing password for user perdorues3.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost student]#

2. We will verify that each of the users can connect to the ftp server

User 1

[root@localhost student]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:student): perdorues1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,152,72).
150 Here comes the directory listing.
drwxr-xr-x 2 517 517 4096 Nov 27 17:04 database
drwxr-xr-x 2 517 517 4096 Nov 27 15:53 mail
drwxr-xr-x 2 517 517 4096 Dec 03 14:35 public_html
drwxr-xr-x 2 517 517 4096 Nov 27 15:52 web
226 Directory send OK.
ftp>

User 2

[root@localhost student]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:student): perdorues2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,60,227).
150 Here comes the directory listing.
drwxr-xr-x 2 518 518 4096 Nov 27 17:04 database
drwxr-xr-x 2 518 518 4096 Nov 27 15:53 mail
drwxr-xr-x 2 518 518 4096 Dec 03 14:35 public_html
drwxr-xr-x 2 518 518 4096 Nov 27 15:52 web
226 Directory send OK.
ftp>

User 3

[root@localhost student]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:student): perdorues3
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,124,202).
150 Here comes the directory listing.
drwxr-xr-x 2 519 519 4096 Nov 27 17:04 database
drwxr-xr-x 2 519 519 4096 Nov 27 15:53 mail
drwxr-xr-x 2 519 519 4096 Dec 03 14:35 public_html
drwxr-xr-x 2 519 519 4096 Nov 27 15:52 web
226 Directory send OK.
ftp>

3. Create a file named usr_list in the /etc/vsftpd directory

[root@localhost student]# cat > /etc/vsftpd/usr_list
perdorues1
perdorues2
^Z
[1]+ Stopped cat > /etc/vsftpd/usr_list
[root@localhost student]#

Verify the contents of the file

[root@localhost student]# cat /etc/vsftpd/usr_list
perdorues1
perdorues2
[root@localhost student]#

As shown, the file contains only the users named perdorues1 and perdorues2, each on its own line, with no punctuation such as commas, semicolons, etc.

4. In the file /etc/vsftpd/vsftpd.conf, enable the userlist_enable option as below:

userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/usr_list

5. Restart the vsftpd service

[root@localhost student]# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
[root@localhost student]#

At this point the only users allowed to log in to the ftp server are perdorues1 and perdorues2.

6. Verify that perdorues1 and perdorues2 can log in to the server and that no other user (for example perdorues3) can log in to the ftp server.

User 1

[root@localhost student]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:student): perdorues1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,202,203).
150 Here comes the directory listing.
drwxr-xr-x 2 517 517 4096 Nov 27 17:04 database
drwxr-xr-x 2 517 517 4096 Nov 27 15:53 mail
drwxr-xr-x 2 517 517 4096 Dec 03 14:35 public_html
drwxr-xr-x 2 517 517 4096 Nov 27 15:52 web
226 Directory send OK.
ftp>

User 2

[root@localhost student]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:student): perdorues2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,40,229).
150 Here comes the directory listing.
drwxr-xr-x 2 518 518 4096 Nov 27 17:04 database
drwxr-xr-x 2 518 518 4096 Nov 27 15:53 mail
drwxr-xr-x 2 518 518 4096 Dec 03 14:35 public_html
drwxr-xr-x 2 518 518 4096 Nov 27 15:52 web
226 Directory send OK.
ftp>

User 3

[root@localhost student]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:student): perdorues3
530 Permission denied.
Login failed.
ftp>

As shown, perdorues3 is not allowed to log in to the ftp server. Moreover, during authentication, as soon as the user enters the username, the server first checks whether that name is in the list of users in the file /etc/vsftpd/usr_list or not.

Since perdorues3 is not in this file, the user is notified immediately that they cannot have access to the server and the authentication session is closed.

530 Permission denied.
Login failed.
ftp>

This process does not ask the user for a password, since it has already been established that this user cannot log in to the ftp server. This is considered a security measure in vsftp.

7. Finally, we will add user 3 to the usr_list file, restart vsftpd and try once more to log in to the vsftp server with the username perdorues3

[root@localhost student]# cat >> /etc/vsftpd/usr_list
perdorues3
^Z
[2]+ Stopped cat >> /etc/vsftpd/usr_list
[root@localhost student]# cat /etc/vsftpd/usr_list
perdorues1
perdorues2
perdorues3
[root@localhost student]#

Tip

Although many text editors could be used to add a line to the file /etc/vsftpd/usr_list, this example uses the cat command with its output redirected through >>. Redirecting output this way appends the text to the end of the existing file without overwriting its existing contents.

This can be good practice when scripts are used to automate user access to the vsftp server.
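As an added example (not code from the original guide), the POSIX shell functions below maintain an allowlist in the one-username-per-line format of /etc/vsftpd/usr_list from a script, appending a name only when it is not already present, and check that vsftpd.conf carries the three settings from step 4 before the service is restarted. The function names, the username pattern and the temporary-file demo are my own; the only vsftpd facts assumed are the option names and file format shown above. Note that the transcript ends cat with ^Z, which suspends the process (hence the "[1]+ Stopped" job line) rather than closing its input; writing with printf and >> avoids interactive input altogether.

```shell
#!/bin/sh
# Added example (not from the original guide): helper functions for keeping a
# vsftpd allowlist (userlist_file) from a script, plus a check that vsftpd.conf
# carries the three settings the guide uses. File paths are passed as
# arguments so the functions can be exercised on copies before touching
# /etc/vsftpd.

# add_ftp_user LISTFILE USERNAME
# Appends USERNAME to LISTFILE on its own line, exactly as vsftpd expects,
# but only if it is not already present (re-running a script never produces
# duplicate lines). Returns 1 for an empty or oddly formed name.
add_ftp_user() {
    listfile=$1
    user=$2
    # Conservative username pattern (assumption: letters, digits, . _ -);
    # a name containing spaces, commas or semicolons would never match a login.
    case $user in
        ''|*[!A-Za-z0-9._-]*)
            echo "add_ftp_user: rejected username '$user'" >&2
            return 1 ;;
    esac
    touch "$listfile"
    # -x: whole-line match; -F: fixed string, so '.' in a name is literal
    if grep -qxF -- "$user" "$listfile"; then
        return 0   # already on the list, nothing to do
    fi
    printf '%s\n' "$user" >> "$listfile"
}

# is_allowed LISTFILE USERNAME
# Mirrors what vsftpd decides with userlist_enable=YES and userlist_deny=NO:
# success only when USERNAME is a whole line of LISTFILE.
is_allowed() {
    grep -qxF -- "$2" "$1"
}

# check_userlist_conf CONF LISTFILE
# Succeeds only if CONF contains the three lines from the guide, uncommented.
# userlist_deny=YES would silently turn the same file into a denylist, so it
# is checked explicitly.
check_userlist_conf() {
    conf=$1
    listfile=$2
    grep -qx 'userlist_enable=YES' "$conf" \
        || { echo "check_userlist_conf: userlist_enable=YES missing" >&2; return 1; }
    grep -qx 'userlist_deny=NO' "$conf" \
        || { echo "check_userlist_conf: userlist_deny=NO missing (file would be a denylist)" >&2; return 1; }
    grep -qxF -- "userlist_file=$listfile" "$conf" \
        || { echo "check_userlist_conf: userlist_file does not point at $listfile" >&2; return 1; }
}

# Stand-alone demonstration on temporary copies; run as: sh this_script.sh --demo
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf 'userlist_enable=YES\nuserlist_deny=NO\nuserlist_file=%s\n' "$tmp/usr_list" > "$tmp/vsftpd.conf"
    add_ftp_user "$tmp/usr_list" perdorues1
    add_ftp_user "$tmp/usr_list" perdorues2
    add_ftp_user "$tmp/usr_list" perdorues2      # duplicate, ignored
    check_userlist_conf "$tmp/vsftpd.conf" "$tmp/usr_list" && echo "config OK"
    for u in perdorues1 perdorues2 perdorues3; do
        if is_allowed "$tmp/usr_list" "$u"; then echo "$u: allowed"; else echo "$u: denied"; fi
    done
    rm -r "$tmp"
fi
```

Run the demo on temporary copies first; once the functions point at the real files, a script can call add_ftp_user /etc/vsftpd/usr_list <name> and then restart the service, as in step 7. A name rejected by add_ftp_user is also one vsftpd would never match, since it compares the login name against whole lines of the file.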

Restart the service

[root@localhost student]# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
[root@localhost student]#

Verify that we can now connect to the vsftp server with the user perdorues3 as well

[root@localhost student]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:student): perdorues3
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (127,0,0,1,41,143).
150 Here comes the directory listing.
drwxr-xr-x 2 519 519 4096 Nov 27 17:04 database
drwxr-xr-x 2 519 519 4096 Nov 27 15:53 mail
drwxr-xr-x 2 519 519 4096 Dec 03 14:35 public_html
drwxr-xr-x 2 519 519 4096 Nov 27 15:52 web
226 Directory send OK.
ftp>