[Translate] RHCSA Series--Part op--Installing,Configuring and Securing a Web and FTP Server.md
This commit is contained in: parent 3c5f0491a9, commit a8737174ca
@ -1,178 +0,0 @@
|
||||
FSSlc Translating
|
||||
|
||||
RHCSA Series: Installing, Configuring and Securing a Web and FTP Server – Part 9
|
||||
================================================================================
|
||||
A web server (also known as a HTTP server) is a service that handles content (most commonly web pages, but other types of documents as well) over to a client in a network.
|
||||
|
||||
A FTP server is one of the oldest and most commonly used resources (even to this day) to make files available to clients on a network in cases where no authentication is necessary since FTP uses username and password without encryption.
|
||||
|
||||
The web server available in RHEL 7 is version 2.4 of the Apache HTTP Server. As for the FTP server, we will use the Very Secure Ftp Daemon (aka vsftpd) to establish connections secured by TLS.
|
||||
|
||||
![Configuring and Securing Apache and FTP Server](http://www.tecmint.com/wp-content/uploads/2015/05/Install-Configure-Secure-Apache-FTP-Server.png)
|
||||
|
||||
RHCSA: Installing, Configuring and Securing Apache and FTP – Part 9
|
||||
|
||||
In this article we will explain how to install, configure, and secure a web server and a FTP server in RHEL 7.
|
||||
|
||||
### Installing Apache and FTP Server ###
|
||||
|
||||
In this guide we will use a RHEL 7 server with a static IP address of 192.168.0.18/24. To install Apache and VSFTPD, run the following command:
|
||||
|
||||
# yum update && yum install httpd vsftpd
|
||||
|
||||
When the installation completes, both services will be disabled initially, so we need to start them manually for the time being and enable them to start automatically beginning with the next boot:
|
||||
|
||||
# systemctl start httpd
|
||||
# systemctl enable httpd
|
||||
# systemctl start vsftpd
|
||||
# systemctl enable vsftpd
|
||||
|
||||
In addition, we have to open ports 80 and 21, where the web and ftp daemons are listening, respectively, in order to allow access to those services from the outside:
|
||||
|
||||
# firewall-cmd --zone=public --add-port=80/tcp --permanent
|
||||
# firewall-cmd --zone=public --add-service=ftp --permanent
|
||||
# firewall-cmd --reload
|
||||
|
||||
To confirm that the web server is working properly, fire up your browser and enter the IP of the server. You should see the test page:
|
||||
|
||||
![Confirm Apache Web Server](http://www.tecmint.com/wp-content/uploads/2015/05/Confirm-Apache-Web-Server.png)
|
||||
|
||||
Confirm Apache Web Server
|
||||
|
||||
As for the ftp server, we will have to configure it further, which we will do in a minute, before confirming that it’s working as expected.
|
||||
|
||||
### Configuring and Securing Apache Web Server ###
|
||||
|
||||
The main configuration file for Apache is located in `/etc/httpd/conf/httpd.conf`, but it may rely on other files present inside `/etc/httpd/conf.d`.
|
||||
|
||||
Although the default configuration should be sufficient for most cases, it’s a good idea to become familiar with all the available options as described in the [official documentation][1].
|
||||
|
||||
As always, make a backup copy of the main configuration file before editing it:
|
||||
|
||||
# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.$(date +%Y%m%d)
|
||||
|
||||
Then open it with your preferred text editor and look for the following variables:
|
||||
|
||||
- ServerRoot: the directory where the server’s configuration, error, and log files are kept.
|
||||
- Listen: instructs Apache to listen on specific IP address and / or ports.
|
||||
- Include: allows the inclusion of other configuration files, which must exist. Otherwise, the server will fail, as opposed to the IncludeOptional directive, which is silently ignored if the specified configuration files do not exist.
|
||||
- User and Group: the name of the user/group to run the httpd service as.
|
||||
- DocumentRoot: The directory out of which Apache will serve your documents. By default, all requests are taken from this directory, but symbolic links and aliases may be used to point to other locations.
|
||||
- ServerName: this directive sets the hostname (or IP address) and port that the server uses to identify itself.
|
||||
|
||||
The first security measure will consist of creating a dedicated user and group (i.e. tecmint/tecmint) to run the web server as and changing the default port to a higher one (9000 in this case):
|
||||
|
||||
ServerRoot "/etc/httpd"
|
||||
Listen 192.168.0.18:9000
|
||||
User tecmint
|
||||
Group tecmint
|
||||
DocumentRoot "/var/www/html"
|
||||
ServerName 192.168.0.18:9000
|
||||
|
||||
You can test the configuration file with.
|
||||
|
||||
# apachectl configtest
|
||||
|
||||
and if everything is OK, then restart the web server.
|
||||
|
||||
# systemctl restart httpd
|
||||
|
||||
and don’t forget to enable the new port (and disable the old one) in the firewall:
|
||||
|
||||
# firewall-cmd --zone=public --remove-port=80/tcp --permanent
|
||||
# firewall-cmd --zone=public --add-port=9000/tcp --permanent
|
||||
# firewall-cmd --reload
|
||||
|
||||
Note that, due to SELinux policies, you can only use the ports returned by
|
||||
|
||||
# semanage port -l | grep -w '^http_port_t'
|
||||
|
||||
for the web server.
|
||||
|
||||
If you want to use another port (i.e. TCP port 8100), you will have to add it to SELinux port context for the httpd service:
|
||||
|
||||
# semanage port -a -t http_port_t -p tcp 8100
|
||||
|
||||
![Add Apache Port to SELinux Policies](http://www.tecmint.com/wp-content/uploads/2015/05/Add-Apache-Port-to-SELinux-Policies.png)
|
||||
|
||||
Add Apache Port to SELinux Policies
|
||||
|
||||
To further secure your Apache installation, follow these steps:
|
||||
|
||||
1. The user Apache is running as should not have access to a shell:
|
||||
|
||||
# usermod -s /sbin/nologin tecmint
|
||||
|
||||
2. Disable directory listing in order to prevent the browser from displaying the contents of a directory if there is no index.html present in that directory.
|
||||
|
||||
Edit `/etc/httpd/conf/httpd.conf` (and the configuration files for virtual hosts, if any) and make sure that the Options directive, both at the top and at Directory block levels, is set to None:
|
||||
|
||||
Options None
|
||||
|
||||
3. Hide information about the web server and the operating system in HTTP responses. Edit /etc/httpd/conf/httpd.conf as follows:
|
||||
|
||||
ServerTokens Prod
|
||||
ServerSignature Off
|
||||
|
||||
Now you are ready to start serving content from your /var/www/html directory.
|
||||
|
||||
### Configuring and Securing FTP Server ###
|
||||
|
||||
As in the case of Apache, the main configuration file for Vsftpd `(/etc/vsftpd/vsftpd.conf)` is well commented and while the default configuration should suffice for most applications, you should become acquainted with the documentation and the man page `(man vsftpd.conf)` in order to operate the ftp server more efficiently (I can’t emphasize that enough!).
|
||||
|
||||
In our case, these are the directives used:
|
||||
|
||||
anonymous_enable=NO
|
||||
local_enable=YES
|
||||
write_enable=YES
|
||||
local_umask=022
|
||||
dirmessage_enable=YES
|
||||
xferlog_enable=YES
|
||||
connect_from_port_20=YES
|
||||
xferlog_std_format=YES
|
||||
chroot_local_user=YES
|
||||
allow_writeable_chroot=YES
|
||||
listen=NO
|
||||
listen_ipv6=YES
|
||||
pam_service_name=vsftpd
|
||||
userlist_enable=YES
|
||||
tcp_wrappers=YES
|
||||
|
||||
By using `chroot_local_user=YES`, local users will be (by default) placed in a chroot’ed jail in their home directory right after login. This means that local users will not be able to access any files outside their corresponding home directories.
|
||||
|
||||
Finally, to allow ftp to read files in the user’s home directory, set the following SELinux boolean:
|
||||
|
||||
# setsebool -P ftp_home_dir on
|
||||
|
||||
You can now connect to the ftp server using a client such as Filezilla:
|
||||
|
||||
![Check FTP Connection](http://www.tecmint.com/wp-content/uploads/2015/05/Check-FTP-Connection.png)
|
||||
|
||||
Check FTP Connection
|
||||
|
||||
Note that the `/var/log/xferlo`g log records downloads and uploads, which concur with the above directory listing:
|
||||
|
||||
![Monitor FTP Download and Upload](http://www.tecmint.com/wp-content/uploads/2015/05/Monitor-FTP-Download-Upload.png)
|
||||
|
||||
Monitor FTP Download and Upload
|
||||
|
||||
Read Also: [Limit FTP Network Bandwidth Used by Applications in a Linux System with Trickle][2]
|
||||
|
||||
### Summary ###
|
||||
|
||||
In this tutorial we have explained how to set up a web and a ftp server. Due to the vastness of the subject, it is not possible to cover all the aspects of these topics (i.e. virtual web hosts). Thus, I recommend you also check other excellent articles in this website about [Apache][3].
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://www.tecmint.com/rhcsa-series-install-and-secure-apache-web-server-and-ftp-in-rhel/
|
||||
|
||||
作者:[Gabriel Cánepa][a]
|
||||
译者:[译者ID](https://github.com/译者ID)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:http://www.tecmint.com/author/gacanepa/
|
||||
[1]:http://httpd.apache.org/docs/2.4/
|
||||
[2]:http://www.tecmint.com/manage-and-limit-downloadupload-bandwidth-with-trickle-in-linux/
|
||||
[3]:http://www.google.com/cse?cx=partner-pub-2601749019656699:2173448976&ie=UTF-8&q=virtual+hosts&sa=Search&gws_rd=cr&ei=Dy9EVbb0IdHisASnroG4Bw#gsc.tab=0&gsc.q=apache
|
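Review bot: the removal is consistent with the LCTT workflow (the `FSSlc Translating` claim marker goes away together with the English source once the finished translation replaces it), so nothing in the deletion itself needs changing. Two things in the removed original are worth recording so the translation does not inherit them: the log path on the `Note that the ... log records downloads and uploads` line is written as `/var/log/xferlo`g` with a misplaced backtick and should read `/var/log/xferlog`; and the introduction says vsftpd will be used "to establish connections secured by TLS", yet the vsftpd directive list that follows (`anonymous_enable=NO` through `tcp_wrappers=YES`) contains no TLS-related setting, so the article as written leaves FTP credentials in clear text despite that promise. The `chroot_local_user=YES` / `allow_writeable_chroot=YES` pair likewise deserves a sentence in any follow-up: the second directive relaxes vsftpd's check that the chroot root is not writable, which is the trade-off being made to keep `write_enable=YES` working.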
@ -0,0 +1,175 @@
|
||||
RHCSA 系列: 安装,配置及加固一个 Web 和 FTP 服务器 – Part 9
|
||||
================================================================================
|
||||
Web 服务器(也被称为 HTTP 服务器)是在网络中将内容(最为常见的是网页,但也支持其他类型的文件)进行处理并传递给客户端的服务。
|
||||
|
||||
FTP 服务器是最为古老且最常使用的资源之一(即便到今天也是这样),在身份认证不是必须的情况下,它可使得在一个网络里文件对于客户端可用,因为 FTP 使用没有加密的用户名和密码。
|
||||
|
||||
在 RHEL 7 中可用的 web 服务器是版本号为 2.4 的 Apache HTTP 服务器。至于 FTP 服务器,我们将使用 Very Secure Ftp Daemon (又名 vsftpd) 来建立用 TLS 加固的连接。
|
||||
|
||||
![配置和加固 Apache 和 FTP 服务器](http://www.tecmint.com/wp-content/uploads/2015/05/Install-Configure-Secure-Apache-FTP-Server.png)
|
||||
|
||||
RHCSA: 安装,配置及加固 Apache 和 FTP 服务器 – Part 9
|
||||
|
||||
在这篇文章中,我们将解释如何在 RHEL 7 中安装,配置和加固 web 和 FTP 服务器。
|
||||
|
||||
### 安装 Apache 和 FTP 服务器 ###
|
||||
|
||||
在本指导中,我们将使用一个静态 IP 地址为 192.168.0.18/24 的 RHEL 7 服务器。为了安装 Apache 和 VSFTPD,运行下面的命令:
|
||||
|
||||
# yum update && yum install httpd vsftpd
|
||||
|
||||
当安装完成后,这两个服务在开始时是默认被禁用的,所以我们需要暂时手动开启它们并让它们在下一次启动时自动地开启它们:
|
||||
|
||||
# systemctl start httpd
|
||||
# systemctl enable httpd
|
||||
# systemctl start vsftpd
|
||||
# systemctl enable vsftpd
|
||||
|
||||
另外,我们必须打开 80 和 21 端口,它们分别是 web 和 ftp 守护进程监听的端口,为的是允许从外面访问这些服务:
|
||||
|
||||
# firewall-cmd --zone=public --add-port=80/tcp --permanent
|
||||
# firewall-cmd --zone=public --add-service=ftp --permanent
|
||||
# firewall-cmd --reload
|
||||
|
||||
为了确认 web 服务工作正常,打开你的浏览器并输入服务器的 IP,则你应该可以看到如下的测试页面:
|
||||
|
||||
![确认 Apache Web 服务器](http://www.tecmint.com/wp-content/uploads/2015/05/Confirm-Apache-Web-Server.png)
|
||||
|
||||
确认 Apache Web 服务器
|
||||
|
||||
对于 ftp 服务器,在确保它如期望中的那样工作之前,我们必须进一步地配置它,我们将在几分钟后来做这件事。
|
||||
|
||||
### 配置并加固 Apache Web 服务器 ###
|
||||
|
||||
Apache 的主要配置文件位于 `/etc/httpd/conf/httpd.conf` 中,但它可能依赖 `/etc/httpd/conf.d` 中的其他文件。
|
||||
|
||||
尽管默认的配置对于大多数的情形是充分的,熟悉描述在 [官方文档][1] 中的所有可用选项是一个不错的主意。
|
||||
|
||||
同往常一样,在编辑主配置文件前先做一个备份:
|
||||
|
||||
# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.$(date +%Y%m%d)
|
||||
|
||||
然后用你钟爱的文本编辑器打开它,并查找下面这些变量:
|
||||
|
||||
- ServerRoot: 服务器的配置,错误和日志文件保存的目录。
|
||||
- Listen: 通知 Apache 去监听特定的 IP 地址或端口。
|
||||
- Include: 允许包含其他配置文件,这个必须存在,否则,服务器将会崩溃。它恰好与 IncludeOptional 相反,假如特定的配置文件不存在,它将静默地忽略掉它们。
|
||||
- User 和 Group: 运行 httpd 服务的用户/组的名称。
|
||||
- DocumentRoot: Apache 为你的文档服务的目录。默认情况下,所有的请求将在这个目录中被获取,但符号链接和别名可能会被用于指向其他位置。
|
||||
- ServerName: 这个指令将设定用于识别它自身的主机名(或 IP 地址)和端口。
|
||||
|
||||
安全措施的第一步将包含创建一个特定的用户和组(如 tecmint/tecmint)来运行 web 服务器以及更改默认的端口为一个更高的端口(在这个例子中为 9000):
|
||||
|
||||
ServerRoot "/etc/httpd"
|
||||
Listen 192.168.0.18:9000
|
||||
User tecmint
|
||||
Group tecmint
|
||||
DocumentRoot "/var/www/html"
|
||||
ServerName 192.168.0.18:9000
|
||||
|
||||
你可以使用下面的命令来测试配置文件:
|
||||
|
||||
# apachectl configtest
|
||||
|
||||
假如一切 OK,接着重启 web 服务器。
|
||||
|
||||
# systemctl restart httpd
|
||||
|
||||
并别忘了在防火墙中开启新的端口(和禁用旧的端口):
|
||||
|
||||
|
||||
# firewall-cmd --zone=public --remove-port=80/tcp --permanent
|
||||
# firewall-cmd --zone=public --add-port=9000/tcp --permanent
|
||||
# firewall-cmd --reload
|
||||
|
||||
请注意,由于 SELinux 的策略,你只可使用如下命令所返回的端口来分配给 web 服务器。
|
||||
|
||||
# semanage port -l | grep -w '^http_port_t'
|
||||
|
||||
假如你想使用另一个端口(如 TCP 端口 8100)来给 httpd 服务,你必须将它加到 SELinux 的端口上下文:
|
||||
|
||||
# semanage port -a -t http_port_t -p tcp 8100
|
||||
|
||||
![添加 Apache 端口到 SELinux 策略](http://www.tecmint.com/wp-content/uploads/2015/05/Add-Apache-Port-to-SELinux-Policies.png)
|
||||
|
||||
添加 Apache 端口到 SELinux 策略
|
||||
|
||||
为了进一步加固你安装的 Apache,请遵循以下步骤:
|
||||
|
||||
1. 运行 Apache 的用户不应该拥有访问 shell 的能力:
|
||||
|
||||
# usermod -s /sbin/nologin tecmint
|
||||
|
||||
2. 禁用目录列表功能,为的是阻止浏览器展示一个未包含 index.html 文件的目录里的内容。
|
||||
|
||||
编辑 `/etc/httpd/conf/httpd.conf` (和虚拟主机的配置文件,假如有的话),并确保 Options 指令在顶级和目录块级别中(注:感觉这里我的翻译不对)都被设置为 None:
|
||||
|
||||
Options None
|
||||
|
||||
3. 在 HTTP 回应中隐藏有关 web 服务器和操作系统的信息。像下面这样编辑文件 `/etc/httpd/conf/httpd.conf`:
|
||||
|
||||
ServerTokens Prod
|
||||
ServerSignature Off
|
||||
|
||||
现在,你已经做好了从 `/var/www/html` 目录开始服务内容的准备了。
|
||||
|
||||
### 配置并加固 FTP 服务器 ###
|
||||
|
||||
和 Apache 的情形类似, Vsftpd 的主配置文件 `(/etc/vsftpd/vsftpd.conf)` 带有详细的注释,且虽然对于大多数的应用实例,默认的配置应该足够了,但为了更有效率地操作 ftp 服务器,你应该开始熟悉相关的文档和 man 页 `(man vsftpd.conf)`(对于这点,再多的强调也不为过!)。
|
||||
|
||||
在我们的示例中,使用了这些指令:
|
||||
|
||||
anonymous_enable=NO
|
||||
local_enable=YES
|
||||
write_enable=YES
|
||||
local_umask=022
|
||||
dirmessage_enable=YES
|
||||
xferlog_enable=YES
|
||||
connect_from_port_20=YES
|
||||
xferlog_std_format=YES
|
||||
chroot_local_user=YES
|
||||
allow_writeable_chroot=YES
|
||||
listen=NO
|
||||
listen_ipv6=YES
|
||||
pam_service_name=vsftpd
|
||||
userlist_enable=YES
|
||||
tcp_wrappers=YES
|
||||
|
||||
通过使用 `chroot_local_user=YES`,(默认情况下)本地用户在登陆之后,将马上被置于一个位于用户家目录的 chroot 环境中(注:这里的翻译也不准确)。这意味着本地用户将不能访问除其家目录之外的任何文件。
|
||||
|
||||
最后,为了让 ftp 能够在用户的家目录中读取文件,设置如下的 SELinux 布尔值:
|
||||
|
||||
# setsebool -P ftp_home_dir on
|
||||
|
||||
现在,你可以使用一个客户端例如 Filezilla 来连接一个 ftp 服务器:
|
||||
|
||||
![查看 FTP 连接](http://www.tecmint.com/wp-content/uploads/2015/05/Check-FTP-Connection.png)
|
||||
|
||||
查看 FTP 连接
|
||||
|
||||
注意, `/var/log/xferlog` 日志将会记录下载和上传的情况,这与上图的目录列表一致:
|
||||
|
||||
![监视 FTP 的下载和上传情况](http://www.tecmint.com/wp-content/uploads/2015/05/Monitor-FTP-Download-Upload.png)
|
||||
|
||||
监视 FTP 的下载和上传情况
|
||||
|
||||
另外请参考: [在 Linux 系统中使用 Trickle 来限制应用使用的 FTP 网络带宽][2]
|
||||
|
||||
### 总结 ###
|
||||
|
||||
在本教程中,我们解释了如何设置 web 和 ftp 服务器。由于这个主题的广泛性,涵盖这些话题的所有方面是不可能的(如虚拟网络主机)。因此,我推荐你也阅读这个网站中有关 [Apache][3] 的其他卓越的文章。
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://www.tecmint.com/rhcsa-series-install-and-secure-apache-web-server-and-ftp-in-rhel/
|
||||
|
||||
作者:[Gabriel Cánepa][a]
|
||||
译者:[FSSlc](https://github.com/FSSlc)
|
||||
校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出
|
||||
|
||||
[a]:http://www.tecmint.com/author/gacanepa/
|
||||
[1]:http://httpd.apache.org/docs/2.4/
|
||||
[2]:http://www.tecmint.com/manage-and-limit-downloadupload-bandwidth-with-trickle-in-linux/
|
||||
[3]:http://www.google.com/cse?cx=partner-pub-2601749019656699:2173448976&ie=UTF-8&q=virtual+hosts&sa=Search&gws_rd=cr&ei=Dy9EVbb0IdHisASnroG4Bw#gsc.tab=0&gsc.q=apache
|
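Review bot: two translator doubt markers are still embedded in the translated body and must be resolved before this goes to proofreading: `(注:感觉这里我的翻译不对)` on the `编辑 \`/etc/httpd/conf/httpd.conf\` ...` line, and `(注:这里的翻译也不准确)` on the `通过使用 \`chroot_local_user=YES\` ...` line. Both renderings are in fact faithful to the original (the `Options` directive at the top level and inside `<Directory>` blocks; local users jailed in their home directory by chroot right after login), so the markers can simply be removed. One wording point elsewhere: in the `Include` bullet, `否则,服务器将会崩溃` overstates the original's "the server will fail", which refers to httpd refusing to start on a missing file; suggest `否则服务器将无法启动`. The `译者` line now credits FSSlc while `校对者ID` stays a placeholder, which is expected at this stage.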