CentOS5.2에 Proftpd 설치하고 xinetd 방식으로 사용하기

0)proftpd 컴파일과 설치를 위해서 다음 패키지를 설치한다
# yum install gcc gcc-c++

1)소스 파일 다운로드
# wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.2rc1.tar.gz
참고: 평문 FTP로 받은 tarball은 전송 중에 바꿔치기될 수 있으므로, 빌드하기 전에 배포 사이트가 제공하는 체크섬/서명 파일로 파일 무결성을 확인한다. 또한 1.3.2rc1은 릴리스 후보(rc) 버전이므로 운영 서버에는 정식 안정 버전을 쓰는 것이 좋다.
2)압축 풀고 생성된 디렉토리로 이동
# tar zxvf proftpd-1.3.2rc1.tar.gz
# cd proftpd-1.3.2rc1
(원문의 cd proftpd-1.3.2rc1.tar.gz 는 압축 파일명이라 잘못되었다. 이동할 곳은 압축을 풀어 생긴 디렉토리다.)
3) 설정 컴파일 설치
# ./configure --with-modules=mod_wrap
(tcp_wrappers 연동 모듈의 이름은 mod_wrap 이다. 원문의 wrap-modules 는 올바른 모듈명이 아니다. mod_wrap 을 포함하려면 시스템에 tcp_wrappers 라이브러리와 헤더가 설치되어 있어야 한다.)
# make
# make install
4)ftp 디렉토리 추가하고 테스트 파일 생성
# mkdir /home/ftp
# touch /home/ftp/test.txt
5)proftpd 설정 파일에서 다음을 수정하자 (/usr/local/etc/proftpd.conf)
# UseIPv6    off 주석 처리
<Anonymous /home/ftp>
참고 : 샘플 설정의 ~ftp 는 ftp 계정의 홈 디렉토리를 뜻한다(CentOS 에서는 보통 /var/ftp). 익명 접속 디렉토리(/home/ftp)는 root 소유로 두고 ftp 계정이 쓰기할 수 없게 하며, <Anonymous> 블록 안의 <Limit WRITE> DenyAll 은 그대로 남겨 익명 업로드를 막는다.

6)방화벽 21/tcp port 개방
vim /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 21 -j ACCEPT
참고: 21/tcp 는 제어 연결만 통과시킨다. 패시브 모드 데이터 연결까지 허용하려면 ip_conntrack_ftp 모듈을 로드하고(/etc/sysconfig/iptables-config 의 IPTABLES_MODULES) RELATED,ESTABLISHED 상태를 허용하는 규칙이 함께 있어야 한다. 익명 FTP 를 외부에 공개할 의도가 아니라면 -s 로 허용 출발지 대역을 제한한다.
/etc/init.d/iptables restart

7)standalone 모드로 실행해 보자
/usr/local/sbin/proftpd
ftp localhost
Name (192.168.0.3:testman): anonymous
Password: # 여기서 그냥 엔터 누르면 됩니다

8)프로세스 죽이기
pkill proftpd
(먼저 TERM 시그널로 정상 종료시킨다. 종료되지 않을 때만 pkill -9 proftpd 를 쓴다.)

xinetd 방식으로 사용해보자
1)
/usr/local/etc/proftpd.conf에서
ServerType inetd로 수정 
2)
/etc/xinetd.d 디렉토리에 proftpd 파일 생성 다음 내용 추가
service ftp
{
    # Requires ServerType inetd in /usr/local/etc/proftpd.conf; in this
    # mode xinetd owns the listening socket and starts the server per client.
    flags = REUSE
    socket_type = stream
    wait    = no
    # xinetd launches the server as root; ProFTPD is expected to switch to
    # its configured User/Group for the session — verify in proftpd.conf.
    user = root
    # NOTE(review): confirm this path exists — the guide only shows
    # /usr/local/sbin/proftpd being run in standalone mode.
    server = /usr/local/sbin/in.proftpd
    log_on_failure += USERID
    # NOTE(review): nothing limits who may connect; if anonymous FTP is only
    # meant for the LAN, add an only_from = <subnet> line here.
    disable    = no
}
3)xinetd 재시작
/etc/init.d/xinetd restart
(원문의 /etc/init.d/xinetd.d 는 오타다. 아래 5) 단계와 같이 xinetd 서비스를 재시작한다.)
4) 익명으로 접속이 가능한지 확인해 보자
ftp 192.168.0.3
Name (192.168.0.3:testman): anonymous
Password:
230 Anonymous access granted, restrictions apply
ftp>
접속 성공
5)am9시부터 pm1시까지만 ftp를 사용 가능하게 하고 싶다면 다음과 같이 하면 된다
vim /etc/xinetd.d/proftpd
service ftp
{
    flags = REUSE
    socket_type = stream
    wait    = no
    # xinetd launches the server as root; ProFTPD is expected to switch to
    # its configured User/Group for the session — verify in proftpd.conf.
    user = root
    server = /usr/local/sbin/in.proftpd
    # Window (HH:MM-HH:MM) in which connections are accepted. Outside it
    # xinetd closes the connection, presumably before in.proftpd ever runs,
    # and the ftp client reports "421 Service not available".
    # NOTE(review): the window follows this host's clock/timezone — confirm
    # both are correct (NTP) before relying on it as an access control.
    access_times = 09:00-13:00
    log_on_failure += USERID
    disable    = no
}
xinetd 재시작
# /etc/init.d/xinetd restart

# ftp 192.168.0.3
Connected to 192.168.0.3.
421 Service not available, remote server has closed connection
지정한 시간 이외의 시간에 접속하면
위와 같은 메세지와 함께 접속이 불가하다

[root@smson ssl]# vi pw.sh
#!/bin/sh
# Hands the SSL private-key passphrase to Apache on stdout; referenced by
# "SSLPassPhraseDialog exec:..." in httpd.conf so the server can start
# without an operator typing the passphrase.
#
# SECURITY: the passphrase sits here in plaintext, so the encrypted key is
# protected exactly as well as this file's permissions are — it must be
# owned by root, readable by nobody else (chmod 500), and kept outside any
# directory the web server user or other accounts can read. With the key
# and this script side by side, this is equivalent to an unencrypted
# root-only key; treat it as such.
#
# NOTE(review): Apache presumably passes identifying arguments (server name
# and key type) to this program; they are deliberately ignored here — confirm
# against the mod_ssl docs for the Apache version in use.
printf '%s\n' 'password'
[root@smson ssl]# vi /usr/local/apache-ssl/conf/httpd.conf
<IfModule mod_ssl.c>
#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
#SSLPassPhraseDialog  builtin
SSLPassPhraseDialog  exec:/usr/local/apache-ssl/conf/ssl/pw.sh

/usr/local/apache/bin/apachectl startssl
(설정 파일은 /usr/local/apache-ssl/conf 아래에 있는데 실행 파일은 /usr/local/apache/bin 이다. 서로 다른 설치본이라면 pw.sh 를 지정한 httpd.conf 를 실제로 읽는 apachectl 을 쓰는지 확인한다.)

bridge-firewall

cat /etc/init.d/bridge 
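#! /bin/bash
#
# bridge       Bring up/down bridge
#
# chkconfig: 2345 9 91
# description: Activates/Deactivates all bridge interfaces configured to \
#              start at boot time.
# probe: true
### BEGIN INIT INFO
# Provides: $bridge
### END INIT INFO
#
# Enslaves eth0 and eth1 into one Linux bridge "br" (the members carry no
# address of their own) and gives the bridge the management address
# 10.50.0.1, which the "Firewall level" SSH/ntop rules in
# /etc/sysconfig/iptables are written against.
#
# NOTE(review): bridged frames only traverse the iptables FORWARD chain when
# net.bridge.bridge-nf-call-iptables=1 — confirm with sysctl, otherwise the
# bridge-firewall rule set never sees transit traffic.

readonly BRIDGE=br                  # bridge device name
readonly BRIDGE_IFS=(eth0 eth1)     # member interfaces, enslaved in this order
readonly BRIDGE_ADDR=10.50.0.1      # management address given to the bridge

# See how we were called.
case "$1" in
  start)
        brctl addbr "$BRIDGE"
        for dev in "${BRIDGE_IFS[@]}"; do
            brctl addif "$BRIDGE" "$dev"
            # A member must be up but addressless; the bridge owns the IP.
            /sbin/ifconfig "$dev" 0.0.0.0 up
        done
        /sbin/ifconfig "$BRIDGE" "$BRIDGE_ADDR" up
        ;;
  stop)
        # Detach members in reverse enslavement order, then remove the bridge.
        for (( i = ${#BRIDGE_IFS[@]} - 1; i >= 0; i-- )); do
            brctl delif "$BRIDGE" "${BRIDGE_IFS[i]}"
        done
        # brctl refuses to delete a bridge that is still up.
        /sbin/ifconfig "$BRIDGE" down
        brctl delbr "$BRIDGE"
        ;;
  status)
        brctl showmacs "$BRIDGE"
        ;;
  restart|reload)
        # No "cd $CWD" here: CWD was never set, so it ran a bare "cd" to
        # $HOME and broke "$0 stop" whenever the script was invoked by a
        # relative path.
        "$0" stop
        "$0" start
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|reload|status}"
        exit 1
esac

exit 0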

 

cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.9 on Thu Dec  9 10:08:33 2004
#
# Rule set for the bridge firewall (/etc/init.d/bridge). One custom chain,
# RH-Firewall-1-INPUT, filters both traffic addressed to the firewall itself
# (INPUT) and traffic bridged between eth0 and eth1 (FORWARD).
# 211.212.213.0/24 is the protected subnet, 211.212.213.214 a server in it,
# 10.50.0.1 the bridge's own management address.
#
# NOTE(review): the built-in policies below are ACCEPT and the custom chain
# has no terminating DROP, so anything the chain does not explicitly drop
# falls off its end and is accepted. Only two things are ever dropped (see
# the DROP section): TCP SYNs to 211.212.213.0/24 and ICMP echo requests.
# Everything else is allowed by default — every port on the firewall's own
# 10.50.0.1 is reachable (the dedicated SSH/ntop rules below restrict
# nothing), and non-SYN TCP probes (ACK/FIN/NULL/XMAS scans) to the subnet
# pass. To get default-deny, set the INPUT/FORWARD policies to DROP (or end
# the chain with -j REJECT) and add an explicit RELATED,ESTABLISHED accept.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [242:27601]
:OUTPUT ACCEPT [4445:1628609]
:RH-Firewall-1-INPUT - [0:0]

################################################################################
# Chain create
################################################################################
# Local delivery and the bridged/forwarded path share a single chain.
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT


################################################################################
# Public
################################################################################
# Drop malformed / untracked packets.
# NOTE(review): disabled, yet it is the only rule that would catch the
# non-SYN TCP probes the final DROP rule lets through — re-enable it.
#-A RH-Firewall-1-INPUT -m state --state INVALID -j DROP

# Allow everything from the loopback interface.
-A RH-Firewall-1-INPUT -i lo -j ACCEPT

# Allow all traffic sourced from the protected subnet, in either direction.
# NOTE(review): this matches on source address only, with no ingress
# interface. A packet arriving from the outside with a forged 211.212.213.x
# source is accepted here before any later rule is consulted. Tie the rule
# to the inside member interface (on a bridge: -m physdev --physdev-in
# <inside-if>) so spoofed sources from the outside are not trusted; which of
# eth0/eth1 faces inside is not shown in this file.
-A RH-Firewall-1-INPUT -s 211.212.213.0/255.255.255.0 -j ACCEPT

# Allow ping from the subnet. The 211.212.213.0/24 line is already covered
# by the blanket rule above; only the 10.50.0.0/24 line adds anything.
-A RH-Firewall-1-INPUT -s 211.212.213.0/255.255.255.0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.50.0.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allow all TCP going from inside to outside.
# NOTE(review): the --sport 20 rule accepts ANY TCP packet whose source
# port is 20, from anywhere, in any state (no -m state, no -s, no -d). A
# remote scanner that sets its source port to 20 bypasses the entire rule
# set with it. Active-mode FTP data connections should instead be handled
# by the ip_conntrack_ftp helper plus a RELATED,ESTABLISHED accept.
-A RH-Firewall-1-INPUT -p tcp -m tcp --sport 20 -j ACCEPT
# Replies on connections already tracked. The 1:65535 port ranges match
# every port and add nothing. RELATED is not accepted here, so helper-
# tracked data connections (FTP) still depend on the hole above.
-A RH-Firewall-1-INPUT -p tcp -m state --state ESTABLISHED -m tcp --sport 1:65535 --dport 1:65535 -j ACCEPT

# Allow all UDP going from the internal subnet to the outside.
# NOTE(review): the rule does not do what the comment says — there is no
# -s, no -i and no state match, and --sport 1:65535 matches every source
# port, so this accepts ALL UDP from anywhere (DNS, SNMP, NetBIOS, ...) to
# every host behind the bridge and to the firewall itself. Restrict it to
# -s 211.212.213.0/24 and/or -m state --state ESTABLISHED.
-A RH-Firewall-1-INPUT -p udp -m udp --sport 1:65535 -j ACCEPT


################################################################################
# Firewall level  (services on the bridge's own address, 10.50.0.1)
################################################################################
# SSH
# NOTE(review): open to any source; limit with -s <admin subnet>. (With the
# ACCEPT policies above these two rules are redundant rather than limiting.)
-A RH-Firewall-1-INPUT -d 10.50.0.1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT

# ntop web interface
-A RH-Firewall-1-INPUT -d 10.50.0.1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3000 -j ACCEPT


################################################################################
# Desktop level  (inbound to every host in the subnet, no state match)
################################################################################
# MSN
-A RH-Firewall-1-INPUT -p tcp -d 211.212.213.0/255.255.255.0 --dport 1863:1864 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -d 211.212.213.0/255.255.255.0 --dport 6901 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -d 211.212.213.0/255.255.255.0 --dport 7801:7825 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -d 211.212.213.0/255.255.255.0 --dport 6891:6900 -j ACCEPT

# edonkey
-A RH-Firewall-1-INPUT -p tcp -d 211.212.213.0/255.255.255.0 --dport 4662 -j ACCEPT


################################################################################
# Server level
################################################################################

# SMTP/WWW/POP3
# NOTE(review): no -d, so these ports are opened on every host behind the
# bridge and on the firewall itself, not only on 211.212.213.214. Plain
# POP3 (110) carries credentials in the clear.
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 110 -j ACCEPT

# DNS
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 53 -j ACCEPT

# SSH
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT

# Samba
# NOTE(review): exposes TCP/139 on a public address to any source. SMB
# should not be Internet-reachable; limit it with -s to the subnet.
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 139 -j ACCEPT

# Windows network drive (file sharing) — currently disabled
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 139 -j ACCEPT
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 445 -j ACCEPT
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 137 -j ACCEPT
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 138 -j ACCEPT

# FTP
# NOTE(review): the --dport 20 rule matches traffic TO port 20 on the
# server, which a normal FTP session does not produce (the server opens
# active-mode data connections FROM port 20), so it is unlikely ever to
# match; passive-mode data ports are not covered at all. Load
# ip_conntrack_ftp and accept RELATED,ESTABLISHED instead.
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state RELATED,ESTABLISHED -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 21 -j ACCEPT

# ms-sql — currently disabled
# (the second line mixes -p tcp with -m udp and would fail to load if
# uncommented; it should be -p udp)
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 1433 -j ACCEPT
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m udp --dport 1433 -j ACCEPT

# oracle — currently disabled
#-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 1522 -j ACCEPT

# Terminal service (RDP)
# NOTE(review): 3389 on a public address open to any source; RDP is a
# routine brute-force and exploit target — restrict with -s or tunnel it.
-A RH-Firewall-1-INPUT -d 211.212.213.214 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3389 -j ACCEPT


################################################################################
# DROP
################################################################################

# Block TCP from outside to inside; TCP from inside to outside is not blocked.
# NOTE(review): only packets with SYN are dropped. With the INVALID rule
# commented out and the chain policies ACCEPT, TCP packets without SYN
# (ACK, FIN, NULL/XMAS scans) to the subnet fall off the end of the chain,
# are forwarded to the hosts, and their replies leak port state to scanners.
-A RH-Firewall-1-INPUT -p tcp --syn -d 211.212.213.0/255.255.255.0 -j DROP

# Block ping.
# NOTE(review): REJECT with icmp-port-unreachable still tells the sender the
# address is live; DROP is the quieter choice.
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable

COMMIT
# Completed on Thu Dec  9 10:08:33 2004