Build Secure FTP Server (SERV-U SSH)

Source: Internet
Author: User
Tags: ftp site, ssl, certificate

Downloading files from an FTP site is currently one of the most common ways to transfer files. This is especially true for enterprise users: a company sets up a dedicated FTP server for its employees, and sharing resources through that server is the most convenient option for them. But as a network administrator, do you really understand FTP security? Do not assume that setting a complex administrator account and password, installing the latest system patches, or choosing the latest version of Serv-U as the FTP server software will by itself make the site safe. In this article I will show you the data transmission vulnerability that an FTP site has by default, and of course I will also show how to fix it.

I. Cracking the FTP username and password

First, we need to know that by default FTP transmits everything in plain text, without any encryption. That is to say, when a user logs on to the FTP site and enters a username and password, that information is not encrypted. Unauthorized users can use tools such as Sniffer to recover the information as plain text.

Practice: Use Sniffer to recover the FTP site's username and password in plain text

Environment Description:

In the company's network, computers A and B are connected to the same subnet through a switch. B is an employee's computer; the employee uses it to access the company's FTP server and enters a username and password when logging on. A is the computer on which Sniffer is installed. Through Sniffer we can observe the username and password of the employee who uses computer B to access the FTP server.

Implementation Method:

Step 1: First install the Sniffer tool on computer A and start the program.

Step 2: Open the monitoring interface through the "Matrix" button in Sniffer. (Figure 1)

Figure 1

Step 3: In the monitoring page, start capturing the data packets on the network.

Step 4: In the packet detection window, click the "Objects" label in the lower left corner and select "Station". All communication in the current network is then displayed in the window. (Figure 2)

Figure 2

Step 5: Once the employee on computer B logs on to the FTP server, click "Capture -> Stop and Display" in Sniffer.

Step 6: Assume that the IP address of our FTP server is 211.154.80.30. We find the entry for 211.154.80.30 in the displayed address list and click the "Decode" button below to analyze its packets. (Figure 3)

Figure 3

Step 7: The "Decode" interface lets us analyze all packets exchanged with 211.154.80.30. Going through the packets one by one, the username appears at about the 12th packet; the interface shows that the username is softer. (Figure 4)

Figure 4

Step 8: Continuing through the packets, the password appears as well. Sniffer displays it in plain text: the password is pacino. (Figure 5)

Figure 5

So far, we have used Sniffer to recover the employee's username and password for the FTP server. This method works whenever the employee's computer and the computer running Sniffer are on the same subnet.
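The defender's counterpart of the procedure above is to find out which clients still log on in the clear so they can be moved to encrypted logins before an attacker gets to them. The following Python script is an added example, not part of the original article or of Serv-U: it reads a constructed transcript of FTP control-channel traffic in the form a passive monitor sees it (the transcript format, the client addresses and the helper names are assumptions) and reports each session that sent USER/PASS before any TLS protection was in place. The password itself is never included in the report.

```python
import re
from collections import defaultdict

# Constructed sample (not a real capture): what a passive monitor on the subnet
# sees on each FTP control connection. Columns: client IP, server port,
# direction ('>' client to server, '<' server to client), payload.
# After the server accepts AUTH TLS on port 21, and always on port 990
# (implicit TLS), the payload is ciphertext, written here as <tls>.
CAPTURE = """\
10.0.0.12 21 > USER softer
10.0.0.12 21 < 331 Password required for softer
10.0.0.12 21 > PASS pacino
10.0.0.12 21 < 230 User logged in
10.0.0.20 21 > AUTH TLS
10.0.0.20 21 < 234 AUTH command ok
10.0.0.20 21 > <tls>
10.0.0.20 21 < <tls>
10.0.0.30 990 > <tls>
10.0.0.30 990 < <tls>
"""

LINE = re.compile(r"^(?P<client>\S+) (?P<port>\d+) (?P<dir>[<>]) (?P<payload>.*)$")


def audit_capture(text: str) -> dict:
    """Summarise each control session, keyed by 'client:port'.

    A session counts as encrypted once the server has answered AUTH TLS with
    a 234 reply, or when it runs on port 990, where TLS starts before any FTP
    command. USER and PASS seen before that point are credentials on the wire
    in plain text; only the username is kept, the password is never stored."""
    sessions = defaultdict(lambda: {"encrypted": False, "user": None,
                                    "cleartext_password": False})
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # skip anything that is not a transcript line
        s = sessions[f"{m['client']}:{m['port']}"]
        payload = m["payload"]
        if m["port"] == "990" or payload == "<tls>":
            s["encrypted"] = True
            continue
        if m["dir"] == "<":
            if payload.startswith("234"):  # server accepted AUTH TLS
                s["encrypted"] = True
            continue
        if s["encrypted"]:
            continue                      # commands inside the tunnel are not visible anyway
        verb, _, arg = payload.partition(" ")
        if verb.upper() == "USER":
            s["user"] = arg
        elif verb.upper() == "PASS":
            s["cleartext_password"] = True
    return {key: dict(state) for key, state in sessions.items()}


def cleartext_logins(text: str) -> list:
    """Sessions that exposed a password in plain text, sorted by key."""
    return sorted(k for k, s in audit_capture(text).items() if s["cleartext_password"])


if __name__ == "__main__":
    for key, s in audit_capture(CAPTURE).items():
        if s["cleartext_password"]:
            print(f"{key}: CLEARTEXT login as {s['user']!r} (password redacted); move this client to FTPS")
        else:
            print(f"{key}: encrypted session, credentials not visible on the wire")
```

Running the script on the sample prints one finding for the client at 10.0.0.12, which logged on over plain port 21; the two other sessions (explicit AUTH TLS on port 21 and implicit TLS on port 990) expose nothing, which is exactly the state section II aims for.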

 

II. Encrypted transmission of FTP site information

We now know that the FTP server transmits data in plain text, so the transmission of the username and password in particular is very insecure and the information is easily stolen. Although FTP offers an SSL encryption function, this feature is not enabled by default in Serv-U FTP Server. Therefore, to make sure the transmitted data cannot be stolen at will, SSL must be enabled to improve the security of the server's data transmission. We use Serv-U as the example to show how to remedy this security defect.

TIPS: What is the SSL encryption protocol? SSL (Secure Socket Layer) is a secure communication protocol introduced by Netscape. It provides strong protection for credit card and personal information. SSL encrypts the entire session between two computers, and it relies on public and private keys. Once SSL is in use, the data transmitted over the network can no longer be read by unauthorized users.

(1) Install the Serv-U server

Installing Serv-U is not covered in detail in this article (Figure 6). After the installation, we need to create an FTP server domain and set a username and password.

(2) Create an SSL certificate

To use the SSL function of Serv-U, an SSL certificate is required. Although Serv-U automatically generates an SSL certificate at installation, that certificate is the same on every Serv-U server and therefore very insecure, so we need to manually create a unique SSL certificate.

Step 1: In the Serv-U Administrator window, expand "Local Server -> Settings" and switch to the "SSL Certificate" tab.

Step 2: Create a new SSL certificate. First enter the IP address of the FTP server in the "Common Name" field, then fill in the other fields, such as email and organization, according to your situation. (Figure 7)

Figure 7

Step 3: After filling in all the fields on the SSL Certificate tab, click "Apply" at the bottom, and Serv-U generates the new SSL certificate.

(3) Enable the SSL function

Although the Serv-U server now has a new SSL certificate, SSL is still not enabled in Serv-U by default. To use the certificate, you must first enable SSL in Serv-U.

Step 1: Enable the SSL function for the domain "softer" on the Serv-U server. In the Serv-U Administrator window, expand "Local Server -> Domain -> softer".

Step 2: Find the "Security" drop-down list in the "Domain" management box on the right. Serv-U offers three options here: "Regular FTP only, no SSL/TLS sessions", "Allow SSL/TLS and regular sessions", and "Allow only SSL/TLS sessions". By default the first option is selected, which is why SSL encryption is not enabled.

Step 3: Select "Allow only SSL/TLS sessions" in the "Security" drop-down box and click "Apply" to enable the SSL function for the softer domain. (Figure 8)

Figure 8

Tip: After the SSL feature is enabled, the default port used by the Serv-U server is no longer 21 but 990. Keep this in mind when logging on to the FTP site; otherwise you will not be able to connect to the FTP server.

(4) Connect to FTP with SSL encryption

Once the SSL function of the Serv-U server is enabled, data can be transmitted securely, but the FTP client must also support SSL. If you log on directly with IE, the error message shown in Figure 9 appears: on the one hand the default port 21 has not been changed to 990, and on the other hand IE does not support SSL-protected FTP transmission.

Of course, many FTP client programs now support SSL. I will take FlashFXP as an example to show how to connect to the Serv-U server successfully.

Step 1: Run FlashFXP and click "Session -> Quick Connect" to open the "Quick Connect" dialog. In the "Server or URL" field enter the IP address of the Serv-U server, and in the "Port" field enter 990, because after SSL is enabled on the Serv-U server the port changes from 21 to 990.

Step 2: Enter a username and password that can normally log on to the FTP server. (Figure 10)

Figure 10

Step 3: Switch to the "SSL" tab and select the "Implicit SSL" option. This step is critical: if "Implicit SSL" is not selected, the connection to the Serv-U server fails. Select the four options under it according to the actual transmission requirements, then click "Connect". (Figure 11)

Figure 11

Step 4: When the user connects to the Serv-U server for the first time, FlashFXP pops up a "Certificate" dialog (Figure 12). Simply click "Accept and Save" to store the SSL certificate on the local machine, and the connection to the Serv-U server succeeds. From now on the data transmitted between the client and the Serv-U server is protected by SSL and no longer travels in plain text, so there is no need to worry about FTP accounts and sensitive information being stolen. A small lock icon also appears at the bottom of FlashFXP, indicating that the current transmission is encrypted. (Figure 13)

Figure 12

Figure 13

TIPS: If we only choose "Accept" for the certificate, the certificate dialog pops up every time we log on to the FTP site.
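Sections (2) to (4) describe three things a client must get right: the server presents a unique certificate, the client connects on port 990 with the TLS handshake before any FTP command (implicit FTPS), and "Accept and Save" records that certificate so later connections can be checked against it. The following Python client is an added example that is not part of the original article, of Serv-U or of FlashFXP; it implements those three points with the standard library only. The pin store, the class and function names, and the use of a fingerprint instead of CA validation (the article's certificate is self-signed with an IP address as its common name, so no public CA can vouch for it) are assumptions made here.

```python
import hashlib
import socket
import ssl
from ftplib import FTP_TLS

IMPLICIT_FTPS_PORT = 990  # Serv-U's listener once "Allow only SSL/TLS sessions" is selected


def make_tls_context() -> ssl.SSLContext:
    """TLS settings for the control and data channels.

    The certificate created in section (2) is self-signed with the server's
    IP address as its common name, so chain validation against a public CA
    cannot succeed. Trust is anchored instead by the fingerprint pin checked
    in ImplicitFTPS.connect(), which is what "Accept and Save" does in
    FlashFXP. Chain validation is therefore off, but TLS 1.2+ is required."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as AA:BB:... hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_verdict(pins: dict, host: str, fp: str) -> str:
    """Trust on first use against a pin store of the form {host: fingerprint}.

    'pinned'   first contact, fingerprint recorded (the "Accept and Save" step)
    'ok'       fingerprint matches the stored one
    'mismatch' the server now presents a different certificate: either the
               admin re-created it or something sits between client and
               server; the caller must not proceed without confirmation."""
    known = pins.get(host)
    if known is None:
        pins[host] = fp
        return "pinned"
    return "ok" if known == fp else "mismatch"


class ImplicitFTPS(FTP_TLS):
    """ftplib's FTP_TLS speaks explicit FTPS (plain greeting on port 21, then
    AUTH TLS). Serv-U in SSL mode on port 990 is implicit FTPS: the TLS
    handshake happens before any FTP traffic, so the control socket is
    wrapped at connect time and the pin is checked before the first command."""

    def __init__(self, pins: dict, timeout: float = 30):
        super().__init__(context=make_tls_context(), timeout=timeout)
        self.pins = pins

    def connect(self, host="", port=IMPLICIT_FTPS_PORT, timeout=-999, source_address=None):
        if host:
            self.host = host
        if port:
            self.port = port
        if timeout != -999:
            self.timeout = timeout
        if source_address is not None:
            self.source_address = source_address
        raw = socket.create_connection((self.host, self.port), self.timeout, self.source_address)
        self.af = raw.family
        self.sock = self.context.wrap_socket(raw, server_hostname=self.host)
        fp = fingerprint(self.sock.getpeercert(binary_form=True))
        if pin_verdict(self.pins, self.host, fp) == "mismatch":
            self.sock.close()
            raise ssl.SSLError(f"certificate for {self.host} changed; pinned {self.pins[self.host]}, got {fp}")
        self.file = self.sock.makefile("r", encoding=self.encoding)
        self.welcome = self.getresp()
        return self.welcome


def list_directory(host: str, user: str, password: str, pins: dict) -> list:
    """Log in over implicit FTPS and list the home directory."""
    ftps = ImplicitFTPS(pins)
    ftps.connect(host)
    ftps.login(user, password)   # USER/PASS now travel inside the TLS tunnel
    ftps.prot_p()                # PROT P: the data channel is encrypted as well
    try:
        return ftps.nlst()
    finally:
        ftps.quit()
```

A call such as `list_directory("211.154.80.30", "softer", password, pins)` with an empty `pins` dict records the server's fingerprint on the first connection and refuses to talk to a server whose certificate differs afterwards; persist `pins` (for example as JSON) to get the same behaviour as FlashFXP's saved certificate rather than the every-time prompt mentioned in the tip above. Because the server certificate is self-signed, the pin is the only thing standing between the client and an interposed server, which is why a mismatch aborts before any credentials are sent.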

Conclusion: Setting up an FTP site that uses SSL for encrypted transmission effectively protects the resources on the server from being browsed at will; only authenticated users can download the files they need. In addition, all data is encrypted in transit, so other users on the network cannot use software such as Sniffer to recover the login information in plain text. Even if the traffic is captured, it is encrypted and of no value at all.
