Secure ftp access method 1: Using tcp_wrappers (Simple Firewall) in the main configuration file of vsftp
Method 2: implement secure ftp access using CA authentication
Step 1:
1. The main modified file is/etc/hosts. allow/etc/hosts. deny.
[Root @ mail ~] # Ldd 'which vsftpd'
2. The effect of control is that only the 192.168.1.0 network can be accessed, and others cannot be accessed.
[Root @ mail ~] # Man 5 hosts. allow
[Root @ mail ~] # Vim/etc/hosts. allow
Vsftpd: 192.168.1.0/255.255.255.0: allow (rewrite)
[Root @ mail ~] # Vim/etc/hosts. deny
Vsftpd: all: deny
3. ftp is not supported for the host 1.1. All others can.
[Root @ mail ~] # Vim/etc/hosts. allow
Vsftpd: 192.168.1.1: deny
Vsftpd: all: allow (add something)
In this way, the effect can be achieved. Here, only the allow file is changed, and the deny file does not work anymore. The system only looks at allow first to see deny.
CA implements ftp Security
[Root @ mail Server] # ll wir *
-R -- 328 root 94405 wireless-tools-28-2.el5.i386.rpm
-R -- 327 root 24200 wireless-tools-devel-28-2.el5.i386.rpm
-R -- 220 root 11130359 wireshark-1.0.8-1.el5_3.1.i386.rpm
-R -- 220 root 686650 wireshark-gnome-1.0.8-1.el5_3.1.i386.rpm
[Root @ mail Server] # yum install wireshark-1.0.8-1.el5_3.1.i386.rpm
[Root @ mail Server] # tshark-ni eth0-R "tcp. dstport eq 21" (traffic used to capture packets through this port)
[Root @ mail ftproot] # cd/etc/pki/CA/
[Root @ mail pki] # vim./tls/openssl. cnf
[Root @ mail CA] # touch index.txt serial
[Root @ mail CA] # mkdir certs newcerts crl
[Root @ mail pki] # echo "01"> serial
[Root @ mail CA] # openssl genrsa 1024> private/cakey. pem
[Root @ mail CA] # chmod 600 private /*
[Root @ mail CA] # openssl req-new-key private/cakey. pem-x509-out cacert. pem
Www.2cto.com
[Root @ mail pki] # mkdir-pv/etc/vsftpd/certs
[Root @ mail pki] # mkdir-pv/etc/vsftpd/certs
Mkdir: the directory "/etc/vsftpd/certs" has been created"
[Root @ mail pki] # cd/etc/vsftpd/certs/
[Root @ mail certs] # openssl genrsa 1024> vsftpd. key
[Root @ mail certs] # openssl req-new-key vsftpd. key-out vsftpd. crq
[Root @ mail certs] # openssl ca-in vsftpd. crq-out vsftpd. cert
[Root @ mail certs] # ll
Total 12
-Rw-r -- 1 root 3061 12-19 0:11 vsftpd. cert
-Rw-r -- 1 root 647 12-19 0:10 vsftpd. crq
-Rw-r -- 1 root 887 12-19 0:09 vsftpd. key
[Root @ mail certs] # chmod 600/etc/pki/CA/certs /*
[Root @ mail certs] # ll
Total 12
-Rw ------- 1 root 3061 12-19 0:11 vsftpd. cert
-Rw ------- 1 root 647 12-19 vsftpd. crq
-Rw ------- 1 root 887 12-19 0:09 vsftpd. key
Connect servers to cas
[Root @ mail certs] # vim/etc/vsftpd. conf
Force_local_data_ssl = YES # specify vsftpd to force non-anonymous users to use encrypted data transmission
Force_local_logins_ssl = YES # specify vsftpd to force non-anonymous users to log on encrypted
Ssl_enable = YES # specify vsftpd to support encryption protocols
Ssl_sslv2 = YES # specify vsftpd to support Secure Socket Layer v2
Ssl_sslv3 = YES # specify vsftpd to support Secure Socket Layer v3
Ssl_tlsv1 = YES # specify vsftpd to support tls encryption mode v1
Rsa_cert_file =/etc/vsftpd/certs/vsftpd. cert # specify the ftp-server certificate path
Rsa_private_key_file =/etc/vsftpd/. sslkey/vsftpd. key # specify the ftp-server private path
6) Only lftp commands and third-party tools support access to ftps. The following uses FlashFXP as an example to describe how to connect to ftps.
A. Open FlashFXP and select "Site" --> "Site Manager" to create a new site, such:
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
