Implementing SSL-based FTP (FTPS) with vsftpd
Contents
1. Check whether the installed vsftpd is built with SSL support
2. Create a self-signed certificate
3. View the certificate
4. Configure vsftpd to support SSL
5. Test the login with FileZilla
6. Wireshark capture results
Out of the box, vsftpd transmits everything in cleartext: usernames, passwords and file contents can be read by anyone who can sniff the traffic. This post wraps the control and data connections in SSL/TLS (explicit FTPS) and then confirms with Wireshark that the credentials no longer appear on the wire.
1. Check whether the installed vsftpd is built with SSL support
[[email protected] ~]# ldd $(which vsftpd) | grep -i ssl
	libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f55009bf000)
The binary is dynamically linked against libssl, so SSL/TLS support is compiled in (the CentOS package is built this way). Note the -i: the library name is lowercase, so a case-sensitive grep for "SSL" would print nothing and wrongly suggest the module is missing.
2. Create a self-signed certificate
[[email protected] ~]# cd /etc/pki/tls/certs/
[[email protected] certs]# make vsftpd.pem
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 -set_serial 0 ; \
cat $PEM1 >  vsftpd.pem ; \
echo ""    >> vsftpd.pem ; \
cat $PEM2 >> vsftpd.pem ; \
rm -f $PEM1 $PEM2
Generating a 2048 bit RSA private key
..................................................+++
............................+++
writing new private key to '/tmp/openssl.X3AYNR'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:mage
Organizational Unit Name (eg, section) []:ftp
Common Name (eg, your name or your server's hostname) []:172.16.250.90
Email Address []:[email protected]
The make target comes from the Makefile that CentOS ships in /etc/pki/tls/certs: it generates a 2048-bit RSA key and a one-year self-signed certificate and concatenates both into vsftpd.pem. Because -nodes leaves the private key unencrypted, the umask 77 in the recipe is what keeps the file readable by root only; check that it stays 0600 if you ever copy it elsewhere.
3. View the Certificate
[[email protected] certs]# openssl x509 -in vsftpd.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, L=beijing, O=mage, OU=ftp, CN=172.16.250.90/[email protected]
        Validity
            Not Before: Dec 20 15:44:44 2016 GMT
            Not After : Dec 20 15:44:44 2017 GMT
        Subject: C=CN, ST=beijing, L=beijing, O=mage, OU=ftp, CN=172.16.250.90/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e4:7c:a3:98:d5:b6:a0:6c:3e:67:86:b0:98:79:
                    ec:3d:d2:6a:76:bf:43:2f:8f:f9:bd:29:c2:11:50:
                    7a:64:24:b6:bc:64:9b:53:62:e2:25:44:7f:f4:ef:
                    ea:81:01:92:ae:3a:02:f9:0a:75:92:00:62:97:64:
                    a9:1e:d8:c0:89:4b:e0:1c:84:ea:d1:49:9b:80:97:
                    a8:42:8d:00:ae:41:91:f7:3b:7e:19:58:32:57:2e:
                    6f:b3:e4:84:59:cc:4e:fe:04:6e:76:a2:6f:8b:ac:
                    5e:6c:98:28:1d:28:cb:d7:7f:df:e0:9c:85:eb:93:
                    bf:c3:d7:8e:35:80:03:bf:8e:19:92:dd:4b:39:c3:
                    68:27:d2:4a:5e:b4:18:5d:02:08:2a:ce:66:00:64:
                    25:83:5b:dc:aa:9c:da:b2:5f:2e:59:bb:b7:eb:f0:
                    2c:e2:63:a4:f8:e0:2e:38:d8:ad:ba:0e:05:96:e5:
                    91:26:87:a6:a0:64:c5:bd:b0:ad:00:4e:b0:be:e2:
                    91:35:f2:36:5b:b3:56:f7:0a:fa:3d:e9:f9:4f:6b:
                    ab:c0:2b:2a:a4:0b:d7:f7:5b:06:86:c1:85:59:b8:
                    6a:78:1b:55:05:e9:5c:51:dd:d3:0e:1a:75:0e:f1:
                    3a:b3:42:e6:62:02:d4:8b:30:fb:36:ec:75:5a:6d:
                    43:89
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C6:F8:38:E5:9A:17:9B:0E:D8:31:BE:DE:4E:29:14:DD:7F:EF:FB:FE
            X509v3 Authority Key Identifier:
                keyid:C6:F8:38:E5:9A:17:9B:0E:D8:31:BE:DE:4E:29:14:DD:7F:EF:FB:FE
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         dd:5f:de:d3:ff:53:ba:3a:69:7c:46:78:38:b1:07:b6:cd:5a:
         5d:aa:fc:fb:4d:19:63:a9:06:1e:95:8c:56:2f:c5:1f:3c:7e:
         b2:6d:9c:7e:ec:c6:ba:60:6c:25:b5:35:6a:87:32:06:0c:37:
         89:f1:b1:c2:bd:4a:17:91:2a:a7:5f:f9:56:eb:64:a5:b1:1c:
         b1:db:f2:dc:eb:60:fc:37:4c:ca:c2:68:9b:f5:36:77:d4:36:
         43:e8:4b:54:48:72:f8:dc:fe:80:96:c0:6a:1d:2a:95:5a:f9:
         47:2e:14:1f:7a:ba:db:d2:5b:5c:6e:d6:4b:d1:f9:1b:4d:26:
         a2:47:69:14:23:52:f5:13:d7:2f:57:f2:d4:be:77:c8:b0:c5:
         4f:04:43:66:5e:fe:8e:2f:5b:e7:8b:f3:6b:b1:13:a1:cd:95:
         90:f5:94:2f:b6:75:0d:67:45:58:36:d8:82:7d:ac:fd:79:2c:
         28:24:d9:a2:98:02:30:31:8a:91:a5:c6:15:49:c6:91:19:ae:
         90:5a:fb:57:ff:c7:36:27:5b:29:e1:79:ea:7b:33:68:2b:1a:
         e7:89:0e:96:7d:ac:eb:d3:81:d6:5f:35:ca:bb:3d:cf:1e:f7:
         87:28:00:c8:c9:ff:9e:50:ca:aa:13:66:29:be:2c:f1:11:28:
         02:19:b3:ca
Read the dump before trusting the defaults: the certificate is signed with SHA-1 (sha1WithRSAEncryption), has serial number 0, carries CA:TRUE because openssl req -x509 applies its CA extension profile, and puts the server's IP address in the CN with no subjectAltName. That is acceptable for a lab where the client pins this exact certificate, but modern clients reject SHA-1 signatures and may ignore the CN, so for anything beyond a lab regenerate with -sha256 and an IP-address subjectAltName, or use a certificate issued by a CA your clients already trust.
4. Configure vsftpd to support SSL
Add or change the following in /etc/vsftpd/vsftpd.conf, then restart the vsftpd service so the settings take effect. vsftpd does not accept a comment after a value on the same line (a line such as "ssl_enable=YES # enable SSL" is a configuration error), so the explanations below are on their own lines:
# forbid anonymous logins
anonymous_enable=NO
# confine all local (system) users to their home directories
chroot_local_user=YES
# enable SSL/TLS
ssl_enable=YES
# do not offer SSL to anonymous users
allow_anon_ssl=NO
# local users must send their login (USER/PASS) over an encrypted control connection
force_local_logins_ssl=YES
# local users' data transfers must be encrypted
force_local_data_ssl=YES
# certificate; the private key is read from the same file because rsa_private_key_file is not set
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
Create a test user (no interactive shell, since the account is only used for FTP):
[[email protected] ~]# useradd -s /sbin/nologin wang
[[email protected] ~]# passwd wang
5. Test the login with FileZilla
[Screenshot: FileZilla connection settings for the test]
[Screenshot: FileZilla logging in to the server over TLS]
In FileZilla, set the encryption option to explicit FTP over TLS before connecting. Because the certificate is self-signed, FileZilla shows an unknown-certificate warning on the first connection; compare the fingerprint it displays with the certificate on the server before accepting it, otherwise the test proves nothing about who you are talking to.
6. Wireshark capture results
[Screenshot: Wireshark capture of the FTPS session]
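What the capture is meant to show is the difference on the control channel between a plain login and one behind AUTH TLS. The script below is an added example, not code from the original post: it walks an FTP control-channel transcript (the text Wireshark's "Follow TCP Stream" shows for port 21) and reports what an eavesdropper would have learned. The three transcripts are constructed for the example using vsftpd's reply wording; they are not the post's own capture. The third one assumes a server configured with force_local_logins_ssl=YES as in step 4 and shows its reply to a client that tries to log in without TLS.

```python
"""Classify FTP control-channel transcripts as cleartext or TLS-protected.

Added example, not from the original post. The transcripts are constructed
to resemble a "Follow TCP Stream" view of port 21; the reply texts follow
vsftpd's wording but the sessions themselves are made up for this example.
"""
from typing import Dict, Optional

# Plain FTP: both the username and the password are readable.
PLAIN_SESSION = """\
220 (vsFTPd 3.0.2)
USER wang
331 Please specify the password.
PASS hunter2
230 Login successful.
"""

# Explicit FTPS: after the 234 reply everything is TLS records (here a
# truncated, constructed ClientHello), so USER/PASS are never visible.
TLS_SESSION = """\
220 (vsFTPd 3.0.2)
AUTH TLS
234 Proceed with negotiation.
\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03
"""

# Assumed: force_local_logins_ssl=YES and a client that skips AUTH TLS.
FORCED_SESSION = """\
220 (vsFTPd 3.0.2)
USER wang
530 Non-anonymous sessions must use encryption.
"""


def analyze_session(transcript: str) -> Dict[str, object]:
    """Walk the control channel line by line and record what was observable."""
    report: Dict[str, object] = {
        "tls_negotiated": False,
        "cleartext_user": None,       # Optional[str]
        "cleartext_password": None,   # Optional[str]
        "login_succeeded": False,
        "refused_without_tls": False,
    }
    auth_pending = False
    for line in transcript.splitlines():
        if report["tls_negotiated"]:
            break  # everything after 234 is TLS; nothing further is readable
        parts = line.split(" ", 1)
        verb = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if verb == "AUTH" and arg.strip().upper() in ("TLS", "SSL"):
            auth_pending = True
        elif verb == "234" and auth_pending:
            report["tls_negotiated"] = True
        elif verb == "USER":
            report["cleartext_user"] = arg.strip()
        elif verb == "PASS":
            report["cleartext_password"] = arg.strip()
        elif verb == "230":
            report["login_succeeded"] = True
        elif verb == "530" and "encryption" in arg.lower():
            report["refused_without_tls"] = True
    return report


def leaked_credentials(transcript: str) -> Optional[str]:
    """Return 'user:password' if both were observable in the clear, else None."""
    r = analyze_session(transcript)
    if r["cleartext_user"] is not None and r["cleartext_password"] is not None:
        return f"{r['cleartext_user']}:{r['cleartext_password']}"
    return None


if __name__ == "__main__":
    for name, session in (("plain", PLAIN_SESSION), ("tls", TLS_SESSION), ("forced", FORCED_SESSION)):
        print(name, analyze_session(session), "leaked:", leaked_credentials(session))
```

Two things the forced session makes visible that the screenshot cannot: force_local_logins_ssl=YES protects the password, because vsftpd rejects USER before a PASS is ever sent, but a client that tries a plain login still reveals the username on the wire; and the 530 reply itself tells an observer that the server requires encryption, which is harmless but worth knowing when reading captures.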
This article is from the "Fall" blog; please keep this source when reproducing it: http://lxlxlx.blog.51cto.com/3363989/1885416