Note:
In the author's earlier post "Working principle of the FTP server and how to log on as a virtual user through PAM authentication", we saw that FTP is a file-sharing protocol that transmits everything in plaintext, so user names and passwords sent over the network are exposed to anyone on the path. SSL/TLS must therefore be used to encrypt the channel and protect credentials in transit.
The relevant theory is not repeated here; see the author's post "FTP Theory" for FTP background and a simple configuration.
This post shows how to implement the secure transmission mechanism FTP + SSL/TLS with the openssl tool. To enable SSL/TLS the mod_ssl module must be installed, so install mod_ssl in advance and use openssl to build a private CA. How to build a private CA with openssl is covered in detail in the author's post on that topic.
Implementation process:
Seq1: Install the package required for FTP (it can be compiled from source or installed from rpm; the rpm method is used here).
- # rpm -q vsftpd # check whether the vsftpd package is installed on the current Linux system
- # yum install vsftpd -y # if not, install it with yum
- # rpm -ql vsftpd # list the files installed by the vsftpd package
Seq2: Start the FTP server and use tcpdump, the open-source capture tool shipped with Linux, to capture the packets generated during an FTP logon and look for the user name and password.
- # service vsftpd restart
- Additional: tcpdump
- tcpdump syntax:
- tcpdump [options] [protocol] [direction] [host(s)] [value] [logical operations] [other expression]
- # tcpdump -i eth0 -nn -X tcp port 21 and ip host 172.16.88.10
Test: Log on to the FTP server from a Windows client as the user hadoop and check whether FTP transmits in plaintext.
Look at the packets recorded on the server (test result: the user name and password are easy to find in the capture).
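The capture above makes the point visually; the following added example (not part of the original post) turns it into a check a defender can run over the text of a control-channel capture such as `tcpdump -nn -A tcp port 21`. The three sessions are constructed samples, not the author's screenshots. The scanner reads USER/PASS commands from the capture; anything it can read was on the wire unencrypted, so a match is a credential exposure. The downgrade sample shows the case that explicit-TLS deployments must watch for: the server refuses AUTH TLS and the client silently falls back to a plaintext logon.

```python
"""Detect FTP credentials that crossed the wire in plaintext, from the text of a
control-channel capture such as `tcpdump -nn -A tcp port 21`. Added example, not
from the original post; the three captures below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed: plain FTP logon as in the Seq2 test. Everything is readable.
PLAIN_SESSION = """\
220 (vsFTPd 2.2.2)
USER hadoop
331 Please specify the password.
PASS hadoop123
230 Login successful.
"""

# Constructed: explicit FTPS. After the 234 reply the channel carries TLS
# records, which a text capture shows as unreadable bytes; USER/PASS never appear.
TLS_SESSION = """\
220 (vsFTPd 2.2.2)
AUTH TLS
234 Proceed with negotiation.
\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x01 ...TLS ClientHello, opaque...
"""

# Constructed: the downgrade case. The server refuses AUTH TLS (no ssl_enable)
# and the client falls back to a plaintext logon.
DOWNGRADE_SESSION = """\
220 (vsFTPd 2.2.2)
AUTH TLS
530 Please login with USER and PASS.
USER hadoop
331 Please specify the password.
PASS hadoop123
230 Login successful.
"""

CLIENT_CMD = re.compile(r"^(USER|PASS|AUTH)\s+(.+?)\s*$", re.IGNORECASE)


@dataclass
class Finding:
    user: Optional[str] = None
    password: Optional[str] = None
    tls_negotiated: bool = False  # the server answered AUTH TLS/SSL with 234

    def redacted(self) -> str:
        """Report the exposure without writing the password into a log."""
        pw = None if self.password is None else "*" * len(self.password)
        return f"user={self.user!r} password={pw!r} tls={self.tls_negotiated}"


def scan_control_channel(text: str) -> Finding:
    """Walk the capture line by line. Anything this function can read was sent
    unencrypted, so a USER/PASS pair here is an exposure regardless of whether
    AUTH TLS was attempted earlier in the session."""
    f = Finding()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("234 "):  # server accepted AUTH TLS/SSL
            f.tls_negotiated = True
            continue
        m = CLIENT_CMD.match(line)
        if not m:
            continue  # server replies, other commands, ciphertext
        verb, arg = m.group(1).upper(), m.group(2)
        if verb == "USER":
            f.user = arg
        elif verb == "PASS":
            f.password = arg
    return f


def exposed_credentials(text: str) -> bool:
    return scan_control_channel(text).password is not None


def triage(captures: List[str]) -> List[str]:
    """One verdict per capture, in a form an alerting pipeline can consume."""
    out = []
    for cap in captures:
        f = scan_control_channel(cap)
        if f.password is not None:
            out.append("EXPOSED " + f.redacted())
        elif f.tls_negotiated:
            out.append("PROTECTED " + f.redacted())
        else:
            out.append("NO-LOGIN-SEEN " + f.redacted())
    return out


if __name__ == "__main__":
    for verdict in triage([PLAIN_SESSION, TLS_SESSION, DOWNGRADE_SESSION]):
        print(verdict)
```

Note that `tls_negotiated` is set only on the server's 234 reply, not on the client's AUTH command: a capture in which AUTH TLS is answered with 530 and followed by a readable PASS is reported as exposed, which is exactly the fallback that `force_local_logins_ssl=YES` on the server is meant to prevent.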
Seq3: Create a CA with openssl (see the author's post "Create a private CA through openssl" for details):
- # cd /etc/pki/CA
- # (umask 077; openssl genrsa -out private/cakey.pem 2048) # generate the CA private key
- # openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 # generate the self-signed CA certificate
Seq4: Generate a key pair for the FTP service with openssl and create a certificate signing request:
- # mkdir /etc/vsftpd/ftps
- # cd /etc/vsftpd/ftps
- # (umask 077; openssl genrsa -out vsftpd.key 1024) # create the service private key (the post uses 1024 bits; 1024-bit RSA is obsolete today, use 2048 or more)
- # openssl req -new -key vsftpd.key -out vsftpd.csr # create the certificate signing request (CSR); file names match Seq5 and the vsftpd.conf below
Seq5: The CA receives the certificate signing request (csr) and issues a signed certificate (crt):
- # openssl ca -in vsftpd.csr -out vsftpd.crt -days 3650
Seq6: Edit the vsftpd main configuration file (vsftpd.conf) and append the following:
- ssl_enable=YES # enable SSL/TLS
- ssl_tlsv1=YES # protocol versions: TLSv1 (SSLv2 and SSLv3 are also selectable but not recommended)
- ssl_sslv3=YES # enabled by the author; SSLv3 is obsolete and should be left at its default of NO on current systems
- allow_anon_ssl=NO # do not offer SSL to anonymous users
- force_local_data_ssl=YES # data connections of local users must be encrypted
- force_local_logins_ssl=YES # local users must log on over SSL
- rsa_cert_file=/etc/vsftpd/ftps/vsftpd.crt # location of the FTP service certificate (public key)
- rsa_private_key_file=/etc/vsftpd/ftps/vsftpd.key # location of the FTP service private key (mode 600)
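As an added example (not the post's own tooling), the following linter parses a vsftpd.conf fragment in the format vsftpd expects and checks the TLS-related directives just listed. It reproduces the post's Seq6 directives as a constructed sample, flags the settings a reviewer would push back on, and emits a hardened copy. Two checks go beyond the post: `ssl_sslv3` should stay at its default of NO, and because the firewall's FTP connection-tracking helper cannot read PASV replies once the control channel is encrypted, a fixed `pasv_min_port`/`pasv_max_port` range is needed so it can be opened explicitly. The defaults referenced (ssl_enable NO, ssl_sslv2 NO, ssl_sslv3 NO, anonymous_enable YES) are vsftpd's documented defaults; `PASV_RANGE` is a constructed placeholder.

```python
"""Lint and harden the TLS settings of a vsftpd.conf. Added example, not from the
original post. The defaults used below are vsftpd's documented defaults; the
passive port range is a constructed placeholder."""
from typing import Dict, List, Tuple

# Constructed sample: the directives the post appends to vsftpd.conf in Seq6.
POST_CONFIG = """\
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ftps/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ftps/vsftpd.key
"""

# Constructed placeholder range; choose one that matches your firewall policy.
PASV_RANGE = ("50000", "50100")


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """vsftpd.conf is one option=value per line; '#' starts a comment and
    vsftpd rejects whitespace around '=' as a bad config line."""
    conf: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key != key.strip() or value != value.strip():
            raise ValueError(f"line {lineno}: vsftpd expects option=value with no spaces: {line!r}")
        conf[key] = value
    return conf


def is_valid_conf(text: str) -> bool:
    try:
        parse_vsftpd_conf(text)
        return True
    except ValueError:
        return False


def lint_tls(conf: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs; an empty list means the TLS part is sound."""
    issues: List[Tuple[str, str]] = []
    # The post's goal is no credentials or data in the clear for local users,
    # so these should be set explicitly to YES rather than left to defaults.
    for key in ("ssl_enable", "force_local_logins_ssl", "force_local_data_ssl"):
        if conf.get(key, "NO").upper() != "YES":
            issues.append(("error", f"{key} must be explicitly YES"))
    for key in ("rsa_cert_file", "rsa_private_key_file"):
        if not conf.get(key):
            issues.append(("error", f"{key} is not set"))
    # Both default to NO in vsftpd, so enabling them is a deliberate regression.
    for key in ("ssl_sslv2", "ssl_sslv3"):
        if conf.get(key, "NO").upper() == "YES":
            issues.append(("error", f"{key}=YES enables an obsolete protocol; set it to NO"))
    # anonymous_enable defaults to YES; with allow_anon_ssl=NO that leaves
    # anonymous logons on a plaintext channel.
    if conf.get("anonymous_enable", "YES").upper() == "YES":
        issues.append(("warning", "anonymous_enable is YES (the default); set it to NO unless intended"))
    # Once the control channel is encrypted the conntrack FTP helper cannot see
    # PASV replies, so the passive range must be fixed and opened in iptables.
    if conf.get("force_local_data_ssl", "NO").upper() == "YES":
        if not (conf.get("pasv_min_port") and conf.get("pasv_max_port")):
            issues.append(("warning", "pasv_min_port/pasv_max_port not set; the firewall cannot track encrypted PASV"))
    return issues


def harden(conf: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with the lint findings resolved (file paths are left alone)."""
    fixed = dict(conf)
    fixed.update({"ssl_enable": "YES", "force_local_logins_ssl": "YES",
                  "force_local_data_ssl": "YES", "ssl_tlsv1": "YES",
                  "ssl_sslv2": "NO", "ssl_sslv3": "NO", "anonymous_enable": "NO"})
    fixed.setdefault("pasv_min_port", PASV_RANGE[0])
    fixed.setdefault("pasv_max_port", PASV_RANGE[1])
    return fixed


def render(conf: Dict[str, str]) -> str:
    """Serialize back into the option=value form vsftpd reads."""
    return "".join(f"{k}={v}\n" for k, v in sorted(conf.items()))


if __name__ == "__main__":
    parsed = parse_vsftpd_conf(POST_CONFIG)
    for level, msg in lint_tls(parsed):
        print(f"{level}: {msg}")
    print("--- hardened ---")
    print(render(harden(parsed)))
```

Run against the post's fragment, the linter reports the SSLv3 regression, the implicit anonymous_enable default and the missing passive range; `harden` resolves all three and leaves the certificate and key paths untouched.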
Seq7: Configure iptables and SELinux
- Note: For the iptables state rules to track FTP data connections, load the ip_conntrack_ftp and ip_nat_ftp modules (nf_conntrack_ftp and nf_nat_ftp on newer kernels).
- # vim /etc/sysconfig/iptables-config
- IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"
- # iptables -F
- # iptables -P INPUT DROP
- # iptables -P OUTPUT DROP
- # iptables -P FORWARD DROP
- # iptables -A INPUT -d 172.16.88.10 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT # added: the original rules accepted only ESTABLISHED,RELATED and would have dropped new control connections
- # iptables -A INPUT -d 172.16.88.10 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
- # iptables -A OUTPUT -s 172.16.88.10 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
- # service iptables save
- # service iptables restart
- Note: Once the control channel is encrypted, the FTP conntrack helper cannot read PASV replies, so passive data connections are no longer matched as RELATED; fix pasv_min_port/pasv_max_port in vsftpd.conf and open that range explicitly.
- SELinux settings
- # getenforce # show the current SELinux mode
- Enforcing # SELinux security policy is enforced.
- Permissive # SELinux prints warnings instead of enforcing.
- Disabled # SELinux is fully disabled.
- # getsebool -a | grep ftp
- allow_ftpd_anon_write --> off
- allow_ftpd_full_access --> off
- allow_ftpd_use_cifs --> off
- allow_ftpd_use_nfs --> off
- allow_tftp_anon_write --> off
- ftp_home_dir --> off
- ftpd_connect_db --> off
- ftpd_disable_trans --> off
- ftpd_is_daemon --> on
- httpd_enable_ftp_server --> off
- tftpd_disable_trans --> off
- # setsebool -P allow_ftpd_anon_write on
- # setsebool -P allow_ftpd_full_access on # lets vsftpd read and write any file the DAC permissions allow; ftp_home_dir is the narrower boolean if only local users' home directories are needed
Seq9: Log on to the FTP service from Windows again and check whether the logon works.
The test result shows that the logon fails and needs further verification.
Seq10: Use the FlashFXP tool to verify whether a normal logon is possible.
Run FlashFXP and connect to the FTP server:
Click Session > Quick Connect.
The test result shows that the connection fails and the user cannot log on normally. Now check whether the user can log on to the FTP service through an authenticated connection:
Click Site > Create Site:
Click "Accept" or "Save" to continue connecting to the FTP service. The user name and password are now transmitted encrypted.
This article is from the "See you next year CA" blog; please keep this source: http://guodayong.blog.51cto.com/263451/1186003