Provides FTP + SSL/TLS authentication through Openssl and implements secure data transmission.

Note:
Through the author's blog "working principle of the FTP server and how to log on to a virtual user through PAM Authentication", we learned that FTP is a file sharing protocol and uses a plaintext transmission mechanism, therefore, users and passwords transmitted over the Internet are insecure. Therefore, the SSL/TLS encryption algorithm must be used to provide the ciphertext transmission mechanism to ensure the security of users and passwords during transmission.
The relevant theoretical knowledge will not be elaborated here.FTP Theory"Understand FTP related knowledge and simple configuration.
 
The following blog introduces how to implement the secure transmission mechanism through FTP + SSL/TLS through the openssl tool based on SSL/TLS. To implement the SSL/TLS function, the mod_ssl module must be installed, therefore, you need to install mod_ssl in advance and use openssl to create a private CA. The author explains how to implement a private CA through Openssl, this article details how to use the openssl tool to create a private CA certificate authority.

Implementation process:
Seq1: install the software package required by FTP (you can use the source code for compilation and installation, or you can select rpm for installation. Here, the rpm installation method is used)

 
 

  
  
# Rpm-q vsftpd # Check whether the vsftpd package is installed in the current Linux System
  
  
# Yum install vsftpd-y # if not, use yum to install
  
  
# Rpm-ql vsftpd # view the file path generated by the vsftpd package during installation
 
 

Seq2: Start the FTP server and use tcpdump, an open-source software provided by Linux, to intercept related packets generated during FTP logon and analyze the user name and password.

 
 

  
  
# Service vsftpd restart
  
  
Additional: tcpdump
  
  
Tcpdump Syntax:
  
  
Tcpdump [options] [Protocol] [Direction] [Host (s)] [Value] [Logical Operations] [Other expression]
  
  
# Tcpdump-I eth0-nn-X tcp port 21 and ip host 172.16.88.10
 
 

Test: Use a Windows client to log on to the FTP server as a hadoop user and verify whether FTP uses the plaintext transmission mechanism.

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/1T95WV2-0.png "/>

View the message records generated by the server: (test result: it is not difficult to find the user and password)

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/1T95W154-1.png "/>

Seq3: Create a CA certificate authority through Openssl: You can go to the author "Create a private CA through openssl" to learn more"

 
 

  
  
# Cd/etc/pki/CA
  
  
# (Umask 077; openssl genrsa-out private/cakey. pem 2048) # generate a private key
  
  
# Openssl req-new-x509-key private/cakey. pem cacert. pem-days 3650 # generate a self-checkout Certificate
 
 

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/1T95UR3-2.png "/>

Seq4: provide a key pair for the FTP service through Openssl and apply for a certificate issuance request

 
 

  
  
# Mkdir/etc/vsftpd/ftps
  
  
# (Umask 077; openssl genrsa-out ftps. key 1024) # create a private key
  
  
# Openssl req-new-key ftps. key-out ftps. csr-days 3650 # send a certificate issuance request
 
 

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/1T95QA1-3.png "/>

Seq5: CA certificate authority, receives a certificate issuance request, and issues a digital certificate (crt) to the certificate (csr)

 
 

  
  
# openssl ca -in vsftpd.csr -out vsftpd.crt -days 3650 
 
 

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/1T95V556-4.png "/>

Seq6: edit the FTP master configuration file and add the following content to the last line:

 
 

  
  
Ssl_enable = YES # enable ssl
  
  
Ssl_tlsv1 = YES # protocols supporting ssl (tlsv1, sslv2 (not recommended), and sslv3)
  
  
Ssl_sslv3 = YES
  
  
Allow_anon_ssl = NO # ssl is not used for anonymous users
  
  
Force_local_data_ssl = YES # data is encrypted over ssl during transmission
  
  
Force_local_logins_ssl = YES # force ssl when a local user logs on to the FTP service
  
  
Rsa_cert_file =/etc/vsftpd/ftps/vsftpd. crt # FTP service digital certificate (Public Key), storage location
  
  
Rsa_private_key_file =/etc/vsftpd/ftps/vsftpd. key # key of the FTP service itself (Private key), storage location (600 permission)
 
 

Seq7: Set iptables and SElinux

 
 

  
  
Note: When writing iptables session rules, you need to load the ip_conntrack_ftp and ip_nat_ftp modules.
  
  
# Vim/etc/sysconfig/iptables-config
  
  
IPTABLES_MODULES = "ip_conntrack_ftp ip_nat_ftp"
  
  
# Iptables-F
  
  
# Iptables-P INPUT DROP
  
  
# Iptables-P OUTPUT DROP
  
  
# Iptables-P FORWARD DROP
  
  
# Iptables-a input-d 172.16.88.10-p tcp-m state -- state ESTABLELISHED, RELATED-j ACCEPT
  
  
# Iptables-a output-s 172.16.88.10-p tcp-m state -- state ESTABLELISHED, RELATED-j ACCEPT
  
  
# Service iptables save
  
  
# Service iptables restart
  
  
SELINUX settings
  
  
# Gentenforce # view the working status of selinux
  
  
Enforcing # SELinux security policy is enforced.
  
  
Permissive # SELinux prints warnings instead of enforcing.
  
  
Disabled # SELinux is fully disabled.
  
  
# Getsebool-a | grep ftp
  
  
Allow_ftpd_anon_write --> off
  
  
Allow_ftpd_full_access --> off
  
  
Allow_ftpd_use_cifs --> off
  
  
Allow_ftpd_use_nfs --> off
  
  
Allow_tftp_anon_write --> off
  
  
Ftp_home_dir --> off
  
  
Ftpd_connect_db --> off
  
  
Ftpd_disable_trans --> off
  
  
Ftpd_is_daemon --> on
  
  
Httpd_enable_ftp_server --> off
  
  
Tftpd_disable_trans --> off
  
  
# Setsebool-P allow_ftpd_anon_write on
  
  
# Setsebool-P allow_ftpd_full_access on
 
 

Seq9: use Windows again to log on to the FTP service and check whether logon is normal.

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/1T95V0U-5.png "/>
The test result shows that the logon fails and must be verified.

Seq10: we use the FlashFXP tool and verify it to see if it is possible to log on normally.
Run FlashFXP to connect to the FTP server:
Click session> quick connection.

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/1T95W340-6.png "/>

The test result shows that the connection failed because the user cannot log on to the FTP service normally. Check whether the user can log on to the FTP service normally through authentication:
Click site> create site>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/1T95VG9-7.png "/>

650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/1T95W948-8.png "/>
Click "accept" or "save" to transfer the FTP service. The user name and password are encrypted.
650) this. width = 650; "border =" 0 "alt =" "src =" http://www.bkjia.com/uploads/allimg/131227/1T95T115-9.png "/>

 

This article is from the "See you next year CA" blog, please be sure to keep this source http://guodayong.blog.51cto.com/263451/1186003