Provides FTP + SSL/TLS authentication through Openssl and implements secure data transmission.


Note:
In the author's earlier post "Working principle of the FTP server and how to log on as a virtual user through PAM authentication", we saw that FTP is a file-sharing protocol that transmits everything in plaintext, so user names and passwords sent across the Internet are exposed. The SSL/TLS encryption mechanism must therefore be used to provide ciphertext transmission and protect users and passwords in transit.
The relevant theory will not be repeated here.
See "FTP Theory" for FTP background and a simple configuration.
 

This post shows how to implement a secure transmission mechanism with FTP + SSL/TLS using the openssl tool. To implement the SSL/TLS function, the mod_ssl module must be installed, so install mod_ssl in advance and use openssl to create a private CA. How to build a private CA with openssl is explained in the author's post "Create a private CA through openssl", which details the use of the openssl tool to set up a private certificate authority.

Implementation process:
Seq1: install the software package required by FTP (it can be compiled from source or installed from rpm; the rpm installation method is used here)

  # rpm -q vsftpd          # check whether the vsftpd package is installed on the current Linux system
  # yum install vsftpd -y  # if not, install it with yum
  # rpm -ql vsftpd         # list the files installed by the vsftpd package

Seq2: Start the FTP server and use tcpdump, the open-source packet capture tool shipped with Linux, to capture the packets generated during an FTP logon and look at how the user name and password appear on the wire.

  # service vsftpd restart
  Additional: tcpdump
  tcpdump syntax:
  tcpdump [options] [protocol] [direction] [host(s)] [value] [logical operations] [other expression]
  # tcpdump -i eth0 -nn -X tcp port 21 and ip host 172.16.88.10   # control channel only, no name resolution, hex+ASCII payload

Test: Use a Windows client to log on to the FTP server as the hadoop user and verify whether FTP uses a plaintext transmission mechanism.


View the packets recorded on the server (test result: the user name and password are easy to find in the dump):

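To turn the manual read of the tcpdump output into a repeatable check, here is an added shell example (not part of the original post) that scans FTP control-channel lines and reports a USER/PASS exchange that was not preceded by AUTH TLS. The sample lines are constructed here; on a real host they would be the payload lines of tcpdump -A output on port 21, as captured in Seq2.

```shell
#!/bin/sh
# Added example (not from the original post): detect an FTP logon whose credentials
# crossed the network in the clear. Input is the ASCII payload of the control channel
# (port 21), e.g. the text part of: tcpdump -i eth0 -nn -A tcp port 21
# Only lines before the first "AUTH TLS" are considered, since after that point the
# channel is ciphertext and nothing readable should follow.

# Constructed sample: plaintext logon as seen in Seq2 of the post
SAMPLE_PLAIN='220 (vsFTPd 2.2.2)
USER hadoop
331 Please specify the password.
PASS s3cret
230 Login successful.'

# Constructed sample: explicit-TLS logon, the rest of the session is unreadable
SAMPLE_TLS='220 (vsFTPd 2.2.2)
AUTH TLS
234 Proceed with negotiation.
..x..Z..Qk..'

# Prints the user name and returns 0 when both USER and PASS were sent before any
# AUTH TLS; returns 1 (prints nothing) otherwise.
ftp_cleartext_login() {
    printf '%s\n' "$1" | awk '
        /^AUTH TLS/           { tls = 1 }
        !tls && /^USER /      { user = $2 }
        !tls && /^PASS /      { pass = 1 }
        END {
            if (user != "" && pass) { print user; exit 0 }
            exit 1
        }'
}

# Run the check over both constructed captures
for s in "$SAMPLE_PLAIN" "$SAMPLE_TLS"; do
    if u=$(ftp_cleartext_login "$s"); then
        echo "cleartext credentials for user '$u' observed on port 21"
    else
        echo "no cleartext logon seen (TLS negotiated or no logon in capture)"
    fi
done
```

Run it against a saved capture with `tcpdump -r file.pcap -A tcp port 21 | sed -n '/^[A-Z0-9]/p'` piped into the function; a hit on a server that is supposed to enforce TLS is the signal that force_local_logins_ssl is not doing its job.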

Seq3: Create a CA certificate authority with openssl (see the author's post "Create a private CA through openssl" for details)

  # cd /etc/pki/CA
  # (umask 077; openssl genrsa -out private/cakey.pem 2048)                                  # generate the CA private key (readable by root only)
  # openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650                # generate the self-signed CA certificate


Seq4: Generate a key pair for the FTP service with openssl and create a certificate signing request

  # mkdir /etc/vsftpd/ftps
  # cd /etc/vsftpd/ftps
  # (umask 077; openssl genrsa -out vsftpd.key 1024)            # create the service private key (1024 bits as in the post; 2048 is the current minimum recommendation)
  # openssl req -new -key vsftpd.key -out vsftpd.csr             # create the certificate signing request for the CA


Seq5: The CA receives the certificate signing request (csr) and issues a digital certificate (crt) for it

  # openssl ca -in vsftpd.csr -out vsftpd.crt -days 3650        # run from /etc/vsftpd/ftps; signs with the CA key created in Seq3

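The post issues the certificate but never checks the result. The following is an added shell example (not the post's own commands) that repeats the Seq3 to Seq5 chain in a throwaway directory and then verifies what Seq6 depends on: that vsftpd.crt chains to the CA and that vsftpd.key is the matching private key with mode 600. It signs with `openssl x509 -req -CA ...` instead of `openssl ca` so that no CA database (index.txt, serial, openssl.cnf section) is needed; the subject names are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post): build CA -> service key -> CSR -> signed
# certificate in a temporary directory, then verify the chain and key/cert pairing.
# Assumptions: the openssl CLI is installed; subjects below are placeholders.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Seq3 equivalent: private CA key and self-signed CA certificate (-subj avoids prompts)
make_ca() {
    (umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
        -days 3650 -subj "/CN=Example Private CA" 2>/dev/null
}

# Seq4 equivalent: service key and certificate signing request
make_csr() {
    (umask 077; openssl genrsa -out "$WORK/vsftpd.key" 2048 2>/dev/null)
    openssl req -new -key "$WORK/vsftpd.key" -out "$WORK/vsftpd.csr" \
        -subj "/CN=ftp.example.test" 2>/dev/null
}

# Seq5 equivalent: the CA signs the CSR ("x509 -req" needs no CA directory layout)
sign_csr() {
    openssl x509 -req -in "$WORK/vsftpd.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -out "$WORK/vsftpd.crt" \
        -days 3650 2>/dev/null
}

# Check 1: the issued certificate verifies against the CA certificate
verify_chain() {
    if openssl verify -CAfile "$WORK/cacert.pem" "$WORK/vsftpd.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Check 2: rsa_cert_file and rsa_private_key_file belong together (same RSA modulus)
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$WORK/vsftpd.crt" | openssl md5)
    k=$(openssl rsa -noout -modulus -in "$WORK/vsftpd.key" 2>/dev/null | openssl md5)
    [ "$c" = "$k" ] && echo match || echo mismatch
}

# Check 3: the private key mode string as ls shows it (umask 077 should give -rw-------)
key_perms() {
    ls -l "$WORK/vsftpd.key" | awk '{ print substr($1, 1, 10) }'
}

make_ca && make_csr && sign_csr
echo "chain: $(verify_chain)  key/cert: $(key_matches_cert)  key mode: $(key_perms)"
```

On the real server, run the same three checks against /etc/vsftpd/ftps/vsftpd.crt, vsftpd.key and /etc/pki/CA/cacert.pem before restarting vsftpd; a mismatch between key and certificate is the usual cause of a TLS handshake that fails with no helpful client-side message.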

Seq6: Edit the vsftpd main configuration file and append the following lines at the end:

  ssl_enable=YES                                     # enable SSL/TLS
  ssl_tlsv1=YES                                      # protocols to offer: tlsv1, sslv2 (not recommended) and sslv3
  ssl_sslv3=YES                                      # as in the post; SSLv3 is obsolete (POODLE) and is normally left at NO
  allow_anon_ssl=NO                                  # anonymous users do not get SSL/TLS
  force_local_data_ssl=YES                           # data connections of local users must be encrypted
  force_local_logins_ssl=YES                         # local users must log on over SSL/TLS
  rsa_cert_file=/etc/vsftpd/ftps/vsftpd.crt          # the service's digital certificate (public key)
  rsa_private_key_file=/etc/vsftpd/ftps/vsftpd.key   # the service's own private key (mode 600)
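To check a vsftpd.conf for exactly these settings rather than trusting that the edit was applied, here is an added shell example (not part of the original post) that audits a configuration text for the TLS-related keys above and flags the weak choices. The two configuration texts are constructed inline (the post's own settings, and the same file with SSLv2/SSLv3 off); the defaults assumed for missing keys follow vsftpd.conf(5): ssl_enable NO, ssl_sslv2 NO, ssl_sslv3 NO, force_local_logins_ssl YES, force_local_data_ssl YES.

```shell
#!/bin/sh
# Added example (not part of the original post): audit the SSL/TLS keys of a vsftpd.conf.
# Usage on a real host: audit_vsftpd_conf "$(cat /etc/vsftpd/vsftpd.conf)"

# Constructed: the settings Seq6 of the post appends, including ssl_sslv3=YES
CONF_FROM_POST='listen=YES
local_enable=YES
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ftps/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ftps/vsftpd.key'

# Constructed: the same file with the obsolete protocols explicitly off
CONF_HARDENED='listen=YES
local_enable=YES
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ftps/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ftps/vsftpd.key'

# conf_get CONFIG KEY DEFAULT: value of KEY (last assignment wins, comments ignored),
# or DEFAULT when the key is absent, mirroring vsftpd's own defaulting.
conf_get() {
    printf '%s\n' "$1" | awk -F= -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ { next }
        $1 == key        { val = $2 }
        END              { print (val == "" ? def : val) }'
}

# Prints one finding per line; prints nothing for a sound configuration.
audit_vsftpd_conf() {
    conf=$1
    [ "$(conf_get "$conf" ssl_enable NO)" = "YES" ] \
        || echo "ssl_enable is not YES: user names and passwords cross the network in the clear"
    [ "$(conf_get "$conf" ssl_sslv2 NO)" = "NO" ] \
        || echo "ssl_sslv2=YES: SSLv2 is broken and must stay disabled"
    [ "$(conf_get "$conf" ssl_sslv3 NO)" = "NO" ] \
        || echo "ssl_sslv3=YES: SSLv3 is obsolete (POODLE); set it to NO"
    [ "$(conf_get "$conf" force_local_logins_ssl YES)" = "YES" ] \
        || echo "force_local_logins_ssl=NO: clients can fall back to a plaintext logon"
    [ "$(conf_get "$conf" force_local_data_ssl YES)" = "YES" ] \
        || echo "force_local_data_ssl=NO: file contents can be transferred unencrypted"
    for f in rsa_cert_file rsa_private_key_file; do
        [ -n "$(conf_get "$conf" "$f" "")" ] || echo "$f is not set"
    done
    return 0
}

# Number of findings for a configuration text
findings_count() {
    audit_vsftpd_conf "$1" | grep -c .
}

echo "post config: $(findings_count "$CONF_FROM_POST") finding(s)"
audit_vsftpd_conf "$CONF_FROM_POST"
echo "hardened config: $(findings_count "$CONF_HARDENED") finding(s)"
```

The post's own file produces exactly one finding, the ssl_sslv3=YES line; the hardened variant produces none. Note that vsftpd only reads the last assignment of a key, which is why conf_get keeps the last value rather than the first.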

Seq7: Configure iptables and SELinux

  Note: when writing iptables rules for FTP sessions, load the ip_conntrack_ftp and ip_nat_ftp helper modules first.
  # vim /etc/sysconfig/iptables-config
  IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"
  # iptables -F
  # iptables -P INPUT DROP
  # iptables -P OUTPUT DROP
  # iptables -P FORWARD DROP
  # iptables -A INPUT -d 172.16.88.10 -p tcp --dport 21 -m state --state NEW -j ACCEPT                # added here: with a DROP policy, new control connections to port 21 must be accepted explicitly
  # iptables -A INPUT -d 172.16.88.10 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  # iptables -A OUTPUT -s 172.16.88.10 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  # service iptables save
  # service iptables restart
  Note: once the control channel is encrypted, ip_conntrack_ftp can no longer read the PASV/PORT exchange, so data connections are not matched as RELATED; fix a passive port range in vsftpd.conf (pasv_min_port/pasv_max_port) and accept that range explicitly.
  SELinux settings
  # getenforce                 # view the current SELinux mode
  Enforcing                    # the SELinux security policy is enforced
  Permissive                   # SELinux prints warnings instead of enforcing
  Disabled                     # SELinux is fully disabled
  # getsebool -a | grep ftp
  allow_ftpd_anon_write --> off
  allow_ftpd_full_access --> off
  allow_ftpd_use_cifs --> off
  allow_ftpd_use_nfs --> off
  allow_tftp_anon_write --> off
  ftp_home_dir --> off
  ftpd_connect_db --> off
  ftpd_disable_trans --> off
  ftpd_is_daemon --> on
  httpd_enable_ftp_server --> off
  tftpd_disable_trans --> off
  # setsebool -P allow_ftpd_anon_write on
  # setsebool -P allow_ftpd_full_access on   # grants vsftpd full file-system access; broader than the TLS setup itself requires

Seq9: Use the Windows client again to log on to the FTP service and check whether the logon succeeds.

The test result shows that the logon fails, so the cause must be verified.

Seq10: Use the FlashFXP tool to verify whether a normal logon is possible.
Run FlashFXP and connect to the FTP server:
Click Session > Quick Connect.


The test result shows that the connection fails, so the user still cannot log on to the FTP service normally this way. Next, check whether the user can log on normally through the authenticated connection:
Click Site > New Site.


Click "Accept" (or "Save") to connect to the FTP service. The user name and password are now transmitted encrypted.

 

This article is from the "See you next year CA" blog, please be sure to keep this source http://guodayong.blog.51cto.com/263451/1186003
