Use SRP to create a secure LinuxFTP server (figure)

Source: Internet
Author: User
Tags install openssl file transfer protocol ssh server
Article Title: Use SRP to establish a secure LinuxFTP server (figure ). Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
In small and medium-sized heterogeneous networks, many users choose Linux as the network operating system and use its simple configuration and user-familiar graphical interfaces to provide Internet services. FTP is one of the services it provides. FTP (file transfer protocol) plays an important role in many network applications. Software resources are a very important resource on the Internet, and most of the various software resources are stored on FTP servers. Like most Internet services, FTP is also a client/server system.
  
FTP is a traditional network service program, which is inherently insecure because it transmits passwords and data in plain text on the network. It is very easy for others with ulterior motives to intercept these passwords and data. In addition, the security authentication methods of these service programs also have their weaknesses, that is, they are vulnerable to man-in-the-middle attacks. The so-called "man-in-the-middle" attack means that "man-in-the-middle" impersonates a Real Server to receive the data you send to the server, and then impersonates you to pass the data to the Real Server. After the data transfer between the server and you is transferred by a "man-in-the-middle", serious problems will occur. These passwords are intercepted by brute force cracking. In addition, you can use the sniffer program to monitor network packets and capture the session information starting with FTP.
  
SSH (Secure Shell) is a safer solution for operating servers through remote online services. It was initially developed by a Finnish company, but due to copyright and encryption algorithm restrictions, many people switched to the free alternative software OpenSSH. SSH (Secure Shell) is a safer solution for operating servers through remote online services. It was initially developed by a Finnish company, but due to copyright and encryption algorithm restrictions, many people switched to the free alternative software OpenSSH. You can use SSH to encrypt all transmitted data so that the "man-in-the-middle" attack method is not possible, and it can also prevent DNS and IP spoofing. It also has an additional advantage that the transmitted data is compressed and can speed up transmission. SSH is widely used. It can replace Telnet, provide FTP, POP, and even a secure "channel" for PPP ". The SSH protocol provides two Server functions in the preset state: one is a remote online Shell Server similar to Telnet, which is also known as the SSH function; the other is similar to the SFTP-Server function of the FTP service, provides more secure FTP services.
  
How does SSH security verification work? It mainly relies on online encryption technology. From the client perspective, there are two security verification levels:
  
1. Password-based security authentication (ssh1) as long as you know your account and password, you can log on to the remote host. All transmitted data will be encrypted, but there is no guarantee that the server being connected is the server to be connected. Attackers may be attacked by man-in-the-middle.
  
2. The key-based security authentication (ssh2) relies on the key, that is, you must create a pair of keys for yourself and put the public key on the server to be accessed. If you want to connect to the SSH server, the client software sends a request to the server, requesting security verification with the key. After receiving the request, the server first looks for the Public Key in the home directory of the server, and then compares it with the public key sent. If the two keys are consistent, the server uses the public key to encrypt the challenge and send it to the client software. After the client software receives a question, it can use a private key to decrypt it and then send it to the server. In this way, you must know the password of your key. Compared with the first level, this level does not need to transmit passwords over the network. It not only encrypts all transmitted data, but also prevents man-in-the-middle attacks. Currently, OpenSSH has two security risks: Password, key cracking (using dictionary files to unbind the password), and Trojan Horse placement in OpenSSH.
  
   1. Introduction to SRP
  
SRP stands for Secure Remote Password, which is an open source code authentication protocol. The client/server using SRP does not transmit the password in plaintext or encrypted mode on the network, which completely eliminates password spoofing. Ensure that passwords can be securely transmitted over the network. The basic idea is to prevent dictionary attacks by passive or active network intruders. The computer department of Standford University has developed SRP software packages that provide password-based authentication and Session Encryption security mechanisms without the need for users or network administrators to participate in key management or distribution. SRP provides transparent password security for each individual without other expensive initial expenses, such as blocking the use of other security software. Unlike other security software, the SRP package is a complete Cryptographic software package, not a temporary solution. Compared with standard/etc/shadow-style security, SRP is better in every aspect. Using SRP has the following benefits for users and managers:
  
SRP defends against password sniffing attacks. In a session that uses SRP authentication, the listener does not monitor any passwords transmitted over the network. In remote login software, plaintext password transfer is the biggest security vulnerability. Anyone can use a simple sniffer tool to obtain the key for logging on to the remote system.
  
SRP defends against dictionary attacks. It is not enough for a system to protect simple password listening. If attackers use powerful attacks, such as Dictionary attacks, they do not simply listen to passwords, but track the entire session process, and then compare the entire information with common passwords in the dictionary. Even some Kerberos systems are vulnerable to such attacks. SRP performs password security before resisting dictionary attacks. The algorithm used requires an attacker to execute an impossible large computing before launching a powerful attack. SRP even protects "active" attacks against passwords. Therefore, even if intruders have the ability to access the network, they cannot break the SRP. Therefore, even if the user uses a very fragile password, it will not make it easy for intruders to crack it. SRP is completely transparent to end users. Because there is no so-called "keyrings", "certificate", or "ticket ). Your password is the key. SRP simply protects this key, but it is better than the old and weak key protection mechanism. SRP is easy to implement from the perspective of managers. There are no such concepts as "Key Server", "certificate authentication", and "authentication server. The SRP password file is next to the standard Unix password file. The software works with the two system passwords to ensure consistency with the SRP password file. There is no redundant system maintenance mechanism. SRP exchanges an encrypted key when authenticating a user. This means that a login session can be encrypted to resist so-called network listening and malicious tampering. When users read their letterhead remotely, they use 128-bit encrypted information, which is automatically processed after the user logs on, and the user does not have to worry about whether or not encryption is required. The system completes encryption and sends it to the user. In addition, SRP does not use encryption for authentication, which makes it faster and safer than public/private key-based authentication. SRP uses the 128-bit CAST encryption algorithm by default. CAST-128 is defined in RFC2144 (http://srp.stanford.edu/srp/rfc2144.txt. Standard SRP also supports 56-bit DES and 48-bit DES. Advanced Support for Triple-DES encryption. This article describes how to create a SRP-based Telnet server. Operating Environment Redhat Linux 9.0.
  
   Ii. Software Download and compilation
  
SRP software home page is: http://srp.stanford.edu Latest Version 2.1.1, before installing SRP first install OpenSSL.
  
# Wget http://srp.stanford.edu/source/srp-2.1.1.tar.gz
  
# Cp/usr/src/redhat/SOURCES
  
#./Configure -- with-openssl =/usr/src/redhat/SOURCES/openssl-0.9.6
-- With-pam
  
# Make; make install
  
   3. Establish an index password system EPS
  
EPS Full name: Exponential Password System (Exponential Password System), which includes the source code of EPS.
  
1. Install the PAM module
  
PAM introduction:
  
PAM Full name: Pluggable Authentication Module (embedded Authentication Module ). It was initially developed by SUN and soon accepted by the Linux community and developed more modules. The goal is to provide a set of function libraries that can be used to authenticate user identities, thus separating authentication from application development. Linux-PAM handles four independent (Management) tasks. They are: authentication management, account management, session management, and password management.
  
PAM working method:
  
(1) call an application to obtain the service of the application.
  
(2) The PAM application calls the background PAM library for authentication.
  
(3) The PAM library searches for configuration files related to application details in the/etc/pam. d/directory, which tells PAM what authentication mechanism is used by the application.
  
(4) install the required authentication module in the PAM library.
  
(5) These modules allow PAM to communicate with Session functions in the application.
  
(6) The session function asks the user for relevant information.
  
(7) The user responds to these requirements and provides the required information.
  
(8) The PAM Authentication Module provides authentication information to applications through the PAM library.
  
(9) after the authentication is completed, the application has two options:
  
Grant the required permissions to the user and notify the user.
  
The authentication fails and the user is notified.
  
For PAM workflow, see.
  
   PAM Workflow
  
PAM usage:
  
# Cd/usr/src/redhat/SOURCES/srp-2.1.1/base/pam_eps.
  
# Install-m 644 pam_eps_auth.so pam_eps_passwd.so/lib/security
  
The above command installs the PAM module in the/lib/security directory. Run the "/usr/local/bin/tconf" command to create the/etc/tpasswd and/etc/tpasswd. conf files.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.