Vsftpd + SSL/TLS for secure communication
As mentioned in previous articles, FTP transmits everything in plain text, so anyone sniffing the network can read account names and passwords. To transfer files securely, the FTP session has to be protected with SSL/TLS. There are two ways to get secure FTP communication:
One is implemented using SSL/TLS.
The other is implemented through SSH + FTP.
Here we only cover how to implement secure FTP communication through SSL/TLS.
The implementation steps are as follows.
To use the SSL/TLS function, first install the mod_ssl package:
# yum -y install mod_ssl
1. Create a self-signed CA certificate
1. Create the CA private key (the umask keeps the key readable only by root)
(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
2. Generate the self-signed CA certificate
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
3. Create the directories and files that openssl ca expects
# cd /etc/pki/CA
# mkdir certs crl newcerts
# touch index.txt serial
# echo 01 > serial
Modify the OpenSSL configuration file
# vim /etc/pki/tls/openssl.cnf
Change the CA directory to the following:
dir = /etc/pki/CA
2. Issue a certificate to the client (here, the vsftpd server is the CA's client)
1. Create a private key for the client
openssl genrsa -out /etc/pki/CA/private/vsftpd.key 2048
2. Generate a certificate signing request
openssl req -new -key /etc/pki/CA/private/vsftpd.key -out /etc/pki/CA/vsftpd.csr
3. Sign the request with the CA
openssl ca -in /etc/pki/CA/vsftpd.csr -out /etc/vsftpd/ssl/vsftpd.crt -days 3650
After the preceding steps, the CA certificate has been created.
Next, only the vsftpd configuration file needs to be modified.
3. Modify /etc/vsftpd.conf and add the following lines (vsftpd expects key=value with no spaces around the equals sign):
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=YES
allow_anon_ssl=NO
# Virtual users do not use the SSL function
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/pki/CA/cacert.pem
rsa_key_file=/etc/pki/CA/private/cakey.pem
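As an added check that is not part of the original article, the following Python script parses the configuration block above the way vsftpd reads it (strict key=value, no spaces) and reports the points a reviewer would raise: SSLv3 left enabled, local users allowed to fall back to clear text, and the server being handed the CA's own signing key. The man-page defaults and the cakey.pem name check are assumptions made here.

```python
import re

# vsftpd accepts only "key=value" with no whitespace around "=", so the parser is strict.
_DIRECTIVE = re.compile(r"^([a-z0-9_]+)=(.*)$")

_DEFAULTS = {"ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO",  # man-page defaults
             "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES"}

# Constructed sample: the article's TLS block, as vsftpd expects it written.
PAGE_CONF = """ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/pki/CA/cacert.pem
rsa_key_file=/etc/pki/CA/private/cakey.pem
"""

def parse_vsftpd_conf(text):
    """Return (settings, malformed_lines); blank and comment lines are skipped."""
    settings, malformed = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
        else:
            malformed.append(raw)  # e.g. "ssl_enable = YES" (spaces around "=")
    return settings, malformed

def _yes(value):
    return value.upper() in ("YES", "TRUE", "1")

def audit_tls(settings):
    """Return findings for the TLS directives; an empty list means hardened."""
    cfg = {**_DEFAULTS, **settings}
    if not _yes(cfg["ssl_enable"]):
        return ["ssl_enable=NO: logins and data travel in clear text"]
    findings = [f"{p}=YES enables a broken protocol version"
                for p in ("ssl_sslv2", "ssl_sslv3") if _yes(cfg[p])]
    findings += [f"{o}=NO lets local users fall back to plain FTP"
                 for o in ("force_local_logins_ssl", "force_local_data_ssl")
                 if not _yes(cfg[o])]
    if cfg.get("rsa_key_file", "").endswith("cakey.pem"):  # heuristic on the file name
        findings.append("rsa_key_file is the CA signing key; serve a separate server key")
    return findings
```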
4. Test whether local users and virtual users log on with encryption. (Virtual users do not use encrypted login.)
During the test, make sure SELinux is not in enforcing mode; otherwise the test will fail.
You can also test with FTP client software. FlashFXP was used for testing here, but the testing process is not shown.
This article is from the "Linux learning path" blog; please keep this source: http://xslwahaha.blog.51cto.com/4738972/1565771