Tags: ssl vsftpd
I. Basic environment

1. Version
    cat /etc/debian_version
    7.8

2. Kernel
    uname -r
    3.2.0-4-amd64

3. vsftpd version
    vsftpd: version 2.3.5

4. IP (eth0)
    192.168.1.124

5. vsftpd official site
    vsftpd.beasts.org

6. Requirements
Only the fileftp user may connect and log in to FTP, and it must be locked into a custom home directory. Other system users and anonymous users must not be able to log in. The service listens on the local eth0 address.

II. Installing and configuring the vsftpd server

1. Install with apt
    apt-get -y install vsftpd

2. Create the FTP directory
    mkdir /opt/ftp -p

3. Create the FTP account and set its password
1) Add the fileftp user
    useradd -s /bin/false -d /opt/ftp fileftp
2) Set the password
    echo fileftp:redhat|chpasswd

4. Edit the configuration
1) Back up the configuration first
    cp /etc/vsftpd.conf /etc/vsftpd.conf.bak
    cp /etc/ftpusers /etc/ftpusers.bak
    cp /etc/shells /etc/shells.bak
2) cat /etc/vsftpd.conf
    listen_port=21
    listen_address=192.168.1.124
    listen=YES
    local_enable=YES
    write_enable=YES
    local_umask=022
    xferlog_enable=YES
    dual_log_enable=YES
    xferlog_file=/var/log/xferlog.log
    vsftpd_log_file=/var/log/vsftpd.log
    xferlog_std_format=YES
    chroot_local_user=YES
    pam_service_name=vsftpd
    anonymous_enable=NO
    local_root=/opt/ftp
    userlist_enable=YES
    userlist_file=/etc/vsftpd.user_list
    userlist_deny=NO
3) Configure so that only fileftp can log in to the FTP service
    cat /etc/passwd|grep -v "fileftp"|awk -F: '{print $1}' > /etc/ftpusers
4) Check it
    cat /etc/ftpusers
    root
    daemon
    bin
    sys
    sync
    games
    man
    lp
    mail
    news
    uucp
    proxy
    www-data
    backup
    list
    irc
    gnats
    nobody
    libuuid
    sshd
    jimmy
    messagebus
    ftp
5) FTP checks the /etc/shells file, and the shell used when adding the user above was /bin/false, so add it
    echo "/bin/false" >> /etc/shells
6) Check it
    cat /etc/shells
    # /etc/shells: valid login shells
    /bin/sh
    /bin/dash
    /bin/bash
    /bin/rbash
    /bin/false
7) If the user list file does not exist, create it
    echo "fileftp" > /etc/vsftpd.user_list

5. Configuration notes
    listen_port=21 #listening port
    listen_address=192.168.1.124 #listening address
    listen=YES #start the service in standalone mode
    local_enable=YES #allow system users to log in
    write_enable=YES #allow uploads
    local_umask=022 #file permissions for local users
    xferlog_enable=YES #enable logging
    xferlog_file=/var/log/xferlog.log #where the log is stored
    xferlog_std_format=YES #write the log in standard xferlog format
    vsftpd_log_file=/var/log/vsftpd.log #where the log is stored
    dual_log_enable=YES #enable dual logging
    chroot_local_user=YES #confine users to their home directory
    pam_service_name=vsftpd #use PAM authentication; see /etc/pam.d/vsftpd for details
    anonymous_enable=NO #do not allow anonymous logins
    local_root=/opt/ftp #the home directory of the FTP account after login is /opt/ftp
    userlist_enable=YES #enable the vsftpd.user_list file
    userlist_file=/etc/vsftpd.user_list #path of the list file
    userlist_deny=NO #only users listed in vsftpd.user_list may connect to FTP

6. Restart the vsftpd service
    /etc/init.d/vsftpd restart
    Stopping FTP server: vsftpd.
    Starting FTP server: vsftpd.

7. Check the port
    netstat -tupnl|grep 21
    tcp 0 0 192.168.1.124:21 0.0.0.0:* LISTEN 5713/vsftpd

8. Check the process
    ps -ef |grep vsftpd
    root 5713 1 0 10:09 ? 00:00:00 /usr/sbin/vsftpd

III. Testing

1. Install the lftp client
    apt-get -y install lftp

2. Create the fileftp transfer directory
    mkdir /opt/ftp/fileftp -p && cd /opt/ftp/ && chown fileftp.fileftp fileftp -R

3. Test logins (on Linux)
    lftp fileftp:'redhat'@192.168.1.124
    lftp jimmy:'redhat'@192.168.1.124
    lftp root:'redhat'@192.168.1.124
    lftp 192.168.1.124

4. Check the log (tested from a host with IP 192.168.1.120)
    Sat Aug 1 12:33:38 2015 [pid 2] CONNECT: Client "192.168.1.120"
    Sat Aug 1 12:33:38 2015 [pid 1] [fileftp] OK LOGIN: Client "192.168.1.120"
PS: the log shows that only fileftp logged in successfully; root, jimmy and the anonymous user all failed to log in.

5. Test with a GUI tool
[Screenshot aaa.jpg: http://s3.51cto.com/wyfs02/M00/70/BA/wKioL1W8Z4Kj-HzNAAMVM-e8oEQ466.jpg]
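The access policy above rests on three separate mechanisms working together: userlist_deny=NO turns vsftpd.user_list into an allow-list, /etc/ftpusers is the PAM deny-list built from /etc/passwd, and the account's /bin/false shell must be listed in /etc/shells or PAM rejects the login. The script below is an added example, not part of the original post, that checks all three against constructed sample files (passwd, shells and vsftpd.conf written to a temporary directory; all names and values in them are made up for the example). It generalises the post's grep|awk pipeline to an exact-match awk filter on the account name, so an account whose name merely contains the allowed user's name is not accidentally left off the deny list.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf against the
# post's policy and rebuild the /etc/ftpusers deny list. Every file path and
# sample content here is constructed for the example.

# Print the value of key $2 from conf file $1. vsftpd uses the last occurrence
# of a key, so we do too; prints nothing if the key is absent.
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Compare one key against its expected value; print a FAIL line on mismatch.
expect_setting() {
    conf=$1; key=$2; want=$3
    got=$(vsftpd_get "$conf" "$key")
    if [ "$got" != "$want" ]; then
        echo "FAIL $key=${got:-<unset>} (want $want)"
        return 1
    fi
    return 0
}

# Audit conf $1 for the post's policy (local users only, chrooted, no
# anonymous access, user list as allow-list, bound to address $2).
# Returns 0 only when every check passes.
audit_vsftpd_conf() {
    conf=$1; listen_addr=$2; rc=0
    expect_setting "$conf" anonymous_enable NO        || rc=1
    expect_setting "$conf" local_enable YES           || rc=1
    expect_setting "$conf" chroot_local_user YES      || rc=1
    expect_setting "$conf" userlist_enable YES        || rc=1
    expect_setting "$conf" userlist_deny NO           || rc=1
    expect_setting "$conf" listen_address "$listen_addr" || rc=1
    return $rc
}

# Build the PAM deny list: every account in passwd file $1 except user $2,
# one name per line. Exact match on field 1, unlike the post's grep -v.
build_ftpusers() {
    awk -F: -v keep="$2" '$1 != keep { print $1 }' "$1"
}

# Debian's /etc/pam.d/vsftpd uses pam_shells, so the account's login shell
# must appear in /etc/shells. Returns 0 if user $3 (from passwd $1) has a
# shell listed in shells file $2.
user_shell_allowed() {
    shell=$(awk -F: -v u="$3" '$1 == u { print $7 }' "$1")
    [ -n "$shell" ] && grep -qxF "$shell" "$2"
}

# Write constructed sample files into a fresh temp dir and print its path.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
jimmy:x:1000:1000:jimmy:/home/jimmy:/bin/bash
fileftp:x:1001:1001::/opt/ftp:/bin/false
EOF
    cat > "$d/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
EOF
    cat > "$d/vsftpd.conf" <<'EOF'
listen=YES
listen_address=192.168.1.124
local_enable=YES
chroot_local_user=YES
anonymous_enable=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
EOF
    echo "$d"
}

# Demo run against the constructed files.
dir=$(make_sample_dir)
echo "ftpusers deny list:"; build_ftpusers "$dir/passwd" fileftp
if user_shell_allowed "$dir/passwd" "$dir/shells" fileftp; then
    echo "fileftp shell is listed in shells"
else
    echo "fileftp shell is not in shells: append /bin/false as the post does"
fi
if audit_vsftpd_conf "$dir/vsftpd.conf" 192.168.1.124; then echo "policy OK"; fi
rm -rf "$dir"
```

Run it as-is for the demo, or point the functions at the real /etc/passwd, /etc/shells and /etc/vsftpd.conf on the server to re-check the deployment after any later edit.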
IV. Configuring SSL

1. Install the package
    apt-get -y install openssl

2. Create a certificate (valid for 365 days) and fill in the relevant information
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out /etc/ssl/certs/vsftpd.pem -keyout /etc/ssl/certs/vsftpd.pem
    Generating a 2048 bit RSA private key
    ..........+++
    .............+++
    writing new private key to '/etc/ssl/certs/vsftpd.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:shanghai
    Locality Name (eg, city) []:shanghai
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:aaa
    Organizational Unit Name (eg, section) []:aaa
    Common Name (e.g. server FQDN or YOUR name) []:aaa
    Email Address []:

3. Change the permissions
    chmod 0400 /etc/ssl/certs/vsftpd.pem

4. SSL configuration
Append to the end of /etc/vsftpd.conf:
    ssl_enable=YES
    rsa_cert_file=/etc/ssl/certs/vsftpd.pem
    ssl_sslv2=YES
    ssl_sslv3=YES
    ssl_tlsv1=YES

5. Configuration notes
    ssl_enable=YES #enable vsftpd's support for the SSL protocol
    ssl_sslv2=YES #support the SSL v2 protocol
    ssl_sslv3=YES #support the SSL v3 protocol
    ssl_tlsv1=YES #support TLS v1
    rsa_cert_file=/etc/ssl/certs/vsftpd.pem #where the certificate is stored

6. Restart the service
    /etc/init.d/vsftpd restart
    Stopping FTP server: vsftpd.
    Starting FTP server: vsftpd.

7. Testing
1) lftp fileftp:'redhat'@192.168.1.124
    ls: Fatal error: Certificate verification: Not trusted
Fix: add one line to the end of /etc/lftp.conf
    set ssl:verify-certificate no
then log in again and it works.
2) Check the log
    Sat Aug 1 13:52:23 2015 [pid 2] CONNECT: Client "192.168.1.124"
    Sat Aug 1 13:52:23 2015 [pid 2] DEBUG: Client "192.168.1.124", "Connection terminated without SSL shutdown - buggy client?"
    Sat Aug 1 13:56:25 2015 [pid 2] CONNECT: Client "192.168.1.120"
    Sat Aug 1 13:56:25 2015 [pid 1] [fileftp] OK LOGIN: Client "192.168.1.120"

8. Test with a GUI tool (FlashFXP)
[Screenshot ccc.png: http://s3.51cto.com/wyfs02/M00/70/BA/wKioL1W8Z6-DvZdKAAF_eazDch0333.jpg]
[Screenshot bbb.png: http://s3.51cto.com/wyfs02/M00/70/BD/wKiom1W8ZdWTJ6l2AAGsnFufwBA975.jpg]
[Screenshot ddd.jpg: http://s3.51cto.com/wyfs02/M01/70/BD/wKiom1W8ZebwhCbeAAJUqbTf_Q4457.jpg]
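The SSL fragment in section IV switches on ssl_sslv2 and ssl_sslv3 alongside ssl_tlsv1. SSLv2 and SSLv3 are deprecated protocol versions, so a configuration review of this file would flag those two lines and keep only TLS; it would also pin force_local_logins_ssl and force_local_data_ssl (vsftpd options that default to YES, so the post's setup already refuses plaintext logins, but an explicit value survives later edits). The script below is an added example, not from the original post or the vsftpd project: it audits a constructed copy of the post's SSL settings, writes a hardened copy with the weak protocol lines replaced, and checks that the certificate file has the 0400 mode the post sets. The sample conf is written to a temporary file with made-up content.

```shell
#!/bin/sh
# Added example (not from the original post): audit and harden the SSL
# settings of a vsftpd.conf. Sample file contents are constructed.

# Print the value of key $2 from conf $1 (last occurrence wins, as in vsftpd).
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Flag SSL problems in conf $1: SSL switched off, deprecated SSLv2/SSLv3
# enabled, TLSv1 disabled, or plaintext logins/data explicitly allowed.
# Prints one FAIL line per finding and returns 1 if there was any.
audit_ssl_settings() {
    conf=$1; rc=0
    [ "$(vsftpd_get "$conf" ssl_enable)" = YES ] || { echo "FAIL ssl_enable is not YES"; rc=1; }
    for proto in ssl_sslv2 ssl_sslv3; do
        [ "$(vsftpd_get "$conf" "$proto")" = YES ] && { echo "FAIL $proto=YES (deprecated protocol)"; rc=1; }
    done
    [ "$(vsftpd_get "$conf" ssl_tlsv1)" = YES ] || { echo "FAIL ssl_tlsv1 is not YES"; rc=1; }
    for k in force_local_logins_ssl force_local_data_ssl; do
        [ "$(vsftpd_get "$conf" "$k")" = NO ] && { echo "FAIL $k=NO (plaintext allowed)"; rc=1; }
    done
    return $rc
}

# Write a hardened copy of conf $1 to $2: drop every line that sets one of
# the pinned keys, then append the pinned values so they are the effective
# (last) occurrence. All other lines are kept unchanged.
harden_ssl_settings() {
    src=$1; dst=$2
    grep -Ev '^(ssl_sslv2|ssl_sslv3|ssl_tlsv1|force_local_logins_ssl|force_local_data_ssl)=' "$src" > "$dst" || true
    cat >> "$dst" <<'EOF'
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
EOF
}

# The post runs chmod 0400 on the combined key+certificate file; return 0
# only if file $1 still has exactly that mode (owner read, nothing else).
cert_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--------" ]
}

# Constructed copy of the post's SSL lines, written to a temp file.
make_sample_ssl_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
listen=YES
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
ssl_sslv2=YES
ssl_sslv3=YES
ssl_tlsv1=YES
EOF
    echo "$f"
}

# Demo: audit the sample, harden it, audit the hardened copy.
conf=$(make_sample_ssl_conf)
echo "== original =="; audit_ssl_settings "$conf" || true
harden_ssl_settings "$conf" "$conf.hardened"
echo "== hardened =="; audit_ssl_settings "$conf.hardened" && echo "no findings"
rm -f "$conf" "$conf.hardened"
```

On the client side, the post's fix of set ssl:verify-certificate no turns certificate checking off entirely; lftp's ssl:ca-file setting, pointed at a copy of the self-signed vsftpd.pem, lets the client verify the server instead of trusting any certificate.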
V. Reference article
    http://rajaseelan.com/2011/12/18/lftp-fatal-error-certificate-verification-not-trusted/
This article is from the "7928217" blog; please keep this attribution: http://7938217.blog.51cto.com/7928217/1680797
Installing and using vsftpd+ssl