Setting up an FTPS server on Linux

I. Basic principles

FTP (File Transfer Protocol) is the protocol two computers on a TCP/IP network use to transfer files; it copies files from one host to another. It is one of the earliest protocols used on TCP/IP networks and the Internet and belongs to the application layer of the protocol suite. An FTP client sends commands to the server to download files, upload files, and create or change directories on the server. The FTP service normally uses two ports, 20 and 21: port 20 carries the data stream between client and server, while port 21 carries the control stream and is the entry point through which commands reach the FTP server. While data is being transferred over the data stream the control stream sits idle, and once the control stream has been idle for a long time the client-side firewall may time the session out. This causes problems when a large amount of data passes through the firewall: the file itself may transfer successfully, but because the firewall has dropped the control session the transfer ends with errors.

II. Cases

Case 1: Hands-on practice

First install the Wireshark packet-capture tool

[root@uodekoaix Server]# yum install wireshark

[root@uodekoaix Server]# yum install vsftpd-2.0.5-16.el5.i386.rpm    // install the vsftpd service

[root@uodekoaix Server]# service vsftpd start

Anonymous login

The following shows that an anonymous login is not allowed to copy files into pub

[root@uodekoaix ~]# useradd user1

[root@uodekoaix ~]# passwd user1

[root@uodekoaix user1]# touch f1.user1

Test: ftp://192.168.101.1

Log in with a local user

After a successful login the file just created is visible

The following shows that a local user login is allowed to copy files into pub

[root@uodekoaix Server]# vim /etc/vsftpd/vsftpd.conf    // enable uploading

[screenshot: the anonymous upload option]

[screenshot: the anonymous create-directory option]

anon_other_write_enable=YES        // allow renaming and deleting directories

anon_umask=073                   // change the umask so uploaded files can be downloaded

[root@uodekoaix Server]# chmod o+wt /var/ftp/pub/           // change the permissions

[root@uodekoaix Server]# ll -d /var/ftp/pub/

drwxr-xrwt 2 root root 4096 2009-05-13 /var/ftp/pub/

The following shows that anonymous uploads now work.

Ways to access the FTP server

1. Command line

?        help
dir      list the remote directory
!dir     list the local directory
cd       change the remote directory
lcd      change the local directory
get      download a file
mget     download several files at once
put      upload a file
mput     upload several files at once
ascii    transfer in ASCII mode
bin      transfer in binary mode

2. Browser: IE with an ftp:// URL

3. Client software

CuteFTP, LeapFTP, FlashFXP

[root@uodekoaix pub]# vim .message

message

[root@uodekoaix pub]# ftp 192.168.101.1

Connected to 192.168.101.1.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (192.168.101.1:root): anonymous

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> cd pub

250-message

250 Directory successfully changed.

[root@uodekoaix pub]# vim /etc/vsftpd/vsftpd.conf   // enable logging

[root@uodekoaix ~]# tail -f /var/log/xferlog             // watch the log
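Beyond tailing the log, the lines are worth parsing: the following is an added example (not part of the original post) that picks uploads out of an xferlog written in vsftpd's standard layout and singles out the anonymous ones from case 1. The sample log lines are constructed here, not a real capture.

```shell
# Added example, not from the original post: read a vsftpd xferlog in the
# standard (wu-ftpd) layout. Fields: $1-$5 date, $6 seconds, $7 client host,
# $8 bytes, $9 path, $10 a/b transfer type, $11 action flag, $12 direction
# (i=upload, o=download), $13 access mode (a=anonymous, g=guest, r=real),
# $14 user, $15 service, $16 auth method, $17 auth id, $18 completion (c/i).
list_uploads() {
    # One line per completed upload: "mode user host path bytes"
    awk '$12 == "i" && $18 == "c" { print $13, $14, $7, $9, $8 }' "$1"
}
count_anonymous_uploads() {
    # Uploads made through an anonymous login. Key on access mode "a":
    # the user field only holds whatever e-mail string the client offered.
    awk '$12 == "i" && $13 == "a" { n++ } END { print n + 0 }' "$1"
}
bytes_uploaded_by_host() {
    # Total bytes uploaded from host $2, complete or not: a quick way to
    # notice a pub directory being used as a dumping ground.
    awk -v h="$2" '$12 == "i" && $7 == h { s += $8 } END { print s + 0 }' "$1"
}
write_sample_xferlog() {
    # Constructed log lines modelled on case 1 above (anonymous uploads to
    # /var/ftp/pub plus the local user user1); not a real capture.
    printf '%s\n' \
'Fri Aug 31 14:13:00 2012 1 192.168.101.5 3984 /var/ftp/pub/notes.txt b _ i a anonymous@ ftp 0 * c' \
'Fri Aug 31 14:15:10 2012 1 192.168.101.5 0 /home/user1/f1.user1 b _ o r user1 ftp 0 * c' \
'Fri Aug 31 14:20:42 2012 2 192.168.101.2 10240 /var/ftp/pub/tool.bin b _ i a ftp@ ftp 0 * c' \
'Fri Aug 31 14:22:00 2012 1 192.168.101.5 512 /home/user1/report.txt a _ i r user1 ftp 0 * c' \
'Fri Aug 31 14:25:00 2012 9 192.168.101.2 700000 /var/ftp/pub/big.iso b _ i a ftp@ ftp 0 * i' \
        > "$1"
}
```

Run the same functions against /var/log/xferlog on the server; the access-mode field is what distinguishes an anonymous upload from a local user's, not the user name.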

61 #idle_session_timeout=600   // session timeout

64 #data_connection_timeout=120         // data connection timeout

83 #ascii_upload_enable=YES

84 #ascii_download_enable=YES         // ASCII-mode transfers

91 deny_email_enable=YES

92 # (default follows)

93 banned_email_file=/etc/vsftpd/banned_emails      // anonymous e-mail passwords listed in this file are refused

[root@uodekoaix pub]# touch /etc/vsftpd/banned_emails

[root@uodekoaix pub]# echo "[email protected]">> /etc/vsftpd/banned_emails

[root@uodekoaix pub]# ftp 127.0.0.1

Connected to 127.0.0.1.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (127.0.0.1:root): anonymous

331 Please specify the password.

Password:

530 Login incorrect.

Login failed.

ftp>             // the login fails at this point

98 chroot_list_enable=YES    // restrict directory switching

99 # (default follows)

100 chroot_list_file=/etc/vsftpd/chroot_list        // local accounts listed in this file cannot switch out of their home directory

[root@uodekoaix pub]# vim /etc/vsftpd/chroot_list

user1

Testing with user1 below: it can no longer switch directories

[root@uodekoaix pub]# ftp 127.0.0.1

Connected to 127.0.0.1.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (127.0.0.1:root): user1

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

257 "/"

ftp> cd /

250 Directory successfully changed.

ftp> dir

227 Entering Passive Mode (127,0,0,1,99,15)

150 Here comes the directory listing.

-rw-r--r--    1 0        0               0 Aug 31 14:03 f1.user1

-rw-r--r--    1 500      500          3984 Aug 31 14:13 т?¨τ±?τμμ (9).txt

226 Directory send OK.

ftp>

98 chroot_local_user=YES

99 chroot_list_enable=YES

100 # (default follows)

101 chroot_list_file=/etc/vsftpd/chroot_list

Only accounts listed in chroot_list can switch directories

The following shows that user1 can switch

[root@uodekoaix pub]# ftp 127.0.0.1

Connected to 127.0.0.1.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (127.0.0.1:root): user1

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

257 "/home/user1"

ftp>

The following shows that user2 cannot switch

[root@uodekoaix pub]# ftp 127.0.0.1

Connected to 127.0.0.1.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (127.0.0.1:root): user2

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> pwd

257 "/"

ftp>

112 listen=YES    // run as a standalone daemon

[root@uodekoaix vsftpd]# vim ftpusers

user

[root@uodekoaix vsftpd]# service vsftpd restart

關閉 vsftpd:                                              [確定]

爲 vsftpd 啓動 vsftpd:                                    [確定]

The following shows that user1's login failed

[root@uodekoaix vsftpd]# ftp 127.0.0.1

Connected to 127.0.0.1.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (127.0.0.1:root): user1

331 Please specify the password.

Password:

530 Login incorrect.

Login failed.

ftp>

[root@uodekoaix vsftpd]# vim user_list

user1

The following shows that user1 is refused outright, which is safer.

[root@uodekoaix vsftpd]# ftp 127.0.0.1

Connected to 127.0.0.1.

220 (vsFTPd 2.0.5)

530 Please login with USER and PASS.

530 Please login with USER and PASS.

KERBEROS_V4 rejected as an authentication type

Name (127.0.0.1:root): user1

530 Permission denied.

Login failed.

[root@uodekoaix vsftpd]# vim /etc/hosts.allow

vsftpd:192.168.101.2 :deny

vsftpd:all:allow

The following shows that the host 192.168.101.2 is denied access

Case 2: Adding SSL to FTP to improve the FTP server's security

[root@uodekoaix Server]# cd /etc/pki/CA/

[root@uodekoaix CA]# ll

總計 8

drwx------ 2 root root 4096 2009-06-30 private

[root@uodekoaix CA]# cd ..

Modify the CA configuration file

[root@uodekoaix pki]# vim tls/openssl.cnf

45 dir             = /etc/pki/CA           # Where everything is kept

88 countryName             = optional

89 stateOrProvinceName     = optional

90 organizationName        = optional

91 organizationalUnitName  = optional

92 commonName              = supplied

93 emailAddress            = optional

134 [ req_distinguished_name ]

135 countryName                     = Country Name (2 letter code)

136 countryName_default             = CN

137 countryName_min                 = 2

138 countryName_max                 = 2

139

140 stateOrProvinceName             = State or Province Name (full name)

141 stateOrProvinceName_default     = BEIJING

142

143 localityName                    = Locality Name (eg, city)

144 localityName_default            = BEIJING

145

146 0.organizationName              = Organization Name (eg, company)

147 0.organizationName_default      = My Company Ltd

Create three directories and two files under the CA directory, and write 01 into serial

[root@uodekoaix pki]# cd CA

[root@uodekoaix CA]# mkdir crl certs newcerts

[root@uodekoaix CA]# touch index.txt serial

[root@uodekoaix CA]# echo "01">serial

Create the CA private key and restrict its permissions

[root@uodekoaix CA]# openssl genrsa 1024 >private/cakey.pem

Generating RSA private key, 1024 bit long modulus

..................................++++++

.................++++++

e is 65537 (0x10001)

[root@uodekoaix CA]# chmod 600 private/*

Issue the CA's own certificate (self-signed)

[root@uodekoaix CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BEIJING]:

Locality Name (eg, city) [BEIJING]:

Organization Name (eg, company) [My Company Ltd]:sec

Organizational Unit Name (eg, section) []:tec

Common Name (eg, your name or your server's hostname) []:

Create a certs directory to hold the FTP server's own key, certificate request and certificate

[root@uodekoaix CA]# mkdir /etc/vsftpd/certs

Generate the key file

[root@uodekoaix CA]# openssl genrsa 1024 >vsfptd.key

Generating RSA private key, 1024 bit long modulus

..............................++++++

...............................++++++

e is 65537 (0x10001)

Generate the certificate request (the first attempt below fails because the command above wrote the key under the misspelled name vsfptd.key in /etc/pki/CA)

[root@uodekoaix CA]# openssl req -new -key vsftpd.key -out vsftpd.csr
Error opening Private Key vsftpd.key
7911:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('vsftpd.key','r')
7911:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load Private Key
[root@uodekoaix CA]# cd /etc/vsftpd/certs/
[root@uodekoaix certs]# openssl req -new -key vsftpd.key -out vsftpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Have the CA issue the certificate

[root@uodekoaix certs]# openssl ca -in vsftpd.csr -out vsftpd.cert

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Aug 31 17:45:35 2012 GMT

            Not After : Aug 31 17:45:35 2013 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = BEIJING

            organizationName          = abc

            organizationalUnitName    = etc

            commonName                = ftp.abc.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                85:ED:3A:5F:B0:AC:82:2E:8D:C6:2D:81:37:D5:AB:39:EF:78:B6:6B

            X509v3 Authority Key Identifier:

                keyid:AA:07:05:D0:70:9C:3F:E5:D4:01:94:07:AA:76:52:A8:98:9B:85:64

Certificate is to be certified until Aug 31 17:45:35 2013 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Tie FTP to the certificate: edit the main FTP config file /etc/vsftpd/vsftpd.conf

[root@uodekoaix pki]# vim /etc/vsftpd/vsftpd.conf

119 pam_service_name=vsftpd

120 userlist_enable=YES

121 tcp_wrappers=YES

122 rsa_cert_file=/etc/vsftpd/certs/vsftpd.cert         // name and location of the certificate file

123 rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key     // name and location of the private key file

124 ssl_tlsv1=YES        // standard (TLS) transport

125 ssl_sslv3=YES

126 ssl_sslv2=YES          // other protocol versions

127 ssl_enable=YES          // enable SSL

128 force_local_logins_ssl=YES      // logins must use SSL

129 force_local_data_ssl=YES        // data transfers must use SSL

(:set nu in vim shows the line numbers given above)
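The configuration above turns on every protocol version, and case 1 turned on anonymous writes. The following added example (not from the original post) audits a vsftpd.conf for exactly these options and reports the ones a production FTPS server should not carry; the two sample configs it writes are constructed, one mirroring the settings shown on this page and one hardened.

```shell
# Added example, not from the original post: audit a vsftpd.conf for the
# options this tutorial sets. Exit status 0 = nothing weak, 1 = weak settings.
conf_get() {
    # Value of option $2 in file $1; commented-out lines are ignored and the
    # last occurrence wins, which is how vsftpd itself reads its config.
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '[:space:]'
}
audit_vsftpd_conf() {
    conf=$1
    problems=0
    # SSLv2 and SSLv3 are broken protocols: only TLS should be offered.
    for opt in ssl_sslv2 ssl_sslv3; do
        if [ "$(conf_get "$conf" "$opt")" = "YES" ]; then
            echo "WEAK: $opt=YES (disable legacy SSL, keep TLS only)"
            problems=$((problems + 1))
        fi
    done
    # ssl_enable alone is opt-in; without force_* a client may still send
    # the password and the file contents in clear text.
    if [ "$(conf_get "$conf" ssl_enable)" = "YES" ]; then
        for opt in force_local_logins_ssl force_local_data_ssl; do
            if [ "$(conf_get "$conf" "$opt")" != "YES" ]; then
                echo "WEAK: $opt is not YES although ssl_enable=YES"
                problems=$((problems + 1))
            fi
        done
    fi
    # The anonymous write options from case 1 are lab settings only.
    for opt in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        if [ "$(conf_get "$conf" "$opt")" = "YES" ]; then
            echo "WEAK: $opt=YES (anonymous users can change the tree)"
            problems=$((problems + 1))
        fi
    done
    echo "$problems weak setting(s) in $conf"
    [ "$problems" -eq 0 ]
}
# Constructed sample configs written to file $2: "weak" mirrors this page
# (legacy SSL on, anonymous writes on); "hardened" keeps TLS only.
write_sample_conf() {
    if [ "$1" = weak ]; then
        printf '%s\n' 'anonymous_enable=YES' 'anon_upload_enable=YES' \
            'anon_other_write_enable=YES' 'ssl_enable=YES' 'ssl_tlsv1=YES' \
            'ssl_sslv3=YES' 'ssl_sslv2=YES' 'force_local_logins_ssl=YES' \
            'force_local_data_ssl=YES' > "$2"
    else
        printf '%s\n' 'anonymous_enable=NO' '#ssl_sslv2=YES' 'ssl_enable=YES' \
            'ssl_tlsv1=YES' 'ssl_sslv3=NO' 'ssl_sslv2=NO' \
            'force_local_logins_ssl=YES' 'force_local_data_ssl=YES' > "$2"
    fi
}
```

Run `audit_vsftpd_conf /etc/vsftpd/vsftpd.conf` on the server after editing; a commented-out line such as `#ssl_sslv2=YES` is correctly treated as unset.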

Restart the vsftpd service (and enable it at boot)

[root@uodekoaix certs]# service vsftpd restart

Test with the FlashFXP client

The issued certificate is shown as follows

After connecting, the client lands in user2's home directory

Monitoring: the capture confirms SSL is in effect; the FTP requests on port 21 are now opaque SSL/TLS records rather than readable commands ……

[root@uodekoaix ~]# tshark -ni eth1 -R "tcp.dstport eq 21" 
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
70.949540 192.168.101.5 -> 192.168.101.1 FTP Request: \025\003\000\000\030f\267!\345|\341\024'=4UT\253\262\245dzY\230uoOzA
70.950319 192.168.101.5 -> 192.168.101.1 TCP 57130 > 21 [RST, ACK] Seq=60 Ack=19 Win=0 Len=0
113.210988 192.168.101.5 -> 192.168.101.1 FTP Request: \025\003\000\000\030\033\367\275\026(u\275j\351$\271a\016b(\005\322\246J\277\310]\226`
113.212027 192.168.101.5 -> 192.168.101.1 TCP 57132 > 21 [FIN, ACK] Seq=30 Ack=11 Win=16292 Len=0
113.212029 192.168.101.5 -> 192.168.101.1 TCP 57132 > 21 [RST, ACK] Seq=31 Ack=11 Win=0 Len=0

Case 3: Virtual accounts

Add a local account

[root@uodekoaix vsftpd]# useradd user4

[root@uodekoaix vsftpd]# passwd user4

Add virtual accounts (one line with the user name followed by one line with its password)

[root@uodekoaix vsftpd]# vim viruser.txt

test

123

test1

123

[root@uodekoaix Server]# rpm -ivh db4-utils-4.3.29-10.el5.i386.rpm

Generate the virtual account database

[root@uodekoaix Server]# cd /etc/vsftpd/

[root@uodekoaix vsftpd]# db_load -T -t hash -f viruser.txt viruser.db

[root@uodekoaix vsftpd]# find / -name pam_listfile.so

/lib/security/pam_listfile.so

[root@uodekoaix vsftpd]# cd /lib/security/

Point the PAM configuration at the virtual account database

[root@uodekoaix security]# vim /etc/pam.d/vsftpd

2 auth required pam_userdb.so db=/etc/vsftpd/viruser

3 account required pam_userdb.so db=/etc/vsftpd/viruser

Set the mapping between guest accounts and the local account

[root@uodekoaix security]# vim /etc/vsftpd/vsftpd.conf

119 pam_service_name=vsftpd

120 userlist_enable=YES

121 tcp_wrappers=YES

122 #rsa_cert_file=/etc/vsftpd/certs/vsftpd.cert

123 #rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key

124 #ssl_tlsv1=YES

125 #ssl_sslv3=YES

126 #ssl_sslv2=YES

127 #ssl_enable=YES

128 #force_local_logins_ssl=YES

129 guest_enable=YES    // enable guest logins

130 guest_username=user4    // guest accounts are mapped to user4

131 #force_local_data_ssl=YES

Create a file f1 and change the permissions

[root@uodekoaix security]# cd /home/user4

[root@uodekoaix user4]# touch f1

[root@uodekoaix user4]# cd ..

[root@uodekoaix home]# chmod a+rx user4

Virtual account login test
