1. Basic principles
FTP (File Transfer Protocol) is an application-layer protocol of the TCP/IP suite for copying files between two hosts, and one of the earliest protocols used on TCP/IP networks and the Internet. An FTP client sends commands to the server to download and upload files and to create or change directories on the server. The service normally involves two TCP ports. Port 21 carries the control connection (the client's commands and the server's numeric replies) and is the entry point to the server. Port 20 is the server-side source port of the data connection in active mode, where the server connects back to the address and port the client announced with a PORT command; in passive mode the client instead opens the data connection to a high port the server advertises in its 227 reply (vsftpd can pin that range with pasv_min_port and pasv_max_port so a firewall can allow it). While a transfer runs over the data connection the control connection sits idle, and a stateful firewall in front of the client may time the idle control session out during a long transfer: the file arrives intact, but the client then reports errors because its control connection has been dropped. Everything on the control connection, including the USER and PASS commands, travels in cleartext unless the server is configured for FTP over TLS (case 2 below).
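The arithmetic behind the two data-connection modes is small but easy to get wrong, and a client that trusts the advertised passive address blindly can be redirected by the server. The Python below is an added example written for this page, not code from the original article or from vsftpd: it decodes a 227 reply (the same shape vsftpd prints in the transcripts further down), builds the active-mode PORT command, and applies the address check a careful client performs. The reply strings and addresses are constructed.

```python
import re

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port).

    The port travels as two bytes, high byte first: port = p1 * 256 + p2.
    """
    if not reply.startswith("227"):
        raise ValueError("expected a 227 reply, got %r" % reply)
    match = PASV_RE.search(reply)
    if match is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in %r" % reply)
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field larger than one byte in %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def port_command(host, port):
    """Build the active-mode PORT command: the client announces the address and
    port it listens on, and the server connects to it from its port 20."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % host)
    if not 0 < port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def passive_endpoint(reply, control_peer, allow_privileged_ports=False):
    """Choose where to open the passive data connection.

    A server behind NAT (or a hostile one) may advertise an address that is not
    the host the control connection talks to. Connecting there blindly lets the
    server steer the client to an arbitrary host, so several clients ignore the
    advertised address and reuse the control peer (curl's --ftp-skip-pasv-ip
    does this). Ports below 1024 are refused by default for the same reason: a
    legitimate data port is never privileged.

    Returns (host, port, address_overridden).
    """
    host, port = parse_pasv_reply(reply)
    if port < 1024 and not allow_privileged_ports:
        raise ValueError("server advertised privileged data port %d" % port)
    if host != control_peer:
        return control_peer, port, True
    return host, port, False


if __name__ == "__main__":
    # Constructed inputs; the first 227 line is what vsftpd prints for a local client.
    print(parse_pasv_reply("227 Entering Passive Mode (127,0,0,1,99,15)"))
    print(port_command("192.168.101.5", 57130))
    print(passive_endpoint("227 Entering Passive Mode (10,0,0,9,4,1)", "192.168.101.1"))
```

When the advertised address is overridden the client still uses the advertised port, which is what makes passive mode work through NAT; a server that advertises a privileged port, or a host that is neither its own address nor a NAT alias, deserves suspicion rather than a connection.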
2. Case studies
Case 1: hands-on setup
First install the Wireshark packet-capture tool, then the vsftpd package, and start the service:
[root@uodekoaix Server]# yum install wireshark
[root@uodekoaix Server]# yum install vsftpd-2.0.5-16.el5.i386.rpm //install the vsftpd service from the local package
[root@uodekoaix Server]# service vsftpd start
Anonymous login
The test below shows that with the stock configuration an anonymous login can read /var/ftp/pub but is not allowed to copy files into it.
[root@uodekoaix ~]# useradd user1
[root@uodekoaix ~]# passwd user1
[root@uodekoaix user1]# touch f1.user1 //a marker file in /home/user1
Test: ftp://192.168.101.1
Log in with the local user.
After a successful login the file just created is visible.
The test below shows that a local-user login is allowed to upload: the stock CentOS vsftpd.conf sets write_enable=YES, and the user can write wherever ordinary Unix permissions allow (the home directory, but not /var/ftp/pub, which is root-owned with mode 755 until it is changed below).
[root@uodekoaix Server]# vim /etc/vsftpd/vsftpd.conf //enable anonymous uploads
anon_other_write_enable=YES //lets anonymous users rename and delete files and directories
anon_umask=073 //uploaded files get mode 604, so other anonymous clients can download them
Anonymous uploads also need write_enable=YES and anon_upload_enable=YES (both commented out in the stock file); anon_mkdir_write_enable=YES additionally allows directory creation. anon_other_write_enable=YES is rarely justified, because any anonymous client can then rename or delete what other clients uploaded.
[root@uodekoaix Server]# chmod o+wt /var/ftp/pub/ //make pub world-writable, with the sticky bit so users can only delete their own files
[root@uodekoaix Server]# ll -d /var/ftp/pub/
drwxr-xrwt 2 root root 4096 2009-05-13 /var/ftp/pub/
The test below shows that anonymous uploads now work. A tighter choice than o+w is to give write access only to the account vsftpd runs anonymous sessions as (ftp_username, default ftp), for example chown ftp /var/ftp/pub with mode 755, since o+w also lets every local user write there. The anonymous root itself (/var/ftp) must stay non-writable; vsftpd refuses to run with a writable anonymous root.
Ways to access the FTP server
1. Command line
? help
dir list the remote directory
!dir list the local directory
cd change the remote directory
lcd change the local directory
get download one file
mget download several files
put upload one file
mput upload several files
ascii / bin transfer in ASCII (text) or binary mode; use bin for anything that is not plain text
2. Browser: ftp://<host> (IE and others)
3. Client software
CuteFTP, LeapFTP, FlashFXP
[root@uodekoaix pub]# vim .message //shown to clients entering this directory (dirmessage_enable=YES)
message
[root@uodekoaix pub]# ftp 192.168.101.1
Connected to 192.168.101.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.101.1:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub
250-message
250 Directory successfully changed.
[root@uodekoaix pub]# vim /etc/vsftpd/vsftpd.conf //enable transfer logging (xferlog_enable=YES)
[root@uodekoaix ~]# tail -f /var/log/xferlog //watch the log
Other settings worth knowing in the same file (shown commented out, i.e. at their defaults):
#idle_session_timeout=600 //seconds a control session may sit idle before vsftpd closes it
#data_connection_timeout=120 //seconds a stalled data connection is tolerated
#ascii_upload_enable=YES
#ascii_download_enable=YES //allow ASCII-mode transfers (off by default)
deny_email_enable=YES
# (default follows)
banned_email_file=/etc/vsftpd/banned_emails //anonymous logins whose password (by convention an e-mail address) appears in this file are refused
[root@uodekoaix pub]# touch /etc/vsftpd/banned_emails
[root@uodekoaix pub]# echo "[email protected]">> /etc/vsftpd/banned_emails //the address typed at the Password: prompt below
[root@uodekoaix pub]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> //the anonymous login with the banned address fails; this is only a nuisance filter, since the "password" is whatever the client chooses to type
chroot_list_enable=YES //jail the listed users in their home directory
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list //with chroot_local_user=NO (the default), local accounts listed here are chrooted and cannot leave their home directory
[root@uodekoaix pub]# vim /etc/vsftpd/chroot_list
user1
Test with user1 below:
user1 is jailed: pwd reports "/" and cd / stays inside the home directory.
[root@uodekoaix pub]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp> cd /
250 Directory successfully changed.
ftp> dir
227 Entering Passive Mode (127,0,0,1,99,15)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 0 Aug 31 14:03 f1.user1
-rw-r--r-- 1 500 500 3984 Aug 31 14:13 т?¨τ±?τμμ (9).txt
(the second entry's name contains non-ASCII characters that the terminal encoding garbled)
226 Directory send OK.
ftp>
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
With chroot_local_user=YES the meaning of the list flips: every local user is jailed except the accounts in chroot_list, which may leave their home directory. Note that a user jailed in a home directory they can write to is a known hazard; vsftpd 2.3.5 and later refuse such logins unless allow_writeable_chroot=YES is set, while 2.0.5 allows it silently.
user1 (listed) can leave its home directory, as shown below:
[root@uodekoaix pub]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/user1"
ftp>
user2 (not listed) is jailed, as shown below:
[root@uodekoaix pub]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): user2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/"
ftp>
listen=YES //run as a standalone daemon rather than under xinetd
[root@uodekoaix vsftpd]# vim ftpusers //accounts that PAM refuses (pam_listfile, sense=deny, in /etc/pam.d/vsftpd)
user
[root@uodekoaix vsftpd]# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
The login of user1 now fails, but only after the password has been sent: pam_listfile rejects the account during PAM authentication, so the password still crosses the network.
[root@uodekoaix vsftpd]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): user1
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp>
[root@uodekoaix vsftpd]# vim user_list //consulted when userlist_enable=YES
user1
user1 is now refused as soon as the USER command arrives, before any password is requested (userlist_deny=YES, the default), so the password never crosses the network. Setting userlist_deny=NO turns user_list into an allow-list instead.
[root@uodekoaix vsftpd]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): user1
530 Permission denied.
Login failed.
[root@uodekoaix vsftpd]# vim /etc/hosts.allow //needs tcp_wrappers=YES in vsftpd.conf
vsftpd:192.168.101.2 :deny
vsftpd:all:allow
The first matching line wins, so the deny rule must precede the allow-all rule. The test below shows host 192.168.101.2 being refused before it sees the 220 banner.
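The checks exercised since the chroot tests (tcp_wrappers, user_list, ftpusers through PAM, and the two chroot switches) run in a fixed order, and whether a refusal happens before or after the password is sent matters for a server exposed to the network. The Python simulator below is an added example written for this page, not vsftpd code: it models the stock CentOS 5 behaviour described above (pam_listfile rejecting accounts in /etc/vsftpd/ftpusers, userlist_deny defaulting to YES, hosts.allow with first-match semantics) and the list contents and addresses are constructed from the transcripts.

```python
def parse_vsftpd_conf(text):
    """Minimal key=value parser for vsftpd.conf; comments and blank lines are ignored."""
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def _yes(conf, key, default):
    return conf.get(key, default).upper() == "YES"


def _names(listfile):
    """One account name per line, as in user_list, ftpusers and chroot_list."""
    return {l.strip() for l in listfile.splitlines() if l.strip() and not l.startswith("#")}


def hosts_allow_permits(rules, client_ip):
    """tcp_wrappers semantics for /etc/hosts.allow: 'daemon : client [: allow|deny]',
    first matching line wins, a line without an option allows. Returns True,
    False, or None when nothing matched (hosts.deny is not modelled here)."""
    for line in rules.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        daemon, client = fields[0].lower(), fields[1]
        option = fields[2].lower() if len(fields) > 2 else "allow"
        if daemon not in ("all", "vsftpd"):
            continue
        matched = (client.lower() == "all" or client == client_ip
                   or (client.endswith(".") and client_ip.startswith(client)))
        if matched:
            return option != "deny"
    return None


def login_verdict(conf_text, user, password_ok, client_ip="127.0.0.1",
                  hosts_allow="", user_list="", ftpusers="", chroot_list=""):
    """Walk the gates in the order vsftpd applies them.

    Returns (gate, server_reply, jailed): gate names the first check that
    refused the login ('ok' if none did); jailed is True when the session is
    chrooted to the home directory (pwd then reports "/").
    """
    conf = parse_vsftpd_conf(conf_text)

    # 1. tcp_wrappers runs before the 220 banner: a denied host never reaches vsftpd.
    if _yes(conf, "tcp_wrappers", "NO") and hosts_allow_permits(hosts_allow, client_ip) is False:
        return "tcp_wrappers", "connection closed before the 220 banner", None

    # 2. user_list is checked on USER, before any password is requested.
    if _yes(conf, "userlist_enable", "NO"):
        listed = user in _names(user_list)
        deny_list = _yes(conf, "userlist_deny", "YES")
        if listed == deny_list:        # on a deny-list, or missing from an allow-list
            return "user_list", "530 Permission denied.", None

    # 3. PAM runs after PASS: pam_listfile (sense=deny, file=/etc/vsftpd/ftpusers)
    #    and a wrong password both surface as the same reply.
    if user in _names(ftpusers) or not password_ok:
        return "pam", "530 Login incorrect.", None

    # 4. chroot: chroot_list is always the exception list. With chroot_local_user=NO
    #    only listed users are jailed; with YES everyone except the listed users is.
    jail_all = _yes(conf, "chroot_local_user", "NO")
    listed = _yes(conf, "chroot_list_enable", "NO") and user in _names(chroot_list)
    return "ok", "230 Login successful.", jail_all != listed


if __name__ == "__main__":
    # Constructed from the configuration and lists used in the tests above.
    base = "userlist_enable=YES\ntcp_wrappers=YES\nchroot_list_enable=YES\n"
    print(login_verdict(base, "user1", True, chroot_list="user1"))
    print(login_verdict(base + "chroot_local_user=YES\n", "user2", True, chroot_list="user1"))
    print(login_verdict(base, "user1", True, user_list="user1"))
    print(login_verdict(base, "user1", True, client_ip="192.168.101.2",
                        hosts_allow="vsftpd:192.168.101.2 :deny\nvsftpd:all:allow\n"))
```

The practical consequence: accounts that must never log in over FTP (root, system accounts, staff who should use SFTP) belong in user_list, where they are refused without a password exchange, while ftpusers alone still lets the password travel in cleartext before the refusal.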
Case 2: adding SSL/TLS to the FTP server so that logins and data are encrypted
[root@uodekoaix Server]# cd /etc/pki/CA/
[root@uodekoaix CA]# ll
total 8
drwx------ 2 root root 4096 2009-06-30 private
[root@uodekoaix CA]# cd ..
Edit the CA's OpenSSL configuration file
[root@uodekoaix pki]# vim tls/openssl.cnf
dir = /etc/pki/CA # Where everything is kept
In the policy section the CA applies (policy_match by default), relax which fields a request must share with the CA certificate; only the commonName has to be supplied:
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
Defaults offered at the request prompts:
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = BEIJING

localityName = Locality Name (eg, city)
localityName_default = BEIJING

0.organizationName = Organization Name (eg, company)
0.organizationName_default = My Company Ltd
Create three directories and two files under the CA directory, and seed serial with 01
[root@uodekoaix pki]# cd CA
[root@uodekoaix CA]# mkdir crl certs newcerts
[root@uodekoaix CA]# touch index.txt serial
[root@uodekoaix CA]# echo "01">serial
Create the CA's private key and restrict its permissions. A 1024-bit RSA key was marginal even in 2012; use at least 2048 bits today, and set a restrictive umask (umask 077) before the key is written rather than tightening the mode afterwards.
[root@uodekoaix CA]# openssl genrsa 1024 >private/cakey.pem
Generating RSA private key, 1024 bit long modulus
..................................++++++
.................++++++
e is 65537 (0x10001)
[root@uodekoaix CA]# chmod 600 private/*
Create the CA's self-signed certificate (this is the CA certificate itself, not an issued server certificate). Without -days, req -x509 makes it valid for OpenSSL's default of 30 days, so pass -days for a CA that is meant to last.
[root@uodekoaix CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:sec
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:
Create a certs directory for the FTP server's own key, request and certificate
[root@uodekoaix CA]# mkdir /etc/vsftpd/certs
[root@uodekoaix CA]# openssl genrsa 1024 >vsfptd.key //note the typo (vsfptd) and the directory: this writes the key into /etc/pki/CA, not /etc/vsftpd/certs
Generate the key file
Generating RSA private key, 1024 bit long modulus
..............................++++++
...............................++++++
e is 65537 (0x10001)
Generate the request file
[root@uodekoaix CA]# openssl req -new -key vsftpd.key -out vsftpd.csr
Error opening Private Key vsftpd.key
7911:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('vsftpd.key','r')
7911:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load Private Key
The request fails because the key was written as vsfptd.key in the CA directory. The page does not show the fix: the key has to exist as /etc/vsftpd/certs/vsftpd.key (regenerated there, or moved and renamed) before the next command succeeds.
[root@uodekoaix CA]# cd /etc/vsftpd/certs/
[root@uodekoaix certs]# openssl req -new -key vsftpd.key -out vsftpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Have the CA sign the request
[root@uodekoaix certs]# openssl ca -in vsftpd.csr -out vsftpd.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 31 17:45:35 2012 GMT
Not After : Aug 31 17:45:35 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = BEIJING
organizationName = abc
organizationalUnitName = etc
commonName = ftp.abc.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
85:ED:3A:5F:B0:AC:82:2E:8D:C6:2D:81:37:D5:AB:39:EF:78:B6:6B
X509v3 Authority Key Identifier:
keyid:AA:07:05:D0:70:9C:3F:E5:D4:01:94:07:AA:76:52:A8:98:9B:85:64
Certificate is to be certified until Aug 31 17:45:35 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
The subject of the issued certificate (O=abc, OU=etc, CN=ftp.abc.com) does not match the blank answers in the request transcript above, so that request cannot be the one that was signed: with commonName = supplied in the policy, openssl ca rejects a request with an empty commonName. The commonName must be the host name clients connect to, or any client that verifies certificates will reject it.
Tie the certificate into vsftpd by editing the main configuration file /etc/vsftpd/vsftpd.conf
[root@uodekoaix pki]# vim /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
rsa_cert_file=/etc/vsftpd/certs/vsftpd.cert //location of the certificate file
rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key //location of the private key; keep it root-owned with mode 600
ssl_tlsv1=YES //TLS
ssl_sslv3=YES
ssl_sslv2=YES //the page enables the legacy SSL versions as well; both are broken and should be set to NO, leaving TLS only
ssl_enable=YES //turn on SSL/TLS support
force_local_logins_ssl=YES //local users must log in over an encrypted control connection
force_local_data_ssl=YES //local users' data connections must be encrypted too
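The settings accumulated in case 1 and case 2 mix convenient and risky choices: a world-writable anonymous area with rename and delete, SSLv2 and SSLv3 switched on, local users not jailed. The Python check below is an added example written for this page, not part of vsftpd; it reads a vsftpd.conf and reports what a reviewer would flag, using the defaults documented in vsftpd.conf(5). The two embedded configurations are constructed: PAGE_CONF collects the directives shown on this page (plus the write_enable and anon_upload_enable lines the anonymous-upload test requires), HARDENED_CONF shows the corrected equivalents.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "severity key message")

# Constructed from the directives shown on this page, plus write_enable and
# anon_upload_enable, which the anonymous-upload test in case 1 depends on.
PAGE_CONF = """
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_other_write_enable=YES
anon_umask=073
xferlog_enable=YES
chroot_list_enable=YES
userlist_enable=YES
tcp_wrappers=YES
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=YES
ssl_sslv2=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

# The same server with the findings addressed (also constructed).
HARDENED_CONF = """
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=077
chroot_local_user=YES
xferlog_enable=YES
userlist_enable=YES
tcp_wrappers=YES
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=NO
ssl_sslv2=NO
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""


def parse_vsftpd_conf(text):
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def _yes(conf, key, default):
    return conf.get(key, default).upper() == "YES"


def audit_vsftpd_conf(text):
    """Findings for one vsftpd.conf, highest severity first; defaults follow vsftpd.conf(5)."""
    conf, out = parse_vsftpd_conf(text), []
    if _yes(conf, "anonymous_enable", "YES"):          # YES is vsftpd's compiled-in default
        out.append(Finding("info", "anonymous_enable", "anonymous logins are enabled"))
        if _yes(conf, "write_enable", "NO") and _yes(conf, "anon_upload_enable", "NO"):
            out.append(Finding("medium", "anon_upload_enable", "anonymous clients can upload into writable directories"))
        if _yes(conf, "anon_other_write_enable", "NO"):
            out.append(Finding("high", "anon_other_write_enable", "anonymous clients can rename and delete files, including other clients' uploads"))
        if int(conf.get("anon_umask", "077"), 8) & 0o004 == 0:   # other-read bit left unmasked
            out.append(Finding("info", "anon_umask", "anonymous uploads are world-readable, so the drop box is also a public share"))
    if _yes(conf, "local_enable", "NO"):
        if not _yes(conf, "chroot_local_user", "NO"):
            out.append(Finding("medium", "chroot_local_user", "local users are not jailed and can browse the whole filesystem"))
        if not _yes(conf, "ssl_enable", "NO"):
            out.append(Finding("high", "ssl_enable", "local passwords and data cross the network in cleartext"))
    if _yes(conf, "ssl_enable", "NO"):
        for legacy in ("ssl_sslv2", "ssl_sslv3"):
            if _yes(conf, legacy, "NO"):
                out.append(Finding("high", legacy, legacy + "=YES enables a broken protocol version; set it to NO"))
        for forced in ("force_local_logins_ssl", "force_local_data_ssl"):
            if not _yes(conf, forced, "YES"):
                out.append(Finding("high", forced, forced + "=NO lets a client fall back to cleartext"))
    if not _yes(conf, "xferlog_enable", "NO"):
        out.append(Finding("medium", "xferlog_enable", "transfers are not logged, so there is no audit trail"))
    rank = {"high": 0, "medium": 1, "info": 2}
    return sorted(out, key=lambda f: rank[f.severity])


if __name__ == "__main__":
    for name, text in (("page", PAGE_CONF), ("hardened", HARDENED_CONF)):
        print(name, [(f.severity, f.key) for f in audit_vsftpd_conf(text)] or "clean")
```

Run it against /etc/vsftpd/vsftpd.conf with audit_vsftpd_conf(open(path).read()). The check deliberately reads only the configuration; file modes of the private key and of the anonymous tree still have to be inspected on the host.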
Restart vsftpd (and use chkconfig vsftpd on to start it at boot)
[root@uodekoaix certs]# service vsftpd restart
Test with the FlashFXP client
The client shows the certificate issued above
The connection succeeds and lands in user2's home directory
Capturing the control connection confirms that SSL/TLS is in use
[root@uodekoaix ~]# tshark -ni eth1 -R "tcp.dstport eq 21"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
70.949540 192.168.101.5 -> 192.168.101.1 FTP Request: \025\003\000\000\030f\267!\345|\341\024'=4UT\253\262\245dzY\230uoOzA
70.950319 192.168.101.5 -> 192.168.101.1 TCP 57130 > 21 [RST, ACK] Seq=60 Ack=19 Win=0 Len=0
113.210988 192.168.101.5 -> 192.168.101.1 FTP Request: \025\003\000\000\030\033\367\275\026(u\275j\351$\271a\016b(\005\322\246J\277\310]\226`
113.212027 192.168.101.5 -> 192.168.101.1 TCP 57132 > 21 [FIN, ACK] Seq=30 Ack=11 Win=16292 Len=0
113.212029 192.168.101.5 -> 192.168.101.1 TCP 57132 > 21 [RST, ACK] Seq=31 Ack=11 Win=0 Len=0
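The two "FTP Request" lines above are not FTP commands at all: tshark prints the raw bytes of a TLS record it could not parse as FTP, escaping non-printable bytes as C octal sequences. The Python decoder below is an added example written for this page, not part of tshark or vsftpd; it turns those escaped strings back into bytes and reads the five-byte record header. The two strings are copied from the capture above, everything else is constructed.

```python
import struct
from collections import namedtuple

TLSRecord = namedtuple("TLSRecord", "content_type version length payload_complete")

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def unescape_tshark(text):
    """Undo tshark's C-style octal escapes (\\025 -> 0x15); printable bytes stay as they are."""
    return text.encode("latin-1").decode("unicode_escape").encode("latin-1")


def parse_tls_record(data):
    """Read a TLS/SSL record header: content type (1 byte), version (2), payload length (2)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes, got %d" % len(data))
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype not in CONTENT_TYPES or major != 3:
        raise ValueError("not a TLS/SSL record header: %r" % data[:5])
    return TLSRecord(CONTENT_TYPES[ctype],
                     VERSIONS.get((major, minor), "unknown 3.%d" % minor),
                     length,
                     len(data) - 5 >= length)


def describe(record):
    """One-line reading of a record, with the alert-size rule a reviewer applies:
    a cleartext alert is exactly 2 bytes, so a longer one was sent after the
    handshake completed and is encrypted and MAC-protected."""
    text = "%s record, %s, %d-byte payload" % (record.content_type, record.version, record.length)
    if record.content_type == "alert":
        text += " (encrypted alert, sent after the handshake)" if record.length > 2 else " (cleartext alert)"
    return text


# Copied from the tshark output above: each control session ends with one alert record.
CAPTURED = [
    r"\025\003\000\000\030f\267!\345|\341\024'=4UT\253\262\245dzY\230uoOzA",
    r"\025\003\000\000\030\033\367\275\026(u\275j\351$\271a\016b(\005\322\246J\277\310]\226`",
]

if __name__ == "__main__":
    for line in CAPTURED:
        print(describe(parse_tls_record(unescape_tshark(line))))
```

Both captured records decode as type 21 (alert) with record-layer version 3.0, that is SSLv3, which ssl_sslv3=YES in the configuration above permits, and each carries exactly the 24 payload bytes its length field announces. An encrypted SSLv3 alert of 24 bytes is consistent with the 2-byte alert plus a 20-byte SHA-1 MAC padded to the 8-byte 3DES block that vsftpd's documented default ssl_ciphers (DES-CBC3-SHA) would produce, though the capture alone does not prove which suite was negotiated. The client sends the alert to close the session and then resets the connection.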
Case 3: virtual accounts
Add the local account that virtual users will be mapped to
[root@uodekoaix vsftpd]# useradd user4
[root@uodekoaix vsftpd]# passwd user4
Add the virtual accounts: the file alternates one username line with one password line
[root@uodekoaix vsftpd]# vim viruser.txt
test
123
test1
123
[root@uodekoaix Server]# rpm -ivh db4-utils-4.3.29-10.el5.i386.rpm //provides db_load
Build the virtual account database
[root@uodekoaix Server]# cd /etc/vsftpd/
[root@uodekoaix vsftpd]# db_load -T -t hash -f viruser.txt viruser.db
The database stores the passwords exactly as typed, in cleartext (pam_userdb only compares crypt(3) hashes when it is given crypt=crypt), so restrict it with chmod 600 viruser.db and delete viruser.txt once the database has been built.
[root@uodekoaix vsftpd]# find / -name pam_listfile.so //only locates the PAM module directory; the module used below is pam_userdb.so
/lib/security/pam_listfile.so
[root@uodekoaix vsftpd]# cd /lib/security/
Point PAM at the virtual account database (the db= path is given without the .db suffix)
[root@uodekoaix security]# vim /etc/pam.d/vsftpd
auth required pam_userdb.so db=/etc/vsftpd/viruser
account required pam_userdb.so db=/etc/vsftpd/viruser
Replacing the stock stack with these two lines means local Unix accounts can no longer log in over FTP and the ftpusers check from case 1 is gone; if both kinds of login are wanted, the pam_userdb lines go ahead of the original stack marked sufficient instead of required.
Map guest logins to the local account
[root@uodekoaix security]# vim /etc/vsftpd/vsftpd.conf
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
#rsa_cert_file=/etc/vsftpd/certs/vsftpd.cert
#rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key
#ssl_tlsv1=YES
#ssl_sslv3=YES
#ssl_sslv2=YES
#ssl_enable=YES //the TLS setup from case 2 is switched off again here, so the virtual users' passwords travel in cleartext; it can stay enabled, as guest logins are covered by force_local_logins_ssl
#force_local_logins_ssl=YES
guest_enable=YES //treat every non-anonymous login as a guest
guest_username=user4 //guest sessions run as the local account user4
#force_local_data_ssl=YES
Create a file f1 and adjust permissions
[root@uodekoaix security]# cd /home/user4
[root@uodekoaix user4]# touch f1
[root@uodekoaix user4]# cd ..
[root@uodekoaix home]# chmod a+rx user4 //makes the home world-readable; the virtual users themselves run as user4 and do not need it, and it exposes their files to every local account
Virtual account login test
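db_load -T reads the file above as alternating key and value lines, so one stray or missing line silently shifts every later password onto the wrong username, and the passwords land in the database exactly as typed. The Python helper below is an added example written for this page, not part of vsftpd or db4-utils: it produces the db_load input from a list of accounts and checks an existing viruser.txt for the mistakes that matter. The accounts are the constructed ones from the page (test/123, test1/123); the username pattern and the minimum password length are this example's own policy.

```python
import re

# Names vsftpd hands to PAM; restrict them to the safe Unix account charset (example policy).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")
MIN_PASSWORD_LEN = 8


def render_db_load_input(accounts):
    """Return the text for db_load -T -t hash -f: a key line, a value line, repeated."""
    seen = set()
    lines = []
    for user, password in accounts:
        if not USERNAME_RE.match(user):
            raise ValueError("unsafe username %r" % user)
        if user in seen:
            raise ValueError("duplicate username %r" % user)
        if not password or "\n" in password or "\r" in password:
            raise ValueError("empty or multi-line password for %r" % user)
        seen.add(user)
        lines.extend([user, password])
    return "\n".join(lines) + "\n"


def check_db_load_input(text):
    """Problems in an existing viruser.txt as 'line N: ...' strings; empty when clean."""
    lines = text.splitlines()
    problems = []
    if len(lines) % 2:
        problems.append("line %d: username %r has no password line" % (len(lines), lines[-1]))
    users = lines[0::2]
    passwords = lines[1::2]
    for i, user in enumerate(users):
        if not USERNAME_RE.match(user):
            problems.append("line %d: unsafe or empty username %r" % (2 * i + 1, user))
        elif user in users[:i]:
            problems.append("line %d: duplicate username %r" % (2 * i + 1, user))
    for i, pw in enumerate(passwords):
        if len(pw) < MIN_PASSWORD_LEN:
            problems.append("line %d: password for %r is shorter than %d characters"
                            % (2 * i + 2, users[i], MIN_PASSWORD_LEN))
        if passwords.index(pw) != i:
            problems.append("line %d: password for %r is reused by %r"
                            % (2 * i + 2, users[i], users[passwords.index(pw)]))
    return problems


if __name__ == "__main__":
    page_file = render_db_load_input([("test", "123"), ("test1", "123")])
    print(page_file, end="")
    for problem in check_db_load_input(page_file):
        print(problem)
```

Feed the rendered text to db_load -T -t hash -f on the server, then chmod 600 the resulting .db and remove the text file; the passwords in the database are only as safe as the file permissions around them unless pam_userdb is switched to crypt=crypt with hashed values.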