Introduction:
FTPS is a file transfer protocol that amounts to an encrypted version of FTP. When you send and receive files through an FTP server you face two risks. The first is protecting the files while they are being uploaded. The second is that the files sit on the FTP server until the recipient downloads them, and you have to keep them safe there in the meantime. Your second option (creating an SSL-enabled FTP server) lets your host upload the files over an FTPS connection, which means encrypting both the control and data channels with an SSL layer underneath the FTP protocol. An alternative to FTPS is the SSH File Transfer Protocol (SFTP), which uses SSH to encrypt the file transfer connection from the client to the server.
FTPS is an enhanced FTP that carries the standard FTP protocol and commands over Secure Sockets Layer, adding SSL protection to the FTP control and data channels. FTPS is also called "FTP-SSL" and "FTP-over-SSL". SSL is a protocol that encrypts and decrypts data on a secure connection between a client and an SSL-capable server.
First, install the packet-capture tool:
[root@localhost ~]# yum list all | grep wireshark    (search for the wireshark packages)
wireshark.i386 1.0.8-1.el5_3.1 rhel-server
wireshark-gnome.i386 1.0.8-1.el5_3.1 rhel-server    (for desktop environments)
Package to install: wireshark
[root@localhost ~]# yum install -y wireshark
[root@localhost ~]# rpm -ql wireshark |less
The capture tool itself is /usr/sbin/tshark
Make sure vsftpd is running: service vsftpd start
[root@localhost ~]# tshark -ni eth0 -R "tcp.dstport eq 21"
In a Windows command prompt, enter:
You can also log in from Linux:
FTPS steps:
Set up the CA
[root@localhost ~]# cd /etc/pki/
[root@localhost pki]# ll
total 36
drwx------ 3 root root 4096 Feb 9 00:16 CA
drwxr-xr-x 4 root root 4096 Mar 20 10:27 dovecot
drwxr-xr-x 2 root root 4096 Feb 9 00:15 nssdb
drwxr-xr-x 2 root root 4096 Feb 9 00:15 rpm-gpg
drwxr-xr-x 5 root root 4096 Mar 20 19:37 tls
[root@localhost pki]# vim tls/openssl.cnf
[root@localhost pki]# cd CA    (change to the CA directory)
[root@localhost CA]# mkdir certs crl newcerts    (create the three directories)
[root@localhost CA]# touch index.txt serial    (create the two files)
[root@localhost CA]# echo "01" >serial    (give serial its initial value)
[root@localhost CA]# ll    (list the directory)
total 24
drwxr-xr-x 2 root root 4096 Mar 20 20:08 certs
drwxr-xr-x 2 root root 4096 Mar 20 20:08 crl
-rw-r--r-- 1 root root 0 Mar 20 20:08 index.txt
drwxr-xr-x 2 root root 4096 Mar 20 20:08 newcerts
drwx------ 2 root root 4096 Jun 30 2009 private
-rw-r--r-- 1 root root 3 Mar 20 20:09 serial
Create the CA's private key:
[root@localhost CA]# openssl genrsa 1024 >private/cakey.pem
Generating RSA private key, 1024 bit long modulus
..........++++++
.++++++
e is 65537 (0x10001)
Create the CA certificate:
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:BEIJING
Organization Name (eg, company) [My Company Ltd]:SECCENTER
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:rootca.net.net
Email Address []:
[root@localhost CA]# ll
total 28
-rw-r--r-- 1 root root 1155 Mar 20 20:17 cacert.pem
drwxr-xr-x 2 root root 4096 Mar 20 20:08 certs
drwxr-xr-x 2 root root 4096 Mar 20 20:08 crl
-rw-r--r-- 1 root root 0 Mar 20 20:08 index.txt
drwxr-xr-x 2 root root 4096 Mar 20 20:08 newcerts
drwx------ 2 root root 4096 Mar 20 20:11 private
-rw-r--r-- 1 root root 3 Mar 20 20:09 serial
[root@localhost CA]# chmod 600 private/cakey.pem    (restrict the key's permissions)
[root@localhost CA]# mkdir /etc/vsftpd/certs    (create the directory)
[root@localhost CA]# cd /etc/vsftpd/certs/    (change to the directory)
[root@localhost certs]# ll    (list the directory)
total 0
Generate the server key:
[root@localhost certs]# openssl genrsa 1024 >vsftpd.key
Generating RSA private key, 1024 bit long modulus
...........++++++
.++++++
e is 65537 (0x10001)
Create a certificate request from the key:
[root@localhost certs]# openssl req -new -key vsftpd.key -out vsftpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:zzdx
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:ftp.zzdx.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Have the CA issue a certificate from the request:
[root@localhost certs]# openssl ca -in vsftpd.csr -out vsftpd.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 20 12:27:04 2012 GMT
Not After : Mar 20 12:27:04 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = HENAN
organizationName = zzdx
organizationalUnitName = tec
commonName = ftp.zzdx.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
54:FA:EA:A7:E0:8B:72:DF:57:37:4E:41:84:AA:BA:1A:AB:C4:B7:C9
X509v3 Authority Key Identifier:
keyid:8F:9B:34:8D:DA:DD:63:D5:0B:07:AF:F4:E4:E0:C9:6C:04:44:65:CC
Certificate is to be certified until Mar 20 12:27:04 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost certs]# ll    (list the certificate files)
total 12
-rw-r--r-- 1 root root 3075 Mar 20 20:27 vsftpd.cert
-rw-r--r-- 1 root root 647 Mar 20 20:23 vsftpd.csr
-rw-r--r-- 1 root root 887 Mar 20 20:19 vsftpd.key
[root@localhost certs]# chmod 600 *    (restrict permissions on the certificate files)
[root@localhost certs]# ll
總計 12
-rw------- 1 root root 3075 03-21 11:01 vsftpd.cert
-rw------- 1 root root 647 03-21 10:57 vsftpd.csr
-rw------- 1 root root 887 03-21 10:52 vsftpd.key
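The same CA and certificate procedure, as an added example that is not part of the original page: a POSIX shell script that repeats the steps above non-interactively in a scratch directory, with its own minimal openssl.cnf so that the `dir`, `database`, `serial` and `new_certs_dir` settings implied by the page's edit of tls/openssl.cnf are visible, and ending with the `openssl verify` check the page does not show. The DN values and hostnames (rootca.net.net, ftp.zzdx.com) are the page's; the 2048-bit keys, the SHA-256 digest and the keyUsage/subjectAltName extensions are this example's choices, since 1024-bit RSA is below current minimums and CN-only server certificates are no longer accepted by many TLS clients.

```shell
#!/bin/sh
# Added example (not the page's own commands): the CA and server-certificate steps
# above, run non-interactively in a scratch directory with a private openssl.cnf,
# ending with the chain check the page omits. DN values and hostnames are the
# page's; the 2048-bit keys, SHA-256 digest and extensions are this example's.
set -u

# Minimal CA config. The [ CA_default ] paths are what the page's edit of
# /etc/pki/tls/openssl.cnf has to point at /etc/pki/CA. DN fields missing from
# the policy are dropped by 'openssl ca' (which is why the issued certificate on
# the page has no localityName), so localityName is listed here.
write_ca_config() {
    cadir=$1; out=$2
    cat >"$out" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $cadir
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ftp.zzdx.com
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Recreate the page's CA layout (certs crl newcerts private, index.txt, serial=01)
# under $1, mint the vsftpd certificate, and return 0 only if it verifies.
build_demo_ca() {
    work=$1; ca="$work/ca"; srv="$work/vsftpd"; cfg="$work/openssl.cnf"
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private" "$srv" || return 1
    touch "$ca/index.txt" && echo 01 >"$ca/serial"
    write_ca_config "$ca" "$cfg"
    # CA key and self-signed CA certificate (page: rootca.net.net, 10 years).
    openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null || return 1
    chmod 600 "$ca/private/cakey.pem"
    openssl req -new -x509 -config "$cfg" -key "$ca/private/cakey.pem" -days 3650 \
        -subj "/C=CN/ST=BEIJING/L=BEIJING/O=SECCENTER/OU=tec/CN=rootca.net.net" \
        -out "$ca/cacert.pem" || return 1
    # Server key, CSR and CA-signed certificate (page: ftp.zzdx.com).
    openssl genrsa -out "$srv/vsftpd.key" 2048 2>/dev/null || return 1
    openssl req -new -config "$cfg" -key "$srv/vsftpd.key" -out "$srv/vsftpd.csr" \
        -subj "/C=CN/ST=HENAN/L=ZHENGZHOU/O=zzdx/OU=tec/CN=ftp.zzdx.com" || return 1
    openssl ca -batch -config "$cfg" -in "$srv/vsftpd.csr" -out "$srv/vsftpd.cert" \
        >/dev/null 2>&1 || return 1
    chmod 600 "$srv"/*
    # The check the page never runs: does vsftpd.cert chain to cacert.pem?
    openssl verify -CAfile "$ca/cacert.pem" "$srv/vsftpd.cert" >/dev/null
}

# One-line subject of a certificate, for inspection.
cert_subject() { openssl x509 -in "$1" -noout -subject; }

# Usage: build everything in a temporary directory and report the outcome.
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    if build_demo_ca "$demo"; then
        echo "verified: $(cert_subject "$demo/vsftpd/vsftpd.cert")"
    else
        echo "certificate build failed" >&2
    fi
fi
```

Because `openssl ca` copies only the DN fields named in the policy section, a CSR field that is not listed there silently disappears from the issued certificate; that is what happened to ZHENGZHOU in the output above, and it is worth checking the issued subject before handing the certificate to vsftpd.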
FTP server + certificate
[root@localhost certs]# vim /etc/vsftpd/vsftpd.conf
[root@localhost certs]# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
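The content of the vsftpd.conf edit above is not shown on the page. As an added example (not the author's configuration), the following script appends the vsftpd SSL directives that the certificate layout above calls for and then checks that TLS is not merely offered but required. The directive names are real vsftpd options and the certificate paths match /etc/vsftpd/certs; the cipher string, the passive port range, and forcing TLS for anonymous users as well are this example's choices.

```shell
#!/bin/sh
# Added example (not the author's vsftpd.conf): apply the FTPS directives the
# certificate setup above calls for, and check that a config really enforces
# TLS rather than merely offering it. Directive names are vsftpd's; the cipher
# string and passive port range are this example's choices.

# Rewrite the vsftpd.conf given as $1 so that TLS is enabled and required.
# Earlier values of the same directives (e.g. ssl_enable=NO) are removed first,
# so the function is safe to rerun.
enable_vsftpd_ssl() {
    conf=$1; tmp="$conf.tmp"
    grep -v -E '^(ssl_enable|allow_anon_ssl|force_(local|anon)_(logins|data)_ssl|ssl_(sslv2|sslv3|tlsv1)|ssl_ciphers|rsa_(cert|private_key)_file|pasv_(min|max)_port)=' "$conf" >"$tmp" || :
    mv "$tmp" "$conf" || return 1
    cat >>"$conf" <<'EOF'

# --- FTPS: explicit TLS on the control port (21) ---
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/certs/vsftpd.cert
rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key
# Offering TLS is not enough: refuse any login or data transfer in the clear.
force_local_logins_ssl=YES
force_local_data_ssl=YES
allow_anon_ssl=YES
force_anon_logins_ssl=YES
force_anon_data_ssl=YES
# SSLv2/SSLv3 off, TLS on, strong ciphers only.
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
ssl_ciphers=HIGH
# An encrypted control channel hides PASV replies from the firewall, so pin the
# passive data ports to a range the firewall can open explicitly.
pasv_min_port=40000
pasv_max_port=40100
EOF
}

# Return 0 only if TLS is enabled, plaintext logins and data are refused, the
# certificate files are configured, and SSLv2/SSLv3 are disabled.
check_vsftpd_ssl() {
    conf=$1
    for want in ssl_enable=YES force_local_logins_ssl=YES force_local_data_ssl=YES \
                rsa_cert_file= rsa_private_key_file= ssl_sslv2=NO ssl_sslv3=NO; do
        grep -q "^$want" "$conf" || return 1
    done
    return 0
}

# Usage on a constructed stand-in for the stock vsftpd.conf (not the real file).
sample=$(mktemp)
printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' 'write_enable=YES' 'listen=YES' >"$sample"
check_vsftpd_ssl "$sample" && echo "before: TLS enforced" || echo "before: plaintext FTP allowed"
enable_vsftpd_ssl "$sample"
check_vsftpd_ssl "$sample" && echo "after: TLS enforced" || echo "after: plaintext FTP allowed"
```

vsftpd requires `option=value` with no spaces around the `=`, which is why the check greps for the exact `^name=value` form. With `ssl_enable=YES` alone, a client may still log in over plain FTP; the two `force_*_ssl` directives are what make the cleartext login captured earlier impossible.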
User login:
[root@localhost ~]# tshark -ni eth0 -R "tcp.dstport eq 21"
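What the two captures (before and after the certificate setup) should differ in, as an added example rather than output from the page: a shell function that audits FTP control-channel text and fails when a USER or PASS command is readable before a successful AUTH TLS exchange. The dialogues below are constructed samples, not real captures; the vsftpd banner wording is an assumption.

```shell
#!/bin/sh
# Added example: audit FTP control-channel text (as read from a plaintext
# capture) for credentials sent in the clear. Sample dialogues are constructed.

# Return 0 when no USER/PASS command crosses the wire in the clear, 1 otherwise.
# Once the server answers "234" to AUTH TLS the channel is encrypted, so later
# commands cannot be read from a capture and are not counted. A client that
# falls back to plaintext after a refused AUTH TLS (5xx reply) is still caught.
audit_ftp_control() {
    awk '
        /^AUTH TLS/              { asked = 1 }
        asked && /^234 /         { tls = 1 }
        /^(USER|PASS) / && !tls  { leaked++; print "cleartext credential: " $0 }
        END                      { exit (leaked > 0) }
    ' "$1"
}

# Constructed capture of a login before the change: everything is readable.
plain_cap=$(mktemp)
cat >"$plain_cap" <<'EOF'
220 (vsFTPd 2.0.5)
USER ftpuser
331 Please specify the password.
PASS s3cret
230 Login successful.
EOF

# Constructed capture after the change: the client negotiates TLS first, so the
# USER and PASS commands never appear as text in the capture.
tls_cap=$(mktemp)
cat >"$tls_cap" <<'EOF'
220 (vsFTPd 2.0.5)
AUTH TLS
234 Proceed with negotiation.
EOF

# Usage: the exit status says whether a session exposed credentials.
audit_ftp_control "$plain_cap" && echo "plain: clean" || echo "plain: credentials exposed"
audit_ftp_control "$tls_cap"   && echo "tls: clean"   || echo "tls: credentials exposed"
```

With the port-21 filter above, the first capture shows the USER and PASS lines in full; after `force_local_logins_ssl=YES` only the AUTH TLS command and the 234 reply remain readable, and everything that follows is TLS record data.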