
FTP server deployment on Linux: FTPS (FTP+SSL)

<b>FTPS (FTP+SSL)</b>

FTPS is FTP with an encryption layer underneath it, in effect an encrypted variant of FTP (it is not a separate "multi-transport" protocol). When you exchange files through an FTP server you face two risks. The first is that plain FTP carries the login and the file contents in cleartext while they are being uploaded, so anyone on the path can read or alter them. The second is that the files sit on the FTP server until the recipient downloads them, and you have to keep them safe there. Building an SSL/TLS-enabled FTP server addresses the first risk: hosts upload over an FTPS connection, which puts an SSL/TLS layer beneath the FTP protocol so that both the control channel and the data channel are encrypted. An alternative to FTPS is SFTP, the SSH File Transfer Protocol; despite the name it is not FTP carried over SSH but a separate file-transfer protocol that runs inside an SSH session.

FTPS is an extension of FTP that runs the standard FTP protocol and commands over the Secure Sockets Layer, adding SSL protection to the FTP control and data channels. FTPS is also called "FTP-SSL" and "FTP-over-SSL". SSL is the protocol that encrypts and decrypts data on a secure connection between a client and an SSL-capable server; today that layer is TLS, SSL's successor, even though vsftpd's option names still say "ssl".

和sftp連接配接方法類似,在windows中可以使用FileZilla等傳輸軟體來連接配接FTPS進行上傳,下載下傳檔案,建立,删除目錄等操作,在FileZilla連接配接時,有顯式和隐式TLS/SSL連接配接之分,連接配接時也有指紋提示。

Security: FTPS = FTP + SSL/TLS

<b>Preparation:</b>

<b>Step 1: stop the firewall;</b> (for this lab only: in production open TCP 21 plus the passive-mode port range instead, because once the control channel is encrypted the firewall's FTP helper can no longer read the PASV replies and open data ports on demand)

<b>Step 2: mount the installation CD;</b>

<b>Step 3: build a local yum repository.</b>

<b>FTP+SSL configuration, step by step:</b>

<b>①. Install and configure the FTP server and a packet capture tool (ftp: 192.168.101.210)</b>

[root@ftp ~]# yum list all |grep vsftpd

[root@ftp ~]# yum install -y vsftpd

[root@ftp ~]# yum list all |grep wireshark

[root@ftp ~]# yum install -y wireshark

[root@ftp ~]# useradd user1

[root@ftp ~]# echo "123" |passwd --stdin user1

[root@ftp ~]# service vsftpd start

Starting vsftpd for vsftpd:                                [ OK ]


<b>[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"</b>

With plain FTP this capture shows the USER and PASS lines and every subsequent command in cleartext; it is the baseline to compare with the capture taken after TLS is enabled in step ⑤. `-R` is the read-filter option of tshark 1.x; current releases use `-Y` for the same purpose.


<b>②. Set up a local CA:</b>

[root@ftp ~]# cd /etc/pki/

[root@ftp pki]# ll

[root@ftp pki]# vim tls/openssl.cnf        # CA working directory in [ CA_default ]; relax [ policy_match ] so a CSR's C/ST/O need not equal the CA's

<b>dir             = /etc/pki/CA</b>

<b>countryName             = optional</b>

<b>stateOrProvinceName     = optional</b>

<b>organizationName        = optional</b>

[root@ftp pki]# cd CA/

[root@ftp CA]# mkdir certs newcerts crl

[root@ftp CA]# touch index.txt serial

[root@ftp CA]# echo "01" >serial

[root@ftp CA]# ll

[root@ftp CA]# openssl genrsa 1024 > private/cakey.pem

A 1024-bit RSA key was already marginal in 2012 and is rejected by current clients; use 2048 bits or more. Run the command under `umask 077` so the key file is created mode 0600 instead of being world-readable until the chmod below, and on OpenSSL builds whose default_md is still sha1 add -sha256 to the req and ca commands that follow.

<b>Generating RSA private key, 1024 bit long modulus</b>

<b>...........++++++</b>

<b>....++++++</b>

<b>e is 65537 (0x10001)</b>

[root@ftp CA]# chmod 600 private/cakey.pem

[root@ftp CA]# ll private/cakey.pem

<b>-rw------- 1 root root 887 Feb 10 23:22 private/cakey.pem</b>

[root@ftp CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

<b>You are about to be asked to enter information that will be incorporated</b>

<b>into your certificate request.</b>

<b>What you are about to enter is what is called a Distinguished Name or a DN.</b>

<b>There are quite a few fields but you can leave some blank</b>

<b>For some fields there will be a default value,</b>

<b>If you enter '.', the field will be left blank.</b>

<b>-----</b>

<b>Country Name (2 letter code) [GB]:cn</b>

<b>State or Province Name (full name) [Berkshire]:henan</b>

<b>Locality Name (eg, city) [Newbury]:zhengzhou</b>

<b>Organization Name (eg, company) [My Company Ltd]:junjie</b>

<b>Organizational Unit Name (eg, section) []:soft</b>

<b>Common Name (eg, your name or your server's hostname) []:ca.junjie.com</b>

<b>Email Address []:[email protected]</b>

[root@ftp CA]# ll

<b>③. Issue a certificate for the FTP server:</b>

[root@ftp CA]# mkdir /etc/vsftpd/certs

[root@ftp CA]# cd /etc/vsftpd/certs

[root@ftp certs]# <b>openssl genrsa 1024 >vsftpd.key</b>

<b>...++++++</b>

[root@ftp certs]# <b>openssl req -new -key vsftpd.key -out vsftpd.csr</b>

<b>Organizational Unit Name (eg, section) []:ftp</b>

<b>Common Name (eg, your name or your server's hostname) []:ftp.junjie.com</b>

<b>Email Address []:[email protected]</b>

<b> </b>

<b>Please enter the following 'extra' attributes</b>

<b>to be sent with your certificate request</b>

<b>A challenge password []:</b>

<b>An optional company name []:</b>

[root@ftp certs]# <b>openssl ca -in vsftpd.csr -out vsftpd.crt</b>

<b>Using configuration from /etc/pki/tls/openssl.cnf</b>

<b>Check that the request matches the signature</b>

<b>Signature ok</b>

<b>Certificate Details:</b>

<b>        Serial Number: 1 (0x1)</b>

<b>        Validity</b>

<b>            Not Before: Feb 10 15:48:55 2012 GMT</b>

<b>            Not After : Feb 9 15:48:55 2013 GMT</b>

<b>        Subject:</b>

<b>            countryName               = cn</b>

<b>            stateOrProvinceName       = henan</b>

<b>            organizationName          = junjie</b>

<b>            organizationalUnitName    = ftp</b>

<b>            commonName                = ftp.junjie.com</b>

<b>            emailAddress              = [email protected]</b>

<b>        X509v3 extensions:</b>

<b>            X509v3 Basic Constraints:</b>

<b>                CA:FALSE</b>

<b>            Netscape Comment:</b>

<b>                OpenSSL Generated Certificate</b>

<b>            X509v3 Subject Key Identifier:</b>

<b>                33:C5:01:33:A5:CF:42:9F:24:A9:0D:E9:41:8E:26:C3:1B:7B:18:11</b>

<b>            X509v3 Authority Key Identifier:</b>

<b>                keyid:50:D1:A8:0A:1F:B7:CD:49:94:69:E3:70:E9:AE:93:73:2C:94:66:AC</b>

<b>Certificate is to be certified until Feb 9 15:48:55 2013 GMT (365 days)</b>

<b>Sign the certificate? [y/n]:y</b>

<b>1 out of 1 certificate requests certified, commit? [y/n]y</b>

<b>Write out database with 1 new entries</b>

<b>Data Base Updated</b>

[root@ftp certs]# ll

[root@ftp certs]# chmod 600 *

<b>④. Make the FTP service use the certificate:</b>

[root@ftp certs]# cd /etc/vsftpd/            

[root@ftp vsftpd]# vim vsftpd.conf         # append the following

<b>rsa_cert_file=/etc/vsftpd/certs/vsftpd.crt</b>

<b>rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key</b>

<b>force_local_data_ssl=YES</b>

<b>force_local_logins_ssl=YES</b>

<b>ssl_enable=YES</b>

<b>ssl_sslv2=YES</b>

<b>ssl_sslv3=YES</b>

<b>ssl_tlsv1=YES</b>

The two force_local_* lines make vsftpd refuse cleartext logins and cleartext data transfers from local users, which is what leaves nothing readable in the capture of step ⑤. The lines ssl_sslv2=YES and ssl_sslv3=YES, however, switch on protocol versions that vsftpd keeps off by default for good reason: SSLv2 is broken outright and SSLv3 is vulnerable to POODLE. Set both to NO and keep ssl_tlsv1=YES (newer vsftpd releases also offer ssl_tlsv1_1 and ssl_tlsv1_2; check vsftpd.conf(5) for your version). This configuration is explicit FTPS on port 21; for implicit FTPS on port 990 vsftpd provides implicit_ssl=YES together with listen_port=990.

[root@ftp vsftpd]# service vsftpd restart

Shutting down vsftpd:                                      [ OK ]
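Steps ② to ④ as one script. This is an added example and not part of the original post: it assumes only that an OpenSSL command line (1.0.2 or later) is on the PATH and that a scratch directory is passed as its first argument; copy the resulting CA/ and vsftpd/ trees into /etc/pki/CA and /etc/vsftpd/certs yourself. Compared with the interactive commands above it uses 2048-bit keys and SHA-256, puts the host name in a subjectAltName so current clients can match it, creates the keys under umask 077, and prints the vsftpd.conf fragment with SSLv2 and SSLv3 switched off. The `check_ftps_server` function probes a running server and is the only part that needs the network.

```shell
#!/bin/sh
# Added example, not from the original post: steps 2-4 as one non-interactive
# script. Assumes an OpenSSL 1.0.2+ command line on PATH; $1 is a scratch
# directory (copy CA/ to /etc/pki/CA and vsftpd/ to /etc/vsftpd/certs afterwards).
set -eu

build_ftps_pki() {
    pki=$1
    ca=$pki/CA
    certs=$pki/vsftpd
    mkdir -p "$ca/private" "$certs"
    chmod 700 "$ca/private"
    umask 077                      # every key is created 0600; no chmod-after race

    # CA key and self-signed root: 2048-bit RSA and SHA-256 (the post used
    # 1024-bit RSA and the era's default digest, which was SHA-1)
    openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -key "$ca/private/cakey.pem" \
        -out "$ca/cacert.pem" -subj "/C=cn/ST=henan/O=junjie/CN=ca.junjie.com"

    # server key and CSR; the CN keeps the host name for clients that still read it
    openssl genrsa -out "$certs/vsftpd.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$certs/vsftpd.key" -out "$certs/vsftpd.csr" \
        -subj "/C=cn/ST=henan/O=junjie/OU=ftp/CN=ftp.junjie.com"

    # v3 extensions for the server cert: not a CA, TLS server use only, and a
    # subjectAltName equal to the name clients connect with (modern clients ignore the CN)
    cat > "$certs/vsftpd.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:ftp.junjie.com
EOF
    openssl x509 -req -sha256 -days 365 -in "$certs/vsftpd.csr" \
        -CA "$ca/cacert.pem" -CAkey "$ca/private/cakey.pem" -CAcreateserial \
        -out "$certs/vsftpd.crt" -extfile "$certs/vsftpd.ext" 2>/dev/null
    # the public halves may be world-readable; cacert.pem is what clients import
    chmod 644 "$ca/cacert.pem" "$certs/vsftpd.crt"
}

# Check the chain the way a client does; builds whose verify knows
# -verify_hostname also match the host name against the SAN.
verify_ftps_cert() {
    pki=$1
    if openssl verify -help 2>&1 | grep -q -- -verify_hostname; then
        openssl verify -CAfile "$pki/CA/cacert.pem" -verify_hostname ftp.junjie.com \
            "$pki/vsftpd/vsftpd.crt" >/dev/null
    else
        openssl verify -CAfile "$pki/CA/cacert.pem" "$pki/vsftpd/vsftpd.crt" >/dev/null
    fi
}

# TLS settings for /etc/vsftpd/vsftpd.conf: the options from step 4 with the
# broken protocol versions off and the cipher list pinned to strong suites.
vsftpd_tls_conf() {
    cat <<'EOF'
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/certs/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
ssl_ciphers=HIGH
EOF
}

# Probe a running server over explicit FTPS (AUTH TLS on port 21). Needs the
# network, so nothing else here calls it. Prints the negotiated protocol and
# the verification result against our CA file.
check_ftps_server() {
    host=$1
    cafile=$2
    openssl s_client -starttls ftp -connect "$host:21" -CAfile "$cafile" \
        -verify_return_error </dev/null 2>&1 | grep -E 'Protocol *:|Verify return code'
}

if [ $# -ge 1 ]; then            # usage: sh ftps_pki.sh /tmp/ftps-pki
    build_ftps_pki "$1"
    verify_ftps_cert "$1" && echo "chain OK"
    vsftpd_tls_conf
fi
```

After installing the files, restart vsftpd as in step ④ and run `check_ftps_server ftp.junjie.com /etc/pki/CA/cacert.pem` from a host that resolves the name; a "Verify return code: 0 (ok)" line is the result a correctly configured FileZilla will also get once cacert.pem is in its trust store.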

<b>⑤ Client test (transfers are now encrypted):</b>



The connection dialog shows a certificate warning: the client trusts neither the private CA that signed the certificate nor, if the server was entered by IP address rather than as ftp.junjie.com, the name inside it. It is possible to proceed by accepting the certificate once, and that is fine for a lab, but an unverified certificate accepted by the user is exactly what lets an attacker in the middle substitute his own. For real use import cacert.pem into the client's trust store and connect by the host name in the certificate, so the warning never appears and any future mismatch is a genuine alarm.


<b>The capture of this login follows; the transfer is encrypted.</b> After the client's AUTH SSL the control channel no longer carries FTP text: the packet beginning `\200\310\001\003\001` is an SSLv2-compatible ClientHello offering TLS 1.0 (a backward-compatible hello format the client chooses on its own; with ssl_sslv2=YES the server would even have accepted a real SSLv2 session), the packets beginning `\026\003\001` are TLS 1.0 handshake records, and everything beginning `\027\003\001` is TLS application data, which is where USER, PASS and the commands now travel. tshark still labels these packets "FTP Request" only because it decodes port 21 as FTP regardless of content.


[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"

Running as user "root" and group "root". This could be dangerous.

Capturing on eth0

 9.742109 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2

 9.742144 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1 Ack=1 Win=65700 Len=0

 9.747458 192.168.101.113 -> 192.168.101.210 FTP Request: <b>AUTH SSL</b>

 9.755605 192.168.101.113 -> 192.168.101.210 FTP Request: \200\310\001\003\001\000\237\000\000\000 \000\300\024\000\300

 9.758795 192.168.101.113 -> 192.168.101.210 FTP Request: \026\003\001\000\206\020\000\000\202\000\200n\257\315\204\324o

 9.778662 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\215\325t\357\277\001\376FZ\243D\373\003\367\231\207Q\324\003Q}/\335\025\027\003\001\000 \f\355b\270\355\325\020[\372\302s{^\375\307\364C\307\243\251v9\370\364\260\277\253\317\321gB]

 9.779885 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\324\000\267\312\0320\213\266y\311\025[\371\275?\254Y\257\024[\245vjM\027\003\001\000(\236\321\221Z\321Z(\316'\343.\235?\321=8\264b\270(j\336\231\\210\265\207K\223A\037"\277\251\252t\252a`\374

 9.782153 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\257d\313mXZT\356\2366\334q\223\017gt\371\232\207\226\325

 9.793165 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\0301\020S\237\372\210\004N4\370\366\377\2213m\356\233w:\275)>@%\027\003\001\000 Y\032\275BM=3J\313\240\241\372Z\371@\335\262\252\240\235\021\345\271\305\223\211\020\340\332\323Q\251

 9.795630 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\302\016=LR\272\030{\034\277V\256]\230\247\363\355M\241\327U\207k\032\027\003\001\000 OYi\216=S\322\212)\271V\016\2519w\332f\213\222S\244\275M\316\025N\302:k\312b\331

 9.796727 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1260 Win=64440 Len=0

 9.797542 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1334 Win=64364 Len=0

 9.798327 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1408 Win=64292 Len=0

 9.798775 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1482 Win=65700 Len=0

 9.799387 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1564 Win=65616 Len=0

 9.799910 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1638 Win=65544 Len=0

 9.805078 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030G}\305\210\021s\244q\023k=\345R\232A\366B\360\202\320\361(x\344\027\003\001\000 \351W\350\377\362\2756\334\303\035+1l|{\304\277\224\326n\036d\213\217\b\216\023N\225\003a\274

 9.810763 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\203\354F\302\253\205\212\355\334$\321=\303h\276\302\350\320.\346\223\337BG\027\003\001\000 73\027\372#\232

 9.813350 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\203x`k\337RM\341w\022N\255|f\260U ?\354)A\301^\251\027\003\001\000 \031`\366\364He\030\266z)\373\265\237\261\\3430\220\331\340Kv[\033\347\tXj\344\314\236\242

 9.814073 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\307\2126sY\a\237\034\321\277!j\320\213\235\032\277e\345\361E>|)\027\003\001\000 \256\304}:-\365\034\aD~\fk`]\\314\b\207\365-\217\305\244

 9.838659 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\300\272t&\t(\262\243\361\210\263\343\326\261\017$\317V\002\354\325\271\250\366\027\003\001\000 \350F\305\360\363\365\033\274W\207M\006\216\255\016\365\205z\033\002\032B\345,\3712\034\377\327[\272P

 9.851675 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1071 Ack=2041 Win=65140 Len=0

 9.856073 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\f\357\000E/\372\333\247\016\344\315\345\346\271L\327\214CE0*i\316\332\027\003\001\000(8\220\341\316.*\234dM\235

 10.061779 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1145 Ack=2094 Win=65088 Len=0

 39.978110 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030=\032\322\022\216B\025O\016\034

 39.980672 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [FIN, ACK] Seq=1211 Ack=2139 Win=65040 Len=0

 39.980725 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [RST, ACK] Seq=1212 Ack=2149 Win=0 Len=0

27 packets captured

[root@ftp ~]#
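To read a capture like the one above without guessing, the following added example (not part of the original post; it needs only POSIX sh with printf, sed, od, cut and grep) turns tshark's octal escapes back into bytes and names the record each payload begins with. The three sample strings in the usage are the leading bytes of the packets that follow `AUTH SSL` above, copied from the capture; only the record header and the first handshake fields are needed, so the rest of each packet is omitted.

```shell
#!/bin/sh
# Added example, not from the original post: decode the octal-escaped payloads
# that tshark printed and name the TLS record each one begins with.
# Needs only POSIX sh, printf, sed, od, cut and grep.
set -u

# tshark prints non-printable bytes as \ooo; printf %b wants \0ooo. Output is
# the payload as a lowercase hex string.
tshark_to_hex() {
    printf '%b' "$(printf '%s' "$1" | sed 's/\\\([0-7][0-7][0-7]\)/\\0\1/g')" \
        | od -An -v -tx1 | tr -d ' \n'
}

# hexat OFFSET NBYTES HEX: the NBYTES bytes found at byte OFFSET of HEX
hexat() {
    printf '%s' "$3" | cut -c "$(( 2 * $1 + 1 ))-$(( 2 * $1 + 2 * $2 ))"
}

tls_version_name() {
    case "$1" in
        0300) echo SSLv3 ;;  0301) echo TLS1.0 ;;
        0302) echo TLS1.1 ;; 0303) echo TLS1.2 ;;
        *)    echo "version_$1" ;;
    esac
}

# One line describing the record at the start of a tshark payload string.
classify_record() {
    hex=$(tshark_to_hex "$1")
    [ "${#hex}" -ge 10 ] || { echo "short_record hex=$hex"; return 1; }
    b0=$(hexat 0 1 "$hex")
    if [ "$(( 0x$b0 & 0x80 ))" -ne 0 ]; then
        # SSLv2-format 2-byte header (high bit set, 15-bit length), then
        # msg type 1 = CLIENT-HELLO, the highest version the client offers,
        # and the cipher-spec length (3 bytes per spec)
        len=$(( (0x$b0 & 0x7f) * 256 + 0x$(hexat 1 1 "$hex") ))
        [ "$(hexat 2 1 "$hex")" = 01 ] || { echo "sslv2_record len=$len"; return 0; }
        ver=$(tls_version_name "$(hexat 3 2 "$hex")")
        specs=$(( 0x$(hexat 5 2 "$hex") / 3 ))
        echo "sslv2_client_hello len=$len offered=$ver cipher_specs=$specs"
        return 0
    fi
    # TLS record: type(1) version(2) length(2)
    ver=$(tls_version_name "$(hexat 1 2 "$hex")")
    len=$(( 0x$(hexat 3 2 "$hex") ))
    case "$b0" in
        14) echo "change_cipher_spec $ver len=$len" ;;
        15) echo "alert $ver len=$len" ;;
        16) htype=$(hexat 5 1 "$hex")
            case "$htype" in
                01) name=client_hello ;;   02) name=server_hello ;;
                0b) name=certificate ;;    10) name=client_key_exchange ;;
                14) name=finished ;;       *)  name="handshake_type_$htype" ;;
            esac
            if [ "$htype" = 10 ] && [ "${#hex}" -ge 22 ]; then
                # RSA key exchange (the case in this capture): after the 4-byte
                # handshake header comes a 2-byte length of the encrypted
                # premaster secret, which equals the server's RSA modulus size
                bits=$(( 0x$(hexat 9 2 "$hex") * 8 ))
                echo "handshake $ver len=$len $name server_rsa_bits=$bits"
            else
                echo "handshake $ver len=$len $name"
            fi ;;
        17) echo "application_data $ver len=$len" ;;
        *)  echo "not_tls first_byte=$b0" ;;
    esac
}

# Findings that map onto vsftpd.conf settings, one per line.
audit_records() {
    out=$(for rec in "$@"; do classify_record "$rec"; done)
    printf '%s\n' "$out" | grep -q '^sslv2_client_hello' \
        && echo "sslv2_hello: client used the SSLv2-compatible hello; set ssl_sslv2=NO"
    printf '%s\n' "$out" | grep -Eq ' (SSLv3|TLS1\.0) ' \
        && echo "legacy_version: SSLv3/TLS 1.0 in use; set ssl_sslv3=NO and enable TLS 1.2 where the vsftpd build offers it"
    printf '%s\n' "$out" | grep -q 'server_rsa_bits=1024' \
        && echo "rsa1024: server key is 1024-bit; reissue with 2048 bits or more"
    return 0
}

if [ $# -ge 1 ]; then   # usage: sh tlsrec.sh '\200\310\001\003\001\000\237\000\000\000 \000\300\024\000\300' '\026\003\001\000\206\020\000\000\202\000\200n' '\027\003\001\000\030'
    for rec in "$@"; do classify_record "$rec"; done
    audit_records "$@"
fi
```

Run on the three payload prefixes from the capture it reports an SSLv2-compatible ClientHello of 200 bytes offering TLS 1.0 with 53 cipher specs, a ClientKeyExchange whose 128-byte encrypted premaster secret gives away the server's 1024-bit RSA key from step ③, and 24-byte application-data records; the audit lines point back at the ssl_sslv2 setting of step ④ and the key size of step ③.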

<a href="http://down.51cto.com/data/2360091" target="_blank">Attachment: http://down.51cto.com/data/2360091</a>

Reposted from xjzhujunjie's 51CTO blog: http://blog.51cto.com/xjzhujunjie/811673
