在LINUX系統上創建FTP加密傳輸SSL(proftpd和vsftpd)

一、下載最新的軟件版本:

# wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.0rc3.tar.gz

二、建立FTP組和用戶

首先建立PROFTPD運行的用戶和組:

# groupadd nogroup

# useradd -g nogroup -d /dev/null -s /sbin/nologin nobody


然後建立上傳下載的用戶和組:

# groupadd ftp

# useradd -g ftp -d /home/down -s /sbin/nologin down

# useradd -g ftp -d /home/upload -s /sbin/nologin upload

  用戶密碼設置略


三、編譯安裝PROFTPD:

# tar -zxvf proftpd-1.3.0rc3.tar.gz

# cd proftpd-1.3.0rc3

# ./configure \
    --prefix=/usr/local/proftpd \
    --sysconfdir=/etc \
    --enable-autoshadow \
    --localstatedir=/var/run \
    --enable-ctrls \
    --with-modules=mod_tls


# make

# make install


四、配置PROFTPD服務器:

# vi /etc/proftpd.conf

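================+================+================
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use).  It establishes a single server.
# Anonymous logins are not used here: only members of group "ftp" may
# log in, and the daemon itself runs as user/group "nobody"/"nogroup".

ServerName                                      "jekay"
ServerType                                      standalone
DefaultServer                                   on
AllowRetrieveRestart                            on
AllowStoreRestart                               on
# ServerIdent on advertises the server software and version in the greeting.
ServerIdent                                     on
SystemLog                                       /var/log/proftpd.log
UseReverseDNS                                   off
IdentLookups                                    off
# The 'down'/'upload' accounts were created with /sbin/nologin, which is not
# a valid shell; this lets them log in anyway.
RequireValidShell                               off
# Port 21 is the standard FTP port.
Port                                            21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                                           022
MaxInstances                                    100
# Set the user and group under which the server will run.
User                                            nobody
Group                                           nogroup
# Jail (chroot) every FTP user into their home directory.
DefaultRoot ~
# Normally, we want files to be overwriteable.
<Directory />
  AllowOverwrite                                on
</Directory>
# We want '.welcome' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin                                    .welcome
DisplayFirstChdir                               .message
# Only members of group 'ftp' may log in; everyone else is refused.
<Limit LOGIN>
  AllowGroup ftp
  DenyAll
</Limit>

# The SSL/TLS encryption parameters are here -- this is the key part.
#########################ssl/tls####################### MOD_TLS SETTING
<IfModule mod_tls.c>
  TLSEngine on
  TLSLog /var/log/proftpd-tls.log
  # SSLv23 lets clients negotiate SSLv2/SSLv3, which are obsolete and
  # insecure; restrict the server to TLS.  Newer mod_tls releases also
  # accept TLSv1.1/TLSv1.2 here.
  TLSProtocol TLSv1
  # 'ctrl' only forces the control channel (logins, commands) onto TLS;
  # file contents and directory listings on the data channel may still be
  # sent in cleartext.  Use 'TLSRequired on' to require both channels.
  TLSRequired ctrl
  # Server's certificate and private key.  Keep the key file readable only
  # by root.
  TLSRSACertificateFile /etc/proftpd.crt
  TLSRSACertificateKeyFile /etc/proftpd.key
  # Authenticate clients that want to use FTP over TLS
  TLSVerifyClient off
</IfModule>
#########################ssl/tls######################

<Directory /home/down>
  # Download area: group 'ftp' may read but not write.
  <Limit WRITE>
    DenyGroup ftp
  </Limit>
  TransferRate RETR 150 group ftp
</Directory>

<Directory /home/upload>
  # Upload area: group 'ftp' may store files but not remove, rename or
  # retrieve them.
  <Limit RMD RNFR DELE RETR>
    DenyGroup ftp
  </Limit>
  TransferRate STOR 150 group ftp
</Directory>

MaxClientsPerHost 200
# Passive-mode data connections use this port range; it must be reachable
# through the firewall alongside port 21.
PassivePorts 55000 56000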

================+================+================

建立PROFTPD的日誌文件:

# touch /var/log/proftpd.log

# touch /var/log/proftpd-tls.log

# chown nobody:nogroup /var/log/proftpd.log /var/log/proftpd-tls.log


建立SSL傳輸的證書和密鑰:

# cp /usr/share/ssl/openssl.cnf ./

# openssl req -new -x509 -nodes -config openssl.cnf -out proftpd.crt -keyout proftpd.key

這裏安裝提示須要輸入證書信息略


把證書和密鑰複製到指定目錄:

# cp proftpd.crt proftpd.key /etc/


最後建立PROFTPD啓動腳本:

# vi /etc/init.d/proftpd

================+================+================

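#!/bin/sh
# Startup script for ProFTPD
#
# chkconfig: 345 85 15
# description: ProFTPD is an enhanced FTP server
# processname: proftpd
# config: /etc/proftpd.conf
#
# Usage: proftpd {start|stop|restart|status|reread|suspend [ftpshut args]|resume}
# Several actions may be chained on one command line ("proftpd stop start");
# each action after the first is handled by re-invoking this script.

# Source function library (provides daemon, killproc and status).
. /etc/rc.d/init.d/functions

# Optional site settings, e.g. OPTIONS="..." handed to the proftpd binary.
if [ -f /etc/sysconfig/proftpd ]; then
  . /etc/sysconfig/proftpd
fi

PATH="$PATH:/usr/local/proftpd/sbin"

# See how we were called.
case "$1" in
  start)
    printf '%s' "Starting proftpd: "
    # $OPTIONS is deliberately unquoted: it may hold several arguments.
    daemon proftpd $OPTIONS
    echo
    touch /var/lock/subsys/proftpd
    ;;
  stop)
    printf '%s' "Shutting down proftpd: "
    killproc proftpd
    echo
    rm -f /var/lock/subsys/proftpd
    ;;
  status)
    status proftpd
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  reread)
    printf '%s' "Re-reading proftpd config: "
    killproc proftpd -HUP
    echo
    ;;
  suspend)
    # ftpshut(8) refuses new sessions; any extra arguments are passed to it.
    if hash ftpshut >/dev/null 2>&1; then
      if [ $# -gt 1 ]; then
        shift
        printf '%s' "Suspending with '$*' "
        ftpshut "$@"
        # The remaining arguments belonged to ftpshut, not to this script;
        # drop them so the chaining step below does not re-run them as actions.
        set --
      else
        printf '%s' "Suspending NOW "
        ftpshut now "Maintanance in progress"
      fi
    else
      printf '%s' "No way to suspend "
    fi
    echo
    ;;
  resume)
    # ftpshut leaves /etc/shutmsg behind; removing it lets sessions in again.
    if [ -f /etc/shutmsg ]; then
      printf '%s' "Allowing sessions again "
      rm -f /etc/shutmsg
    else
      printf '%s' "Was not suspended "
    fi
    echo
    ;;
  *)
    printf '%s' "Usage: $0 {start|stop|restart|status|reread|resume"
    if hash ftpshut >/dev/null 2>&1; then
      echo '|suspend}'
      echo 'suspend accepts additional arguments which are passed to ftpshut(8)'
    else
      echo '}'
    fi
    exit 1
    ;;
esac

# Chain any further actions, e.g. "proftpd stop start".
if [ $# -gt 1 ]; then
  shift
  "$0" "$@"
fi

exit 0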

================+================+================

# chmod 755 /etc/init.d/proftpd

# chkconfig --add proftpd

# chkconfig proftpd on


五、客戶端鏈接測試

到這裏ftp服務器端安裝設置完畢,登錄服務器的客戶端我用了徹底免費的FileZilla

本服務器支持兩種客戶端加密鏈接方式:

1. FTP over SSL (顯式加密) 方式鏈接。

2. FTP over TLS (顯式加密) 方式鏈接。



創建在LINUX系統上的VSFTP加密傳輸

參考文檔: ftp://vsftpd.beasts.org/users/ce ... pd-2.0.1/README.ssl


在衆多的FTP服務器中VSFTP以安全,小巧著稱。近年來一直受到人們的喜好。一般狀況下FTP包括認證過程,傳輸是明文傳輸的,在傳輸一些敏感數據時老是不能讓人放心。

一、下載最新的VSFTPD:

# wget ftp://vsftpd.beasts.org/users/cevans/vsftpd-2.0.3.tar.gz


二、 編譯安裝VSFTPD:

# tar -zxvf vsftpd-2.0.3.tar.gz

# cd vsftpd-2.0.3


三、修改VSFTPD使其支持SSL傳輸:

修改builddefs.h文件中的:

#undef VSF_BUILD_TCPWRAPPERS

#define VSF_BUILD_PAM

#undef VSF_BUILD_SSL

爲:

#define VSF_BUILD_TCPWRAPPERS

#undef VSF_BUILD_PAM

#define VSF_BUILD_SSL


四、開始編譯安裝:

# make

# make install

# cp vsftpd.conf /etc/


建立SSL證書(證書和私鑰寫入同一個PEM文件):

# openssl req -new -x509 -nodes -out vsftpd.pem -keyout vsftpd.pem

# cp vsftpd.pem /usr/share/ssl/certs/vsftpd.pem


建立須要的賬號和目錄:

# useradd -d /dev/null -s /sbin/nologin nobody

# mkdir /usr/share/empty

# mkdir /var/ftp

# useradd -d /var/ftp -s /sbin/nologin ftp

# chown root:root /var/ftp

# chmod og-w /var/ftp


五、配置VSFTPD:

# vi /etc/vsftpd.conf

===========+=============+===========

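# Local accounts only; anonymous FTP is switched off.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
#chown_uploads=YES
#chown_username=whoever
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
#idle_session_timeout=600
#data_connection_timeout=120
#nopriv_user=ftpsecure
#async_abor_enable=YES
# ASCII transfer mode.  vsftpd's own sample configuration notes that ASCII
# mode can be abused for denial of service; disable it unless clients need it.
ascii_upload_enable=YES
ascii_download_enable=YES
ftpd_banner=Welcome to Serv-U FTP Server v5.0 for WinSock.
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd.banned_emails
# chroot_local_user is not set, so only the users listed in chroot_list_file
# are jailed in their home directory.  The file is created empty with 'touch'
# below, which jails nobody: add each FTP account to it (one per line), or
# set chroot_local_user=YES.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
ls_recurse_enable=NO
hide_ids=YES
userlist_enable=NO
use_localtime=YES
listen=YES
listen_port=21
# Requires the VSF_BUILD_TCPWRAPPERS build option enabled in builddefs.h above.
tcp_wrappers=YES
# --- SSL/TLS ---
ssl_enable=YES
# SSLv2 and SSLv3 are obsolete and insecure; allow TLS only.
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
# Has no effect while anonymous_enable=NO.
allow_anon_ssl=YES
# Local users must use TLS both for login (password) and for data transfers.
force_local_data_ssl=YES
force_local_logins_ssl=YES
# Certificate and private key in one PEM file; keep it readable only by root.
rsa_cert_file=/usr/share/ssl/certs/vsftpd.pem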

===========+=============+===========

# touch /etc/vsftpd.chroot_list


寫一個VSFTPD啓動腳本:

# vi /etc/init.d/vsftpd

===========+=============+===========

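#!/bin/sh
# Copyright (c) 2004 by LLZQQ
# All rights reserved.
#
# chkconfig: - 110 30
# description: Starts and stops the Vsftpd Service
# config:  /etc/vsftpd.conf
#
# Usage: vsftpd {start|stop}

VSFTPD=/usr/local/sbin/vsftpd

case "$1" in
  start)
    # Refuse to start a second listener if one is already running.
    if pgrep -x vsftpd >/dev/null 2>&1; then
      printf '%s\n' "vsftpd is already running"
    else
      # The daemon is put in the background by the shell.
      "$VSFTPD" &
    fi
    ;;
  stop)
    # -x matches the process name exactly, so unrelated processes whose
    # name merely contains "vsftpd" are left alone.
    pkill -x vsftpd
    ;;
  *)
    printf '%s\n' "Usage: $0 { start | stop }"
    exit 1
    ;;
esac

exit 0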

===========+=============+===========


# chmod 755 /etc/init.d/vsftpd

# chkconfig --add vsftpd

# chkconfig vsftpd on



六、測試

到這裏ftp服務器端安裝設置完畢,登錄服務器的客戶端我用了徹底免費的FileZilla
