Traditional FTP servers transmit the account, commands and data in plaintext, which is very insecure: anyone who installs a sniffer on the network can easily capture the whole session. Below is a sample FTP session I captured with Ethereal:
220 Web Server.
FEAT
211-Features:
EPRT
EPSV
MDTM
PASV
REST STREAM
SIZE
TVFS
211 End
USER ttt
331 Please specify the password.
PASS ccc
230 Login successful.
PWD
257 "/home/ttt"
PASV
227 Entering Passive Mode (192,168,2,10,101,186)
LIST
150 Here comes the directory listing.
226 Directory send OK.
PASV
227 Entering Passive Mode (192,168,2,10,97,28)
LIST
150 Here comes the directory listing.
226 Directory send OK.
PASV
227 Entering Passive Mode (192,168,2,10,66,236)
NLST
150 Here comes the directory listing.
226 Directory send OK.
CWD /home
250 Directory successfully changed.
PASV
227 Entering Passive Mode (192,168,2,10,23,159)
LIST
150 Here comes the directory listing.
226 Directory send OK.
CWD /home/jboss
250 Directory successfully changed.
PASV
227 Entering Passive Mode (192,168,2,10,102,193)
LIST
150 Here comes the directory listing.
226 Directory send OK.
QUIT
221 Goodbye.
From the captured data we can see the username and password used in this session and the commands that were run. If the session is encrypted, then even if it is intercepted the account, password and transferred data remain safe. Below is an encrypted FTP session captured with Ethereal.
220 Web Server.
FEAT
211-Features:
AUTH SSL
AUTH TLS
EPRT
EPSV
MDTM
PASV
PBSZ
PROT
REST STREAM
SIZE
TVFS
211 End
AUTH TLS
234 Proceed with negotiation.
Of course, on a switched network sniffing is not that easy either.
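To make the difference between the two captures concrete, here is an added example (not part of the original post) that walks a captured FTP control channel the way a defender reviewing a packet capture would: it reports whether credentials crossed the wire in the clear, whether AUTH TLS was accepted before the login, and decodes the data endpoints announced in 227 replies. The two transcripts are constructed samples in the shape of the sessions above.

```python
import re

# Constructed sample transcripts (control channel only, in the same shape as
# the Ethereal captures above). In the first one the login is in plaintext.
PLAINTEXT_SESSION = """220 Web Server.
USER ttt
PASS ccc
230 Login successful.
PASV
227 Entering Passive Mode (192,168,2,10,101,186)
LIST
QUIT"""

# In the second one the client issues AUTH TLS before USER/PASS, so the
# readable capture ends with the server's 234 reply; the rest is ciphertext.
TLS_SESSION = """220 Web Server.
AUTH TLS
234 Proceed with negotiation."""

PASV_RE = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def analyze_ftp_control(transcript):
    """Report what a passive observer learns from an FTP control channel:
    exposed credentials, whether TLS was negotiated before the login, and
    the data endpoints announced in 227 replies (h1.h2.h3.h4, p1*256+p2)."""
    report = {"tls_negotiated": False, "tls_before_login": False,
              "user": None, "password": None, "data_endpoints": []}
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("234 "):
            # The server accepted AUTH TLS/SSL: from here on the connection
            # is encrypted, so nothing further can be read from the capture.
            report["tls_negotiated"] = True
            report["tls_before_login"] = report["user"] is None
            break
        upper = line.upper()
        if upper.startswith("USER "):
            report["user"] = line[5:]
        elif upper.startswith("PASS "):
            report["password"] = line[5:]
        else:
            m = PASV_RE.match(line)
            if m:
                h1, h2, h3, h4, p1, p2 = map(int, m.groups())
                report["data_endpoints"].append((f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
    # Any PASS seen before a 234 reply crossed the wire in the clear.
    report["credentials_exposed"] = report["password"] is not None
    return report
```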
The following describes how to set up an FTP server with SSL encryption using vsftpd on Linux. The whole setup is divided into these steps:
- Download and unpack the vsftpd source package, then edit builddefs.h according to the features your environment needs (don't worry, it is simple);
- Compile the program (on the Red Hat platform the kerberos header file could not be found);
- Check and configure the runtime environment for vsftpd;
- Install the program;
- Generate the server-side digital certificate (used for SSL encryption);
- Set up the vsftpd configuration file;
- Test the server.
Now let's go through the setup in detail:
Download and unpack the vsftpd source package and edit builddefs.h according to the features your environment needs:
The vsftpd project homepage is: http://vsftpd.beasts.org
The source packages are downloaded from: ftp://vsftpd.beasts.org/users/cevans/
Here we take version 2.0.5 as the example: ftp://vsftpd.beasts.org/users/cevans/vsftpd-2.0.5.tar.gz
After downloading, remember to verify the integrity of the package; for the method see: Verifying the integrity of downloaded software packages
Unpack the package and configure builddefs.h:
[root@supersun.biz vsftpd]# tar zxvf vsftpd-2.0.5.tar.gz
[root@supersun.biz vsftpd]# cd vsftpd-2.0.5
[root@supersun.biz vsftpd-2.0.5]# vi builddefs.h
The original content of builddefs.h is:
#ifndef VSF_BUILDDEFS_H
#define VSF_BUILDDEFS_H
#undef VSF_BUILD_TCPWRAPPERS
#define VSF_BUILD_PAM
#undef VSF_BUILD_SSL
#endif /* VSF_BUILDDEFS_H */
Several features are defined above. To enable a feature, set it to
#define function
To disable a feature, set it to:
#undef function
We enable tcpwrappers (/etc/hosts.allow, /etc/hosts.deny) for stronger access restrictions; we disable the PAM (Pluggable Authentication Modules) feature, since I am not yet very familiar with this module and am still learning it; and we enable the SSL module for encryption, which is the main topic of this chapter. The edited content is therefore:
#ifndef VSF_BUILDDEFS_H
#define VSF_BUILDDEFS_H
#define VSF_BUILD_TCPWRAPPERS
#undef VSF_BUILD_PAM
#define VSF_BUILD_SSL
#endif /* VSF_BUILDDEFS_H */
That completes the first step.
Compiling the code
[root@supersun.biz vsftpd-2.0.5]# make
It compiled cleanly on Fedora Core 6; on Red Hat Enterprise AS 3 a small error came up during compilation, complaining that the header file krb5.h could not be found:
gcc -c ssl.c -O2 -Wall -W -Wshadow -idirafter dummyinc
In file included from /usr/include/openssl/ssl.h:179,
from ssl.c:26:
/usr/include/openssl/kssl.h:72:18: krb5.h: No such file or directory
In file included from /usr/include/openssl/ssl.h:179,
from ssl.c:26:
Use the find command to locate the file:
[root@supersun.biz vsftpd-2.0.5]# find . /usr -name krb5.h
/usr/kerberos/include/krb5.h
The answer turned up in the vsftpd FAQ found on the web: edit the Makefile and add the parameter -I/usr/kerberos/include to CFLAGS,
e.g.: CFLAGS = -O2 -Wall -W -Wshadow -I/usr/kerberos/include
The compilation then succeeds.
Checking and configuring the runtime environment for vsftpd
1. The nobody user must exist; if it does not, add it, and after adding it don't forget to edit /etc/passwd to forbid this user from logging in by putting /sbin/nologin in the shell field;
2. The directory /usr/share/empty must exist; if it does not, create it with mkdir;
3. If anonymous login is needed, you also have to add the ftp user and its home directory and adjust the directory permissions; this is not covered here, please read the INSTALL file.
Installing the program
Create two directories, man5 and man8, under /usr/local/man:
[root@supersun.biz vsftpd-2.0.5]# mkdir /usr/local/man/man{8,5}
Run make install to install:
[root@supersun.biz vsftpd-2.0.5]# make install
Because we don't use super-daemon mode, edit /etc/xinet.d/vsftpd:
disable = yes
Edit the configuration file /etc/vsftpd.conf and do a simple test:
[root@supersun.biz vsftpd-2.0.5]# cp vsftpd.conf /etc/
[root@supersun.biz vsftpd-2.0.5]# vi /etc/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
idle_session_timeout=600
ftpd_banner=Welcome to supersun.biz
chroot_local_user=YES
listen=YES
Create a local user and confirm it can log in normally:
[root@supersun.biz ~]#lftp pcap:pppp@supersun.biz
lftp pcap@supersun.biz:~> ls
drwxr-xr-x 11 0 0 4096 Oct 15 08:30 ccc
drwxr-xr-x 3 0 0 4096 Sep 12 04:03 photo
Generating the server-side digital certificate
You may refer to the earlier article: Issuing certificates with openssl
Edit the openssl configuration file to set the openssl home directory environment variable:
vi openssl.cnf
Generate the private key of the certification authority:
openssl genrsa -des3 -out private/ca.key 2048
Generate the random-number file:
openssl rand -out .rand 1034
Generate the CA (certification authority) certificate request:
openssl req -new -key private/ca.key -out ca.req.pem
Self-sign the CA certificate:
openssl x509 -req -days 1000 -sha1 -extensions v3_ca -signkey private/ca.key -in ca.req.pem -out certs/ca.crt.pem
Delete the certificate request:
rm ca.req.pem
Build the hash index:
openssl x509 -hash -noout -in certs/ca.crt.pem >certs/ca.srl
Generate the server private key:
openssl genrsa -out private/serverkey.pem 1024
Generate the server certificate request:
openssl req -new -key private/serverkey.pem -out server.req.pem
Sign the server certificate with the CA certificate:
openssl x509 -req -days 100 -sha1 -extensions v3_req -CA certs/ca.crt.pem -CAkey private/ca.key -in server.req.pem -out certs/server.crt.pem
Below is a worked instance; if anything is unclear, see the earlier article.
[root@supersun.biz ssl]# openssl genrsa -des3 -out private/ca.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
............................+++
e is 65537 (0x10001)
Enter pass phrase for private/ca.key:
Verifying - Enter pass phrase for private/ca.key:
[root@supersun.biz ssl]# openssl rand -out .rand 1034
[root@supersun.biz ssl]# chmod 600 .rand
[root@supersun.biz ssl]# openssl req -new -key private/ca.key -out ca.req.pem
Enter pass phrase for private/ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Beijing
Locality Name (eg, city) [Newbury]:Haidian qu
Organization Name (eg, company) [My Company Ltd]:Dareway
Organizational Unit Name (eg, section) []:Network management
Common Name (eg, your name or your server's hostname) []:supersun.biz
Email Address []:supersun06@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@supersun.biz ssl]# openssl x509 -req -days 1000 -sha1 -extensions v3_ca -signkey private/ca.key -in ca.req.pem -out certs/ca.crt.pem
Signature ok
subject=/C=CN/ST=Beijing/L=Haidian qu/O=Dareway/OU=Network management/CN=supersun.biz/emailAddress=supersun06@gmail.com
Getting Private key
Enter pass phrase for private/ca.key:
[root@supersun.biz ssl]# rm ca.req.pem
rm: remove regular file `ca.req.pem'? y
[root@supersun.biz ssl]# openssl x509 -hash -noout -in certs/ca.crt.pem >certs/ca.srl
[root@supersun.biz ssl]# openssl genrsa -out private/serverkey.pem 1024
Generating RSA private key, 1024 bit long modulus
...........................++++++
.......................++++++
e is 65537 (0x10001)
[root@supersun.biz ssl]# openssl req -new -key private/serverkey.pem -out server.req.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Beijing
Locality Name (eg, city) [Newbury]:Handan qu
Organization Name (eg, company) [My Company Ltd]:Dareway
Organizational Unit Name (eg, section) []:Network Management
Common Name (eg, your name or your server's hostname) []:ftp.supersun.biz
Email Address []:supersun06@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@supersun.biz ssl]# openssl x509 -req -days 100 -sha1 -extensions v3_req -CA certs/ca.crt.pem -CAkey private/ca.key -in server.req.pem -out certs/server.crt.pem
Signature ok
subject=/C=CN/ST=Beijing/L=Handan qu/O=Dareway/OU=Network Management/CN=ftp.supersun.biz/emailAddress=supersun06@gmail.com
Getting CA Private Key
Enter pass phrase for private/ca.key:
The certificate has been generated; append the server's private key to the end of the certificate file:
[root@supersun.biz ssl]# cat private/serverkey.pem >>certs/server.crt.pem
Then copy server.crt.pem to /etc/.
Next, continue configuring /etc/vsftpd.conf by adding the following options:
tcp_wrappers=YES
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
listen=YES
rsa_cert_file=/etc/server.crt.pem
userlist_enable=YES
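As an added example (not part of the original post), the following Python audit checks that a vsftpd.conf actually carries the TLS-enforcing options listed above, and that the certificate file built by appending the server key (as in the cat step earlier) contains both a certificate and a private key block. It compares a trimmed copy of the page's first, SSL-less configuration with the final one; the PEM bundle is a constructed placeholder, not real key material.

```python
import re

# Constructed samples: the page's first, SSL-less /etc/vsftpd.conf (trimmed)
# and the same file after the TLS options from the final step are added.
BEFORE_CONF = """anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
listen=YES
"""
AFTER_CONF = BEFORE_CONF + """tcp_wrappers=YES
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/server.crt.pem
userlist_enable=YES
"""
# Constructed stand-in for /etc/server.crt.pem after `cat private/serverkey.pem
# >>certs/server.crt.pem`; the block bodies are placeholders, not key material.
BUNDLE_PEM = ("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
              "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
# What a TLS-only local-user server must set; vsftpd defaults are deliberately
# not assumed, so an unset option is reported just like a wrong one.
REQUIRED = {"ssl_enable": "YES", "force_local_logins_ssl": "YES",
            "force_local_data_ssl": "YES", "anonymous_enable": "NO"}

def parse_vsftpd_conf(text):
    """vsftpd.conf holds one option=value per line; '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_tls_enforcement(text):
    """Return a list of findings; empty means every local login and data
    connection is forced over TLS and a certificate file is configured."""
    conf = parse_vsftpd_conf(text)
    findings = [f"{key} should be {want}, is {conf.get(key, 'unset')}"
                for key, want in REQUIRED.items()
                if conf.get(key, "").upper() != want]
    if "rsa_cert_file" not in conf:
        findings.append("rsa_cert_file is unset")
    return findings

def bundle_has_cert_and_key(pem_text):
    """The page keeps the server key in the certificate file: check both PEM blocks."""
    blocks = re.findall(r"-----BEGIN ([A-Z ]+)-----", pem_text)
    return "CERTIFICATE" in blocks and any(b.endswith("PRIVATE KEY") for b in blocks)
```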
Edit /etc/vsftpd.user_list and add the local users who are not allowed to log in to ftp. My method is:
[root@supersun.biz ssl]# awk -F: '{print $1}' /etc/passwd >/etc/vsftpd.user_list
then edit /etc/vsftpd.user_list to remove the local users who may log in to ftp.
That's the whole configuration; run vsftpd and you're done.
If you connect with lftp, remember to edit /etc/lftp.conf:
set ftp:ssl-protect-data true
