FTPS（FTP+SSL）

admin

FTPS（FTP+SSL）
* h9 a4 J3 Z# X+ C9 ?
) u9 f, S# V" J( L1 m/ V   ftps是一种多传输协议，相当于加密版的FTP。当你在FTP服务器上收发文件的时候，你面临两个风险。第一个风险是在上载文件的时候为文件加密。第二个风险是，这些文件在你等待接收方下载的时候将停留在FTP服务器上，这时你如何保证这些文件的安全。你的第二个选择(创建一个支持SSL的FTP服务器)能够让你的主机使用一个FTPS连接上载这些文件。这包括使用一个在FTP协议下面的SSL层加密控制和数据通道。一种替代FTPS的协议是安全文件传输协议(SFTP)。这个协议使用SSH文件传输协议加密从客户机到服务器的FTP连接。


; `( j! e8 p3 a7 S% j. w1 m, C  DFTPS是在安全套接层使用标准的FTP协议和指令的一种增强型TFP协议，为FTP协议和数据通道增加了SSL安全功能。FTPS也称作“FTP-SSL”和“FTP-over-SSL”。SSL是一个在客户机和具有SSL功能的服务器之间的安全连接中对数据进行加密和解密的协议。

9 }' l3 g/ y4 _! L! }$ y4 l/ o
和sftp连接方法类似，在windows中可以使用FileZilla等传输软件来连接FTPS进行上传，下载文件，建立，删除目录等操作,在FileZilla连接时，有显式和隐式TLS/SSL连接之分，连接时也有指纹提示。


9 M* z, F. [- e! C' H  k1 r
安全：ftps ftp+ssl
$ E3 n$ g- _" V3 ~
准备工作：
  j( h$ j& p/ V0 n% K2 i
准备一:关闭防火墙；
" l" K7 \; ^$ }+ [! X) Q+ ~
准备二：挂载光盘；
7 Z5 Z1 i$ t+ i7 y1 E' P
) I& l% q) Y# `9 J. c准备三：构建本地yum服务器。

4 i5 |: b' \/ q! fFTP+SSL配置详细过程:
# Y' e; H+ J# _, Q1 ~. \' q, T: K
$ E! m  V2 X( q) }5 H8 K8 q: |# Y# w①.安装配置FTP服务器和抓包工具：（ftp：192.168.101.210）
# @( I  ~! u$ o* `6 l4 a0 O. ]% g
[root@ftp ~]# yum list all |grep vsftpd
[root@ftp ~]# yum install -y vsftpd

0 o% q# F+ [) L[root@ftp ~]# yum list all |grep wireshark

8 l) H- |6 `6 y, {  Y" \6 F8 A[root@ftp ~]# yum install -y wireshark

[root@ftp ~]# useradd user1
[root@ftp ~]# echo "123" |passwd --stdin user1

[root@ftp ~]# service vsftpd start
" `- `6 S! X! e8 a; q
Starting vsftpd for vsftpd:                                [ OK ]
. L, X" o# w3 r
1 e: t' \, Q0 v
* p6 t9 |  a, I1 E# f( U/ t% W[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"


( _" w  L9 Q& w( Y: w% x6 B
②.配置本地CA证书服务器：
$ X) ~3 d" }5 G# }- d* h0 Y
& i4 Q6 X. |8 m) X& x+ ]+ Z% w: r[root@ftp ~]# cd /etc/pki/
; Z5 G% n5 `' |: H3 ]0 o, `[root@ftp pki]# ll
4 i% A; b; I4 q$ R, |[root@ftp pki]# vim tls/openssl.cnf
7 ]* g2 P# H( R- h8 [45 dir             = /etc/pki/CA
) J1 R+ W% G5 M4 P1 I88 countryName             = optional

( ]+ ]9 p2 H% ~. W, ?89 stateOrProvinceName     = optional

90 organizationName        = optional

3 p9 Z( l- y  n+ V  r  t- V2 p[root@ftp pki]# cd CA/
2 R6 @1 p  q+ a; B0 H$ d[root@ftp CA]# mkdir certs newcerts crl
[root@ftp CA]# touch index.txt serial
7 ~! n3 U8 j6 O! o$ y9 z% P- ][root@ftp CA]# echo "01" >serial
/ ?6 N' {4 j! ?
[root@ftp CA]# ll
[root@ftp CA]# openssl genrsa 1024 > private/cakey.pem
  n5 x7 x" l- r
Generating RSA private key, 1024 bit long modulus
6 [0 `+ K0 ^) L7 y* w, T" A  F: ~; z
* A. w3 d) i% V/ K0 ~...........++++++
7 [( k' e1 L& }6 m....++++++
7 x+ J4 T+ E% U, M  Xe is 65537 (0x10001)

[root@ftp CA]# chmod 600 private/cakey.pem
5 N7 q9 k% j( D& U[root@ftp CA]# ll private/cakey.pem
6 E: C. N0 t) K-rw------- 1 root root 887 Feb 10 23:22 private/cakey.pem
[root@ftp CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
  L4 @# L; n8 S8 X
4 C! f  S, K' RYou are about to be asked to enter information that will be incorporated
" ]+ F0 i2 G1 ]# ?
into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank
" `7 [1 E; J- ]8 G/ G; t+ D+ \. u
For some fields there will be a default value,
( ^; ?! o; m1 P
" w! N1 @4 ]. B# A7 ?( Y2 fIf you enter '.', the field will be left blank.
' U0 n" Q" S- Y/ S
-----
Country Name (2 letter code) [GB]:cn

5 a4 \  G4 H: `* H' T% MState or Province Name (full name) [Berkshire]:henan
1 [6 K4 R4 S1 l8 p1 S. H
9 a! ~7 K0 X0 v( FLocality Name (eg, city) [Newbury]:zhengzhou

Organization Name (eg, company) [My Company Ltd]:junjie
9 w4 q0 a) e& d+ L. `& G2 d
: m* |3 [5 Y# Y: O3 D5 h( t  KOrganizational Unit Name (eg, section) []:soft

Common Name (eg, your name or your server's hostname) []:ca.junjie.com

' G+ S1 N& @6 B3 |* h. x# @Email Address []:junjie@junjie.com
[root@ftp CA]#ll
③.为ftp服务器创建证书：

& H2 m4 N, [; z0 @[root@ftp CA]# mkdir /etc/vsftpd/certs
[root@ftp CA]# cd /etc/vsftpd/certs
9 V: e: K$ t- f4 ~- q, i[root@ftp certs]# openssl genrsa 1024 >vsftpd.key
Generating RSA private key, 1024 bit long modulus
" {2 w! f- }* |6 h, `; j/ @
....++++++
! O: n' d  h* \) O9 V...++++++
e is 65537 (0x10001)
" g9 c, X$ Y/ {% q: v- {4 R
[root@ftp certs]# openssl req -new -key vsftpd.key -out vsftpd.csr

' f- d; s" t+ p6 uYou are about to be asked to enter information that will be incorporated
/ r  i: g. Z$ F0 l
& \8 {7 s$ p/ x. g9 [$ vinto your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.
$ T: u0 J2 Y: k8 t8 G
There are quite a few fields but you can leave some blank

For some fields there will be a default value,
. k9 W$ K7 `* J2 n: {1 ?
If you enter '.', the field will be left blank.
6 ]* f- A/ F1 P: I6 d
0 K8 v/ A2 v; t& i7 I( s-----
4 J. y, L" m, t4 a; Q) W  ]Country Name (2 letter code) [GB]:cn
- @/ {; Q; @+ y% i
, F) }0 |& m8 r6 W7 EState or Province Name (full name) [Berkshire]:henan

Locality Name (eg, city) [Newbury]:zhengzhou

Organization Name (eg, company) [My Company Ltd]:junjie
3 p8 ?3 f$ l' j
3 y! A% ~6 ~- z9 J; d/ v6 iOrganizational Unit Name (eg, section) []:ftp

Common Name (eg, your name or your server's hostname) []:ftp.junjie.com
' ~- y. c& u  o1 ^" u4 v
9 t, r1 I* T; h, K) }* d' GEmail Address []:ftp@junjie.com

4 c& h6 |& q: |  |Please enter the following 'extra' attributes

. ?! A- M0 m, g& H* o7 Y. q& Eto be sent with your certificate request
2 w& X5 W4 b9 o. ~
A challenge password []:

, j8 e9 \4 |/ P; B0 vAn optional company name []:

/ f+ t: j: Q( Q( W" N1 n# n, G  O[root@ftp certs]# openssl ca -in vsftpd.csr -out vsftpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
) V' A- f1 ^; N; x" g5 q
: r! C* C  g2 O: zCheck that the request matches the signature

: }6 P; W  |/ B& W# p) Z3 aSignature ok
- i4 G/ a5 ]3 J! {! {/ U8 g; {Certificate Details:

        Serial Number: 1 (0x1)
        Validity
: n9 q8 v/ p9 s, O& s9 l! a            Not Before: Feb 10 15:48:55 2012 GMT

/ z- @; l5 m/ R" s, v            Not After : Feb 9 15:48:55 2013 GMT
' r- T, s3 E# X        Subject:
            countryName               = cn
            stateOrProvinceName       = henan
            organizationName          = junjie
            organizationalUnitName    = ftp
            commonName                = ftp.junjie.com
            emailAddress              = junjie@junjie.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
; g* V( ^) y- P# D4 o            X509v3 Subject Key Identifier:
% {3 w. L( r2 s2 u6 |                33:C5:01:33:A5:CF:42:9F:24:A9:0D:E9:41:8E:26:C3:1B:7B:18:11
5 ]5 p0 B. Q) s3 b/ R3 Z2 [! l7 |$ S
            X509v3 Authority Key Identifier:
6 n% `7 e) ?- c1 Y9 P0 G( Z8 t  E; p                keyid:501:A8:0A:1F:B7:CD:49:94:69:E3:70:E9:AE:93:73:2C:94:66:AC

* \- ~8 R6 C8 b+ B& }5 \- m
, a1 a$ n& e5 m) E9 t1 k  z2 A3 UCertificate is to be certified until Feb 9 15:48:55 2013 GMT (365 days)
0 X/ e. e! \' j
Sign the certificate? [y/n]:y

' k5 W% f4 _; W( {
: y! z& G- m7 E6 I
1 out of 1 certificate requests certified, commit? [y/n]y
/ l6 @- O% m& d9 M$ N5 @
* i! _; j2 x' b# p+ BWrite out database with 1 new entries
$ `7 o0 V6 C9 ]& b) w1 F( v- `( l& Z
' E" x+ u- g' `3 d( `4 F+ m0 m. TData Base Updated
0 ]& b$ k3 C+ i$ b$ ]( w[root@ftp certs]# ll
+ Z1 a' h$ w) C0 C) w! F[root@ftp certs]# chmod 600 *
( a' V( r( B/ h* R* o  p[root@ftp certs]# ll
④.使ftp服务应用证书：

$ j. D: Y) _2 y1 \) P) U/ k/ a[root@ftp certs]# cd /etc/vsftpd/            
[root@ftp vsftpd]# vim vsftpd.conf         #增加以下内容
# K$ H- i. X! x) \" h118 rsa_cert_file=/etc/vsftpd/certs/vsftpd.crt
& [8 w& `; ^4 B5 W
) Y% W: k/ ?; r8 E119 rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key
% [) u4 A8 N9 O2 e  `9 R( k' b
  d' ?: `3 M0 Y- E120 force_local_data_ssl=YES
121 force_local_logins_ssl=YES
) J' x# E# r4 C  K4 Z6 i; m5 D122 ssl_enable=YES
123 ssl_sslv2=YES
( d7 Y, o% g, z# Z9 i5 ~- p# W3 P  r124 ssl_sslv3=YES
125 ssl_tlsv1=YES
; Q2 G+ U  e9 z, o3 Y[root@ftp vsftpd]# service vsftpd restart

/ C" F% I4 V  }Shutting down vsftpd:                                      [ OK ]
Starting vsftpd for vsftpd:                                [ OK ]
⑤客户端测试（已加密传输）：


. Z% x  @5 e& U  }! c8 ~: m! g


) }8 ]  J7 m, S; l& U从上面看出证书名称出现问题，但可是可以使用！选择接收一次！



该次登录抓包内容如下所示：传输已经经过加密！
7 E% ?- b5 P$ r( U7 ^[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"
" X; Z3 r' f- A6 F2 P$ k


[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"

' H0 ?. I$ D; x, Z# T7 r9 uRunning as user "root" and group "root". This could be dangerous.

% Z7 `' }- x- d7 U0 QCapturing on eth0

9.742109 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
# s; Y, ~9 n+ |' C& ?8 O
: m; [8 @0 P( g5 D  g. I* \+ ?& i 9.742144 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1 Ack=1 Win=65700 Len=0

" K6 ^1 C5 I, O0 n5 L# Y) i& W 9.747458 192.168.101.113 -> 192.168.101.210 FTP Request: AUTH SSL

9.755605 192.168.101.113 -> 192.168.101.210 FTP Request: \200\310\001\003\001\000\237\000\000\000 \000\300\024\000\300
; m/ j* s; ^- W
9.758795 192.168.101.113 -> 192.168.101.210 FTP Request: \026\003\001\000\206\020\000\000\202\000\200n\257\315\204\324o
$ n9 O! [* n: j+ m6 _0 x5 I
9.778662 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\215\325t\357\277\001\376FZ\243D\373\003\367\231\207Q\324\003Q}/\335\025\027\003\001\000 \f\355b\270\355\325\020[\372\302s{^\375\307\364C\307\243\251v9\370\364\260\277\253\317\321gB]

9.779885 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\324\000\267\312\0320\213\266y\311\025[\371\275?\254Y\257\024[\245vjM\027\003\001\000(\236\321\221Z\321Z(\316'\343.\235?\321=8\264b\270(j\336\231\210\265\207K\223A\037"\277\251\252t\252a`\374
1 R! g) \3 f9 }" Q! c
9.782153 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\257d\313mXZT\356\2366\334q\223\017gt\371\232\207\226\325
7 ^4 F- c2 Z! t. M/ n1 c* M
2 b4 I- j7 `4 \% _ 9.793165 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\0301\020S\237\372\210\004N4\370\366\377\2213m\356\233w:\275)>@%\027\003\001\000 Y\032\275BM=3J\313\240\241\372Z\371@\335\262\252\240\235\021\345\271\305\223\211\020\340\332\323Q\251
0 a, q4 b5 Q& i: ~
9.795630 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\302\016=LR\272\030{\034\277V\256]\230\247\363\355M\241\327U\207k\032\027\003\001\000 OYi\216=S\322\212)\271V\016\2519w\332f\213\222S\244\275M\316\025N\302:k\312b\331
% u" J0 r! H1 N* H8 U
1 x# G2 a% h$ h( ]2 R5 e 9.796727 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1260 Win=64440 Len=0
6 h) t# q1 }2 I0 F" U0 _' L
$ ^  j2 [" \4 m8 x5 s* j2 Q 9.797542 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1334 Win=64364 Len=0

9.798327 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1408 Win=64292 Len=0

) F+ Q! c% Z( N6 o( R4 r5 L 9.798775 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1482 Win=65700 Len=0
* u0 J' a, M6 f' ?0 I
9.799387 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1564 Win=65616 Len=0

1 ]3 P  O% w; g( T4 d 9.799910 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1638 Win=65544 Len=0
* y1 y; P  g/ V1 x. P5 _/ [) R0 A
) |; E/ |1 |5 \8 ?, b5 X1 i9 W 9.805078 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030G}\305\210\021s\244q\023k=\345R\232A\366B\360\202\320\361(x\344\027\003\001\000 \351W\350\377\362\2756\334\303\035+1l|{\304\277\224\326n\036d\213\217\b\216\023N\225\003a\274
& u$ k+ P$ C8 i. g- |& z( k- ?: R& K4 h
9.810763 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\203\354F\302\253\205\212\355\334$\321=\303h\276\302\350\320.\346\223\337BG\027\003\001\000 73\027\372#\232
+ C0 k* s0 w, o, l& h# `4 f+ x8 B
9.813350 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\203x`k\337RM\341w\022N\255|f\260U ?\354)A\301^\251\027\003\001\000 \031`\366\364He\030\266z)\373\265\237\261\3430\220\331\340Kv[\033\347\tXj\344\314\236\242
; c& R' w. r2 k% c7 t9 n" T5 h5 H
9.814073 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\307\2126sY\a\237\034\321\277!j\320\213\235\032\277e\345\361E>|)\027\003\001\000 \256\304}:-\365\034\aD~\fk`]\314\b\207\365-\217\305\244
  h1 s) I' q" u1 G9 T) b: K
( w8 B+ X  v: Z8 Y( M4 \+ [: T 9.838659 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\300\272t&\t(\262\243\361\210\263\343\326\261\017$\317V\002\354\325\271\250\366\027\003\001\000 \350F\305\360\363\365\033\274W\207M\006\216\255\016\365\205z\033\002\032B\345,\3712\034\377\327[\272P
% C7 _, A; h/ E1 y6 y3 Q% c
5 A( i2 ?: x% Y! }2 P( u& B, S 9.851675 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1071 Ack=2041 Win=65140 Len=0

: _! J" R3 i  C  e# x) \ 9.856073 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\f\357\000E/\372\333\247\016\344\315\345\346\271L\327\214CE0*i\316\332\027\003\001\000(8\220\341\316.*\234dM\235

10.061779 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1145 Ack=2094 Win=65088 Len=0
; H% o0 k9 m) o* Q2 [
39.978110 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030=\032\322\022\216B\025O\016\034
. X; k3 C" i' o4 {) X) ]
39.980672 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [FIN, ACK] Seq=1211 Ack=2139 Win=65040 Len=0

39.980725 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [RST, ACK] Seq=1212 Ack=2149 Win=0 Len=0

27 packets captured
$ t9 }6 E# S3 K2 h) m7 v( Y% G7 a
[root@ftp ~]#