FTPS（FTP+SSL）

admin

FTPS（FTP+SSL）
# _7 L7 K$ A3 A1 e; @
   ftps是一种多传输协议，相当于加密版的FTP。当你在FTP服务器上收发文件的时候，你面临两个风险。第一个风险是在上载文件的时候为文件加密。第二个风险是，这些文件在你等待接收方下载的时候将停留在FTP服务器上，这时你如何保证这些文件的安全。你的第二个选择(创建一个支持SSL的FTP服务器)能够让你的主机使用一个FTPS连接上载这些文件。这包括使用一个在FTP协议下面的SSL层加密控制和数据通道。一种替代FTPS的协议是安全文件传输协议(SFTP)。这个协议使用SSH文件传输协议加密从客户机到服务器的FTP连接。
5 c3 [) x$ W' ~5 o
: ]; V( E* A. }3 e- R
3 G; R' \7 y/ x! T0 ]& cFTPS是在安全套接层使用标准的FTP协议和指令的一种增强型TFP协议，为FTP协议和数据通道增加了SSL安全功能。FTPS也称作“FTP-SSL”和“FTP-over-SSL”。SSL是一个在客户机和具有SSL功能的服务器之间的安全连接中对数据进行加密和解密的协议。


和sftp连接方法类似，在windows中可以使用FileZilla等传输软件来连接FTPS进行上传，下载文件，建立，删除目录等操作,在FileZilla连接时，有显式和隐式TLS/SSL连接之分，连接时也有指纹提示。

  P' s7 L. X& Z$ k% B$ u

- t+ r* e! Y+ ?% C- _安全：ftps ftp+ssl
- U% i6 t4 G% {; K, P
准备工作：
) s/ u0 P0 Z# g, t
" o( o2 |5 Q1 Y9 o/ @7 J4 O1 }" h准备一:关闭防火墙；
. m5 R/ N' o/ W/ u, }- H
准备二：挂载光盘；

准备三：构建本地yum服务器。

" F& q0 ~) l! L) v2 PFTP+SSL配置详细过程:
% k/ c4 A# K: c/ N! X/ |* _
- X' P% s9 N7 N" q6 m: U' }/ }; {①.安装配置FTP服务器和抓包工具：（ftp：192.168.101.210）
% i* M/ e) Z! o; Z' |0 K
[root@ftp ~]# yum list all |grep vsftpd
& _6 H& X  j+ ?0 m7 ~[root@ftp ~]# yum install -y vsftpd
% b2 v/ O4 O* C- j# k
/ O5 H  I1 V- f1 N[root@ftp ~]# yum list all |grep wireshark
1 h( Q; p3 {- `7 n: `
4 p( V, m( Y: o; K, L[root@ftp ~]# yum install -y wireshark
% l! N, `8 p+ Q* D2 V
[root@ftp ~]# useradd user1
[root@ftp ~]# echo "123" |passwd --stdin user1

[root@ftp ~]# service vsftpd start
7 o: a2 F5 U9 `
Starting vsftpd for vsftpd:                                [ OK ]


5 m9 A% X, S! j- q: _6 r  @[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"
: j2 H8 U; f0 ~* {9 J

" R/ G/ p/ Z/ y/ X) e7 `
②.配置本地CA证书服务器：
5 K) n( G' ^  T% F, }+ f; ]
3 y* G' P0 @' F$ d[root@ftp ~]# cd /etc/pki/
$ F3 Z' N2 G4 G* l[root@ftp pki]# ll
6 C. q$ r$ `/ b: z[root@ftp pki]# vim tls/openssl.cnf
# V7 Q0 L, `* y1 A) W9 r45 dir             = /etc/pki/CA
88 countryName             = optional

89 stateOrProvinceName     = optional
5 ~1 T; L& M5 Z
90 organizationName        = optional

; G; N" k& }2 m  G9 Y7 A; ^[root@ftp pki]# cd CA/
; }/ W5 M  ]- V2 u[root@ftp CA]# mkdir certs newcerts crl
  ~0 ~, z" F( l. W0 u/ C[root@ftp CA]# touch index.txt serial
[root@ftp CA]# echo "01" >serial
& b3 x2 \8 {9 k* v; x
3 D6 Q, M6 `6 o' v- I% V[root@ftp CA]# ll
0 v' M! A+ v# d' E[root@ftp CA]# openssl genrsa 1024 > private/cakey.pem

( Z% O4 O6 z( ]; BGenerating RSA private key, 1024 bit long modulus
3 \; s8 Q6 \  H; O( ?
...........++++++
....++++++
e is 65537 (0x10001)

' Y- J, _2 J9 f& x5 J& a1 y[root@ftp CA]# chmod 600 private/cakey.pem
, y8 `# j7 q6 W3 k5 Q# K- d[root@ftp CA]# ll private/cakey.pem
& ^+ n3 Y1 G. t2 q. [" `-rw------- 1 root root 887 Feb 10 23:22 private/cakey.pem
" N" q6 Z2 x1 U: {0 }[root@ftp CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
4 L0 F7 Y8 s  U* g& a2 x
; {" x9 d) U7 H: g5 AYou are about to be asked to enter information that will be incorporated
  w1 Y, l$ f! I$ P6 `
( v4 B5 e$ D+ K7 m0 C* Ninto your certificate request.

$ P$ A: b8 ~9 D) j! l" _/ K/ jWhat you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

. f$ b# B2 @% q) d4 ^% gFor some fields there will be a default value,

! t3 `( n$ b4 |( F- pIf you enter '.', the field will be left blank.
: T: E) I: v  o: q% i5 \. i& m/ x
-----
Country Name (2 letter code) [GB]:cn
" L! |% L; C4 ^- f4 ]
" }- H7 i: m# Q& ~# ?$ M; `6 JState or Province Name (full name) [Berkshire]:henan
' o+ L  m8 W' H: t% e% \" _
3 s3 }1 m1 [7 d! iLocality Name (eg, city) [Newbury]:zhengzhou
" N. X2 V% o  s3 a
Organization Name (eg, company) [My Company Ltd]:junjie

) w( X+ ^8 r  e' [' w8 x0 sOrganizational Unit Name (eg, section) []:soft

) @8 j9 P$ s. R% W% ?& GCommon Name (eg, your name or your server's hostname) []:ca.junjie.com
! G3 O4 [8 P. K% q; _4 a$ ?9 h
Email Address []:junjie@junjie.com
[root@ftp CA]#ll
* ^  c3 ^3 m' P" u③.为ftp服务器创建证书：
  t  Q/ i5 n* c/ p7 J( X( Z2 Q
( O0 j, r( t9 f( S5 X* K[root@ftp CA]# mkdir /etc/vsftpd/certs
) t) _! r# ]8 B6 ?; T7 r9 ~1 f[root@ftp CA]# cd /etc/vsftpd/certs
[root@ftp certs]# openssl genrsa 1024 >vsftpd.key
Generating RSA private key, 1024 bit long modulus

& A. A+ m/ [8 r5 e. X) D7 _/ E....++++++
- Q& e. L7 {4 ]. B7 W1 h...++++++
e is 65537 (0x10001)

. l, x$ q4 [( O[root@ftp certs]# openssl req -new -key vsftpd.key -out vsftpd.csr
% F8 ?2 t' @, s# [: A
  L( ^+ |/ i$ z4 u+ H. CYou are about to be asked to enter information that will be incorporated
4 a5 x- ~  [1 p" m
3 q) @; h( z$ i# dinto your certificate request.
4 V/ }* i/ |# O2 Q4 i9 t- l
' s4 a2 Q- H- gWhat you are about to enter is what is called a Distinguished Name or a DN.

* r/ |2 q. W* e4 X) `1 ^# B- nThere are quite a few fields but you can leave some blank
6 Y! v. c. |5 Q5 K6 j
For some fields there will be a default value,

1 B/ G1 ]" m$ w0 |* u7 J3 S/ AIf you enter '.', the field will be left blank.

+ h* }. F5 b. b' q7 t3 E-----
Country Name (2 letter code) [GB]:cn

# M" I9 `+ z  i9 |; dState or Province Name (full name) [Berkshire]:henan

+ I# X8 d: p2 }, GLocality Name (eg, city) [Newbury]:zhengzhou
6 V: d. X4 a- w5 ?' ], D6 Q
Organization Name (eg, company) [My Company Ltd]:junjie

Organizational Unit Name (eg, section) []:ftp

Common Name (eg, your name or your server's hostname) []:ftp.junjie.com
# T6 D+ v( H: M
* ]  c$ M, x6 R' y" o6 XEmail Address []:ftp@junjie.com
' q2 d1 L( F: s8 F& g0 y7 f
Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:
" ^3 u; [# G! `/ {& x8 `& B
: H5 j% X0 C1 b4 b9 FAn optional company name []:
  t5 D1 |  v0 S* _6 C) S. V# a5 S
[root@ftp certs]# openssl ca -in vsftpd.csr -out vsftpd.crt
0 l7 O7 Z* i9 Y1 y8 U0 O& d6 xUsing configuration from /etc/pki/tls/openssl.cnf

9 w' V+ G9 t. e3 h1 lCheck that the request matches the signature
1 s! L% j5 E& l/ G% _: p3 p! P6 {
Signature ok
# U% r4 L. a/ n, NCertificate Details:
3 K' i6 f" {/ h
' `! X0 R+ S7 O' ]  D; j% G" s# g( e        Serial Number: 1 (0x1)
        Validity
7 H1 @$ _  V" D3 }" L" H            Not Before: Feb 10 15:48:55 2012 GMT
9 Z8 U* x& f# R& Q6 i
3 |- Y" o1 k+ k& ~: T9 a/ s            Not After : Feb 9 15:48:55 2013 GMT
) g2 ]/ ?7 i% J        Subject:
" N5 p6 k5 C" H( a' h            countryName               = cn
            stateOrProvinceName       = henan
            organizationName          = junjie
0 k. s" ]; }# ^$ V            organizationalUnitName    = ftp
            commonName                = ftp.junjie.com
            emailAddress              = junjie@junjie.com
! _3 Z% g1 g9 e1 H        X509v3 extensions:
- o, L8 \4 l5 T$ d8 N            X509v3 Basic Constraints:
5 F# q2 w' Y+ u1 N1 W9 ]5 L" R                CA:FALSE
            Netscape Comment:
6 x. X4 F: j7 v- q- r, o4 O+ d2 {                OpenSSL Generated Certificate
; c3 K0 V! k$ P- @- w0 s            X509v3 Subject Key Identifier:
                33:C5:01:33:A5:CF:42:9F:24:A9:0D:E9:41:8E:26:C3:1B:7B:18:11
3 q) u4 F$ ^. l6 u
            X509v3 Authority Key Identifier:
                keyid:501:A8:0A:1F:B7:CD:49:94:69:E3:70:E9:AE:93:73:2C:94:66:AC
: `1 X+ A$ w$ ~$ B( Z
5 ^; s/ e7 G' |' B
' r7 V7 R5 @' L; G" G: jCertificate is to be certified until Feb 9 15:48:55 2013 GMT (365 days)
8 @# X( i2 L6 `( f# y1 D
Sign the certificate? [y/n]:y
7 G0 J# J4 q# F
0 \" y7 b4 U: y, m  [
, f6 c* f5 d3 [, e, O
8 f9 t+ @+ q& u. q7 w( Z) P: F1 out of 1 certificate requests certified, commit? [y/n]y
' y) l+ t2 l1 @! }0 Z! B  n8 X/ d3 K
4 s5 n( L6 c% {+ \& P( C1 r) VWrite out database with 1 new entries

3 z! \: R7 E# W) C$ S. T* s+ w' }Data Base Updated
[root@ftp certs]# ll
[root@ftp certs]# chmod 600 *
[root@ftp certs]# ll
④.使ftp服务应用证书：

( l! b, m8 r9 y- C[root@ftp certs]# cd /etc/vsftpd/            
[root@ftp vsftpd]# vim vsftpd.conf         #增加以下内容
118 rsa_cert_file=/etc/vsftpd/certs/vsftpd.crt
. \% y9 F9 D; S+ y' i  d
, v4 N6 }4 I& z119 rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key
: Z5 p7 y& Q5 f6 Y5 b! [
120 force_local_data_ssl=YES
121 force_local_logins_ssl=YES
( F# Z1 I% G; ^4 g# n2 `1 r2 m9 U8 c122 ssl_enable=YES
& h5 k. q4 X2 {- y5 a123 ssl_sslv2=YES
* U/ _3 ]$ n. H1 n, P124 ssl_sslv3=YES
5 s4 t% L6 D9 ?( O$ N$ I. [+ r125 ssl_tlsv1=YES
" J& l" r$ q  |* _8 z) ~6 o: g, @[root@ftp vsftpd]# service vsftpd restart

3 M. A; {7 k1 v. d5 ]Shutting down vsftpd:                                      [ OK ]
Starting vsftpd for vsftpd:                                [ OK ]
  n$ @' h8 q/ f" Z& N' q) B2 E2 [6 j⑤客户端测试（已加密传输）：
5 X1 ^/ f- ]% ]& r6 u% V  N
: S) a" E! Q, k$ j+ n4 V& {
4 L; X- ~/ K1 }8 O4 k( G$ `
2 j1 M8 `9 S" T" ~

从上面看出证书名称出现问题，但可是可以使用！选择接收一次！

+ D! X' h! N8 T0 c  U) ^% L

该次登录抓包内容如下所示：传输已经经过加密！
[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"
3 f9 m5 y0 W5 O- l4 X- V* L2 o. ?


2 a+ B7 _: Q0 d9 }' e9 p[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"

Running as user "root" and group "root". This could be dangerous.
4 Y' k; t! H3 n! b- ]
! M0 g; w8 [! L- i# XCapturing on eth0
& ]5 \0 @1 J* z; h
9.742109 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2

9.742144 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1 Ack=1 Win=65700 Len=0

' p4 H0 n+ s' ]+ ^* [4 e. ?7 i 9.747458 192.168.101.113 -> 192.168.101.210 FTP Request: AUTH SSL
/ f4 _% o; ]2 a+ ^
. E0 H' a( d( a* M) n 9.755605 192.168.101.113 -> 192.168.101.210 FTP Request: \200\310\001\003\001\000\237\000\000\000 \000\300\024\000\300

9.758795 192.168.101.113 -> 192.168.101.210 FTP Request: \026\003\001\000\206\020\000\000\202\000\200n\257\315\204\324o
. `; G$ L' |$ I5 Q
9.778662 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\215\325t\357\277\001\376FZ\243D\373\003\367\231\207Q\324\003Q}/\335\025\027\003\001\000 \f\355b\270\355\325\020[\372\302s{^\375\307\364C\307\243\251v9\370\364\260\277\253\317\321gB]
1 r% w7 F7 k9 V( V
9.779885 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\324\000\267\312\0320\213\266y\311\025[\371\275?\254Y\257\024[\245vjM\027\003\001\000(\236\321\221Z\321Z(\316'\343.\235?\321=8\264b\270(j\336\231\210\265\207K\223A\037"\277\251\252t\252a`\374
, ~5 [# @/ v- r# H5 K( l7 y
9.782153 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\257d\313mXZT\356\2366\334q\223\017gt\371\232\207\226\325

' H7 W! S8 v; F: e 9.793165 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\0301\020S\237\372\210\004N4\370\366\377\2213m\356\233w:\275)>@%\027\003\001\000 Y\032\275BM=3J\313\240\241\372Z\371@\335\262\252\240\235\021\345\271\305\223\211\020\340\332\323Q\251

2 n- w7 a+ i4 U( v! J. {  | 9.795630 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\302\016=LR\272\030{\034\277V\256]\230\247\363\355M\241\327U\207k\032\027\003\001\000 OYi\216=S\322\212)\271V\016\2519w\332f\213\222S\244\275M\316\025N\302:k\312b\331

4 J; ]- }2 w/ A% |) M' I 9.796727 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1260 Win=64440 Len=0
4 v9 N; S+ K1 @8 p, s" o
5 @7 c" n/ Q8 H' h  _ 9.797542 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1334 Win=64364 Len=0

" d- G4 o' g. o- ^+ ^' ?  H 9.798327 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1408 Win=64292 Len=0

9.798775 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1482 Win=65700 Len=0
& G8 ^8 ~% ~" K0 ^8 Q# a$ |) y
3 h! Q# H6 B* |  w' q" r2 V( G 9.799387 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1564 Win=65616 Len=0
6 R& u. o: q3 z% I0 S3 o/ C1 j$ |0 ^, P
9.799910 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1638 Win=65544 Len=0
9 H4 i" g. z# Z: D* G
! ~  K& c8 b0 A  f1 y- i( B$ s# W) Q 9.805078 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030G}\305\210\021s\244q\023k=\345R\232A\366B\360\202\320\361(x\344\027\003\001\000 \351W\350\377\362\2756\334\303\035+1l|{\304\277\224\326n\036d\213\217\b\216\023N\225\003a\274

9.810763 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\203\354F\302\253\205\212\355\334$\321=\303h\276\302\350\320.\346\223\337BG\027\003\001\000 73\027\372#\232
) {8 T6 f* f4 I! E% ]
. P+ z( s3 L% K( {. { 9.813350 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\203x`k\337RM\341w\022N\255|f\260U ?\354)A\301^\251\027\003\001\000 \031`\366\364He\030\266z)\373\265\237\261\3430\220\331\340Kv[\033\347\tXj\344\314\236\242
5 W4 \7 U" J3 y
9.814073 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\307\2126sY\a\237\034\321\277!j\320\213\235\032\277e\345\361E>|)\027\003\001\000 \256\304}:-\365\034\aD~\fk`]\314\b\207\365-\217\305\244
' F; n$ T0 D6 ?8 y" T" I
; D% Q! d& C, i; V; q7 y; x* z3 } 9.838659 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\300\272t&\t(\262\243\361\210\263\343\326\261\017$\317V\002\354\325\271\250\366\027\003\001\000 \350F\305\360\363\365\033\274W\207M\006\216\255\016\365\205z\033\002\032B\345,\3712\034\377\327[\272P

' H* C4 J: t/ P2 h. S0 t7 \ 9.851675 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1071 Ack=2041 Win=65140 Len=0

9.856073 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\f\357\000E/\372\333\247\016\344\315\345\346\271L\327\214CE0*i\316\332\027\003\001\000(8\220\341\316.*\234dM\235
* T' E( v8 P5 K- ~# b9 U8 J
10.061779 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1145 Ack=2094 Win=65088 Len=0
# F# Z5 B- ~/ G4 I  f( A# Z; D
39.978110 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030=\032\322\022\216B\025O\016\034

% P! s# y; G0 d# e- L; y2 E% r; V 39.980672 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [FIN, ACK] Seq=1211 Ack=2139 Win=65040 Len=0
4 Z/ P1 N; w9 U- L+ ]' D
39.980725 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [RST, ACK] Seq=1212 Ack=2149 Win=0 Len=0
# Z; E- Z2 C" _# N* a
: c! @+ G$ g% f27 packets captured
4 |8 T: ~: G7 T, n$ F: M
[root@ftp ~]#