FTPS（FTP+SSL）

admin

FTPS（FTP+SSL）

4 @% ?7 p6 d( M" c( M4 P9 ]0 y   ftps是一种多传输协议，相当于加密版的FTP。当你在FTP服务器上收发文件的时候，你面临两个风险。第一个风险是在上载文件的时候为文件加密。第二个风险是，这些文件在你等待接收方下载的时候将停留在FTP服务器上，这时你如何保证这些文件的安全。你的第二个选择(创建一个支持SSL的FTP服务器)能够让你的主机使用一个FTPS连接上载这些文件。这包括使用一个在FTP协议下面的SSL层加密控制和数据通道。一种替代FTPS的协议是安全文件传输协议(SFTP)。这个协议使用SSH文件传输协议加密从客户机到服务器的FTP连接。

+ n8 g2 p, K8 _! m# R6 Y/ x
$ i: d* p# V0 k, ]4 `. s  ]FTPS是在安全套接层使用标准的FTP协议和指令的一种增强型TFP协议，为FTP协议和数据通道增加了SSL安全功能。FTPS也称作“FTP-SSL”和“FTP-over-SSL”。SSL是一个在客户机和具有SSL功能的服务器之间的安全连接中对数据进行加密和解密的协议。


和sftp连接方法类似，在windows中可以使用FileZilla等传输软件来连接FTPS进行上传，下载文件，建立，删除目录等操作,在FileZilla连接时，有显式和隐式TLS/SSL连接之分，连接时也有指纹提示。

% l$ ?+ k* Z% B- C5 u
$ u# H5 t( g! A. P0 g4 C7 g
安全：ftps ftp+ssl

准备工作：

准备一:关闭防火墙；

  ^$ H. O7 Z$ U5 m7 J准备二：挂载光盘；
  i/ E2 r" ^5 }5 A5 r4 n; b' y3 G2 X
4 B/ M( V& g. s/ ^4 [5 Q0 ?准备三：构建本地yum服务器。

FTP+SSL配置详细过程:
9 S' x, p3 b! j' X# z1 Y! h3 ^
①.安装配置FTP服务器和抓包工具：（ftp：192.168.101.210）

[root@ftp ~]# yum list all |grep vsftpd
[root@ftp ~]# yum install -y vsftpd

[root@ftp ~]# yum list all |grep wireshark
. Y4 Z9 G- P% E
[root@ftp ~]# yum install -y wireshark
; p3 A& e5 F/ g# c" s
; F. m: ]3 u2 g- G[root@ftp ~]# useradd user1
" \" X2 o& l+ X' c[root@ftp ~]# echo "123" |passwd --stdin user1

; K& Z' ~  l  i1 [- ]  B4 w) y[root@ftp ~]# service vsftpd start

' ?& Y; B; K& TStarting vsftpd for vsftpd:                                [ OK ]
/ ~1 b  Z4 {3 r$ W$ h! X
! ^, U9 j- x2 i; {; s  ~
[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"
$ v: M' J( ?0 W8 [( Y" y- T
% w; F0 P' [  N" H0 z% J
" y. _4 f5 y0 b$ e3 [! R4 `
②.配置本地CA证书服务器：
( N; `  ?' ]1 c1 G# O1 a* L0 u
% r0 _# F6 A5 C1 e, G+ K4 z+ c[root@ftp ~]# cd /etc/pki/
' q/ O7 f, ~+ S" d6 j7 W9 C[root@ftp pki]# ll
& J' b5 j+ F9 I& r& F$ i' u5 x[root@ftp pki]# vim tls/openssl.cnf
! z4 |, [; L0 W/ h0 F6 a6 J5 c9 w( r45 dir             = /etc/pki/CA
' f/ S. e, [# B6 l" T# H8 @6 m88 countryName             = optional

89 stateOrProvinceName     = optional
0 y7 D; u8 p8 Z9 W
90 organizationName        = optional

[root@ftp pki]# cd CA/
6 m& x% I1 l% e8 v4 ^[root@ftp CA]# mkdir certs newcerts crl
" ?* Y0 i% L9 b+ K. z- C" R; g) o/ F[root@ftp CA]# touch index.txt serial
$ G. K" Y! o' E; p' z[root@ftp CA]# echo "01" >serial

[root@ftp CA]# ll
# }4 ^' ?8 ]6 D9 k[root@ftp CA]# openssl genrsa 1024 > private/cakey.pem

Generating RSA private key, 1024 bit long modulus
7 q1 J4 G- U& y7 g
- V! x' J+ J; _- m2 t...........++++++
....++++++
e is 65537 (0x10001)
, T" S3 G  }: s- g; Q  W5 v6 e& S8 O
[root@ftp CA]# chmod 600 private/cakey.pem
[root@ftp CA]# ll private/cakey.pem
& y& M8 V( Z! X5 b-rw------- 1 root root 887 Feb 10 23:22 private/cakey.pem
[root@ftp CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
4 x; ~% {) s' o. B. R
. a; M& V) L! z9 x# m; P/ W0 wYou are about to be asked to enter information that will be incorporated

into your certificate request.

4 y9 m4 N! @" @6 h: S, RWhat you are about to enter is what is called a Distinguished Name or a DN.
% o3 n9 Z9 b# o5 _
There are quite a few fields but you can leave some blank
( V9 B1 d! v; A, j
3 e+ A! R, q) d! k/ D3 UFor some fields there will be a default value,

If you enter '.', the field will be left blank.

4 H# R# k# Y0 a1 d-----
1 O; I+ T0 c* l$ b7 r4 \2 \* J5 RCountry Name (2 letter code) [GB]:cn

: M2 R5 p0 ~5 y0 Y" j) J: vState or Province Name (full name) [Berkshire]:henan

Locality Name (eg, city) [Newbury]:zhengzhou

8 k0 }' |2 B- O0 E) yOrganization Name (eg, company) [My Company Ltd]:junjie
) S# f( C0 w3 Q/ y, Y
Organizational Unit Name (eg, section) []:soft

Common Name (eg, your name or your server's hostname) []:ca.junjie.com

. \+ s3 Y$ W( }7 j0 x& a% i! J+ j. @4 cEmail Address []:junjie@junjie.com
[root@ftp CA]#ll
③.为ftp服务器创建证书：

% ]+ l  l- z* `9 ^- }' ^) W[root@ftp CA]# mkdir /etc/vsftpd/certs
[root@ftp CA]# cd /etc/vsftpd/certs
[root@ftp certs]# openssl genrsa 1024 >vsftpd.key
Generating RSA private key, 1024 bit long modulus
/ E  m2 m$ Y& j" u& u2 L0 `8 ?7 B9 U
....++++++
...++++++
# U& ~$ j$ Z8 P7 \& De is 65537 (0x10001)

6 i2 X0 S+ T7 k: S0 n+ ?9 k0 ][root@ftp certs]# openssl req -new -key vsftpd.key -out vsftpd.csr
$ e: s9 f3 z" ^7 \/ e+ N0 k
* O; e' Y. [! X4 K9 {, D7 nYou are about to be asked to enter information that will be incorporated

into your certificate request.
; u7 o* g& s$ k, ^( R- ^
What you are about to enter is what is called a Distinguished Name or a DN.
: }' ]  l% x/ X! g& R7 O. _
3 e$ }) O; ~3 gThere are quite a few fields but you can leave some blank
" D5 `! H: ^9 f
; x3 l. b$ j2 n+ j5 a6 w) fFor some fields there will be a default value,

$ E2 K0 o; a+ t5 f8 e8 I; ~, Q3 A- XIf you enter '.', the field will be left blank.
, h4 D  X7 [; v8 h" G5 ?
-----
Country Name (2 letter code) [GB]:cn
  u/ p& ^) D# r6 {' Y" e
State or Province Name (full name) [Berkshire]:henan
' n" n+ t% `2 F! g2 Q
Locality Name (eg, city) [Newbury]:zhengzhou
7 f1 m# X0 q! S5 M7 P( O
Organization Name (eg, company) [My Company Ltd]:junjie
+ E! H: r! u  [8 g
Organizational Unit Name (eg, section) []:ftp

Common Name (eg, your name or your server's hostname) []:ftp.junjie.com

Email Address []:ftp@junjie.com
! ^. [2 Q# u  ]2 p# c+ a$ e: C
Please enter the following 'extra' attributes
3 k/ J9 n6 I+ U& ~
to be sent with your certificate request
; Z# }, V( M# s/ J9 W
A challenge password []:
  ]0 L0 Z( F; k5 V
5 H1 `/ l: i4 _- M8 u/ nAn optional company name []:
2 c3 x: n4 D( f5 s: q0 ?
, O( t5 ^% z3 t; T+ q[root@ftp certs]# openssl ca -in vsftpd.csr -out vsftpd.crt
& x! V( `; I# s7 _Using configuration from /etc/pki/tls/openssl.cnf
4 R$ L% e6 F1 F, h3 d
* @0 s3 y1 b8 Y2 I1 A6 CCheck that the request matches the signature

Signature ok
5 Z' `0 c; g+ U1 ZCertificate Details:

        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 10 15:48:55 2012 GMT

+ z, o$ B/ V  i) W# E  h            Not After : Feb 9 15:48:55 2013 GMT
9 L9 F9 k2 m9 i- ^: T  D3 Y        Subject:
. U+ q. e- C  q: s2 M9 h' r! E  Y            countryName               = cn
            stateOrProvinceName       = henan
            organizationName          = junjie
) }/ O/ [/ z" m- }2 W' ^3 m3 K; c            organizationalUnitName    = ftp
            commonName                = ftp.junjie.com
            emailAddress              = junjie@junjie.com
        X509v3 extensions:
            X509v3 Basic Constraints:
% Z) c$ s$ G5 p7 I                CA:FALSE
            Netscape Comment:
% T! q9 u: ?( c: G4 ~5 s, i" `                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
& t$ p/ j9 Q& |' [                33:C5:01:33:A5:CF:42:9F:24:A9:0D:E9:41:8E:26:C3:1B:7B:18:11
. a* N- e$ V) ]* F3 k( g
            X509v3 Authority Key Identifier:
  R4 K; T& Q: Q% L) @- _( X3 A' b                keyid:501:A8:0A:1F:B7:CD:49:94:69:E3:70:E9:AE:93:73:2C:94:66:AC
. A' A6 A6 k- n  I! O
3 ^- j0 J# d8 b0 L5 j* a
" g; Z) S$ x  Y+ _Certificate is to be certified until Feb 9 15:48:55 2013 GMT (365 days)
% W; e: v: Q% b" v1 }! i
5 ~9 s; J% h1 ASign the certificate? [y/n]:y
) j  g: v# p7 x5 ^) _* q% O  v
2 J7 N* ^! k; t1 ~: N

" W9 B/ T7 Q0 Y4 H# A3 p; K1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

- ]. A" }# `8 Q$ S# ~Data Base Updated
- M, `0 g; M8 `2 f% `[root@ftp certs]# ll
4 R7 e+ s/ `1 ?* p# q8 T  ?[root@ftp certs]# chmod 600 *
[root@ftp certs]# ll
% r, Y  [0 W  w④.使ftp服务应用证书：
  m0 J, E4 V0 C8 Y+ C& K3 v! n
. P. D% n* J) E" N. i[root@ftp certs]# cd /etc/vsftpd/            
7 F8 F# n( J0 d: g[root@ftp vsftpd]# vim vsftpd.conf         #增加以下内容
! d  h! ?$ O: P4 q; b8 c7 f3 `118 rsa_cert_file=/etc/vsftpd/certs/vsftpd.crt

119 rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key

+ w3 n5 I  R- A5 O120 force_local_data_ssl=YES
: n! b4 a9 m: I, w121 force_local_logins_ssl=YES
4 H% p! A2 J  X" c0 I$ d8 g122 ssl_enable=YES
2 N8 |* M: C8 `. z7 t! ^123 ssl_sslv2=YES
124 ssl_sslv3=YES
0 s+ y/ _8 j/ J. w125 ssl_tlsv1=YES
0 m, q# I5 g, J& q/ U9 k  I) v[root@ftp vsftpd]# service vsftpd restart

2 _0 u! H$ o& F+ X1 k% YShutting down vsftpd:                                      [ OK ]
Starting vsftpd for vsftpd:                                [ OK ]
' `4 B0 U9 h7 J5 v⑤客户端测试（已加密传输）：



% a# c: r8 n3 [# b! r, H

5 Q5 g4 s- G3 H8 i3 @) x从上面看出证书名称出现问题，但可是可以使用！选择接收一次！

; r1 M4 [, e# n5 n  z! D
1 a3 t3 }$ L/ j
$ g5 q, O* x9 F) K8 m该次登录抓包内容如下所示：传输已经经过加密！
) K1 x: b7 L7 z/ R[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"

0 w' e- F7 p9 t' E; d1 {9 B+ y
+ o8 S0 q" C% k$ j
) W- q* W& a" {5 Y: S  g4 u8 E[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"
3 d' ]/ @9 o; X' D4 S$ [
Running as user "root" and group "root". This could be dangerous.

Capturing on eth0

& L! Y) L0 |5 q: `8 @ 9.742109 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
4 A8 p: {. t- d8 _. F$ x) x/ H' m
9.742144 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1 Ack=1 Win=65700 Len=0
. S0 m& [2 m% ?7 ?5 x
9.747458 192.168.101.113 -> 192.168.101.210 FTP Request: AUTH SSL

3 y; d, w# a" [+ q% R' {; a 9.755605 192.168.101.113 -> 192.168.101.210 FTP Request: \200\310\001\003\001\000\237\000\000\000 \000\300\024\000\300
7 B* W6 w  r8 [" w
9.758795 192.168.101.113 -> 192.168.101.210 FTP Request: \026\003\001\000\206\020\000\000\202\000\200n\257\315\204\324o
# p! A( O+ Z( ^- K8 u1 k0 w- ^
9.778662 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\215\325t\357\277\001\376FZ\243D\373\003\367\231\207Q\324\003Q}/\335\025\027\003\001\000 \f\355b\270\355\325\020[\372\302s{^\375\307\364C\307\243\251v9\370\364\260\277\253\317\321gB]

9.779885 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\324\000\267\312\0320\213\266y\311\025[\371\275?\254Y\257\024[\245vjM\027\003\001\000(\236\321\221Z\321Z(\316'\343.\235?\321=8\264b\270(j\336\231\210\265\207K\223A\037"\277\251\252t\252a`\374

9.782153 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\257d\313mXZT\356\2366\334q\223\017gt\371\232\207\226\325

9.793165 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\0301\020S\237\372\210\004N4\370\366\377\2213m\356\233w:\275)>@%\027\003\001\000 Y\032\275BM=3J\313\240\241\372Z\371@\335\262\252\240\235\021\345\271\305\223\211\020\340\332\323Q\251
1 b: ]0 F$ A# B- a
9.795630 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\302\016=LR\272\030{\034\277V\256]\230\247\363\355M\241\327U\207k\032\027\003\001\000 OYi\216=S\322\212)\271V\016\2519w\332f\213\222S\244\275M\316\025N\302:k\312b\331

9.796727 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1260 Win=64440 Len=0

9.797542 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1334 Win=64364 Len=0

: |* S/ f2 q) i  b6 {# l7 G. }# k7 U 9.798327 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1408 Win=64292 Len=0
' y7 r/ T" X; @6 B7 K
  A" B4 w* [' i 9.798775 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1482 Win=65700 Len=0

9.799387 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1564 Win=65616 Len=0
3 `( W: B5 F- h) l, h0 G% R" G
9.799910 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1638 Win=65544 Len=0

9.805078 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030G}\305\210\021s\244q\023k=\345R\232A\366B\360\202\320\361(x\344\027\003\001\000 \351W\350\377\362\2756\334\303\035+1l|{\304\277\224\326n\036d\213\217\b\216\023N\225\003a\274
0 {3 ~/ I; P, m
9 O5 Y' A$ \$ ~' p. [+ T; L) ` 9.810763 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\203\354F\302\253\205\212\355\334$\321=\303h\276\302\350\320.\346\223\337BG\027\003\001\000 73\027\372#\232
9 t! l# ^) V) S0 A& v9 P
8 I3 S3 M+ M: |7 X6 F  z* D% [ 9.813350 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\203x`k\337RM\341w\022N\255|f\260U ?\354)A\301^\251\027\003\001\000 \031`\366\364He\030\266z)\373\265\237\261\3430\220\331\340Kv[\033\347\tXj\344\314\236\242
$ T  Z, \% y$ R/ ]- f
# f8 E' ~( s" q! j) [) O9 a 9.814073 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\307\2126sY\a\237\034\321\277!j\320\213\235\032\277e\345\361E>|)\027\003\001\000 \256\304}:-\365\034\aD~\fk`]\314\b\207\365-\217\305\244

9.838659 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\300\272t&\t(\262\243\361\210\263\343\326\261\017$\317V\002\354\325\271\250\366\027\003\001\000 \350F\305\360\363\365\033\274W\207M\006\216\255\016\365\205z\033\002\032B\345,\3712\034\377\327[\272P
6 k6 C. e) }& q6 k% u8 A; `
9.851675 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1071 Ack=2041 Win=65140 Len=0
  ?5 W6 N: f" r
3 ~7 Y2 }# U' w- N; n$ _ 9.856073 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\f\357\000E/\372\333\247\016\344\315\345\346\271L\327\214CE0*i\316\332\027\003\001\000(8\220\341\316.*\234dM\235
# y4 O0 \! q* ~! O
/ r2 h$ Y$ D! n. n- w! ~- ] 10.061779 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1145 Ack=2094 Win=65088 Len=0
5 a1 P7 R. z6 S
39.978110 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030=\032\322\022\216B\025O\016\034

/ Q/ k7 l- V- K! r 39.980672 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [FIN, ACK] Seq=1211 Ack=2139 Win=65040 Len=0

) i+ t* h, L& C, c# v5 a 39.980725 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [RST, ACK] Seq=1212 Ack=2149 Win=0 Len=0

27 packets captured
$ {# ?7 a; {1 r$ T. e$ R! o% |6 H
[root@ftp ~]#