FTPS（FTP+SSL）

admin

FTPS（FTP+SSL）

   ftps是一种多传输协议，相当于加密版的FTP。当你在FTP服务器上收发文件的时候，你面临两个风险。第一个风险是在上载文件的时候为文件加密。第二个风险是，这些文件在你等待接收方下载的时候将停留在FTP服务器上，这时你如何保证这些文件的安全。你的第二个选择(创建一个支持SSL的FTP服务器)能够让你的主机使用一个FTPS连接上载这些文件。这包括使用一个在FTP协议下面的SSL层加密控制和数据通道。一种替代FTPS的协议是安全文件传输协议(SFTP)。这个协议使用SSH文件传输协议加密从客户机到服务器的FTP连接。


. l6 v+ s1 T3 {- M  XFTPS是在安全套接层使用标准的FTP协议和指令的一种增强型TFP协议，为FTP协议和数据通道增加了SSL安全功能。FTPS也称作“FTP-SSL”和“FTP-over-SSL”。SSL是一个在客户机和具有SSL功能的服务器之间的安全连接中对数据进行加密和解密的协议。

, P2 @4 D( b. D. }1 d; i
0 c8 ~. x% A" |0 T: P和sftp连接方法类似，在windows中可以使用FileZilla等传输软件来连接FTPS进行上传，下载文件，建立，删除目录等操作,在FileZilla连接时，有显式和隐式TLS/SSL连接之分，连接时也有指纹提示。
/ l+ e- X0 c0 t  c6 h" Y) g0 s


安全：ftps ftp+ssl

8 C  ~- s( R! k8 k& }/ L准备工作：
* B/ i, T* I# N1 \, w# |1 R/ r
, x0 O" a/ b$ g4 f: [* }准备一:关闭防火墙；

准备二：挂载光盘；

: b/ a  G7 Y8 |" g& b7 [准备三：构建本地yum服务器。

FTP+SSL配置详细过程:

! {( X, h+ T# ]3 R+ s7 H1 n/ ]①.安装配置FTP服务器和抓包工具：（ftp：192.168.101.210）
+ V, K2 v- P! {( B  @: ~
[root@ftp ~]# yum list all |grep vsftpd
; h  M  w+ }7 G/ u! A7 Z8 x+ p[root@ftp ~]# yum install -y vsftpd

[root@ftp ~]# yum list all |grep wireshark
6 y) _1 k/ ]) K( ^# G
: H( w+ w, W" A- p) j. o. P) L) Z, n[root@ftp ~]# yum install -y wireshark

, T' R& [2 f; g: t. V. J: P/ c[root@ftp ~]# useradd user1
[root@ftp ~]# echo "123" |passwd --stdin user1
9 _/ C* `3 T$ F1 V
[root@ftp ~]# service vsftpd start

: y, m! E% @: L4 q. ?* kStarting vsftpd for vsftpd:                                [ OK ]

2 `9 I9 o1 u7 ^& m% R* P- p' a
  U9 d7 A5 y4 V, f  J- i[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"

8 T8 d& r: {$ Q& P2 |
4 N" o- G$ W& R- }% v! V* [' v
4 P3 |5 H; R  A  ?. |% u. `- |②.配置本地CA证书服务器：
( M0 e$ N' m/ s( e# ?/ N! F, z$ C
7 X, [. i" v1 A  }" S$ K[root@ftp ~]# cd /etc/pki/
[root@ftp pki]# ll
9 k) V2 i: }- ^3 }: `[root@ftp pki]# vim tls/openssl.cnf
45 dir             = /etc/pki/CA
88 countryName             = optional

89 stateOrProvinceName     = optional

: B/ T, U3 Q. D* k9 W1 _6 i90 organizationName        = optional

3 b* ?  y1 J; @1 c8 n) `5 e1 S3 [[root@ftp pki]# cd CA/
" y, X( O7 F* E. m[root@ftp CA]# mkdir certs newcerts crl
3 \1 }1 }/ c/ R" d( x[root@ftp CA]# touch index.txt serial
[root@ftp CA]# echo "01" >serial
1 {' j/ v  o, H* m# I1 Q
[root@ftp CA]# ll
5 s! S8 b3 M' F/ T' r1 ^[root@ftp CA]# openssl genrsa 1024 > private/cakey.pem

Generating RSA private key, 1024 bit long modulus

" A  S* c1 @5 h( O  i' L1 c/ d+ W! D$ I...........++++++
2 F. `0 W0 H# j% R- I....++++++
8 v& q! f6 q1 M, c; De is 65537 (0x10001)
6 t" p* D7 H: A9 E" }
[root@ftp CA]# chmod 600 private/cakey.pem
5 B3 I1 \1 n; ~1 h# v8 e* G& P[root@ftp CA]# ll private/cakey.pem
-rw------- 1 root root 887 Feb 10 23:22 private/cakey.pem
2 F/ Y" ?$ M9 p; n0 n" Y& l[root@ftp CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
5 L0 H3 \# s( g+ Q! B
0 k+ _* |' @' P, F: z7 Y, _1 bYou are about to be asked to enter information that will be incorporated
/ P3 w/ a% b! F
into your certificate request.
3 v7 e# E  n& i, w) X3 V$ x
5 ]1 P2 O5 A0 W2 V7 WWhat you are about to enter is what is called a Distinguished Name or a DN.

. l7 z4 e) j8 D2 {* g. C1 eThere are quite a few fields but you can leave some blank
; G  A& I* @6 R. I, Z2 X3 _" x5 a% y
/ d" U! y; m  x4 M" Z( {" r: HFor some fields there will be a default value,
0 Z# q9 p2 J' U% P& _- g
If you enter '.', the field will be left blank.
' w  J0 k  @  T! J/ ^5 P
6 u# d/ R" Y* k* p+ c1 k-----
$ L0 X0 P* s0 Q* p4 dCountry Name (2 letter code) [GB]:cn

6 t. O- k2 K" b6 rState or Province Name (full name) [Berkshire]:henan

Locality Name (eg, city) [Newbury]:zhengzhou

Organization Name (eg, company) [My Company Ltd]:junjie

1 B1 e9 j# X: D+ YOrganizational Unit Name (eg, section) []:soft

% R; s6 g. ]  c, z; r( {7 cCommon Name (eg, your name or your server's hostname) []:ca.junjie.com
9 P/ W8 K% F+ m3 K, H2 D
Email Address []:junjie@junjie.com
[root@ftp CA]#ll
; P$ i, }- I1 W  ~③.为ftp服务器创建证书：
- {% u% m9 U( l+ I
) [8 J1 ^& ~$ [! k; p6 ~. r[root@ftp CA]# mkdir /etc/vsftpd/certs
/ @9 L1 S; B* b/ x$ z5 K% Z[root@ftp CA]# cd /etc/vsftpd/certs
[root@ftp certs]# openssl genrsa 1024 >vsftpd.key
" b- R' `' i% t- c* DGenerating RSA private key, 1024 bit long modulus
6 ^3 b& Z) j: X2 ?1 L; [
....++++++
& z% k2 o) K4 p6 J3 [...++++++
e is 65537 (0x10001)

& y9 J* O# o: ~# l[root@ftp certs]# openssl req -new -key vsftpd.key -out vsftpd.csr

You are about to be asked to enter information that will be incorporated
! L( d/ Z! N0 m( ]( a2 S  ?
, g& i1 u- W( ]- h' finto your certificate request.
! c8 k2 b$ a* G. c& D, ]4 A8 z
What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank
) Z+ `4 }0 [- b' z- J
( b' u/ P& F$ aFor some fields there will be a default value,

. P, d& \, E8 Y  tIf you enter '.', the field will be left blank.
( s: n* v2 P2 s& O
-----
$ K; r3 Z8 L- A! KCountry Name (2 letter code) [GB]:cn

State or Province Name (full name) [Berkshire]:henan

Locality Name (eg, city) [Newbury]:zhengzhou
8 H. B7 F# g( m$ f- o, V
% q: C( g& d9 Y2 Z9 {+ z" U: e5 UOrganization Name (eg, company) [My Company Ltd]:junjie
+ Y1 l3 g' f/ ?, w3 Q; C: a
7 e' p2 X) }: v) [' {Organizational Unit Name (eg, section) []:ftp
1 i5 ?5 Y: A) d- F: p( s
Common Name (eg, your name or your server's hostname) []:ftp.junjie.com
2 S# z: {2 b+ T# }8 s
- \4 a6 z- a$ a3 m+ O& A& f' xEmail Address []:ftp@junjie.com
6 A3 K0 I! _+ Z1 ^3 \0 M5 q' K
1 O9 q: P  ~. t" ePlease enter the following 'extra' attributes
9 ]! f0 k# v2 j/ e8 [" o7 @+ {
- x! Y/ y6 ~( T# x, J. o& {! D, wto be sent with your certificate request
% K% W2 h: O3 E
& J3 f) V; q; e0 v4 V$ P' YA challenge password []:
$ a5 ^" N0 Q& _- J" J
$ N$ Q& m2 l6 o2 L7 ]An optional company name []:

2 o$ D% G( d* n' l1 V( p, `[root@ftp certs]# openssl ca -in vsftpd.csr -out vsftpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
& e( k8 \" O; N0 O% O/ H
+ A( M5 |# L' }0 @& [  b& U3 ?/ ~Check that the request matches the signature

; D/ z5 v& ]. M- A# F$ B) E  o3 hSignature ok
# r7 I/ }% j9 c* kCertificate Details:
5 a/ Y0 O6 H8 o$ u( }2 n3 k& n
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 10 15:48:55 2012 GMT
7 {! I: z( \$ m
! O& f+ M1 u" w            Not After : Feb 9 15:48:55 2013 GMT
, q8 c# C6 u' Z# r, w/ P3 y& u        Subject:
            countryName               = cn
            stateOrProvinceName       = henan
; k; o% u8 L' x$ n. {- X$ L. u0 r            organizationName          = junjie
            organizationalUnitName    = ftp
            commonName                = ftp.junjie.com
            emailAddress              = junjie@junjie.com
0 c9 \  G( S7 z        X509v3 extensions:
            X509v3 Basic Constraints:
- d9 k* V9 P6 X0 O: P. W0 J                CA:FALSE
5 z7 v( d* H; p2 c. C, O            Netscape Comment:
. E5 O: j: K9 Q. W, H7 O                OpenSSL Generated Certificate
$ h8 m2 {$ y# A" u1 a' F  E            X509v3 Subject Key Identifier:
0 t( W! i9 C2 r' t- Q2 T                33:C5:01:33:A5:CF:42:9F:24:A9:0D:E9:41:8E:26:C3:1B:7B:18:11
1 p7 j$ I5 G, ^. E9 E, L+ }
            X509v3 Authority Key Identifier:
                keyid:501:A8:0A:1F:B7:CD:49:94:69:E3:70:E9:AE:93:73:2C:94:66:AC

7 A2 T' e. ~  ~( k7 i, }
2 Z! o  V* Y$ \4 {4 M! u: {' zCertificate is to be certified until Feb 9 15:48:55 2013 GMT (365 days)
. a- \; R( K2 U' F/ g* N/ r$ J
Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

: G2 g( M3 ]$ bWrite out database with 1 new entries
% {; X4 ^' `8 |7 K1 ]0 e& ~
Data Base Updated
  p7 Y4 M; s8 K. C' q; E/ C[root@ftp certs]# ll
[root@ftp certs]# chmod 600 *
[root@ftp certs]# ll
& k6 {9 T* q6 t: j7 T; M④.使ftp服务应用证书：

! T# \! N- i/ a9 P# q[root@ftp certs]# cd /etc/vsftpd/            
% J& P! \/ R3 V# P[root@ftp vsftpd]# vim vsftpd.conf         #增加以下内容
& P2 y) e0 g& Y118 rsa_cert_file=/etc/vsftpd/certs/vsftpd.crt

119 rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key
7 ?4 V% @9 l& W0 _9 W+ ^6 ?
120 force_local_data_ssl=YES
$ t  I9 b# N; L- \121 force_local_logins_ssl=YES
( c1 e* G, K! ]9 h1 T! o122 ssl_enable=YES
123 ssl_sslv2=YES
124 ssl_sslv3=YES
0 s% z6 {4 O$ c. |: r125 ssl_tlsv1=YES
% ?1 l$ z8 K0 A2 p% O8 X# r& O[root@ftp vsftpd]# service vsftpd restart

7 J" T. B9 }7 d: WShutting down vsftpd:                                      [ OK ]
Starting vsftpd for vsftpd:                                [ OK ]
⑤客户端测试（已加密传输）：


* e. K) E# }( g4 ^5 T
8 K! R7 j0 H) x1 [; Z2 Q+ q7 r
0 _" w( d3 `# l
7 k1 B/ Y2 M4 Q) n4 k+ A) I从上面看出证书名称出现问题，但可是可以使用！选择接收一次！
1 e* q* q3 D1 o+ J; Y8 K( z


2 S9 |& w% B# D0 ]* n该次登录抓包内容如下所示：传输已经经过加密！
[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"
/ i" ^1 D  v( o7 l. K9 P% {
# t4 q0 }) V* A3 r0 U. l  l# ]
4 |, R1 N1 i2 {, a: D+ Q! t( U
[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"
# ^4 F0 Z+ F* i- X9 }& ~6 C
Running as user "root" and group "root". This could be dangerous.
3 w9 f$ D  q5 m$ T2 J# V
2 L1 B/ ~* D7 m/ x) Z5 A2 k; H* _Capturing on eth0

9.742109 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2

9.742144 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1 Ack=1 Win=65700 Len=0
( H* ~) h0 R' e1 Q6 E) w
9.747458 192.168.101.113 -> 192.168.101.210 FTP Request: AUTH SSL
3 S" o- l$ d9 V  K9 l& u
9.755605 192.168.101.113 -> 192.168.101.210 FTP Request: \200\310\001\003\001\000\237\000\000\000 \000\300\024\000\300
' e2 l( h5 C! c
, j- s7 Q9 m7 f1 w 9.758795 192.168.101.113 -> 192.168.101.210 FTP Request: \026\003\001\000\206\020\000\000\202\000\200n\257\315\204\324o

% x5 p  e- n" S) B- r 9.778662 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\215\325t\357\277\001\376FZ\243D\373\003\367\231\207Q\324\003Q}/\335\025\027\003\001\000 \f\355b\270\355\325\020[\372\302s{^\375\307\364C\307\243\251v9\370\364\260\277\253\317\321gB]

( I  D7 Y) W# a 9.779885 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\324\000\267\312\0320\213\266y\311\025[\371\275?\254Y\257\024[\245vjM\027\003\001\000(\236\321\221Z\321Z(\316'\343.\235?\321=8\264b\270(j\336\231\210\265\207K\223A\037"\277\251\252t\252a`\374

9.782153 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\257d\313mXZT\356\2366\334q\223\017gt\371\232\207\226\325

9.793165 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\0301\020S\237\372\210\004N4\370\366\377\2213m\356\233w:\275)>@%\027\003\001\000 Y\032\275BM=3J\313\240\241\372Z\371@\335\262\252\240\235\021\345\271\305\223\211\020\340\332\323Q\251
3 H, _' a5 j  _$ Z# y
- b4 G. v" @( M, p. | 9.795630 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\302\016=LR\272\030{\034\277V\256]\230\247\363\355M\241\327U\207k\032\027\003\001\000 OYi\216=S\322\212)\271V\016\2519w\332f\213\222S\244\275M\316\025N\302:k\312b\331

" H, z* e3 d" y: ^. d 9.796727 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1260 Win=64440 Len=0
. V4 U0 n1 w/ ~* G
9.797542 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1334 Win=64364 Len=0

% _: o6 A1 K% K1 y# D 9.798327 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1408 Win=64292 Len=0

9.798775 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1482 Win=65700 Len=0
$ X; X; t  q6 A3 t
5 B0 t: N; N* G- R 9.799387 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1564 Win=65616 Len=0

2 c! i5 _# K) l; I 9.799910 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1638 Win=65544 Len=0

9.805078 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030G}\305\210\021s\244q\023k=\345R\232A\366B\360\202\320\361(x\344\027\003\001\000 \351W\350\377\362\2756\334\303\035+1l|{\304\277\224\326n\036d\213\217\b\216\023N\225\003a\274

( l+ H( i; u3 P5 X/ R9 h3 R9 Q 9.810763 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\203\354F\302\253\205\212\355\334$\321=\303h\276\302\350\320.\346\223\337BG\027\003\001\000 73\027\372#\232

2 i& B+ L9 i; f) n1 |& t  n/ H 9.813350 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\203x`k\337RM\341w\022N\255|f\260U ?\354)A\301^\251\027\003\001\000 \031`\366\364He\030\266z)\373\265\237\261\3430\220\331\340Kv[\033\347\tXj\344\314\236\242

: r$ M5 |% T$ s* b/ j! v 9.814073 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\307\2126sY\a\237\034\321\277!j\320\213\235\032\277e\345\361E>|)\027\003\001\000 \256\304}:-\365\034\aD~\fk`]\314\b\207\365-\217\305\244
4 C) Q  d& Q7 c3 i. A' n! [
- N* K& c$ M3 d! ^4 W 9.838659 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\300\272t&\t(\262\243\361\210\263\343\326\261\017$\317V\002\354\325\271\250\366\027\003\001\000 \350F\305\360\363\365\033\274W\207M\006\216\255\016\365\205z\033\002\032B\345,\3712\034\377\327[\272P
, f9 f% r; l2 |5 {0 w
9.851675 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1071 Ack=2041 Win=65140 Len=0
+ n2 v0 R& q: x
  m7 z7 }% @7 z 9.856073 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\f\357\000E/\372\333\247\016\344\315\345\346\271L\327\214CE0*i\316\332\027\003\001\000(8\220\341\316.*\234dM\235

10.061779 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1145 Ack=2094 Win=65088 Len=0

6 l$ D" q+ a: P( A$ O 39.978110 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030=\032\322\022\216B\025O\016\034

9 }) ?% n" p3 K% Z8 b 39.980672 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [FIN, ACK] Seq=1211 Ack=2139 Win=65040 Len=0
" N1 c6 \& V- `6 u
. k* x" N2 s' {0 i$ L 39.980725 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [RST, ACK] Seq=1212 Ack=2149 Win=0 Len=0

27 packets captured

[root@ftp ~]#