FTPS（FTP+SSL）

admin

FTPS（FTP+SSL）
4 P8 |: w7 z" @; t8 n
   ftps是一种多传输协议，相当于加密版的FTP。当你在FTP服务器上收发文件的时候，你面临两个风险。第一个风险是在上载文件的时候为文件加密。第二个风险是，这些文件在你等待接收方下载的时候将停留在FTP服务器上，这时你如何保证这些文件的安全。你的第二个选择(创建一个支持SSL的FTP服务器)能够让你的主机使用一个FTPS连接上载这些文件。这包括使用一个在FTP协议下面的SSL层加密控制和数据通道。一种替代FTPS的协议是安全文件传输协议(SFTP)。这个协议使用SSH文件传输协议加密从客户机到服务器的FTP连接。
3 C3 b$ e% C- ?( D8 J
0 P5 X2 b6 D$ ^
FTPS是在安全套接层使用标准的FTP协议和指令的一种增强型TFP协议，为FTP协议和数据通道增加了SSL安全功能。FTPS也称作“FTP-SSL”和“FTP-over-SSL”。SSL是一个在客户机和具有SSL功能的服务器之间的安全连接中对数据进行加密和解密的协议。
' O; K' \0 E9 r/ a  D# u8 g6 x
- s( D! \, g' R3 E$ {2 @
和sftp连接方法类似，在windows中可以使用FileZilla等传输软件来连接FTPS进行上传，下载文件，建立，删除目录等操作,在FileZilla连接时，有显式和隐式TLS/SSL连接之分，连接时也有指纹提示。



8 Q2 U9 m8 l& @& L安全：ftps ftp+ssl

准备工作：
7 O0 p( r. s4 D6 ~
准备一:关闭防火墙；

准备二：挂载光盘；
9 S1 e) D8 ]) U
准备三：构建本地yum服务器。

FTP+SSL配置详细过程:

0 q: h- ]7 {8 z3 w+ W. ~8 a! D①.安装配置FTP服务器和抓包工具：（ftp：192.168.101.210）

, x, }9 q* n; z[root@ftp ~]# yum list all |grep vsftpd
" T8 N1 Z! h$ g  o; N[root@ftp ~]# yum install -y vsftpd
# I, {7 V8 y9 R7 u3 V
; r* U6 [+ f& ~& e[root@ftp ~]# yum list all |grep wireshark

[root@ftp ~]# yum install -y wireshark
. @! D, I' Z: r4 I
5 f( |9 b) N* w' E[root@ftp ~]# useradd user1
[root@ftp ~]# echo "123" |passwd --stdin user1
, S% z( ^# ]! l8 G
[root@ftp ~]# service vsftpd start
% h( n' v: f+ s3 J/ r3 ^" _( r8 `: D
2 L+ j, ~5 M5 \2 X# DStarting vsftpd for vsftpd:                                [ OK ]
( ^- K3 c0 ~7 B! X
, R1 k3 H. b) a- ]3 x# I: S9 P
- b: e2 p) B- J6 s$ T[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"


& D0 H$ E$ M' g& m) b" j
/ ?4 s3 |; M% |% T/ ]* d②.配置本地CA证书服务器：

5 p5 q, d( d: p" g% s[root@ftp ~]# cd /etc/pki/
. d, N6 w: x/ f: o9 O[root@ftp pki]# ll
[root@ftp pki]# vim tls/openssl.cnf
45 dir             = /etc/pki/CA
( l& \# P2 k9 z, ]5 b% L% O( C3 ^88 countryName             = optional

89 stateOrProvinceName     = optional
6 Y9 S- N+ ]6 n4 ?4 N7 [
90 organizationName        = optional

' p6 K" I6 h4 G8 H: ?[root@ftp pki]# cd CA/
7 W+ E5 x9 H7 |6 x[root@ftp CA]# mkdir certs newcerts crl
[root@ftp CA]# touch index.txt serial
7 `$ G; P% C6 S1 n4 r& X# n[root@ftp CA]# echo "01" >serial

, l2 Z9 H( v2 O' B: B) e' k* U[root@ftp CA]# ll
[root@ftp CA]# openssl genrsa 1024 > private/cakey.pem
: p0 I  y+ m* Q4 d4 q* c0 ~
Generating RSA private key, 1024 bit long modulus

4 E& R$ [7 b& k...........++++++
....++++++
e is 65537 (0x10001)
! i) d/ @# D! Z7 T3 }) y3 v
. d* U8 _2 [3 e- `! G& f[root@ftp CA]# chmod 600 private/cakey.pem
4 B1 L3 A0 M. C0 k8 G[root@ftp CA]# ll private/cakey.pem
-rw------- 1 root root 887 Feb 10 23:22 private/cakey.pem
[root@ftp CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

- V/ y5 m& u" Z7 _- BYou are about to be asked to enter information that will be incorporated
" G* |/ ?0 c& E
into your certificate request.

' {: ?) n9 ?( z/ [" G' C; CWhat you are about to enter is what is called a Distinguished Name or a DN.

6 k, H- G( ^$ n" f5 g( oThere are quite a few fields but you can leave some blank
8 q7 c# S# `# D9 v, }
* D" K2 @! H" K7 d3 g( o; u9 JFor some fields there will be a default value,
& C* y, Z' j" H, T, u
9 o8 r% A6 m9 q( K$ |If you enter '.', the field will be left blank.
1 S' j7 Y" {- p
-----
" v# J3 S2 J, r# I4 o) H) `Country Name (2 letter code) [GB]:cn

$ Y5 a. i; z! {State or Province Name (full name) [Berkshire]:henan

6 E" l4 n% O' m! H  sLocality Name (eg, city) [Newbury]:zhengzhou
6 m# O( F; i4 O1 ^6 u% T$ B3 z
8 y- H+ V3 Q/ r  H: g5 @1 I) kOrganization Name (eg, company) [My Company Ltd]:junjie
# g2 G1 x1 V+ N
Organizational Unit Name (eg, section) []:soft
. r$ S$ a2 O& K, |$ @
Common Name (eg, your name or your server's hostname) []:ca.junjie.com
% T- V* _& j1 M4 X1 O, P
) Y- `! o. Y! A1 }$ nEmail Address []:[email protected]
[root@ftp CA]#ll
1 ~, @  Y) D2 c9 W& Y5 n* v③.为ftp服务器创建证书：
2 a! f5 q! g; d* R: c. B8 M8 d
' w! e, j* R/ U8 ~& D4 m[root@ftp CA]# mkdir /etc/vsftpd/certs
- F6 u3 \6 d& D[root@ftp CA]# cd /etc/vsftpd/certs
[root@ftp certs]# openssl genrsa 1024 >vsftpd.key
, L: k1 ^$ V- x2 W! `  AGenerating RSA private key, 1024 bit long modulus
& K' C2 [# ^2 [; ]
- i. K& N! x/ A; K& n$ V....++++++
...++++++
e is 65537 (0x10001)
* y$ K/ I  Z+ a4 R# a: ?
[root@ftp certs]# openssl req -new -key vsftpd.key -out vsftpd.csr
8 I" m( V# i& N4 C, l" l% m
6 X5 m) J! E( [' \5 o$ _& M( EYou are about to be asked to enter information that will be incorporated
% @' ?: n3 M. H& p. n
into your certificate request.
: N6 U5 Q! X  Z+ k: b; H
. U+ E0 p" x  nWhat you are about to enter is what is called a Distinguished Name or a DN.
  k& T( \" L7 d+ u; s; b9 ]. N
0 K' u. A& k- K! z. G" zThere are quite a few fields but you can leave some blank
$ `; C' M! m: x% J2 h
9 B7 p& h" _4 I, t& `For some fields there will be a default value,

$ \8 W. {/ |6 `If you enter '.', the field will be left blank.

$ j( H! X8 S6 ]# ~4 ~+ V  p# ~-----
Country Name (2 letter code) [GB]:cn
1 t% ]3 s" \; z
) v6 ]# e8 b2 LState or Province Name (full name) [Berkshire]:henan

9 @6 w4 U- Y2 ~9 f3 C& l4 T. cLocality Name (eg, city) [Newbury]:zhengzhou

" l  ?7 V) O9 M  POrganization Name (eg, company) [My Company Ltd]:junjie

Organizational Unit Name (eg, section) []:ftp
) _/ b& M; O# ]1 q  l
  r) q; ^0 [; I' ~8 I3 o+ cCommon Name (eg, your name or your server's hostname) []:ftp.junjie.com
9 ]/ B6 o' m) o. f0 k( }
Email Address []:[email protected]

  m9 `6 [% v. A  pPlease enter the following 'extra' attributes
" W4 {9 y. ~7 C9 N
to be sent with your certificate request

A challenge password []:

& U' {1 t: m4 V' z1 h: cAn optional company name []:

[root@ftp certs]# openssl ca -in vsftpd.csr -out vsftpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
5 @0 p6 n; C/ y. Y# F
Check that the request matches the signature
, L: o- n- C' T
: ~0 Y% M& C, A# U5 A2 ?Signature ok
Certificate Details:
9 m# |& F+ N6 o- f$ e+ {' _, S
        Serial Number: 1 (0x1)
) ~* k6 P# j0 ?        Validity
  G7 ?! O( Y6 x            Not Before: Feb 10 15:48:55 2012 GMT
$ b* a% h% s: ]
            Not After : Feb 9 15:48:55 2013 GMT
        Subject:
4 z6 p) ]; o  l5 W            countryName               = cn
8 }" ^  J0 Y1 N7 D/ ?8 s            stateOrProvinceName       = henan
  I" `% z6 u7 `$ T8 ^+ _( Q            organizationName          = junjie
' i% x, Y; C  ~; O6 v8 z- m' h            organizationalUnitName    = ftp
1 X+ ~1 i; `" Y/ F: _5 q. U5 z7 g            commonName                = ftp.junjie.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
" ]: f( r; b6 N+ a" A! R                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
8 S, A8 q& q  A1 Q                33:C5:01:33:A5:CF:42:9F:24:A9:0D:E9:41:8E:26:C3:1B:7B:18:11

$ a4 _4 |0 [  d* P$ S            X509v3 Authority Key Identifier:
" f5 k- x  i; z* u* L                keyid:501:A8:0A:1F:B7:CD:49:94:69:E3:70:E9:AE:93:73:2C:94:66:AC

4 h& [  }4 ]  Z! B
. H0 e4 Q" m. Z* \Certificate is to be certified until Feb 9 15:48:55 2013 GMT (365 days)

0 H; J) B8 C& D2 |3 y8 s% c4 jSign the certificate? [y/n]:y
0 J5 k) f' B7 ~3 o

0 }5 q8 I- O" [( w8 n$ {' `
1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated
[root@ftp certs]# ll
[root@ftp certs]# chmod 600 *
" Q/ v1 G& M/ S6 n" t. I$ I1 D[root@ftp certs]# ll
④.使ftp服务应用证书：

[root@ftp certs]# cd /etc/vsftpd/            
) X/ Z8 N8 h" A. V- y, y+ U[root@ftp vsftpd]# vim vsftpd.conf         #增加以下内容
2 @9 h" V& K+ U/ U. r6 H& v; @118 rsa_cert_file=/etc/vsftpd/certs/vsftpd.crt

" s) R$ K% ^9 C3 [& c, X- M119 rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key

120 force_local_data_ssl=YES
121 force_local_logins_ssl=YES
+ d" G* p. r1 L# o% x! ]122 ssl_enable=YES
123 ssl_sslv2=YES
+ @; M6 O4 q8 L) |" g% w$ c( s124 ssl_sslv3=YES
125 ssl_tlsv1=YES
[root@ftp vsftpd]# service vsftpd restart

0 D/ q9 U# k5 V) U3 c* a6 D. uShutting down vsftpd:                                      [ OK ]
: y" t# Y2 _& [% }9 G  E& y* IStarting vsftpd for vsftpd:                                [ OK ]
" ]/ y, ~$ Y7 @! Z7 w$ v⑤客户端测试（已加密传输）：
7 N, L# f# o1 [0 Q
: H: s; d9 E$ Q$ }0 Y- X! v& M  E
; f1 R: M* [% u! a4 K2 F4 H- g
& A& X9 Q  s6 K3 y; @
4 Q# Y6 s& q5 l/ e4 G0 P2 c
从上面看出证书名称出现问题，但可是可以使用！选择接收一次！


) j) A2 q9 w" W8 a9 i2 k3 b
该次登录抓包内容如下所示：传输已经经过加密！
[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"
7 }7 D: Z( d% C; }
2 ~3 M" y7 C& O8 }/ L
+ f! z( Y- i3 |. i
[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"

+ @  Z0 }8 x6 z8 X8 I& lRunning as user "root" and group "root". This could be dangerous.
( [) a1 v* o/ |( B% x- [
Capturing on eth0

* h3 _$ D' U2 i  h- {1 p. m4 g 9.742109 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
4 d8 T  g" T9 s
9.742144 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1 Ack=1 Win=65700 Len=0
% q* e2 ~0 {  z& ?0 F) G3 S
( x5 R/ T  G! L% V1 b% m+ b 9.747458 192.168.101.113 -> 192.168.101.210 FTP Request: AUTH SSL

9.755605 192.168.101.113 -> 192.168.101.210 FTP Request: \200\310\001\003\001\000\237\000\000\000 \000\300\024\000\300
% i* f* O* ~# `5 N$ X' P8 y
9.758795 192.168.101.113 -> 192.168.101.210 FTP Request: \026\003\001\000\206\020\000\000\202\000\200n\257\315\204\324o

9.778662 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\215\325t\357\277\001\376FZ\243D\373\003\367\231\207Q\324\003Q}/\335\025\027\003\001\000 \f\355b\270\355\325\020[\372\302s{^\375\307\364C\307\243\251v9\370\364\260\277\253\317\321gB]
0 G, V5 j! O6 r( }$ I9 ]% m
$ S! s# U$ R9 @, U0 F1 I, Q0 D 9.779885 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\324\000\267\312\0320\213\266y\311\025[\371\275?\254Y\257\024[\245vjM\027\003\001\000(\236\321\221Z\321Z(\316'\343.\235?\321=8\264b\270(j\336\231\210\265\207K\223A\037"\277\251\252t\252a`\374

+ R/ ]' |" T# A8 ^! j 9.782153 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\257d\313mXZT\356\2366\334q\223\017gt\371\232\207\226\325
* @2 h, p6 h9 z
9.793165 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\0301\020S\237\372\210\004N4\370\366\377\2213m\356\233w:\275)>@%\027\003\001\000 Y\032\275BM=3J\313\240\241\372Z\371@\335\262\252\240\235\021\345\271\305\223\211\020\340\332\323Q\251
+ e8 i6 f; x1 B: T
  K1 F4 d- j7 Z8 K6 P2 b! S  i 9.795630 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\302\016=LR\272\030{\034\277V\256]\230\247\363\355M\241\327U\207k\032\027\003\001\000 OYi\216=S\322\212)\271V\016\2519w\332f\213\222S\244\275M\316\025N\302:k\312b\331
  \& G+ i( q* o5 @3 f) ~0 c# Y
4 z+ [. x7 P0 ~0 A" m4 z( i 9.796727 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1260 Win=64440 Len=0

9.797542 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1334 Win=64364 Len=0

+ X0 \) a  K4 {' N! G5 m' Z) S+ Z3 h 9.798327 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1408 Win=64292 Len=0
3 {  c& }% y# q6 {. _
: _& z4 g1 B- m& o5 ~ 9.798775 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1482 Win=65700 Len=0

9.799387 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1564 Win=65616 Len=0

9.799910 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1638 Win=65544 Len=0
- A' P. l/ e' S! S9 |
9.805078 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030G}\305\210\021s\244q\023k=\345R\232A\366B\360\202\320\361(x\344\027\003\001\000 \351W\350\377\362\2756\334\303\035+1l|{\304\277\224\326n\036d\213\217\b\216\023N\225\003a\274

9.810763 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\203\354F\302\253\205\212\355\334$\321=\303h\276\302\350\320.\346\223\337BG\027\003\001\000 73\027\372#\232
0 S* [) w/ I  w9 c' o
0 z, J) S7 E: U# \0 y& V* F* F  ` 9.813350 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\203x`k\337RM\341w\022N\255|f\260U ?\354)A\301^\251\027\003\001\000 \031`\366\364He\030\266z)\373\265\237\261\3430\220\331\340Kv[\033\347\tXj\344\314\236\242
: Z# y4 f% A# q4 Y. F: U" {0 ^; ]
0 x/ r( c" o" q7 {; n3 c 9.814073 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\307\2126sY\a\237\034\321\277!j\320\213\235\032\277e\345\361E>|)\027\003\001\000 \256\304}:-\365\034\aD~\fk`]\314\b\207\365-\217\305\244

; o& R- K# r4 {; s  n 9.838659 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\300\272t&\t(\262\243\361\210\263\343\326\261\017$\317V\002\354\325\271\250\366\027\003\001\000 \350F\305\360\363\365\033\274W\207M\006\216\255\016\365\205z\033\002\032B\345,\3712\034\377\327[\272P
( X" d. c3 s( M8 @9 d8 H. o
9.851675 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1071 Ack=2041 Win=65140 Len=0
3 j# L# L: A- F9 O
: a+ a0 k8 n3 k5 U7 y2 C 9.856073 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\f\357\000E/\372\333\247\016\344\315\345\346\271L\327\214CE0*i\316\332\027\003\001\000(8\220\341\316.*\234dM\235

10.061779 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1145 Ack=2094 Win=65088 Len=0
; s4 u: R, f1 l6 s- \8 \9 I2 _
6 J( A" M  U8 f* o& P7 Z3 U 39.978110 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030=\032\322\022\216B\025O\016\034
7 h1 \  e3 }* Q6 }3 l$ W
39.980672 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [FIN, ACK] Seq=1211 Ack=2139 Win=65040 Len=0

39.980725 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [RST, ACK] Seq=1212 Ack=2149 Win=0 Len=0

27 packets captured
$ O* Q. t* l! R
- T& Q7 R2 a2 `& a, ~9 y/ S[root@ftp ~]#