FTPS（FTP+SSL）

admin

FTPS（FTP+SSL）
$ W7 \) Q0 Q9 t! z5 U2 @# |
" i  D+ j( m* P. s   ftps是一种多传输协议，相当于加密版的FTP。当你在FTP服务器上收发文件的时候，你面临两个风险。第一个风险是在上载文件的时候为文件加密。第二个风险是，这些文件在你等待接收方下载的时候将停留在FTP服务器上，这时你如何保证这些文件的安全。你的第二个选择(创建一个支持SSL的FTP服务器)能够让你的主机使用一个FTPS连接上载这些文件。这包括使用一个在FTP协议下面的SSL层加密控制和数据通道。一种替代FTPS的协议是安全文件传输协议(SFTP)。这个协议使用SSH文件传输协议加密从客户机到服务器的FTP连接。


FTPS是在安全套接层使用标准的FTP协议和指令的一种增强型TFP协议，为FTP协议和数据通道增加了SSL安全功能。FTPS也称作“FTP-SSL”和“FTP-over-SSL”。SSL是一个在客户机和具有SSL功能的服务器之间的安全连接中对数据进行加密和解密的协议。
3 z1 N' [( L6 q' L1 g$ ?1 d0 L' H
: L& x2 d9 W# W' j* P6 ?9 c
和sftp连接方法类似，在windows中可以使用FileZilla等传输软件来连接FTPS进行上传，下载文件，建立，删除目录等操作,在FileZilla连接时，有显式和隐式TLS/SSL连接之分，连接时也有指纹提示。
) V5 w# z+ a5 g5 w( i6 r7 D


安全：ftps ftp+ssl

准备工作：

5 p/ q+ \- t! i准备一:关闭防火墙；
, t4 H+ G7 M) G* [
准备二：挂载光盘；
- l* w) F9 j# M+ K& I6 W
' Y( X" z# C: S; s) K$ Q准备三：构建本地yum服务器。
: ~; e3 Q9 ~2 ~6 c' {' v! G* l
" v6 A, }: G- N! f! `FTP+SSL配置详细过程:

①.安装配置FTP服务器和抓包工具：（ftp：192.168.101.210）

- j1 x, f% g& B: T  |2 E4 E2 F+ l[root@ftp ~]# yum list all |grep vsftpd
[root@ftp ~]# yum install -y vsftpd

6 S7 T" V3 [# G" U; R1 t[root@ftp ~]# yum list all |grep wireshark
' H, W0 y! M3 L$ R) Y8 d  O3 ]
: O1 u7 u% ^* R  x0 b$ s* Y5 {[root@ftp ~]# yum install -y wireshark

[root@ftp ~]# useradd user1
0 G5 Z$ F$ P) `6 @7 t4 K7 ][root@ftp ~]# echo "123" |passwd --stdin user1

: L3 W# [) q0 i9 G( V+ N, C[root@ftp ~]# service vsftpd start

9 ]" q5 L" ^1 T! M. v0 s. P+ U) \Starting vsftpd for vsftpd:                                [ OK ]

3 R, C' p! V" X/ `/ u& Q
[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"



②.配置本地CA证书服务器：
% p$ D1 N$ S4 o) z2 M
[root@ftp ~]# cd /etc/pki/
[root@ftp pki]# ll
+ s) q* \& a$ M  e- m5 ~8 k# A! N[root@ftp pki]# vim tls/openssl.cnf
45 dir             = /etc/pki/CA
88 countryName             = optional

89 stateOrProvinceName     = optional
( L, q5 K* I1 x$ Q( l6 l& |0 f
90 organizationName        = optional
/ s- R; y. d% q. G. S, v" ]
5 `+ s' |0 S1 q" y6 o5 \& [[root@ftp pki]# cd CA/
[root@ftp CA]# mkdir certs newcerts crl
[root@ftp CA]# touch index.txt serial
% ?3 I# a6 \) Z+ F+ |[root@ftp CA]# echo "01" >serial
5 F, T% Z5 K( v& U, O
3 t& f; ^* g- l3 }$ f+ S[root@ftp CA]# ll
[root@ftp CA]# openssl genrsa 1024 > private/cakey.pem
! k7 }# n" ^: n8 `4 x
, y9 u. m6 E. ^# D; m$ s' |5 \: ^; wGenerating RSA private key, 1024 bit long modulus
+ r, n! g3 N6 ]# |, s4 L4 m
9 M  ~- F* k  B+ @! u3 j1 |/ o+ T/ e...........++++++
' K4 `1 C& g. r1 R....++++++
; O" T1 u% r- a- Ie is 65537 (0x10001)

% j. q' C) T( v  W1 P0 S[root@ftp CA]# chmod 600 private/cakey.pem
[root@ftp CA]# ll private/cakey.pem
-rw------- 1 root root 887 Feb 10 23:22 private/cakey.pem
[root@ftp CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

# O9 |) G9 ~* u7 p. K# ~! l0 h. [You are about to be asked to enter information that will be incorporated

5 F! H5 e! X5 p( U6 rinto your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank
3 n' n# V( f, B$ B0 b' a$ E
# F, F8 K. m0 K" uFor some fields there will be a default value,

* |8 I5 y. T7 ]. t! MIf you enter '.', the field will be left blank.
  ]: N1 }1 a0 |! K! J
-----
& d  O5 I7 o9 I/ }3 `8 @Country Name (2 letter code) [GB]:cn
* P" V% q' `+ t5 |( @' v) d
( b3 R) ~# p6 S4 }; E+ qState or Province Name (full name) [Berkshire]:henan

% I, U' u& a" B, b# h. n$ uLocality Name (eg, city) [Newbury]:zhengzhou

Organization Name (eg, company) [My Company Ltd]:junjie
, y/ T' ~* ]5 D; Y" j
( G' W6 J/ l5 v+ ]# COrganizational Unit Name (eg, section) []:soft

1 w( K6 c5 j- u  x( o  Q9 W- |' |Common Name (eg, your name or your server's hostname) []:ca.junjie.com
: a  h3 T& k) T4 E3 q
; l- A, S: _5 PEmail Address []:junjie@junjie.com
[root@ftp CA]#ll
- k) s2 D" T- P, M③.为ftp服务器创建证书：
$ E: P/ s( @/ L$ M* I
[root@ftp CA]# mkdir /etc/vsftpd/certs
[root@ftp CA]# cd /etc/vsftpd/certs
+ e& U; P7 |+ b( g; _% w# u) T[root@ftp certs]# openssl genrsa 1024 >vsftpd.key
! ]" H+ m, R8 u9 ?Generating RSA private key, 1024 bit long modulus

....++++++
0 z& v' ?& W, q" u...++++++
e is 65537 (0x10001)
4 H2 n7 U3 {( X% j  l# u+ V: F( a
. p0 t; d/ I' p) ~$ n2 o" e; s3 a[root@ftp certs]# openssl req -new -key vsftpd.key -out vsftpd.csr
, h% G9 U/ L1 y) \! R) c9 N
You are about to be asked to enter information that will be incorporated
% b+ S- n. B; L6 v! r/ Y! e
into your certificate request.
& e) `2 ]4 q5 t6 [; q5 d4 V( Z, z
What you are about to enter is what is called a Distinguished Name or a DN.

9 Q  F. u& i8 K2 k4 o4 XThere are quite a few fields but you can leave some blank
0 ?5 k/ g+ {) D1 Y" b( }
# C" Z1 h! `, }For some fields there will be a default value,

: f! a" ^* j# u, f$ F" UIf you enter '.', the field will be left blank.

  |+ P5 K9 C# w-----
7 s( i' E; p" a! |2 `! uCountry Name (2 letter code) [GB]:cn

5 B9 y$ Z5 k" y$ K  w; |; C' tState or Province Name (full name) [Berkshire]:henan

Locality Name (eg, city) [Newbury]:zhengzhou

Organization Name (eg, company) [My Company Ltd]:junjie

5 q* L7 Q1 P1 q- L3 \$ l( N2 oOrganizational Unit Name (eg, section) []:ftp

" E  G" p. f7 M1 Z' aCommon Name (eg, your name or your server's hostname) []:ftp.junjie.com
8 l4 ]. i& j# t, B& d+ A3 x- B
8 I- f5 U8 Q0 g) LEmail Address []:ftp@junjie.com

Please enter the following 'extra' attributes

to be sent with your certificate request
% {: O9 N; K- \4 w
A challenge password []:

, z+ T+ C/ y6 ?7 W) u1 iAn optional company name []:

2 T7 ^2 \" ~  \3 B8 a7 J! w1 m+ a[root@ftp certs]# openssl ca -in vsftpd.csr -out vsftpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
( @, Z  s% Q, n% H0 z, v) M1 T
Check that the request matches the signature

: k. [$ l- p, E9 m% O$ t% SSignature ok
Certificate Details:
' E; t' H+ B1 U& q3 g6 k
0 v: G3 L2 i% T" P6 [3 A5 [4 H        Serial Number: 1 (0x1)
  \) T; `3 u( H& p4 F. W        Validity
2 Q4 v1 K2 j" E0 ?5 W" v( S            Not Before: Feb 10 15:48:55 2012 GMT

            Not After : Feb 9 15:48:55 2013 GMT
9 E: L7 r  `$ X: D. i8 y9 [        Subject:
" Y# S0 ~& N7 R            countryName               = cn
" j. ^# n$ \! T. p3 D* f# F* {1 v            stateOrProvinceName       = henan
            organizationName          = junjie
* L. O$ T/ {% h  @+ \2 f6 n" u( M" L            organizationalUnitName    = ftp
            commonName                = ftp.junjie.com
            emailAddress              = junjie@junjie.com
2 r; e: b3 \& B2 y3 s& D        X509v3 extensions:
5 u) k) K: s% h$ n6 N            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
  K" E0 j# c/ h- d* n' S                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                33:C5:01:33:A5:CF:42:9F:24:A9:0D:E9:41:8E:26:C3:1B:7B:18:11
! c! k1 B3 x! a
            X509v3 Authority Key Identifier:
                keyid:501:A8:0A:1F:B7:CD:49:94:69:E3:70:E9:AE:93:73:2C:94:66:AC


$ Y/ P' f1 m2 J6 t; w$ i2 r+ TCertificate is to be certified until Feb 9 15:48:55 2013 GMT (365 days)
, t% I7 _, N( }
Sign the certificate? [y/n]:y
( H6 H. g" k' v8 ]5 M% n" t

0 W# c2 U, X5 B2 P; b- ~0 b
; A! t7 Z. k2 u1 out of 1 certificate requests certified, commit? [y/n]y

' q, E" Y8 S  Z& _) JWrite out database with 1 new entries
3 s$ o, W5 q7 T# m  k* f
Data Base Updated
[root@ftp certs]# ll
[root@ftp certs]# chmod 600 *
[root@ftp certs]# ll
④.使ftp服务应用证书：

[root@ftp certs]# cd /etc/vsftpd/            
[root@ftp vsftpd]# vim vsftpd.conf         #增加以下内容
, ^" j  O5 L# \0 R118 rsa_cert_file=/etc/vsftpd/certs/vsftpd.crt
/ c- S4 o, D; D5 H5 C6 i
119 rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key
$ O3 I. [. V- d: r4 D% o* i9 j1 E. N
7 y; G1 R4 q3 `120 force_local_data_ssl=YES
121 force_local_logins_ssl=YES
122 ssl_enable=YES
) x" N. c! i; w0 a2 b/ ]123 ssl_sslv2=YES
3 M2 f* Z1 W& o& F. m4 V! H' {2 R! e124 ssl_sslv3=YES
125 ssl_tlsv1=YES
% D' b3 |' V. u. A0 A- r8 k[root@ftp vsftpd]# service vsftpd restart

Shutting down vsftpd:                                      [ OK ]
+ t  H! \2 n* s) \Starting vsftpd for vsftpd:                                [ OK ]
⑤客户端测试（已加密传输）：
% C6 t6 l1 l" M/ j


; S# T" ?$ }  Z* u

8 j9 `7 x% v( J7 P3 U从上面看出证书名称出现问题，但可是可以使用！选择接收一次！
4 F: }  S/ q$ z0 s4 t0 H
( C8 Y1 E1 w4 R: w3 Q
" f$ e' @3 \5 W, D, e
该次登录抓包内容如下所示：传输已经经过加密！
[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"

+ Z( B: ^1 K: r% P: ^* a1 l" |

[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"
" W8 v5 W# W5 Q4 H
. h9 X' `; l3 h* z) Q0 y4 b1 _Running as user "root" and group "root". This could be dangerous.
6 T; j; r% ]) c) [6 F# e8 \
, \& O& u# _, SCapturing on eth0
6 R: L) o& f' F' t! D  \
9.742109 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2

; H& Y  I! g" F0 b" j* }; @ 9.742144 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1 Ack=1 Win=65700 Len=0

9.747458 192.168.101.113 -> 192.168.101.210 FTP Request: AUTH SSL
2 n+ m; C9 b2 J- G; @# O; ~' e2 I
6 }0 R0 z/ a( Y: ~! I 9.755605 192.168.101.113 -> 192.168.101.210 FTP Request: \200\310\001\003\001\000\237\000\000\000 \000\300\024\000\300
( W9 B$ M$ B3 }
8 s' W( [3 R; x8 \3 j! y 9.758795 192.168.101.113 -> 192.168.101.210 FTP Request: \026\003\001\000\206\020\000\000\202\000\200n\257\315\204\324o

- L. C# O( [/ m- B+ `& p 9.778662 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\215\325t\357\277\001\376FZ\243D\373\003\367\231\207Q\324\003Q}/\335\025\027\003\001\000 \f\355b\270\355\325\020[\372\302s{^\375\307\364C\307\243\251v9\370\364\260\277\253\317\321gB]
& |6 ]2 @. p3 D
9.779885 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\324\000\267\312\0320\213\266y\311\025[\371\275?\254Y\257\024[\245vjM\027\003\001\000(\236\321\221Z\321Z(\316'\343.\235?\321=8\264b\270(j\336\231\210\265\207K\223A\037"\277\251\252t\252a`\374
, U5 g8 Z" q0 i  s6 p4 W
9 s+ u* t% [/ ~. d9 x6 O 9.782153 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\257d\313mXZT\356\2366\334q\223\017gt\371\232\207\226\325
& u" a; u" v  o
8 }( q2 G1 z. C2 R 9.793165 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\0301\020S\237\372\210\004N4\370\366\377\2213m\356\233w:\275)>@%\027\003\001\000 Y\032\275BM=3J\313\240\241\372Z\371@\335\262\252\240\235\021\345\271\305\223\211\020\340\332\323Q\251
8 I; h( ]3 I- E) [/ B
9.795630 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\302\016=LR\272\030{\034\277V\256]\230\247\363\355M\241\327U\207k\032\027\003\001\000 OYi\216=S\322\212)\271V\016\2519w\332f\213\222S\244\275M\316\025N\302:k\312b\331
; I6 C" g" u3 i& S1 ]3 A
9.796727 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1260 Win=64440 Len=0

+ P9 d7 O/ O) d/ I5 m 9.797542 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1334 Win=64364 Len=0
9 z% a2 h3 i0 H& n; X1 z9 Z8 X9 R
9.798327 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1408 Win=64292 Len=0
0 F3 Y7 n7 P6 g0 y8 O/ }/ d
0 l; z; [4 R5 u+ h1 O( k* H1 A3 R6 }2 N 9.798775 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1482 Win=65700 Len=0
1 V3 G+ y6 R' B: K3 u' E3 z/ C
, P; E6 u! K8 u0 X0 x 9.799387 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1564 Win=65616 Len=0

+ N7 a& F0 r$ G& n# G) j 9.799910 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1638 Win=65544 Len=0

( x, D9 Z: N% V: y  s  I% ~* a+ w 9.805078 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030G}\305\210\021s\244q\023k=\345R\232A\366B\360\202\320\361(x\344\027\003\001\000 \351W\350\377\362\2756\334\303\035+1l|{\304\277\224\326n\036d\213\217\b\216\023N\225\003a\274

  v5 B! f  p% [ 9.810763 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\203\354F\302\253\205\212\355\334$\321=\303h\276\302\350\320.\346\223\337BG\027\003\001\000 73\027\372#\232
7 o$ i% H0 k) f( I" w$ C, L
% \# d2 c3 c* V9 s6 z$ c* { 9.813350 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\203x`k\337RM\341w\022N\255|f\260U ?\354)A\301^\251\027\003\001\000 \031`\366\364He\030\266z)\373\265\237\261\3430\220\331\340Kv[\033\347\tXj\344\314\236\242

  l( n% l2 z! h 9.814073 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\307\2126sY\a\237\034\321\277!j\320\213\235\032\277e\345\361E>|)\027\003\001\000 \256\304}:-\365\034\aD~\fk`]\314\b\207\365-\217\305\244

9.838659 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\300\272t&\t(\262\243\361\210\263\343\326\261\017$\317V\002\354\325\271\250\366\027\003\001\000 \350F\305\360\363\365\033\274W\207M\006\216\255\016\365\205z\033\002\032B\345,\3712\034\377\327[\272P
' j5 R! F% I% V+ }+ ?+ M' f0 m
9.851675 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1071 Ack=2041 Win=65140 Len=0

9.856073 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\f\357\000E/\372\333\247\016\344\315\345\346\271L\327\214CE0*i\316\332\027\003\001\000(8\220\341\316.*\234dM\235
; U% i; X  S) s/ f* d: F8 g6 ]* e
/ v* ~/ t1 K2 p* c4 M+ J5 m 10.061779 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1145 Ack=2094 Win=65088 Len=0

" p$ X7 `, g5 @' J 39.978110 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030=\032\322\022\216B\025O\016\034
4 z. f5 X  V% X# Z3 V/ `
8 J9 `6 h/ \1 x9 W% D/ y 39.980672 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [FIN, ACK] Seq=1211 Ack=2139 Win=65040 Len=0
( T# m9 _0 c5 j' y7 ^9 z
39.980725 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [RST, ACK] Seq=1212 Ack=2149 Win=0 Len=0

27 packets captured

[root@ftp ~]#