FTPS（FTP+SSL）

admin

FTPS（FTP+SSL）
+ _- D: s1 `0 D$ |9 v9 I
   ftps是一种多传输协议，相当于加密版的FTP。当你在FTP服务器上收发文件的时候，你面临两个风险。第一个风险是在上载文件的时候为文件加密。第二个风险是，这些文件在你等待接收方下载的时候将停留在FTP服务器上，这时你如何保证这些文件的安全。你的第二个选择(创建一个支持SSL的FTP服务器)能够让你的主机使用一个FTPS连接上载这些文件。这包括使用一个在FTP协议下面的SSL层加密控制和数据通道。一种替代FTPS的协议是安全文件传输协议(SFTP)。这个协议使用SSH文件传输协议加密从客户机到服务器的FTP连接。


! u7 q# l1 F7 f, d9 ?7 WFTPS是在安全套接层使用标准的FTP协议和指令的一种增强型TFP协议，为FTP协议和数据通道增加了SSL安全功能。FTPS也称作“FTP-SSL”和“FTP-over-SSL”。SSL是一个在客户机和具有SSL功能的服务器之间的安全连接中对数据进行加密和解密的协议。

7 Q& Z3 @, d+ B3 [, A( r: u$ h
和sftp连接方法类似，在windows中可以使用FileZilla等传输软件来连接FTPS进行上传，下载文件，建立，删除目录等操作,在FileZilla连接时，有显式和隐式TLS/SSL连接之分，连接时也有指纹提示。

: ?" y' Z$ D) _4 R) p
; S" K) ?3 P# Z
安全：ftps ftp+ssl
3 A  _# E* M) n" O& U
$ w% M% S6 S/ ?! Y  J5 p4 T准备工作：
# K. }8 F0 O1 P) r
准备一:关闭防火墙；

! j- `  O2 Q* H' m准备二：挂载光盘；
$ N1 C' p% n; q* z2 t
5 v. u+ o0 k1 M0 g准备三：构建本地yum服务器。
4 Y: w$ H; M  n
' Y( L- N% V* H! y3 NFTP+SSL配置详细过程:
7 J; A% n# r$ V- Z5 N& O
2 p4 f# m/ ]4 c/ P①.安装配置FTP服务器和抓包工具：（ftp：192.168.101.210）
- e" o0 G4 E9 s, q0 j
5 A* D# m8 v9 I% }/ B2 N' o. s[root@ftp ~]# yum list all |grep vsftpd
[root@ftp ~]# yum install -y vsftpd

5 o! ~5 v" l$ ^( W$ r5 b[root@ftp ~]# yum list all |grep wireshark

[root@ftp ~]# yum install -y wireshark

9 s: ]/ O8 A3 F, ?2 ~[root@ftp ~]# useradd user1
1 N  i. ]2 ^4 T) N# H, g[root@ftp ~]# echo "123" |passwd --stdin user1
; p4 e8 r' ~5 z0 q# B' [
; m. X  K, p/ y6 Z" C[root@ftp ~]# service vsftpd start
) a+ J8 G( Z; X7 o  L5 O
6 j. X, n% A0 F( {5 BStarting vsftpd for vsftpd:                                [ OK ]
& P  U& c2 z! O9 B
2 f  a) y6 @: A& _& e
[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"
' T( ^. G' v$ O; P7 x# [
, y5 ?0 E9 r- Z$ Z# }) V4 g! b

②.配置本地CA证书服务器：

& B9 L7 {! A* p- M[root@ftp ~]# cd /etc/pki/
[root@ftp pki]# ll
1 ?) b  q5 e9 |2 T0 \2 X4 C[root@ftp pki]# vim tls/openssl.cnf
45 dir             = /etc/pki/CA
" z" m/ j# ^* L; N1 N88 countryName             = optional
' o' I8 V2 W7 t3 u* V
1 }+ k8 ^0 v/ R% Q89 stateOrProvinceName     = optional
4 E: Q) M6 {/ x, ?% f
1 M5 A8 z( S( H% p* Z' M6 `1 A90 organizationName        = optional

0 S, @3 S' }: a. ?; L5 M[root@ftp pki]# cd CA/
* [- g4 }: M% k4 H* i+ n3 Y[root@ftp CA]# mkdir certs newcerts crl
9 _3 p! p; f- F: c% y$ O2 X[root@ftp CA]# touch index.txt serial
[root@ftp CA]# echo "01" >serial

[root@ftp CA]# ll
$ g7 K% Q) o* w, R5 e[root@ftp CA]# openssl genrsa 1024 > private/cakey.pem

& g5 g) ]6 F% j7 ~& m$ `( ]+ pGenerating RSA private key, 1024 bit long modulus
$ I3 V9 R6 h* N  K. e
...........++++++
....++++++
) u: s1 u  f9 w2 ?5 S# U, be is 65537 (0x10001)

' M1 f" L' ^3 f; E[root@ftp CA]# chmod 600 private/cakey.pem
[root@ftp CA]# ll private/cakey.pem
* `6 w# b/ R7 ?$ D" P-rw------- 1 root root 887 Feb 10 23:22 private/cakey.pem
  C. Y0 w" Q9 |$ U3 A5 L[root@ftp CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

0 d6 D) x( R1 _4 sFor some fields there will be a default value,

If you enter '.', the field will be left blank.
8 S: r# R2 i5 e9 G
-----
  V- a3 r" P- x$ mCountry Name (2 letter code) [GB]:cn
% O3 B# x6 L, \# H
State or Province Name (full name) [Berkshire]:henan

Locality Name (eg, city) [Newbury]:zhengzhou

Organization Name (eg, company) [My Company Ltd]:junjie

Organizational Unit Name (eg, section) []:soft

2 L& y# ]9 c7 _7 C& f5 f7 v& t- rCommon Name (eg, your name or your server's hostname) []:ca.junjie.com
! }- s* Z  `0 C% I& p; v: f
8 `0 h6 F7 C- ZEmail Address []:junjie@junjie.com
/ p1 O! t1 H5 O* Z9 @[root@ftp CA]#ll
③.为ftp服务器创建证书：

  ^7 v( P) P. n[root@ftp CA]# mkdir /etc/vsftpd/certs
[root@ftp CA]# cd /etc/vsftpd/certs
2 d; K% k  _( D[root@ftp certs]# openssl genrsa 1024 >vsftpd.key
* z: l) R. d& ZGenerating RSA private key, 1024 bit long modulus
/ a( G; H9 G( h- ~0 M( e$ _
....++++++
...++++++
: [7 g  b; P( n2 d4 J  h! de is 65537 (0x10001)
, ^$ k8 U0 j8 Q7 y! ?. w, J1 e
[root@ftp certs]# openssl req -new -key vsftpd.key -out vsftpd.csr

8 L7 Y5 f. ?; h  L1 rYou are about to be asked to enter information that will be incorporated

$ I, F# k9 R" Dinto your certificate request.
4 z3 S9 m3 f+ Z* N" J! D  b9 j& K
1 N0 y) l& F/ h6 v7 \. `What you are about to enter is what is called a Distinguished Name or a DN.

4 ?, w7 y1 l& W% ?6 qThere are quite a few fields but you can leave some blank

. s+ ?- v; G$ j& e; RFor some fields there will be a default value,

& B6 h) X: Z9 r3 Y- h0 a0 S8 D) lIf you enter '.', the field will be left blank.

-----
- W1 a' ?; O5 a* B& M4 KCountry Name (2 letter code) [GB]:cn
/ n& q' @. @/ i$ T1 D$ ~
State or Province Name (full name) [Berkshire]:henan
3 Y+ T5 B) ^. G
1 t8 H. p, Y7 H- u, KLocality Name (eg, city) [Newbury]:zhengzhou
7 B( D0 Z: a  a
! B2 t+ [8 Z. W* h) G* D$ wOrganization Name (eg, company) [My Company Ltd]:junjie

& ~% i2 s2 K8 |9 vOrganizational Unit Name (eg, section) []:ftp

4 @! g5 M( T6 u" B( Y+ b3 t. nCommon Name (eg, your name or your server's hostname) []:ftp.junjie.com
& ^  L+ w/ `- d  y
Email Address []:ftp@junjie.com
* V( q; Z- \$ Q; X6 N
% g# a% Y! B1 x: q0 o. \Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:
- I' K  ?4 h0 F0 ?' q3 W- `
" G2 x& U% g4 e  {* R' M4 N# D2 q" e6 vAn optional company name []:
& V, T% r* e" m) r% Y# O
4 X2 D# L2 _7 n1 U4 }! @0 A[root@ftp certs]# openssl ca -in vsftpd.csr -out vsftpd.crt
7 A5 C4 ~' u4 e0 ?- xUsing configuration from /etc/pki/tls/openssl.cnf
: u. Y9 C9 T; j7 ]6 t& _9 `
5 s2 X5 L4 p; H8 TCheck that the request matches the signature

) [8 r  s) H  Z/ T9 D" Y( `. MSignature ok
& z$ R9 @! e# K" u/ ^Certificate Details:
( A9 s" m5 j6 f/ I% a9 v8 I$ j
( G+ v1 y* K. v& F' t  X1 N* ?        Serial Number: 1 (0x1)
        Validity
% q: R" L" b2 K( q) I            Not Before: Feb 10 15:48:55 2012 GMT
8 L" d+ a5 C, H- f9 Y5 |
6 h7 i6 c4 L- }& Y" s            Not After : Feb 9 15:48:55 2013 GMT
! f! \2 a1 u0 w! L2 [% Q4 C0 w6 {5 c        Subject:
+ `* ]) k3 f' D: A# \            countryName               = cn
            stateOrProvinceName       = henan
' Z5 r' [* j+ S; C* Y0 y            organizationName          = junjie
4 R( c% l' v9 k6 J            organizationalUnitName    = ftp
            commonName                = ftp.junjie.com
            emailAddress              = junjie@junjie.com
        X509v3 extensions:
            X509v3 Basic Constraints:
% b) {# K" P' v% W" i                CA:FALSE
            Netscape Comment:
: \( v& s" }/ K                OpenSSL Generated Certificate
5 O. f6 R4 h4 D7 {5 ?, [/ j4 K  o            X509v3 Subject Key Identifier:
3 O. j4 l( S3 Y                33:C5:01:33:A5:CF:42:9F:24:A9:0D:E9:41:8E:26:C3:1B:7B:18:11
( y$ Z$ i8 T+ g& [  k4 B6 C
            X509v3 Authority Key Identifier:
5 t8 w( i  \+ ~, [; x2 r7 s                keyid:501:A8:0A:1F:B7:CD:49:94:69:E3:70:E9:AE:93:73:2C:94:66:AC
6 `" @; ^% W5 ^; B  Q
1 ]. }6 M% g" i: T
Certificate is to be certified until Feb 9 15:48:55 2013 GMT (365 days)
# V: Z! G0 T1 V
. v8 L% Z# m( x& _7 V. s2 x0 HSign the certificate? [y/n]:y
# J" P# L+ i! W$ {7 o
1 E% a( k* f4 e

1 J4 x& O0 Y  d% N" S! V$ v1 out of 1 certificate requests certified, commit? [y/n]y
: {$ U  z& e' n2 l. e
Write out database with 1 new entries
' E  |8 i# K  m0 W
& K! ]* M7 ?* T& HData Base Updated
[root@ftp certs]# ll
/ a- W, N* Z* L- `: A[root@ftp certs]# chmod 600 *
[root@ftp certs]# ll
) s4 F3 p5 a: j8 y5 f; ~1 g④.使ftp服务应用证书：
: w' a* Z7 r6 J+ ?* f7 O; z
[root@ftp certs]# cd /etc/vsftpd/            
, }: U. Z' |% E8 r[root@ftp vsftpd]# vim vsftpd.conf         #增加以下内容
- {  D5 z6 g  X: X. [8 \3 i118 rsa_cert_file=/etc/vsftpd/certs/vsftpd.crt
! P2 j' ]/ J6 i# b( I/ ^
119 rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key
3 F- s" t- L  a4 n" N
% d6 `+ |4 t1 K. ^0 x- T. w0 b: |120 force_local_data_ssl=YES
121 force_local_logins_ssl=YES
122 ssl_enable=YES
3 L% ^) Y: h* ]  G! E123 ssl_sslv2=YES
+ R4 R0 A! T4 ]1 k124 ssl_sslv3=YES
2 M+ b7 a" ^7 h* Z7 z* W9 t125 ssl_tlsv1=YES
[root@ftp vsftpd]# service vsftpd restart
; O% J7 l1 t* O2 T* A
; S! h3 [* k& M( q6 Y! |Shutting down vsftpd:                                      [ OK ]
5 s- V3 {5 ]  o8 ^6 L0 nStarting vsftpd for vsftpd:                                [ OK ]
⑤客户端测试（已加密传输）：
( Z" {' A/ N, a3 s. ]7 R
. P" ^" f( K8 f' ]
* `% b+ \$ }/ z) O$ g
1 J. y! u) M0 X0 Y
6 r% h, u, Q. [' Q; B! h
2 a6 `  i) w/ p( _从上面看出证书名称出现问题，但可是可以使用！选择接收一次！
' {. I4 H7 q; T) G4 T0 O7 [; P; q
* Z* t* n/ R$ v9 J: S1 k

2 n8 {$ d! a. S3 S7 }5 r; z7 s) i该次登录抓包内容如下所示：传输已经经过加密！
- q2 X% c* x9 T9 ^0 J[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"

- {, m3 L$ J) {

& S2 {* f- W' ^( ?# u[root@ftp ~]# tshark -ni eth0 -R "tcp.dstport eq 21"

Running as user "root" and group "root". This could be dangerous.
, ]! ^$ M9 t/ m" |! c3 Q4 R# m
Capturing on eth0

1 V5 U% V) l8 s# s 9.742109 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=2
: i* M  }7 A- R2 s7 X
9.742144 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1 Ack=1 Win=65700 Len=0

9.747458 192.168.101.113 -> 192.168.101.210 FTP Request: AUTH SSL
: \5 M& R8 g( l  x
% j4 o9 v$ H9 T* v2 \ 9.755605 192.168.101.113 -> 192.168.101.210 FTP Request: \200\310\001\003\001\000\237\000\000\000 \000\300\024\000\300
& Z9 L8 U( d, \: L- S! ]# C0 m
9.758795 192.168.101.113 -> 192.168.101.210 FTP Request: \026\003\001\000\206\020\000\000\202\000\200n\257\315\204\324o

) y! s% e* y- M) K$ y$ }- s% k  u. l 9.778662 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\215\325t\357\277\001\376FZ\243D\373\003\367\231\207Q\324\003Q}/\335\025\027\003\001\000 \f\355b\270\355\325\020[\372\302s{^\375\307\364C\307\243\251v9\370\364\260\277\253\317\321gB]
$ w, w$ M* ~9 p5 q: q( A
& J( J, }  F1 X 9.779885 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\324\000\267\312\0320\213\266y\311\025[\371\275?\254Y\257\024[\245vjM\027\003\001\000(\236\321\221Z\321Z(\316'\343.\235?\321=8\264b\270(j\336\231\210\265\207K\223A\037"\277\251\252t\252a`\374
1 Q) M0 j/ ^, z3 z1 r- T
9.782153 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\257d\313mXZT\356\2366\334q\223\017gt\371\232\207\226\325

9.793165 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\0301\020S\237\372\210\004N4\370\366\377\2213m\356\233w:\275)>@%\027\003\001\000 Y\032\275BM=3J\313\240\241\372Z\371@\335\262\252\240\235\021\345\271\305\223\211\020\340\332\323Q\251

" Q* P/ g% }7 v+ @ 9.795630 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\302\016=LR\272\030{\034\277V\256]\230\247\363\355M\241\327U\207k\032\027\003\001\000 OYi\216=S\322\212)\271V\016\2519w\332f\213\222S\244\275M\316\025N\302:k\312b\331

/ B) p2 [8 x+ k. J7 r" Z" O# i/ R; ] 9.796727 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1260 Win=64440 Len=0
. |( s6 L3 v" E0 a, J$ b
9.797542 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1334 Win=64364 Len=0

. V, }" H# [, B! r 9.798327 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1408 Win=64292 Len=0

4 ^8 Y/ z) X- n" E  h: [( |' F9 F 9.798775 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1482 Win=65700 Len=0

9.799387 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1564 Win=65616 Len=0

. c8 i7 M" B$ P7 e; _5 V3 } 9.799910 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=741 Ack=1638 Win=65544 Len=0

9.805078 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030G}\305\210\021s\244q\023k=\345R\232A\366B\360\202\320\361(x\344\027\003\001\000 \351W\350\377\362\2756\334\303\035+1l|{\304\277\224\326n\036d\213\217\b\216\023N\225\003a\274

9.810763 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\203\354F\302\253\205\212\355\334$\321=\303h\276\302\350\320.\346\223\337BG\027\003\001\000 73\027\372#\232

9.813350 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\203x`k\337RM\341w\022N\255|f\260U ?\354)A\301^\251\027\003\001\000 \031`\366\364He\030\266z)\373\265\237\261\3430\220\331\340Kv[\033\347\tXj\344\314\236\242

9.814073 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\307\2126sY\a\237\034\321\277!j\320\213\235\032\277e\345\361E>|)\027\003\001\000 \256\304}:-\365\034\aD~\fk`]\314\b\207\365-\217\305\244
( A6 i" G8 l9 @; ~% e  Z
/ ~' c3 _* O$ n/ j) y 9.838659 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\300\272t&\t(\262\243\361\210\263\343\326\261\017$\317V\002\354\325\271\250\366\027\003\001\000 \350F\305\360\363\365\033\274W\207M\006\216\255\016\365\205z\033\002\032B\345,\3712\034\377\327[\272P
& ]$ Z: @6 u) z4 U
4 Z# ?4 m# Q; F7 u- ~2 M! I8 P 9.851675 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1071 Ack=2041 Win=65140 Len=0

* F$ S) F  n6 b1 S 9.856073 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030\f\357\000E/\372\333\247\016\344\315\345\346\271L\327\214CE0*i\316\332\027\003\001\000(8\220\341\316.*\234dM\235

$ `" P9 g" S. c5 K0 {; ~1 Z" m, D' t 10.061779 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [ACK] Seq=1145 Ack=2094 Win=65088 Len=0
0 a4 V9 S4 E( O/ y( I
39.978110 192.168.101.113 -> 192.168.101.210 FTP Request: \027\003\001\000\030=\032\322\022\216B\025O\016\034
0 F& c' k# w. r; t- p
39.980672 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [FIN, ACK] Seq=1211 Ack=2139 Win=65040 Len=0

4 Z1 y" e/ w4 N4 ^2 g 39.980725 192.168.101.113 -> 192.168.101.210 TCP 52572 > 21 [RST, ACK] Seq=1212 Ack=2149 Win=0 Len=0

8 [1 a4 U% q" N# e1 d27 packets captured
% i* V0 B, O7 x& v! A+ ]
[root@ftp ~]#