惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

A
About on SuperTechFans
D
DataBreaches.Net
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
V
Visual Studio Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
B
Blog RSS Feed
Recent Announcements
Recent Announcements
The Register - Security
The Register - Security
S
Secure Thoughts
Y
Y Combinator Blog
The Last Watchdog
The Last Watchdog
L
LINUX DO - 最新话题
V2EX - 技术
V2EX - 技术
腾讯CDC
GbyAI
GbyAI
G
Google Developers Blog
博客园 - 司徒正美
博客园 - 三生石上(FineUI控件)
T
The Exploit Database - CXSecurity.com
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
Schneier on Security
Schneier on Security
Microsoft Security Blog
Microsoft Security Blog
Jina AI
Jina AI
WordPress大学
WordPress大学
aimingoo的专栏
aimingoo的专栏
MyScale Blog
MyScale Blog
Help Net Security
Help Net Security
K
Kaspersky official blog
P
Privacy & Cybersecurity Law Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
AI
AI
MongoDB | Blog
MongoDB | Blog
Scott Helme
Scott Helme
J
Java Code Geeks
Engineering at Meta
Engineering at Meta
H
Heimdal Security Blog
H
Help Net Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
云风的 BLOG
云风的 BLOG
Microsoft Azure Blog
Microsoft Azure Blog
S
Security Affairs
TaoSecurity Blog
TaoSecurity Blog
The GitHub Blog
The GitHub Blog
Hacker News: Ask HN
Hacker News: Ask HN
Martin Fowler
Martin Fowler
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Project Zero
Project Zero
T
The Blog of Author Tim Ferriss
Last Week in AI
Last Week in AI

博客园 - py哥

rabbitmq集群docker部署 MongoDB副本集docker部署 MySQL8.0单实例部署 prometheus 监控 eureka 里面的服务状态 Redis管理平台 k8s网络与本地开发环境网络互通方案 数据库运维平台 基于Docker构建Jenkins CI平台 KeepLived + nginx 高可用 k8s-1.16 二进制安装 Ansible自动化部署K8S集群 Kubernetes1.16下部署Prometheus+node-exporter+Grafana+AlertManager 监控系统 在Kubernetes下部署Prometheus docker部署coredns kubeadm部署多master节点高可用k8s1.16.2 二进制搭建一个完整的K8S集群部署文档 kubeadm部署k8s集群 Keepalived+LVS+nginx搭建nginx高可用集群 centos7 dns(bind)安装配置
CentOS7 FTP结合ssl/tls实现加密通信安装与配置
py哥 · 2022-08-24 · via 博客园 - py哥

1、FTP的安装

复制代码

#安装
yum install -y vsftpd

#设置开机启动
systemctl enable vsftpd.service

#启动
systemctl start vsftpd.service

#停止
systemctl stop vsftpd.service

#查看状态
systemctl status vsftpd.service

复制代码

2、配置FTP 

复制代码

#打开配置文件
vim /etc/vsftpd/vsftpd.conf

#显示行号
:set number

#修改配置 12 行
anonymous_enable=NO

#修改配置 33 行
anon_mkdir_write_enable=YES

#修改配置48行
chown_uploads=YES

#修改配置72行
async_abor_enable=YES

#修改配置82行
ascii_upload_enable=YES

#修改配置83行
ascii_download_enable=YES

#修改配置86行
ftpd_banner=Welcome to blah FTP service.

#修改配置100行
chroot_local_user=YES #添加下列内容到vsftpd.conf末尾 use_localtime=YES listen_port=21 idle_session_timeout=300 guest_enable=YES guest_username=vsftpd user_config_dir=/etc/vsftpd/vconf data_connection_timeout=1 virtual_use_local_privs=YES pasv_min_port=40000 pasv_max_port=40010 accept_timeout=5 connect_timeout=1
allow_writeable_chroot=YES

 

复制代码

3、建立用户文件

复制代码

#创建编辑用户文件
vim /etc/vsftpd/virtusers
#第一行为用户名,第二行为密码。不能使用root作为用户名 

leo
12345

复制代码

4、生成用户数据文件

db_load -T -t hash -f /etc/vsftpd/virtusers /etc/vsftpd/virtusers.db

#设定PAM验证文件,并指定对虚拟用户数据库文件进行读取

chmod 600 /etc/vsftpd/virtusers.db 

5、修改 /etc/pam.d/vsftpd 文件

复制代码

# 修改前先备份 

cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bak

vi /etc/pam.d/vsftpd
#先将配置文件中原有的 auth 及 account 的所有配置行均注释掉
auth sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers 
account sufficient /lib64/security/pam_userdb.so db=/etc/vsftpd/virtusers

# 如果系统为32位,上面改为lib

复制代码

6、新建系统用户vsftpd,用户目录为/home/vsftpd

#用户登录终端设为/bin/false(即:使之不能登录系统)
useradd vsftpd -d /home/vsftpd -s /bin/false
chown -R vsftpd:vsftpd /home/vsftpd

7、建立虚拟用户个人配置文件

复制代码

mkdir /etc/vsftpd/vconf
cd /etc/vsftpd/vconf

#这里建立虚拟用户leo配置文件
touch leo
#编辑leo用户配置文件,内容如下,其他用户类似 vi leo local_root=/home/vsftpd/leo/ write_enable=YES anon_world_readable_only=NO anon_upload_enable=YES anon_mkdir_write_enable=YES anon_other_write_enable=YES
#建立leo用户根目录
mkdir -p /home/vsftpd/leo/

复制代码

8、防火墙设置

复制代码

IPtables 的设置方式:
vi /etc/sysconfig/iptables #编辑iptables文件,添加如下内容,开启21端口 -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 40000:40010 -j ACCEPT

firewall 的设置方式:

firewall-cmd --zone=public --add-service=ftp --permanent

firewall-cmd --zone=public --add-port=21/tcp --permanent

firewall-cmd --zone=public --add-port=40000-40010/tcp --permanent 

复制代码

9、重启vsftpd服务器

systemctl restart vsftpd.service

10、使用ftp工具连接测试

这个时候,使用ftp的工具连接时,我们发现是可以连接的。传输文件的时候,会发现文件上传和下载都会出现

500、503 、200等问题。这个时候,可以进行以下操作:

方式一、关闭SELINUX

复制代码

#打开SELINUX配置文件
vim /etc/selinux/config


#修改配置参数
#注释  
SELINUX=enforcing

#增加  
SELINUX=disabled


#修改完成后,需要重启!

复制代码

方式二、修改SELINUX

复制代码

setenforce 0 #暂时让SELinux进入Permissive模式


#列出与ftp相关的设置
getsebool -a|grep ftp


#以下是显示出来的权限,off是关闭权限,on是打开权限。不同的机器显示的可能不一样。我看了我的显示的,和网上其他教程就不太一样
ftp_home_dir --> off
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off


#将包含有 ftp_home_dir 和 ftpd_full_access 相关的都设置为 1

setsebool -P ftp_home_dir 1
setsebool -P allow_ftpd_anon_write 1 setsebool -P ftp_home_dir 1 setenforce 1 #进入Enforcing模式

复制代码

方式三、 SELINUX不对vsftp不做任何限制

setsebool -P ftpd_connect_all_unreserved 1

这个时候再使用工具连接,你发现,就可以正常的上传和下载文件了。

如果还是有问题尝试给我们用户的ftp目录,设置一下操作权限

chmod -R 775 /home/vsftpd/leo

接下来期望提供vsftpd结合ssl/tls实现加密通信


首先生成私钥
[root@server23 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........................................+++
................+++
e is 65537 (0x10001)
其次生成自签名证书
[root@server23 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SS
Locality Name (eg, city) [Default City]:XX
Organization Name (eg, company) [Default Company Ltd]:TE
Organizational Unit Name (eg, section) []:TEC
Common Name (eg, your name or your server's hostname) []:ca.linux.com
Email Address []:
接下来配置vsftpd
首先创建目录,然后生成私钥
[root@server23 CA]# cd /etc/vsftpd/ssl/
[root@server23 ssl]# (umask 077;openssl genrsa -out vsftpd.key 2048)Generating RSA private key, 2048 bit long modulus
...........................+++
......+++
e is 65537 (0x10001)
接下来生成证书签署请求
[root@server23 ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SX
Locality Name (eg, city) [Default City]:XA
Organization Name (eg, company) [Default Company Ltd]:LINUX
Organizational Unit Name (eg, section) []:TECH
Common Name (eg, your name or your server's hostname) []:ftp.server23.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
CA签署请求
[root@server23 ssl]# openssl ca -in vsftpd.csr -out vsftpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 16 08:35:09 2018 GMT
Not After : Apr 16 08:35:09 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = SX
organizationName = LINUX
organizationalUnitName = TECH
commonName = ftp.server23.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
40:26:AB:BD:6C:FE:50:82:44:7D:41:A8:E7:43:7F:5E:55:7C:DC:7A
X509v3 Authority Key Identifier:
keyid:B3:C1:80:F2:07:25:42:C1:82:96:FE:C7:70:F1:46:63:7B:2E:16:B1

Certificate is to be certified until Apr 16 08:35:09 2019 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
编辑vsftpd.conf配置文件来使用生成的证书
# ssl or tls
ssl_enable=YES
ssl_sslv3=YES
ssl_tlsv1=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key
然后需要重启vsftpd服务
[root@my Desktop]# ftp 172.25.23.23
Connected to 172.25.23.23 (172.25.23.23).
220 (vsFTPd 2.2.2)
Name (172.25.23.23:root): hadoop
530 Non-anonymous sessions must use encryption.
Login failed.
ftp> hadoop
?Invalid command
上面提示的信息表示非匿名用户必须使用encryption来进行连接,这里如果需要进行连接ftp服务器,就不能够使用Linux lftp命令来进行连接了,暂时只能够使用Windows FileZilla等软件来进行连接;