How to install vsftpd on Amazon EC2 Ubuntu and enable TLS

Environment: Ubuntu 24.04.1 LTS (tested on a local virtual machine and on Amazon EC2)

#1. Update the system and install filezilla and vsftpd
sudo apt-get update
sudo apt install filezilla
sudo apt-get install vsftpd

#2. Back up vsftpd.conf
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.orig

#3. Check and enable the firewall
sudo ufw status
sudo ufw enable

#4. Open ports: 20 and 21 for FTP, 990 for TLS, and 40000-50000 for passive mode
sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow 990/tcp
sudo ufw allow 40000:50000/tcp
sudo ufw status

#5. Add an FTP user
sudo adduser ftpuser

#6. Create the FTP directory and set its permissions
sudo mkdir /home/ftpuser/ftp
sudo chown nobody:nogroup /home/ftpuser/ftp
sudo chmod a-w /home/ftpuser
sudo chmod a-w /home/ftpuser/ftp

#Check the permissions
sudo ls -la /home/ftpuser/ftp

#7. Add a directory for uploads
sudo mkdir /home/ftpuser/ftp/files
sudo chown ftpuser:ftpuser /home/ftpuser/ftp/files

#Check the permissions
sudo ls -la /home/ftpuser/ftp

#Create a test file test.txt
echo "vsftpd test file" | sudo tee /home/ftpuser/ftp/files/test.txt

#8. Edit the FTP configuration
sudo nano /etc/vsftpd.conf

# Add the following lines
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
allow_writeable_chroot=YES
pasv_min_port=40000
pasv_max_port=50000
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

#Works around the "500 Illegal PORT command" error in active mode. Note that this disables vsftpd's PORT security check (outgoing data connections are no longer restricted to the client's address); passive mode through ports 40000-50000 does not need it.
port_promiscuous=YES

#9. Add the user ftpuser to the userlist
echo "ftpuser" | sudo tee -a /etc/vsftpd.userlist

#Check the result
cat /etc/vsftpd.userlist

#10. Restart the vsftpd service
sudo systemctl restart vsftpd

#11. Test FTP (passive mode)
ftp -p localhost

#Test downloading a file
cd files
get test.txt

#Test uploading a file
put test.txt upload.txt

#Close the FTP session
bye

##Securing Transactions
#12. Create a self-signed certificate and key (in one file) valid for one year
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

#13. Update the vsftpd configuration
sudo nano /etc/vsftpd.conf

#Update these three settings as follows
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES

#Add the following lines to explicitly deny anonymous connections over SSL and to require TLS for local users' logins and data transfers
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

#Add the following lines to use TLS, the preferred successor to SSL
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

#Add the following lines to make sure that key lengths are equal to or greater than 128 bits
require_ssl_reuse=NO
ssl_ciphers=HIGH

#Save and close vsftpd.conf
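Before restarting, it is worth checking that the file actually carries the settings from steps 8 and 13. The following audit script is an added example, not part of the original post; it reads a vsftpd.conf, compares the TLS and access-control keys against the values this guide sets, and flags port_promiscuous. It runs here against a constructed sample file; on a server, call audit_vsftpd_conf /etc/vsftpd.conf.

```shell
# Added example, not part of the original post: audit a vsftpd.conf for the
# TLS and access-control settings that steps 8 and 13 add, before restarting vsftpd.

# Effective value of a key: the last uncommented assignment wins, as in vsftpd.
conf_get() {  # $1=conf file, $2=key
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# Returns the number of failed checks (0 means the file matches the guide).
audit_vsftpd_conf() {  # $1=path to vsftpd.conf
    file=$1; fails=0
    for pair in anonymous_enable=NO allow_anon_ssl=NO ssl_enable=YES \
                force_local_data_ssl=YES force_local_logins_ssl=YES \
                ssl_sslv2=NO ssl_sslv3=NO ssl_tlsv1=YES \
                chroot_local_user=YES userlist_enable=YES userlist_deny=NO; do
        key=${pair%%=*}; want=${pair#*=}; have=$(conf_get "$file" "$key")
        if [ "$have" = "$want" ]; then
            echo "OK    $key=$have"
        else
            echo "FAIL  $key: want $want, have '${have:-<unset>}'"
            fails=$((fails + 1))
        fi
    done
    # vsftpd will not offer TLS without a certificate file.
    if [ -z "$(conf_get "$file" rsa_cert_file)" ]; then
        echo "FAIL  rsa_cert_file unset"; fails=$((fails + 1))
    fi
    # port_promiscuous=YES (step 8) turns off vsftpd's PORT security check;
    # flag it so it is not left on once passive mode works through the firewall.
    if [ "$(conf_get "$file" port_promiscuous)" = "YES" ]; then
        echo "WARN  port_promiscuous=YES"
    fi
    return "$fails"
}

# Constructed sample (not a real server's file) with the keys the audit reads.
write_sample_conf() {  # $1=output path
    printf '%s\n' anonymous_enable=NO chroot_local_user=YES userlist_enable=YES \
        userlist_deny=NO port_promiscuous=YES rsa_cert_file=/etc/ssl/private/vsftpd.pem \
        ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES \
        force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO > "$1"
}

# Stand-alone demo against the constructed sample; on a server run: audit_vsftpd_conf /etc/vsftpd.conf
sample=$(mktemp); write_sample_conf "$sample"; audit_vsftpd_conf "$sample"; rm -f "$sample"
```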

#14. Restart the vsftpd service
sudo systemctl restart vsftpd

##Testing TLS with FileZilla
#15. Connect to the FTP server with FileZilla
#Fill in the “Host” field with the server name or IP address. Under the “Encryption” drop-down menu, select “Require explicit FTP over TLS”.
#For “Logon Type”, select “Ask for password”, and fill in the FTP user you created in the “User” field.
#Download test.txt to the left pane, rename it to upload.txt, and drag it back to the right pane to upload it.

##Prevent the FTP account from logging in to a system shell
#16. Create a file called ftponly
sudo nano /bin/ftponly

#17. Add the following lines (the shebang is needed so the file can act as a login shell)
#!/bin/sh
echo "This account is limited to FTP access only."

#18. Change the permissions to make the file executable
sudo chmod a+x /bin/ftponly

#19. Open the list of valid shells
sudo nano /etc/shells

#At the bottom, add the path of the new shell:
/bin/ftponly

#20. Update the user’s shell
sudo usermod ftpuser -s /bin/ftponly

#Now try logging in as ftpuser; the session should print the ftponly message and close:
ssh ftpuser@localhost

Reference: https://gist.github.com/linuxoracledev/554f76ad9cc9bdd0fbe14f574d9e1fb8
