Introduction:

FTPS is a file-transfer protocol, essentially an encrypted version of FTP. When you send and receive files through an FTP server you face two risks. The first is encrypting the files while they are being uploaded. The second is that the files sit on the FTP server while you wait for the recipient to download them, and you have to keep them safe there. Your second option, building an FTP server that supports SSL, lets your host upload the files over an FTPS connection. This uses an SSL layer beneath the FTP protocol to encrypt both the control and the data channel. An alternative to FTPS is the Secure File Transfer Protocol (SFTP), which uses the SSH file transfer protocol to encrypt the connection from client to server.

FTPS is an enhanced FTP protocol that carries the standard FTP protocol and commands over the Secure Sockets Layer, adding SSL protection to the FTP control and data channels. FTPS is also called "FTP-SSL" and "FTP-over-SSL". SSL is a protocol that encrypts and decrypts the data on a secure connection between a client and an SSL-capable server.

First, install the packet-capture tool:

[root@localhost ~]# yum list all |grep wireshark    search for the wireshark packages

wireshark.i386                         1.0.8-1.el5_3.1       rhel-server       
wireshark-gnome.i386 (for the desktop environment) 1.0.8-1.el5_3.1       rhel-server

Install the package: wireshark

[root@localhost ~]# yum install -y wireshark

[root@localhost ~]# rpm -ql wireshark |less

The capture tool itself is /usr/sbin/tshark

Make sure vsftpd is running: service vsftpd start

[root@localhost ~]# tshark -ni eth0 -R "tcp.dstport eq 21"    capture traffic to the FTP control port

[screenshot 1.1 not preserved]

In a Windows command prompt, enter:

[screenshot 1.1 not preserved]

You can also log in from Linux:

[screenshot 1.2 not preserved]

FTPS steps:

Set up the CA

[root@localhost ~]# cd /etc/pki/
[root@localhost pki]# ll
total 36
drwx------ 3 root root 4096 Feb  9 00:16 CA
drwxr-xr-x 4 root root 4096 Mar 20 10:27 dovecot
drwxr-xr-x 2 root root 4096 Feb  9 00:15 nssdb
drwxr-xr-x 2 root root 4096 Feb  9 00:15 rpm-gpg
drwxr-xr-x 5 root root 4096 Mar 20 19:37 tls
[root@localhost pki]# vim tls/openssl.cnf

[screenshots 2 and 2.1 of the openssl.cnf edit not preserved]

[root@localhost pki]# cd CA   switch to the CA directory
[root@localhost CA]# mkdir certs crl newcerts     create the three directories
[root@localhost CA]# touch index.txt serial    create the two files
[root@localhost CA]# echo "01" >serial    give serial its initial value
[root@localhost CA]# ll       list
total 24
drwxr-xr-x 2 root root 4096 Mar 20 20:08 certs
drwxr-xr-x 2 root root 4096 Mar 20 20:08 crl
-rw-r--r-- 1 root root    0 Mar 20 20:08 index.txt
drwxr-xr-x 2 root root 4096 Mar 20 20:08 newcerts
drwx------ 2 root root 4096 Jun 30  2009 private
-rw-r--r-- 1 root root    3 Mar 20 20:09 serial
Create the CA private key:

[root@localhost CA]# openssl genrsa 1024 >private/cakey.pem
Generating RSA private key, 1024 bit long modulus
..........++++++
.++++++
e is 65537 (0x10001)
Create the CA certificate:

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:BEIJING
Organization Name (eg, company) [My Company Ltd]:SECCENTER     
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:rootca.net.net
Email Address []:
[root@localhost CA]# ll
total 28
-rw-r--r-- 1 root root 1155 Mar 20 20:17 cacert.pem
drwxr-xr-x 2 root root 4096 Mar 20 20:08 certs
drwxr-xr-x 2 root root 4096 Mar 20 20:08 crl
-rw-r--r-- 1 root root    0 Mar 20 20:08 index.txt
drwxr-xr-x 2 root root 4096 Mar 20 20:08 newcerts
drwx------ 2 root root 4096 Mar 20 20:11 private
-rw-r--r-- 1 root root    3 Mar 20 20:09 serial
[root@localhost CA]# chmod 600 private/cakey.pem      restrict the key's permissions
[root@localhost CA]# mkdir /etc/vsftpd/certs      create the directory
[root@localhost CA]# cd /etc/vsftpd/certs/     change into it
[root@localhost certs]# ll     list
total 0
Generate the server key:

[root@localhost certs]# openssl genrsa 1024 >vsftpd.key      
Generating RSA private key, 1024 bit long modulus
...........++++++
.++++++
e is 65537 (0x10001)
Create the certificate request from the key:

[root@localhost certs]# openssl req -new  -key vsftpd.key -out vsftpd.csr          
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN    
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:zzdx
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:ftp.zzdx.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Obtain the certificate from the request file:

[root@localhost certs]# openssl ca -in vsftpd.csr -out vsftpd.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 20 12:27:04 2012 GMT
            Not After : Mar 20 12:27:04 2013 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HENAN
            organizationName          = zzdx
            organizationalUnitName    = tec
            commonName                = ftp.zzdx.com

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                54:FA:EA:A7:E0:8B:72:DF:57:37:4E:41:84:AA:BA:1A:AB:C4:B7:C9
            X509v3 Authority Key Identifier:
                keyid:8F:9B:34:8D:DA:DD:63:D5:0B:07:AF:F4:E4:E0:C9:6C:04:44:65:CC

Certificate is to be certified until Mar 20 12:27:04 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@localhost certs]# ll     list the certificates
total 12
-rw-r--r-- 1 root root 3075 Mar 20 20:27 vsftpd.cert
-rw-r--r-- 1 root root  647 Mar 20 20:23 vsftpd.csr
-rw-r--r-- 1 root root  887 Mar 20 20:19 vsftpd.key

[root@localhost certs]# chmod 600 *     restrict the certificates' permissions
[root@localhost certs]# ll
总计 12
-rw------- 1 root root 3075 03-21 11:01 vsftpd.cert
-rw------- 1 root root  647 03-21 10:57 vsftpd.csr
-rw------- 1 root root  887 03-21 10:52 vsftpd.key
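The CA and server-certificate steps above, collected into one script as an added example (this is not code from the original post): it builds the same directory layout and runs the same openssl genrsa / req / ca sequence, but non-interactively with -subj and in a throwaway directory of its own rather than /etc/pki/CA, so it runs without root. The screenshot of the tls/openssl.cnf edit is not preserved (on this layout that edit presumably points the CA section's dir at /etc/pki/CA, an assumption), so the script writes a minimal openssl.cnf of its own; its dir setting is what openssl ca uses to find index.txt, serial, newcerts and the CA key. The subject names are the ones from the walkthrough; 2048-bit keys and sha256 are choices made here, since the 1024-bit keys used above are too small for a new deployment. Finally it verifies the issued certificate against the CA the way a client would.

```shell
#!/bin/sh
# Added example (not from the original post): build a private CA and issue
# the vsftpd server certificate non-interactively, in a throwaway directory
# instead of /etc/pki/CA so no root is needed. Requires the openssl CLI.
# Choices made here: 2048-bit keys and sha256; the subject names are the
# walkthrough's.

# Create the layout openssl ca expects and a minimal openssl.cnf whose
# "dir" points at it; this stands in for the tls/openssl.cnf edit above.
make_ca() {
    cadir="$1"
    mkdir -p "$cadir/certs" "$cadir/crl" "$cadir/newcerts" "$cadir/private"
    chmod 700 "$cadir/private"
    : > "$cadir/index.txt"
    echo 01 > "$cadir/serial"
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $cadir
certs           = \$dir/certs
crl_dir         = \$dir/crl
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = server_cert

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ server_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer

[ req ]
distinguished_name      = req_dn
x509_extensions         = v3_ca

[ req_dn ]
# the subject is passed on the command line with -subj

[ v3_ca ]
basicConstraints        = critical,CA:TRUE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
EOF
    # CA key (owner-only) and a self-signed root valid for ten years.
    openssl genrsa -out "$cadir/private/cakey.pem" 2048 >/dev/null 2>&1 &&
    chmod 600 "$cadir/private/cakey.pem" &&
    openssl req -new -x509 -config "$cadir/openssl.cnf" \
        -key "$cadir/private/cakey.pem" -out "$cadir/cacert.pem" -days 3650 \
        -subj "/C=CN/ST=BEIJING/L=BEIJING/O=SECCENTER/OU=tec/CN=rootca.net.net"
}

# Server key, a CSR whose CN is the FTP hostname, then the CA signs it.
issue_server_cert() {
    cadir="$1"; outdir="$2"; cn="$3"
    mkdir -p "$outdir" &&
    openssl genrsa -out "$outdir/vsftpd.key" 2048 >/dev/null 2>&1 &&
    openssl req -new -config "$cadir/openssl.cnf" -key "$outdir/vsftpd.key" \
        -out "$outdir/vsftpd.csr" \
        -subj "/C=CN/ST=HENAN/L=ZHENGZHOU/O=zzdx/OU=tec/CN=$cn" &&
    openssl ca -batch -config "$cadir/openssl.cnf" -in "$outdir/vsftpd.csr" \
        -out "$outdir/vsftpd.cert" >/dev/null 2>&1 &&
    chmod 600 "$outdir"/vsftpd.*
}

# Check that the certificate chains to the CA and names the expected host.
verify_server_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$2/vsftpd.cert" >/dev/null 2>&1 &&
    openssl x509 -in "$2/vsftpd.cert" -noout -subject | grep -q "CN *= *$3"
}

# Usage: run the whole sequence in a temporary directory.
work="$(mktemp -d)"
make_ca "$work/CA"
issue_server_cert "$work/CA" "$work/certs" ftp.zzdx.com
if verify_server_cert "$work/CA" "$work/certs" ftp.zzdx.com; then
    echo "vsftpd.cert verifies against cacert.pem for ftp.zzdx.com"
fi
rm -rf "$work"
```

The verify step is the one the walkthrough omits: a certificate that does not chain to cacert.pem, or whose CN is not the name clients connect to, will be rejected by a client that validates, so it is worth checking before copying the files into /etc/vsftpd/certs.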


FTP server + certificate

[root@localhost certs]# vim /etc/vsftpd/vsftpd.conf

[screenshot of the vsftpd.conf edit not preserved]

[root@localhost certs]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
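The vsftpd.conf screenshot is not preserved, so here, as an added example rather than the original post's configuration, is a small audit of the directives that decide whether logins and data still cross port 21 in the clear. It writes a constructed half-configured vsftpd.conf next to a hardened one and checks each against vsftpd's compiled-in defaults. The certificate paths are the ones created above; the directive names and defaults are vsftpd's own (ssl_enable defaults to NO, force_local_logins_ssl and force_local_data_ssl to YES, ssl_sslv2 and ssl_sslv3 to NO).

```shell
#!/bin/sh
# Added example (not the original post's configuration): audit vsftpd.conf
# for the settings that decide whether logins and data still cross port 21
# in the clear. Directive names and defaults are vsftpd's own; both sample
# configs below are constructed for this example.

# Value of a directive (vsftpd writes them as option=value, no spaces),
# falling back to the daemon's default given as $3 when it is absent.
conf_get() {
    v="$(sed -n "s/^$2=//p" "$1" | tail -n 1)"
    printf '%s\n' "${v:-$3}"
}

# Print one line per finding; return 1 if there is any finding.
audit_ftps() {
    f="$1"; rc=0
    [ "$(conf_get "$f" ssl_enable NO)" = "YES" ] ||
        { echo "ssl_enable=NO: TLS is never offered, everything is cleartext"; rc=1; }
    [ "$(conf_get "$f" force_local_logins_ssl YES)" = "YES" ] ||
        { echo "force_local_logins_ssl=NO: local users may send USER/PASS in the clear"; rc=1; }
    [ "$(conf_get "$f" force_local_data_ssl YES)" = "YES" ] ||
        { echo "force_local_data_ssl=NO: file contents may be transferred in the clear"; rc=1; }
    for old in ssl_sslv2 ssl_sslv3; do
        [ "$(conf_get "$f" "$old" NO)" = "NO" ] ||
            { echo "$old=YES: obsolete protocol version allowed"; rc=1; }
    done
    return "$rc"
}

# Two constructed configs: a half-done one that enables TLS but leaves
# cleartext logins and SSLv3 open, and a hardened one using the
# certificate created above.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
listen=YES
local_enable=YES
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/certs/vsftpd.cert
rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key
force_local_logins_ssl=NO
ssl_sslv3=YES
EOF
    cat > "$1/hardened.conf" <<'EOF'
listen=YES
local_enable=YES
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/certs/vsftpd.cert
rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
EOF
}

# Usage: audit both samples.
work="$(mktemp -d)"
write_samples "$work"
for c in weak hardened; do
    echo "== $c.conf"
    audit_ftps "$work/$c.conf" && echo "no findings"
done
rm -rf "$work"
```

Running the audit against the live /etc/vsftpd/vsftpd.conf after the edit, and again after every later change, catches the common mistake of turning ssl_enable on while leaving force_local_logins_ssl=NO, which still lets a client log in over plain FTP exactly as in the first tshark capture.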

User login:

[screenshots of the user login not preserved]

[root@localhost ~]# tshark -ni eth0 -R "tcp.dstport eq 21"

[screenshot of the tshark capture not preserved]
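The capture screenshots are not preserved. As an added example, not output from the original post, the script below applies the point of the two tshark runs to constructed summary lines shaped like tshark's one-line-per-packet output for port-21 traffic: a plain FTP login exposes USER and PASS, while an FTPS login shows only AUTH TLS followed by the TLS handshake. The functions classify a session and list the client/username pairs whose password crossed the wire in the clear, which is the check a defender would run over a real capture of the same filter.

```shell
#!/bin/sh
# Added example (not from the original post): classify FTP sessions in a
# tshark one-line-per-packet summary of port-21 traffic and list any
# logins whose password was visible in the clear.

# Write two constructed capture summaries (shaped like tshark's summary
# lines, not real captures): a plain FTP login and an FTPS login.
write_samples() {
    cat > "$1/plain.txt" <<'EOF'
  1 0.000000 192.168.1.10 -> 192.168.1.20 FTP Request: USER tom
  2 0.001200 192.168.1.20 -> 192.168.1.10 FTP Response: 331 Please specify the password.
  3 0.002100 192.168.1.10 -> 192.168.1.20 FTP Request: PASS hunter2
  4 0.003000 192.168.1.20 -> 192.168.1.10 FTP Response: 230 Login successful.
EOF
    cat > "$1/ftps.txt" <<'EOF'
  1 0.000000 192.168.1.10 -> 192.168.1.20 FTP Request: AUTH TLS
  2 0.001000 192.168.1.20 -> 192.168.1.10 FTP Response: 234 Proceed with negotiation.
  3 0.002000 192.168.1.10 -> 192.168.1.20 TLSv1 Client Hello
  4 0.003500 192.168.1.20 -> 192.168.1.10 TLSv1 Server Hello, Certificate, Server Hello Done
  5 0.010000 192.168.1.10 -> 192.168.1.20 TLSv1 Application Data
EOF
}

# CLEARTEXT if any PASS command is visible; ENCRYPTED if the client sent
# AUTH TLS and a TLS handshake followed with no PASS visible; UNKNOWN otherwise.
classify_session() {
    if grep -q 'FTP Request: PASS ' "$1"; then
        echo CLEARTEXT
    elif grep -q 'FTP Request: AUTH TLS' "$1" && grep -q 'Client Hello' "$1"; then
        echo ENCRYPTED
    else
        echo UNKNOWN
    fi
}

# Print "client-ip username" for every login whose PASS followed a USER in
# the clear. Field 3 is the source address in the summary format above.
cleartext_logins() {
    awk '
        /FTP Request: USER / { user[$3] = $NF }
        /FTP Request: PASS / { if ($3 in user) print $3, user[$3] }
    ' "$1"
}

# Usage: classify both constructed sessions and report exposed accounts.
work="$(mktemp -d)"
write_samples "$work"
for s in plain ftps; do
    echo "$s: $(classify_session "$work/$s.txt")"
done
echo "accounts whose password was exposed on port 21:"
cleartext_logins "$work/plain.txt"
rm -rf "$work"
```

On a real capture, feed `tshark -ni eth0 -R "tcp.dstport eq 21"` output (or a saved pcap replayed through tshark) into the same functions; every account listed by cleartext_logins should have its password rotated, since the whole point of the FTPS change is that the second run lists nothing.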