在LINUX系统上建立FTP加密传输SSL(proftpd和vsftpd)

1、下载最新的软件版本:

# wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.0rc3.tar.gz

2、创建FTP组和用户

首先创建PROFTPD运行的用户和组:

# groupadd nogroup

# useradd -g nogroup -d /dev/null -s /sbin/nologin nobody


  然后创建上传下载的用户和组:

# groupadd ftp

# useradd -g ftp -d /home/down -s /sbin/nologin down

# useradd -g ftp -d /home/upload -s /sbin/nologin upload

  用户密码设置略


3、编译安装PROFTPD:

# tar -zxvf proftpd-1.3.0rc3.tar.gz

# cd proftpd-1.3.0rc3

# ./configure \
    --prefix=/usr/local/proftpd \
    --sysconfdir=/etc \
    --enable-autoshadow \
    --localstatedir=/var/run \
    --enable-ctrls \
    --with-modules=mod_tls


# make

# make install


4、配置PROFTPD服务器:

# vi /etc/proftpd.conf

================+================+================

# This is a basic ProFTPD configuration file (rename it to

# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName                                      "jekay"
ServerType                                      standalone
DefaultServer                                   on
# Allow clients to resume interrupted downloads (REST + RETR) and uploads
# (REST + STOR).
AllowRetrieveRestart                            on
AllowStoreRestart                               on
# NOTE(review): ServerType was already set to standalone above; this
# repeated directive is redundant and can be dropped.
ServerType                                      standalone
# With ServerIdent on, the login banner names the server software and
# version; "off" hides that from unauthenticated clients.
ServerIdent                                     on
SystemLog                                       /var/log/proftpd.log
# Skip reverse DNS and ident lookups on connect (faster logins, and no
# dependence on the client's DNS/identd).
UseReverseDNS                                   off
IdentLookups                                    off
# Required here: the ftp accounts were created with /sbin/nologin as their
# shell and would otherwise be refused.
RequireValidShell                               off
# Port 21 is the standard FTP port.
Port                                            21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                                           022
MaxInstances                                    100
# Set the user and group under which the server will run.
User                                            nobody
Group                                           nogroup
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.  (It is active as written here: every
# login is confined to its home directory.)
DefaultRoot ~
# Normally, we want files to be overwriteable.
<Directory />
AllowOverwrite                                  on
</Directory>
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin                                    .welcome
DisplayFirstChdir                               .message
# Limit which users may log in to the FTP server: only members of group
# "ftp" (the "down" and "upload" accounts created above); everyone else,
# including nobody/root, is denied.
<Limit LOGIN>
AllowGroup ftp
DenyAll
</Limit>

SSL加密的参数在这里,重点!

#########################ssl/tls####################### MOD_TLS SETTING
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd-tls.log
# NOTE(review): SSLv23 lets clients negotiate the legacy SSL versions as
# well as TLS; prefer restricting this to current TLS versions (for
# example "TLSProtocol TLSv1.2" on releases that support that value).
TLSProtocol SSLv23
# Are clients required to use FTP over TLS when talking to this server?
# "ctrl" protects only the control connection (login credentials and
# commands); directory listings and file contents on the data connection
# may still be sent in clear.  Use "on" to require TLS on both channels.
TLSRequired ctrl
# Server's certificate
# The key was generated unencrypted (openssl req -nodes), so the file
# itself is the secret: keep /etc/proftpd.key readable by root only.
TLSRSACertificateFile /etc/proftpd.crt
TLSRSACertificateKeyFile /etc/proftpd.key
# Authenticate clients that want to use FTP over TLS
TLSVerifyClient off
# NOTE(review): no </IfModule> appears before the <Directory> sections
# that follow on this page; the real file needs one here to close the
# mod_tls block, otherwise proftpd will most likely reject the config.

#########################ssl/tls######################

<Directory /home/down>

# Inside <Directory /home/down> (opened just above): group "ftp" may only
# read here -- no uploads, renames or deletions.
<Limit WRITE>
DenyGroup ftp
</Limit>
# Cap download (RETR) speed for group "ftp"; ProFTPD expresses the
# TransferRate value in KB/s.
TransferRate RETR 150 group ftp
</Directory>
# /home/upload is a drop box: group "ftp" may store files but may not
# remove directories, rename, delete or read back (RETR) what is there.
<Directory /home/upload>
<Limit RMD RNFR DELE RETR>
DenyGroup ftp
</Limit>
# Cap upload (STOR) speed for group "ftp" (KB/s).
TransferRate STOR 150 group ftp
</Directory>
MaxClientsPerHost 200
# Passive-mode data connections are confined to 55000-56000; this range
# (plus port 21) must be allowed through any firewall in front of the
# server or passive transfers will hang.
PassivePorts 55000 56000

================+================+================

创建PROFTPD的日志文件:

# touch /var/log/proftpd.log

# touch /var/log/proftpd-tls.log

# chown nobody:nogroup /var/log/proftpd.log /var/log/proftpd-tls.log


创建SSL传输的证书和密匙:

# cp /usr/share/ssl/openssl.cnf ./

# openssl req -new -x509 -nodes -config openssl.cnf -out proftpd.crt -keyout proftpd.key

这里安装提示需要输入证书信息略


把证书和密匙复制到指定目录:

# cp proftpd.crt proftpd.key /etc/


最后创建PROFTPD启动脚本:

# vi /etc/init.d/proftpd

================+================+================

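#!/bin/sh
# Startup script for ProFTPD (Red Hat style SysV init script).
#
# chkconfig: 345 85 15
# description: ProFTPD is an enhanced FTP server
# processname: proftpd
# config: /etc/proftpd.conf
#
# Usage: /etc/init.d/proftpd {start|stop|restart|status|reread|resume|suspend [ftpshut args]}
# More than one action may be given on the command line; they run left to
# right ("proftpd stop start").  Extra daemon arguments are taken from the
# OPTIONS variable in /etc/sysconfig/proftpd when that file exists.

# Source function library (provides daemon, killproc and status).
. /etc/rc.d/init.d/functions

# Optional local overrides, e.g. OPTIONS="-c /etc/proftpd.conf".
if [ -f /etc/sysconfig/proftpd ]; then
  . /etc/sysconfig/proftpd
fi

# proftpd and ftpshut were installed under --prefix=/usr/local/proftpd.
PATH="$PATH:/usr/local/proftpd/sbin"
export PATH

lockfile=/var/lock/subsys/proftpd

# True when the ftpshut(8) utility can be found on PATH.
have_ftpshut() {
  command -v ftpshut >/dev/null 2>&1
}

# Print the usage line to stderr; "suspend" is only advertised when
# ftpshut is available.
usage() {
  printf 'Usage: %s {start|stop|restart|status|reread|resume' "$0" >&2
  if have_ftpshut; then
    printf '|suspend}\n' >&2
    printf 'suspend accepts additional arguments which are passed to ftpshut(8)\n' >&2
  else
    printf '}\n' >&2
  fi
}

# See how we were called.
case "$1" in
  start)
    printf 'Starting proftpd: '
    # $OPTIONS is intentionally unquoted so it may carry several
    # arguments; it comes from the sysconfig file, not the command line.
    daemon proftpd $OPTIONS
    rv=$?
    printf '\n'
    # Record the subsystem lock only when the daemon actually started.
    [ "$rv" -eq 0 ] && touch "$lockfile"
    ;;
  stop)
    printf 'Shutting down proftpd: '
    killproc proftpd
    printf '\n'
    rm -f "$lockfile"
    ;;
  status)
    status proftpd
    ;;
  restart)
    "$0" stop
    "$0" start
    ;;
  reread)
    printf 'Re-reading proftpd config: '
    # SIGHUP makes a standalone proftpd re-read /etc/proftpd.conf.
    killproc proftpd -HUP
    printf '\n'
    ;;
  suspend)
    if have_ftpshut; then
      if [ $# -gt 1 ]; then
        shift
        printf "Suspending with '%s' " "$*"
        # "$@" keeps a multi-word shutdown message as a single argument;
        # the unquoted $* it replaces split it on whitespace.
        ftpshut "$@"
        # ftpshut consumed every remaining argument, so none are left over
        # for the action chaining at the bottom of this script (which
        # would otherwise re-run the script with the message as an action).
        set --
      else
        printf 'Suspending NOW '
        ftpshut now "Maintanance in progress"
      fi
    else
      printf 'No way to suspend '
    fi
    printf '\n'
    ;;
  resume)
    # ftpshut blocks new sessions by creating /etc/shutmsg; removing the
    # file opens the server again.
    if [ -f /etc/shutmsg ]; then
      printf 'Allowing sessions again '
      rm -f /etc/shutmsg
    else
      printf 'Was not suspended '
    fi
    printf '\n'
    ;;
  *)
    usage
    exit 1
    ;;
esac

# Run any further actions given on the same command line; exec so the
# exit status of the last action is the script's exit status.
if [ $# -gt 1 ]; then
  shift
  exec "$0" "$@"
fi
exit 0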

================+================+================

# chmod 755 /etc/init.d/proftpd

# chkconfig --add proftpd

# chkconfig proftpd on


5、客户端连接测试

到这里ftp服务器端安装设置完毕,登录服务器的客户端我用了完全免费的FileZilla

本服务器支持两种客户端加密连接方式:

1.  FTP over ssl (显示加密)方式连接。

2.  FTP over tls (显示加密) 方式连接



建立在LINUX系统上的VSFTP加密传输

参考文档: ftp://vsftpd.beasts.org/users/ce ... pd-2.0.1/README.ssl


在众多的FTP服务器中VSFTP以安全,小巧著称。近年来一直受到人们的喜爱。通常情况下FTP包括认证过程,传输是明文传输的,在传输一些敏感数据时总是不能让人放心。

1、下载最新的VSFTPD:

# wget ftp://vsftpd.beasts.org/users/cevans/vsftpd-2.0.3.tar.gz


2、 编译安装VSFTPD:

# tar -zxvf vsftpd-2.0.3.tar.gz

# cd vsftpd-2.0.3


3、修改VSFTPD使其支持SSL传输:

修改builddefs.h文件中的:

#undef VSF_BUILD_TCPWRAPPERS

#define VSF_BUILD_PAM

#undef VSF_BUILD_SSL

为:

#define VSF_BUILD_TCPWRAPPERS

#undef VSF_BUILD_PAM

#define VSF_BUILD_SSL


4、开始编译安装:

# make

# make install

# cp vsftpd.conf /etc/


创建SSL证书:

# openssl req -new -x509 -nodes -out vsftpd.pem -keyout vsftpd.pem

# cp vsftpd.pem /usr/share/ssl/certs/vsftpd.pem


创建需要的帐号和目录:

# useradd -d /dev/null -s /sbin/nologin nobody

# mkdir /usr/share/empty

# mkdir /var/ftp

# useradd -d /var/ftp -s /sbin/nologin ftp

# chown root:root /var/ftp

# chmod og-w /var/ftp


5、配置VSFTPD:

# vi /etc/vsftpd.conf

===========+=============+===========

# Local (system) accounts only; anonymous logins are refused.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
# Active-mode data connections originate from port 20 on the server.
connect_from_port_20=YES
#chown_uploads=YES
#chown_username=whoever
#xferlog_file=/var/log/vsftpd.log
#xferlog_std_format=YES
#idle_session_timeout=600
#data_connection_timeout=120
#nopriv_user=ftpsecure
#async_abor_enable=YES
ascii_upload_enable=YES
ascii_download_enable=YES
# The banner deliberately mimics a different FTP product.  This only
# obscures the software name; it is not a substitute for the ssl_* settings
# below.
ftpd_banner=Welcome to Serv-U FTP Server v5.0 for WinSock.
#deny_email_enable=YES
#banned_email_file=/etc/vsftpd.banned_emails
# With chroot_local_user left at its default (NO), only the users named in
# chroot_list_file are confined to their home directory (vsftpd.conf(5)).
# The list is created empty by "touch /etc/vsftpd.chroot_list" later in
# this guide, so nobody is chrooted until names are added to it.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
ls_recurse_enable=NO
# Show "ftp" instead of real uid/gid names in directory listings.
hide_ids=YES
userlist_enable=NO
use_localtime=YES
# Standalone daemon on port 21; the init script below runs it directly.
listen=YES
listen_port=21
# Needs VSF_BUILD_TCPWRAPPERS, enabled in builddefs.h above; access is
# then also subject to /etc/hosts.allow and /etc/hosts.deny.
tcp_wrappers=YES
# Needs VSF_BUILD_SSL, enabled in builddefs.h above.
ssl_enable=YES
# NOTE(review): SSLv2 is a broken protocol and vsftpd leaves it off by
# default; set this to NO and rely on ssl_tlsv1=YES (the default).
ssl_sslv2=YES
# No effect while anonymous_enable=NO.
allow_anon_ssl=YES
# Local users must negotiate SSL/TLS before sending credentials and before
# any data transfer, so neither passwords nor file contents go in clear.
force_local_data_ssl=YES
force_local_logins_ssl=YES
# Combined certificate + private key written by "openssl req ... -out
# vsftpd.pem -keyout vsftpd.pem" above; the key is unencrypted (-nodes), so
# restrict the file to root (chmod 600).
rsa_cert_file=/usr/share/ssl/certs/vsftpd.pem

===========+=============+===========

# touch /etc/vsftpd.chroot_list


写一个VSFTPD启动脚本:

# vi /etc/init.d/vsftpd

===========+=============+===========

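#!/bin/sh
# Copyright (c) 2004 by LLZQQ
# All rights reserved.
#
# chkconfig: - 110 30
# description: Starts and stops the Vsftpd Service
# config:  /etc/vsftpd.conf
#
# Usage: /etc/init.d/vsftpd { start | stop }
# vsftpd runs standalone (listen=YES in /etc/vsftpd.conf); this script
# puts it in the background with "&" and stops it by process name.

# Install location chosen by "make install" of the source build above.
vsftpd=/usr/local/sbin/vsftpd

case "$1" in
  start)
    # Fail loudly instead of silently backgrounding a missing binary.
    if [ ! -x "$vsftpd" ]; then
      printf '%s: %s not found or not executable\n' "$0" "$vsftpd" >&2
      exit 1
    fi
    "$vsftpd" &
    ;;
  stop)
    # -x matches the process name exactly; a bare "pkill vsftpd" would also
    # kill any unrelated process whose name merely contains that string.
    pkill -x vsftpd
    ;;
  *)
    printf 'Usage: %s { start | stop }\n' "$0" >&2
    exit 1
    ;;
esac
exit 0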

===========+=============+===========


# chmod 755 /etc/init.d/vsftpd

# chkconfig --add vsftpd

# chkconfig vsftpd on



6、测试

到这里ftp服务器端安装设置完毕,登录服务器的客户端我用了完全免费的FileZilla

