邵珠庆の博客 生命只有一次,你可以用它来做些更多伟大的事情–Make the world a little better and easier

144月/170

linux下详解ftp的常用功能

一、简介:

FTP(File Transfer Protocol, FTP)是TCP/IP网络上两台计算机传送文件的协议,FTP是在TCP/IP网络和INTERNET上最早使用的协议之一,它属于网络协议组的应用层。FTP客户机可以给服务器发出命令来下载文件,上载文件,创建或改变服务器上的目录。

image 概述:

FTP是应用层的协议,它基于传输层,为用户服务,它们负责进行文件的传输。FTP是一个8位的客户端-服务器协议,能操作任何类型的文件而不需要进一步处理,就像MIME或Unencode一样。但是,FTP有着极高的延时,这意味着,从开始请求到第一次接收需求数据之间的时间会非常长,并且不时的必需执行一些冗长的登陆进程。

image

FTP服务一般运行在20和21两个端口。端口20用于在客户端和服务器之间传输数据流,而端口21用于传输控制流,并且是命令通向ftp服务器的进口。当数据通过数据流传输时,控制流处于空闲状态。而当控制流空闲很长时间后,客户端的防火墙会将其会话置为超时,这样当大量数据通过防火墙时,会产生一些问题。此时,虽然文件可以成功的传输,但因为控制会话会被防火墙断开,传输会产生一些错误。

主动和被动模式

FTP有两种使用模式:主动和被动。主动模式要求客户端服务器端同时打开并且监听一个端口以建立连接。在这种情况下,客户端由于安装了防火墙会产生一些问题。所以,创立了被动模式。被动模式只要求服务器端产生一个监听相应端口的进程,这样就可以绕过客户端安装了防火墙的问题。

一个主动模式的FTP连接建立要遵循以下步骤:

1.客户端打开一个随机的端口(端口号大于1024,在这里,我们称它为x),同时一个FTP进程连接至服务器的21号命令端口。此时,源端口为随机端口x,在客户端,远程端口为21,在服务器。

2.客户端开始监听端口(x+1),同时向服务器发送一个端口命令(通过服务器的21号命令端口),此命令告诉服务器客户端正在监听的端口号并且已准备好从此端口接收数据。这个端口就是我们所知的数据端口。

3.服务器打开20号源端口并且建立和客户端数据端口的连接。此时,源端口为20,远程数据端口为(x+1)。

4.客户端通过本地的数据端口建立一个和服务器20号端口的连接,然后向服务器发送一个应答,告诉服务器它已经建立好了一个连接。

被动模式FTP:

为了解决服务器发起到客户的连接的问题,人们开发了一种不同的FTP连接方式。这就是所谓的被动方式,或者叫做PASV,当客户端通知服务器它处于被动模式时才启用。

在被动方式FTP中,命令连接和数据连接都由客户端发起,这样就可以解决从服务器到客户端的数据端口的入方向连接被防火墙过滤掉的问题。

当开启一个 FTP连接时,客户端打开两个任意的非特权本地端口(N > 1024和N+1)。第一个端口连接服务器的21端口,但与主动方式的FTP不同,客户端不会提交PORT命令并允许服务器来回连它的数据端口,而是提交 PASV命令。这样做的结果是服务器会开启一个任意的非特权端口(P > 1024),并发送PORT P命令给客户端。然后客户端发起从本地端口N+1到服务器的端口P的连接用来传送数据。

对于服务器端的防火墙来说,必须允许下面的通讯才能支持被动方式的FTP:

1. 从任何大于1024的端口到服务器的21端口 (客户端的初始化连接)

2. 服务器的21端口到任何大于1024的端口 (服务器响应到客户端的控制端口的连接)

3. 从任何大于1024端口到服务器的大于1024端口 (客户端初始化数据连接到服务器指定的任意端口)

4. 服务器的大于1024端口到远程的大于1024的端口(服务器发送ACK响应和数据到客户端的数据端口)

二、常用举例:

(注意:以下根据配置文档举出常见实例)

1.安装ftp

[root@gjp99 ~]# mkdir /mnt/cdrom
[root@gjp99 ~]# mount /dev/cdrom /mnt/cdrom
mount: block device /dev/cdrom is write-protected, mounting read-only
[root@gjp99 ~]# cd /mnt/cdrom/Server
[root@gjp99 Server]# ll vsftp*
-r--r--r-- 86 root root 143838 Jul 24  2009 vsftpd-2.0.5-16.el5.i386.rpm
[root@gjp99 Server]# rpm -qip vsftpd-2.0.5-16.el5.i386.rpm
warning: vsftpd-2.0.5-16.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Name        : vsftpd                       Relocations: (not relocatable)
Version     : 2.0.5                             Vendor: Red Hat, Inc.
Release     : 16.el5                        Build Date: Wed 13 May 2009 08:47:15 PM CST
Install Date: (not installed)               Build Host: hs20-bc1-2.build.redhat.com
Group       : System Environment/Daemons    Source RPM: vsftpd-2.0.5-16.el5.src.rpm
Size        : 291690                           License: GPL
Signature   : DSA/SHA1, Fri 24 Jul 2009 08:34:20 PM CST, Key ID 5326810137017186
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://vsftpd.beasts.org/
Summary     : vsftpd - Very Secure Ftp Daemon
Description :
vsftpd is a Very Secure FTP daemon. It was written completely from
scratch.

[root@gjp99 Server]# rpm -ivh vsftpd-2.0.5-16.el5.i386.rpm
warning: vsftpd-2.0.5-16.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ################################# [100%]
1:vsftpd                   ################################# [100%]
[root@gjp99 Server]# rpm -ql vsftpd |less

/etc/pam.d/vsftpd    可插拔验证模块
/etc/rc.d/init.d/vsftpd   控制脚本

/etc/vsftpd/vsftpd.conf  主配置文档

/var/ftp    匿名账号的默认目录
/var/ftp/pub

[root@gjp99 Server]# man 5 vsftpd.conf    配置手册

[root@gjp99 Server]# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]
[root@gjp99 Server]# chkconfig vsftpd on    开机启动

2. 关于账号的详细配置

2.1.匿名账号:

无需输入用户名和口令! 用户名:anonymous 密码:回车或者邮箱账号

支持匿名账号:配置文档

[root@gjp99 ~]# vim /etc/vsftpd/vsftpd.conf
12 anonymous_enable=YES
image

2.2 本地账号:

有一定的危害性, 存放在:/etc/passwd     /etc/shadow

14 # Uncomment this to allow local users to log in.
15 local_enable=YES

[root@gjp99 ~]# useradd gjp1
[root@gjp99 ~]# passwd gjp1
Changing password for user gjp1.
New UNIX password:
BAD PASSWORD: it is WAY too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@gjp99 ~]# cd /home/gjp1
[root@gjp99 gjp1]# ll
total 0
[root@gjp99 gjp1]# echo "welcome to access me " >>index.html
[root@gjp99 gjp1]# ll
total 4
-rw-r--r-- 1 root root 22 Aug  3 14:36 index.html

image

image

2.3 用户通过网络访问资源,

网络权限[ftp  http]   本地权限[相当于windows下的ntfs]

网络权限与本地权限 如果相同 ,则相同,如果不同,则选择最小的!

 

image 网络权限可写

如果本地权限也可写,则访问时可写!

[root@gjp99 home]# ll
total 4
drwx------ 3 gjp1 gjp1 4096 Aug  3 15:00 gjp1

image

还可以删除!

2.4 屏蔽某些权限

文件的权限默认是666,目录的权限默认是777

image 屏蔽掉某些权限: 所有者   用户   组

刚才上传的文件在666的基础上屏蔽022 则结果是644,查看

[root@gjp99 gjp1]# ll
total 108
-rw-r--r-- 1 root root     22 Aug  3 14:36 index.html
-rw-r--r-- 1 gjp1 gjp1 100864 Aug  3 15:00 ??目实训2.doc

网络权限已可写,为什么匿名账号还不能上传呀?

image

[root@gjp99 home]# ll -d /var/ftp/pub
drwxr-xr-x 2 root root 4096 May 13  2009 /var/ftp/pub

pub文件夹的所有者及组都是root,只有管理员可写,其他用户不可写,由于网络权限与本地权限不同,所以选择范围比较小的,

2.5 上传功能

image

[root@gjp99 home]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@gjp99 home]# ll -d /var/ftp/pub
drwxr-xr-x 2 root root 4096 May 13  2009 /var/ftp/pub
[root@gjp99 home]# chmod o+wt /var/ftp/pub  注意权限不仅加w,还加t
[root@gjp99 home]# ll -d /var/ftp/pub
drwxr-xrwt 2 root root 4096 May 13  2009 /var/ftp/pub   加t是仅有创建者能够删除文件!

image

改名,删除,创建文件夹都不可以了?

2.6 匿名用户可以创建文件夹

31 anon_mkdir_write_enable=YES   匿名用户创建文件夹

man 5 vsftpd.conf

image

32 anon_other_write_enable=YES  增加此行!  //文件夹可以重命名,可以删除文件,上传

image

image 文件却无法下载

2.7  文件如何下载?

[root@gjp99 home]# ll  /var/ftp/pub    //发现文件没有读取权限
[root@gjp99 home]# ll  /var/ftp/pub
total 56
-rw------- 1 ftp ftp 23040 Aug  3 15:32 ??业????.doc
-rw------- 1 ftp ftp   753 Aug  3 15:47 ???.lnk
-rw------- 1 ftp ftp 24774 Aug  3 15:55 tec.docx

任意一个文件给他个读取权限测试!

[root@gjp99 home]# chmod o+r /var/ftp/pub/tec.docx  给其他用户读权限
[root@gjp99 home]# ll  /var/ftp/pub
total 56
-rw------- 1 ftp ftp 23040 Aug  3 15:32 ??业????.doc
-rw------- 1 ftp ftp   753 Aug  3 15:47 ???.lnk
-rw----r-- 1 ftp ftp 24774 Aug  3 15:55 tec.docx

24 anon_umask=073    增加此行,问题简化

现在在上传点文件做测试!

image

[root@gjp99 home]# ll  /var/ftp/pub   自动带了一个r(刚上传过来的文件)
total 256
-rw------- 1 ftp ftp  23040 Aug  3 15:32 ??业????.doc
-rw----r-- 1 ftp ftp 165835 Aug  3 16:10 guo.docx
-rw----r-- 1 ftp ftp  32272 Aug  3 16:10 ji.docx
-rw------- 1 ftp ftp    753 Aug  3 15:47 ???.lnk
-rw----r-- 1 ftp ftp  24774 Aug  3 15:55 tecnology.docx

2.8 如何备份交换机上的系统?

imageimage

只支持命令行方式访问!

image

2.9 如何访问ftp服务器?

image image

image

2.10  如何提示友好信息?

37 dirmessage_enable=YES

测试:友好提示!

image

 2.11 如何开启ftp的日志功能?

日志文件默认目录   /var/log/却找不到!因为日志功能默认未打开!

打开日志功能:

image

image

image

service vsftpd restart

[root@gjp99 pub]# lftp 127.0.0.1  //无需验证就可以登录
lftp 127.0.0.1:~&gt; dir
drwxr-xrwt    2 0        0            4096 Aug 03 08:38 pub
lftp 127.0.0.1:/&gt; bye

[root@gjp99 pub]# ftp 127.0.0.1    // 需要用户验证
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): anonymous
331 Please specify the password.
Password:

[root@gjp99 pub]# ll /var/log/vsftpd.log        该日志文件已存在!
-rw------- 1 root root 0 Aug  3 16:52 /var/log/vsftpd.log

2.12 如何让日志功能生效?

查手册  man 5 vsftpd.conf

image

56 log_ftp_protocol=YES      增加此行
57 #
58 # Switches between logging into vsftpd_log_file and xferlog_file files.
59 # NO writes to vsftpd_log_file, YES to xferlog_file
60 xferlog_std_format=NO  日志格式禁掉

image

[root@gjp99 pub]# tail -f /var/log/vsftpd.log    //才能使用
Fri Aug  3 09:38:52 2012 [pid 21331] CONNECT: Client "192.168.10.2"
Fri Aug  3 09:38:52 2012 [pid 21331] FTP response: Client "192.168.10.2", "220 (vsFTPd 2.0.5)"
Fri Aug  3 09:38:55 2012 [pid 21331] FTP command: Client "192.168.10.2", "USER gjp1"
Fri Aug  3 09:38:55 2012 [pid 21331] [gjp1] FTP response: Client "192.168.10.2", "331 Please specify the password."
Fri Aug  3 09:38:57 2012 [pid 21331] [gjp1] FTP command: Client "192.168.10.2", "PASS <password>"
Fri Aug  3 09:38:57 2012 [pid 21330] [gjp1] OK LOGIN: Client "192.168.10.2"
Fri Aug  3 09:38:57 2012 [pid 21332] [gjp1] FTP response: Client "192.168.10.2", "230 Login successful."

2.13 拒绝服务攻击的一种方法:

拒绝某人利用某个邮箱账号作为匿名账号的密码进行登录

[root@gjp99 ~]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): anonymous
331 Please specify the password.
Password:   密码为: gjp@sina.com (即使不知道是否存在就能登录)
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; dir
227 Entering Passive Mode (127,0,0,1,88,15)
150 Here comes the directory listing.
drwxr-xrwt    2 0        0            4096 Aug 03 09:11 pub
226 Directory send OK

image

[root@gjp99 pub]# echo gjp@sina.com >>/etc/vsftpd/banned_emails

[root@gjp99 ~]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@gjp99 ~]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.

[root@gjp99 ~]# useradd user1
[root@gjp99 ~]# passwd
Changing password for user root.
New UNIX password:
BAD PASSWORD: it is WAY too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

[root@gjp99 ~]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; pwd
257 "/home/user1"
ftp&gt; cd /
250 Directory successfully changed.
ftp&gt; dir
227 Entering Passive Mode (127,0,0,1,201,20)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Aug 03 04:05 bin
drwxr-xr-x    4 0        0            1024 Aug 02 13:26 boot
drwxr-xr-x   11 0        0            4260 Aug 03 05:42 dev
drwxr-xr-x   93 0        0           12288 Aug 03 10:06 etc

ftp> cd boot
250 Directory successfully changed.
ftp&gt; dir
227 Entering Passive Mode (127,0,0,1,89,202)
150 Here comes the directory listing.
-rw-r--r--    1 0        0          954947 Aug 18  2009 System.map-2.6.18-164.el5
-rw-r--r--    1 0        0           68663 Aug 18  2009 config-2.6.18-164.el5
drwxr-xr-x    2 0        0            1024 Aug 02 13:30 grub
-rw-------    1 0        0         2601298 Aug 02 13:26 initrd-2.6.18-164.el5.img
drwx------    2 0        0           12288 Aug 02 21:18 lost+found
-rw-r--r--    1 0        0          107405 Aug 18  2009 symvers-2.6.18-164.el5.gz
-rw-r--r--    1 0        0         1855956 Aug 18  2009 vmlinuz-2.6.18-164.el5
226 Directory send OK.

可以查看许多内容,而且可以下载,没有安全性!

2.14 如何提高 ftp的安全性?

[root@gjp99 ~]# vim /etc/vsftpd/vsftpd.conf

image

[root@gjp99 ~]# vim /etc/vsftpd/chroot_list
[root@gjp99 ~]# cat /etc/vsftpd/chroot_list
user1     //写入到该文件的账号都被禁锢了,没有写进来的可随意切换!

[root@gjp99 ~]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]

[root@gjp99 ~]# su – user1      该账号下存在属于自己的东西
[user1@gjp99 ~]$ ll
total 0
[user1@gjp99 ~]$ touch gjp.txt
[user1@gjp99 ~]$ vim gjp.txt
[user1@gjp99 ~]$ ll
total 4
-rw-rw-r-- 1 user1 user1 32 Sep 26 14:40 gjp.txt

[root@gjp99 ~]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; pwd
257 "/"
ftp&gt; cd /
250 Directory successfully changed.
ftp&gt; dir
227 Entering Passive Mode (127,0,0,1,119,140)
150 Here comes the directory listing.
-rw-rw-r--    1 501      501            32 Sep 26 06:40 gjp.txt
226 Directory send OK.
ftp&gt; bye
221 Goodbye.

[root@gjp99 ~]# useradd user2
[root@gjp99 ~]# passwd
Changing password for user root.
New UNIX password:
BAD PASSWORD: it is WAY too short
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@gjp99 ~]# su - user2
[user2@gjp99 ~]$ echo "user2" &gt;&gt; gjp2.txt
[user2@gjp99 ~]$ ll
total 4
-rw-rw-r-- 1 user2 user2 6 Sep 26 14:45 gjp2.txt
[user2@gjp99 ~]$ logout

[root@gjp99 ~]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): user2
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; pwd
257 "/home/user2"
ftp&gt; cd /
250 Directory successfully changed.
ftp&gt; dir
227 Entering Passive Mode (127,0,0,1,68,60)
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Aug 03 04:05 bin
drwxr-xr-x    4 0        0            1024 Aug 02 13:26 boot
drwxr-xr-x   11 0        0            4220 Sep 26 06:26 dev
drwxr-xr-x   93 0        0           12288 Sep 26 06:48 etc
drwxr-xr-x    5 0        0            4096 Sep 26 06:44 home

(没有写入该文件的账号,如user2,则可以随意切换)

实现:放入该文件里的账号能够切换目录,没放进来的不能够切换目录,man 5 vsftpd.conf

image

[root@gjp99 ~]# vim /etc/vsftpd/vsftpd.conf

增加此功能; chroot_local_user=YES

[root@gjp99 ~]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
[root@gjp99 ~]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): user1 放进去的却没有禁锢掉
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
257 "/home/user1"
ftp&gt; cd /
250 Directory successfully changed.
ftp&gt; quit
221 Goodbye.
[root@gjp99 ~]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): user2  没放进去的被禁锢了
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; pwd
257 "/"
ftp&gt; cd /
250 Directory successfully changed.
ftp&gt; dir
227 Entering Passive Mode (127,0,0,1,98,84)
150 Here comes the directory listing.
-rw-rw-r--    1 502      502             6 Sep 26 06:45 gjp2.txt
226 Directory send OK.

 ftp 的特性:

独立进程存放在: /etc/init.c    /etc/rc.d/init.d 目录下!

超级守护进程:xinetd

112 listen=YES    表明独立的,不再依赖于超级守护进程

119 pam_service_name=vsftpd   //ftp支持pam验证

可参考ftp的接口文件

[root@gjp99 pam.d]# vim  /etc/pam.d/vsftpd  里面有相应的系统调用及参数

[root@gjp99 pam.d]# cd /etc/vsftpd
[root@gjp99 vsftpd]# ll
total 28
-rw-r--r-- 1 root root   13 Aug  3 18:00 banned_emails
-rw-r--r-- 1 root root    7 Sep 26 14:37 chroot_list
-rw------- 1 root root  125 May 13  2009 ftpusers  存入该文件的账号不能登录ftp
-rw------- 1 root root  361 May 13  2009 user_list  存入该文件的账号不能登录ftp
-rw------- 1 root root 4640 Sep 26 14:59 vsftpd.conf
-rwxr--r-- 1 root root  338 May 13  2009 vsftpd_conf_migrate.sh

[root@gjp99 vsftpd]# cat ftpusers
# Users that are not allowed to login via ftp
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
user1   把user1添加进来作为测试!

[root@gjp99 vsftpd]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): user1
331 Please specify the password.
Password:     需要输入密码,如果网络上有人抓包,则很不安全!
530 Login incorrect.
Login failed.   登录失败

  把ftpusers中存放的账号user1删除,在user_list中输入user1测试!

[root@gjp99 vsftpd]# cat user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
user1

[root@gjp99 vsftpd]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): user1
530 Permission denied.  没有提示让输入密码,直接拒绝掉了
Login failed.
为了防止管理员的密码被捕获,则不允许管理员ftp

[root@gjp99 vsftpd]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): root
530 Permission denied.
Login failed.

[root@gjp99 vsftpd]# vim user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file

在 /etc/vsftpd/vsftpd.conf中增加此功能: service vsftpd restart
下面测试:user1在这个文件下所以可以登录,user2不在该文件里,因此直接拒绝!

[root@gjp99 vsftpd]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; dir
227 Entering Passive Mode (127,0,0,1,42,166)
150 Here comes the directory listing.
-rw-rw-r--    1 501      501            32 Sep 26 06:40 gjp.txt
226 Directory send OK.
ftp&gt; quit
221 Goodbye.
[root@gjp99 vsftpd]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): user2
530 Permission denied.
Login failed.

/etc/vsftpd/vsftpd.conf 下的

122 tcp_wrappers=YES

查看某些应用支持的链接库:

[root@gjp99 vsftpd]# ldd /usr/sbin/vsftpd
linux-gate.so.1 =&gt;  (0x00164000)
libssl.so.6 =&gt; /lib/libssl.so.6 (0x00a33000)
libwrap.so.0 =&gt; /lib/libwrap.so.0 (0x0067c000)

出现此文件,即说明支持tcp_wrappers=YES

需修改 /etc/hosts.allow  /etc/hosts.deny

先看hosts.allow   再看hosts.deny   默认是允许的!

image

[root@gjp99 vsftpd]# cat /etc/hosts.allow
#
# hosts.allow    This file describes the names of the hosts which are
#        allowed to use the local INET services, as decided
#        by the '/usr/sbin/tcpd' server.
#
vsftpd:192.168.10.2:allow   仅有192.168.10.2允许
[root@gjp99 vsftpd]# vim /etc/hosts.deny
[root@gjp99 vsftpd]# cat /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#        *not* allowed to use the local INET services, as decided
#        by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
vsftpd:all :deny   其他人拒绝

测试:windows下ftp

image

linux 下测试:

[root@gjp99 vsftpd]# ftp 127.0.0.1
Connected to 127.0.0.1.
421 Service not available.
ftp&gt; quit

只有192.168.10.2不可以,其他的都可以!

[root@gjp99 vsftpd]# vim /etc/hosts.allow    只在该文件下操作,hosts.deny 空着

6 vsftpd:192.168.10.2:deny
7 vsftpd:all:allow

测试:windows下:

image

linux下:

[root@gjp99 vsftpd]# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.0.5)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (127.0.0.1:root): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; dir
227 Entering Passive Mode (127,0,0,1,208,223)
150 Here comes the directory listing.
-rw-rw-r--    1 501      501            32 Sep 26 06:40 gjp.txt
226 Directory send OK.
ftp&gt; quit

ftp的安全性

1. 协议   ftp  明文

2. 账号  匿名  本地账号(抓包,危险性较大) 最好选用虚拟账号

删除原有的安全特性,安装tshark

挂载光盘,安装抓包工具:

[root@gjp99 vsftpd]# mount /dev/cdrom /mnt/cdrom
mount: block device /dev/cdrom is write-protected, mounting read-only
[root@gjp99 vsftpd]# cd /mnt/cdrom/Server/
[root@gjp99 Server]# ll wireshark-*
-r--r--r-- 220 root root 11130359 Jun 11  2009 wireshark-1.0.8-1.el5_3.1.i386.rpm
-r--r--r-- 220 root root   686650 Jun 11  2009 wireshark-gnome-1.0.8-1.el5_3.1.i386.rpm
[root@gjp99 Server]# rpm -ivh libsmi-0.4.5-2.el5.i386.rpm  必须先安装此软件
warning: libsmi-0.4.5-2.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ################################# [100%]
1:libsmi                 ################################# [100%]
[root@gjp99 Server]# rpm -ivh wire
wireless-tools-28-2.el5.i386.rpm
wireless-tools-devel-28-2.el5.i386.rpm
wireshark-1.0.8-1.el5_3.1.i386.rpm
wireshark-gnome-1.0.8-1.el5_3.1.i386.rpm
[root@gjp99 Server]# rpm -ivh wireshark-1.0.8-1.el5_3.1.i386.rpm
warning: wireshark-1.0.8-1.el5_3.1.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing...                ################################# [100%]
1:wireshark              ############################### [100%]

[root@gjp99 Server]# tshark -ni eth0 -R "tcp.dstport eq 21 "
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0  已经在eth0上可以抓包了~

Xshell:\&gt; ftp 192.168.10.98

Connecting to 192.168.10.98:21...
Connection established.
Escape character is '^@]'.
220 (vsFTPd 2.0.5)
Name (192.168.10.98:Administrator): user1
331 Please specify the password.
Password:
230 Login successful.
ftp:/home/user1&gt;

抓包抓到的情况:

115.297511 192.168.10.2 -&gt; 192.168.10.98 FTP Request: USER user1   用户名
115.497920 192.168.10.2 -&gt; 192.168.10.98 TCP 53368 &gt; 21 [ACK] Seq=13 Ack=55 Win=65536 Len=0
116.968029 192.168.10.2 -&gt; 192.168.10.98 FTP Request: PASS 123 密码
116.996447 192.168.10.2 -&gt; 192.168.10.98 FTP Request: PWD
117.196785 192.168.10.2 -&gt; 192.168.10.98 TCP 53368 &gt; 21 [ACK] Seq=28 Ack=97 Win=65536 Len=0

测试,是否能抓到管理员密码?

Xshell:\&gt; ftp  192.168.10.98

Connecting to 192.168.10.98:21...
Connection established.
Escape character is '^@]'.
220 (vsFTPd 2.0.5)
Name (192.168.10.98:Administrator): root
530 Permission denied.

抓包抓不到密码:

243.383605 192.168.10.2 -&gt; 192.168.10.98 FTP Request: USER root
243.583142 192.168.10.2 -&gt; 192.168.10.98 TCP 53369 &gt; 21 [ACK] Seq=12 Ack=45 Win=65536 Len=0
291.498211 192.168.10.2 -&gt; 192.168.10.98 FTP Request: PWD
291.698623 192.168.10.2 -&gt; 192.168.10.98 TCP 53368 &gt; 21 [ACK] Seq=43 Ack=154 Win=65536 Len=0

ftps的搭建:

ftps=ftp+ssl

创建CA

[root@gjp99 Server]# cd /etc/pki
[root@gjp99 pki]# ll
total 32
drwx------ 3 root root 4096 Aug  2 21:22 CA
drwxr-xr-x 2 root root 4096 Aug  2 21:20 nssdb
drwxr-xr-x 2 root root 4096 Aug  2 21:21 rpm-gpg
drwxr-xr-x 5 root root 4096 Aug  2 21:22 tls
[root@gjp99 pki]# vim tls/openssl.cnf

45 dir             = /etc/pki/CA           # Where everything is kept
46 certs           = $dir/certs            # Where the issued certs are kept
47 crl_dir         = $dir/crl              # Where the issued crl are kept
48 database        = $dir/index.txt        # database index file.
49 #unique_subject = no                    # Set to 'no' to allow creation of
50                                         # several ctificates with same subject.
51 new_certs_dir   = $dir/newcerts         # default place for new certs.
52
53 certificate     = $dir/cacert.pem       # The CA certificate
54 serial          = $dir/serial           # The current serial number
55 crlnumber       = $dir/crlnumber        # the current crl number
56                                         # must be commented out to leave a V1 CRL
57 crl             = $dir/crl.pem          # The current CRL
58 private_key     = $dir/private/cakey.pem# The private key

底行模式:image

88 countryName             = optonal
89 stateOrProvinceName     = optonal
90 organizationName        = optonal

image

[root@gjp99 pki]# ll
total 32
drwx------ 3 root root 4096 Aug  2 21:22 CA
drwxr-xr-x 2 root root 4096 Aug  2 21:20 nssdb
drwxr-xr-x 2 root root 4096 Aug  2 21:21 rpm-gpg
drwxr-xr-x 5 root root 4096 Sep 26 17:04 tls
[root@gjp99 pki]# cd CA
[root@gjp99 CA]# ll
total 8
drwx------ 2 root root 4096 Jun 30  2009 private
[root@gjp99 CA]# mkdir crl certs newcerts
[root@gjp99 CA]# touch index.txt  serial
[root@gjp99 CA]# echo "01"&gt;serial
[root@gjp99 CA]# openssl genrsa 1024 &gt;private/cakey.pem
Generating RSA private key, 1024 bit long modulus
....++++++
......++++++
e is 65537 (0x10001)
[root@gjp99 CA]# chmod 600 private/*
[root@gjp99 CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Shang Hai]:
Locality Name (eg, city) [Shang Hai]:
Organization Name (eg, company) [My Company Ltd]:sec center
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:ca.net.net
Email Address []:
私钥   请求文件   证书

[root@gjp99 CA]# mkdir /etc/vsftpd/certs
[root@gjp99 CA]# cd /etc/vsftpd/certs/
[root@gjp99 certs]# openssl genrsa 1024 &gt;vsftpd.key  创建钥匙
Generating RSA private key, 1024 bit long modulus
.......++++++
................................................................+++
e is 65537 (0x10001)
[root@gjp99 certs]# openssl req -new -key vsftpd.key -out vsftpd.csr   产生请求
You are about to be asked to enter information that will be inco
into your certificate request.
What you are about to enter is what is called a Distinguished Na
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Shang Hai]:
Locality Name (eg, city) [Shang Hai]:
Organization Name (eg, company) [My Company Ltd]:bht
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:ftp.bht.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@gjp99 certs]# ll
total 8
-rw-r--r-- 1 root root 651 Sep 26 17:17 vsftpd.csr
-rw-r--r-- 1 root root 887 Sep 26 17:15 vsftpd.key
[root@gjp99 certs]# openssl ca -in vsftpd.csr -out vsftpd.cert   生成证书
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 26 09:35:33 2012 GMT
Not After : Sep 26 09:35:33 2013 GMT
Subject:
countryName               = CN
stateOrProvinceName       = Shang Hai
organizationName          = bht
organizationalUnitName    = tec
commonName                = ftp.bht.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4E:10:2C:A8:BA:A8:5E:16:D1:8E:BD:85:53:87:5C:5E:1D:B6:04:C1
X509v3 Authority Key Identifier:
keyid:DF:8C:0F:8C:D0:65:31:42:FB:AF:29:7A:52:51:4C:86:09:25:91:F4

Certificate is to be certified until Sep 26 09:35:33 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

证书在哪?私钥在哪?

用man 5 vsftpd.conf

[root@gjp99 certs]# vim /etc/vsftpd/vsftpd.conf

增加以下功能:

rsa_cert_file=/etc/vsftpd/certs/vsftpd.cert
rsa_private_key_file=/etc/vsftpd/certs/vsftpd.key
ssl_tlsv1=YES
ssl_sslv3=YES
ssl_sslv2=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES

[root@gjp99 certs]# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]

[root@gjp99 certs]# tshark -ni eth0  -R "tcp.dstport eq 21 "
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0

C:\Users\Administrator&gt;ftp 192.168.10.98   命令行下无法登录(由于使用了身份验证)
连接到 192.168.10.98。
220 (vsFTPd 2.0.5)
用户(192.168.10.98:(none)): user1
530 Non-anonymous sessions must use encryption.
登录失败。

使用客户端软件:

image imageimage

点击应用   点击连接!

image

点击  “接受一次”

image

1331.140451 192.168.10.2 -&gt; 192.168.10.98 FTP Request: AUTH SSL
1331.147508 192.168.10.2 -&gt; 192.168.10.98 FTP Request: \200\310\001\003\001\000

下面都是已加密的信息,已看不到密码!

邵珠庆推荐文章

博文加载中...

anyShare分享到:

喜欢这个文章吗?

考虑订阅我们的RSS Feed吧!

发布在 邵珠庆

评论 (0) 引用 (0)

还没有评论.


Leave a comment

*

引用被禁用.