Pure-FTPd [TLS] server

王朝 other · Author: anonymous   2008-05-18

Original: Pure-FTPd [TLS]

FTP is one of the services a company uses most often.

Pure-FTPd supports TLS from version 1.0.16 onward.

For background on SSL/TLS, see http://www.openssl.org

OS: FreeBSD 4.8 Production Release, minimal install.

1) Install the OpenSSL library first

Download openssl-0.9.7b.tar.gz, then:

```
gzip -dc openssl-0.9.7b.tar.gz | tar xvf -
cd openssl-0.9.7b
./config
make
make test
make install
```

2) Set up the OpenSSL certificate

The private key and the self-signed certificate are written into the same file, which is the single file Pure-FTPd reads; the key file must be readable by root only.

```
mkdir -p /etc/ssl/private
openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/*.pem
```

2.1) Create a certificate signing request

```
openssl req -new -key /etc/ssl/private/pure-ftpd.pem -out cert.csr
```

Answer the prompts for Country, Organizational Unit, Organization, and so on.

When done, the file looks like this:

```
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDMbTESomB5hILhjnlmSsAal6CAIFk5q33ifpmPF/rAxGv3NnJi
9AI/771bvKQ4ECUvjZaAgDTfvxAf4Kyl7s0csOToKh6GsogIp3uTc+rGMA4pxIg9
KIupddZYKnhS5oYqvYnYP+5eu4Yehq3t3/q+FVcvMv1yiIYVNJJgpBODWwIDAQAB
AoGBAMYuiWeGUb8c7wGabSj1CN3+51OviLC3B7h/gYFO/wLIqd6lQymZY2D2m34H
GLFdPZ+nRSPYpunPQeOVnerT4rXS25VDlUIy+Fg0+vbNhBRDOinVkPqVHA3P65a3
nFw9XU1zAwKaqRZITRN3AhuYQQJ18xcNWVFjBYIAGTGMytNRAkEA/mkuto7XPCkT
YrMmMiCqn1ZQWPomNSZeHz0Db99yEFqtMHrV2/5xbDeduGTuhiLtoetsi311aRNy
tDhbocw5kwJBAM20FNa3MX1+FFllYECpaTdc/SgoeYnpJQMM4UTq+KimI2cb67He
YTXYHrVvLjOv+EvpY544E0hRMRMoUeM1DBkCQFWfvuoQTx5fULfyRZOvbN1tpmMb
5coTnK/0z/hSAsjAS/O6E8oT68aZPUr3JVQd406QtpqH4gE4W22OXkCpRGMCQFuG
jN8ck8CqoJNGMBWVS2N+1IVRvQJH4lgBGxp3Ejy373ipS63QrKAwkTlZRs1otqnQ
Jqr3eFztA1Dq18SojcECQHYOnRBfOhoaYMqlakMUj/h4+/6Uxt47nErRHnLR+RVR
7rND/QH/+WPkJ3ngrN/OKwsGXzX03Z/EytMkxt3rOZs=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDaDCCAtGgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBhTELMAkGA1UEBhMCQ04x
DTALBgNVBAgTBEVBU1QxETAPBgNVBAcTCFNIQU5HSEFJMQ4wDAYDVQQKEwVIVUFZ
QTELMAkGA1UECxMCSUMxEDAOBgNVBAMTB1JJQ0hBUkQxJTAjBgkqhkiG9w0BCQEW
FlJJQ0hBUkRASFVBWUFNSUNSTy5DT00wHhcNMDMwOTIyMTA0OTEyWhcNMDMxMDIy
MTA0OTEyWjCBhTELMAkGA1UEBhMCQ04xDTALBgNVBAgTBEVBU1QxETAPBgNVBAcT
CFNIQU5HSEFJMQ4wDAYDVQQKEwVIVUFZQTELMAkGA1UECxMCSUMxEDAOBgNVBAMT
B1JJQ0hBUkQxJTAjBgkqhkiG9w0BCQEWFlJJQ0hBUkRASFVBWUFNSUNSTy5DT00w
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMxtMRKiYHmEguGOeWZKwBqXoIAg
WTmrfeJ+mY8X+sDEa/c2cmL0Aj/vvVu8pDgQJS+NloCANN+/EB/grKXuzRyw5Ogq
HoayiAine5Nz6sYwDinEiD0oi6l11lgqeFLmhiq9idg/7l67hh6Gre3f+r4VVy8y
/XKIhhU0kmCkE4NbAgMBAAGjgeUwgeIwHQYDVR0OBBYEFOQpxMkT47cZq19AOxtm
vQqwi1rFMIGyBgNVHSMEgaowgaeAFOQpxMkT47cZq19AOxtmvQqwi1rFoYGLpIGI
MIGFMQswCQYDVQQGEwJDTjENMAsGA1UECBMERUFTVDERMA8GA1UEBxMIU0hBTkdI
QUkxDjAMBgNVBAoTBUhVQVlBMQswCQYDVQQLEwJJQzEQMA4GA1UEAxMHUklDSEFS
RDElMCMGCSqGSIb3DQEJARYWUklDSEFSREBIVUFZQU1JQ1JPLkNPTYIBADAMBgNV
HRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBAKdSaI3Y1F/6FyrD8lMlkvSsZRvA
g7GXja0IchLGce0alkoxaARH849U7GEueA695wd7KFeHfJ5klFe7kMY4BkRYVshj
JBweRRZ1u9OjcKHbVufFunKMBY12Qoe0s6IC/HgDHHiJ5ocaYmew3vNQkTKrIQES
atP6AvLTcPoPVT3T
-----END CERTIFICATE-----
```

When you connect with an FTP client, it will prompt you to install (accept) this certificate.
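A few checks worth running on the key file before pointing Pure-FTPd at it, as an added example that is not part of the original post. It assumes POSIX sh, grep and find; only `check_cert_expiry` and `gen_self_signed` need openssl. Note that `openssl req -x509` without `-days` issues a certificate valid for only 30 days, which is exactly what the certificate shown above carries (22 Sep to 22 Oct 2003), so the wrapper below passes an explicit validity period and uses a 2048-bit key instead of the post's rsa:1024; the subject it sets is a placeholder.

```shell
# Added example, not from the original post. Sanity checks for the combined
# key+certificate file Pure-FTPd reads from /etc/ssl/private/pure-ftpd.pem.

# gen_self_signed PEMFILE [DAYS]
# The post's openssl command with an explicit validity period (the default is
# 30 days) and a stronger key. The subshell umask makes the file unreadable to
# group/others from the moment it is created, rather than after a later chmod.
gen_self_signed() {
    pem="$1"; days="${2:-365}"
    ( umask 077
      openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
          -keyout "$pem" -out "$pem" \
          -subj "/C=XX/O=Example/CN=ftp.example.invalid" )   # placeholder subject
}

# check_pem_file PEMFILE
# Returns 0 when the file holds both a private key and a certificate and is
# exactly mode 0600. Prints the reason on failure.
check_pem_file() {
    pem="$1"
    [ -f "$pem" ] || { echo "missing: $pem"; return 1; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" \
        || { echo "no private key in $pem"; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" \
        || { echo "no certificate in $pem"; return 1; }
    # "find -perm 600" matches the exact mode on both BSD and GNU find
    [ -n "$(find "$pem" -perm 600 -print)" ] \
        || { echo "$pem is not mode 0600 (private key readable by others)"; return 1; }
    return 0
}

# check_cert_expiry PEMFILE [SECONDS]
# Returns 0 when the certificate is still valid SECONDS from now (default 7 days),
# so a cron job can warn before clients start rejecting the server.
check_cert_expiry() {
    openssl x509 -in "$1" -noout -checkend "${2:-604800}"
}
```

Source the file and run `check_pem_file /etc/ssl/private/pure-ftpd.pem && check_cert_expiry /etc/ssl/private/pure-ftpd.pem` after step 2; both must succeed before the `TLS 2` setting below is enabled, otherwise every login fails.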

3) Install Pure-FTPd 1.0.16a

Download pure-ftpd-1.0.16a.tar.bz2, then:

```
bzip2 -d pure-ftpd-1.0.16a.tar.bz2
tar xvf pure-ftpd-1.0.16a.tar
cd pure-ftpd-1.0.16a
./configure --with-puredb --with-altlog --with-ratios --with-ftpwho --with-largefile --with-virtualhosts --with-virtualchroot --with-quotas --with-tls
make ; make check ; make install
```

Add the FTP system user (an unprivileged account with no home directory and no usable shell):

```
pw groupadd ftpgroup
pw useradd ftpuser -g ftpgroup -d /dev/null -s /etc
```

Add the Pure-FTPd virtual user, mapped onto that system account:

```
pure-pw useradd test -u ftpuser -d /export/ftphost/test
```
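A wrapper around the `pure-pw` step above, added here as an example that is not part of the original post. It checks the account name and keeps the home directory inside the FTP root before touching the user database, and then runs `pure-pw mkdb`, which `pure-pw useradd` alone does not do: the server reads the compiled `/etc/pureftpd.pdb` named in the configuration below, not the text password file. It assumes POSIX sh; `add_virtual_user` additionally assumes `pure-pw` is installed, and `FTP_ROOT` is taken from the path used in the post.

```shell
# Added example, not from the original post.
FTP_ROOT=/export/ftphost   # directory tree used for virtual users in the post
SYSTEM_USER=ftpuser        # unprivileged account every virtual user maps to

# validate_virtual_user NAME HOME -> 0 if acceptable, 1 (with a reason) otherwise
validate_virtual_user() {
    name="$1"; home="$2"
    # names: lowercase letters, digits, '_' and '-' only; no empty name
    case "$name" in
        ''|*[!a-z0-9_-]*) echo "bad user name: '$name'"; return 1 ;;
    esac
    # the home directory must sit below the FTP root ...
    case "$home" in
        "$FTP_ROOT"/*) ;;
        *) echo "home '$home' is outside $FTP_ROOT"; return 1 ;;
    esac
    # ... and must not climb back out of it with '..' or carry empty components
    case "$home/" in
        */../*|*/./*|*//*) echo "home '$home' contains . or .. components"; return 1 ;;
    esac
    return 0
}

# add_virtual_user NAME HOME
# Creates the virtual user (pure-pw prompts for the password) and rebuilds the
# PureDB file so the running server can see the new account.
add_virtual_user() {
    validate_virtual_user "$1" "$2" || return 1
    pure-pw useradd "$1" -u "$SYSTEM_USER" -d "$2" || return 1
    pure-pw mkdb
}
```

Usage: `add_virtual_user test /export/ftphost/test`. Rejecting homes outside the FTP root matters because `ChrootEveryone yes` only confines a session to whatever directory the account was given.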

4) Configure Pure-FTPd

```
############################################################
#                                                          #
#  Configuration file for pure-ftpd wrappers               #
#                                                          #
############################################################

# If you want to run Pure-FTPd with this configuration
# instead of command-line options, please run the
# following command :
#
# /usr/local/sbin/pure-config.pl /usr/local/etc/pure-ftpd.conf
#
# Please don't forget to have a look at documentation at
# http://www.pureftpd.org/documentation.html for a complete list of
# options.

# Cage in every user in his home directory
ChrootEveryone yes

# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.
TrustedGID 100

# Turn on compatibility hacks for broken clients
BrokenClientsCompatibility no

# Maximum number of simultaneous users
MaxClientsNumber 50

# Fork in background
Daemonize yes

# Maximum number of sim clients with the same IP address
MaxClientsPerIP 8

# If you want to log all client commands, set this to "yes".
# This directive can be duplicated to also log server responses.
VerboseLog no

# List dot-files even when the client doesn't send "-a".
DisplayDotFiles yes

# Don't allow authenticated users - have a public anonymous FTP only.
AnonymousOnly no

# Disallow anonymous connections. Only allow authenticated users.
NoAnonymous yes

# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp". "none" disables logging.
SyslogFacility ftp

# Display fortune cookies
# FortunesFile /usr/share/fortune/zippy

# Don't resolve host names in log files. Logs are less verbose, but
# it uses less bandwidth. Set this to "yes" on very busy servers or
# if you don't have a working DNS.
DontResolve yes

# Maximum idle time in minutes (default = 15 minutes)
MaxIdleTime 15

# LDAP configuration file (see README.LDAP)
# LDAPConfigFile /etc/pureftpd-ldap.conf

# MySQL configuration file (see README.MySQL)
# MySQLConfigFile /etc/pureftpd-mysql.conf

# Postgres configuration file (see README.PGSQL)
# PGSQLConfigFile /etc/pureftpd-pgsql.conf

# PureDB user database (see README.Virtual-Users)
PureDB /etc/pureftpd.pdb
# (PureDB is used here for user authentication)

# Path to pure-authd socket (see README.Authentication-Modules)
# ExtAuth /var/run/ftpd.sock

# If you want to enable PAM authentication, uncomment the following line
# PAMAuthentication yes

# If you want simple Unix (/etc/passwd) authentication, uncomment this
# UnixAuthentication yes

# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used only once, but they can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be asked. If the SQL authentication fails because the
# user wasn't found, another try will be done with /etc/passwd and
# /etc/shadow. If the SQL authentication fails because the password was wrong,
# the authentication chain stops here. Authentication methods are chained in
# the order they are given.

# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth
LimitRecursion 2000 8

# Are anonymous users allowed to create new directories ?
AnonymousCanCreateDirs no

# If the system is more loaded than the following value,
# anonymous users aren't allowed to download.
MaxLoad 4

# Port range for passive connections replies. - for firewalling.
# PassivePortRange 30000 50000

# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.
# ForcePassiveIP 192.168.0.1

# Upload/download ratio for anonymous users.
# AnonymousRatio 1 10

# Upload/download ratio for all users.
# This directive supersedes the previous one.
# UserRatio 1 10

# Disallow downloading of files owned by "ftp", ie.
# files that were uploaded but not validated by a local admin.
AntiWarez yes

# IP address/port to listen to (default=all IP and port 21).
# Bind 127.0.0.1,21

# Maximum bandwidth for anonymous users in KB/s
# AnonymousBandwidth 8

# Maximum bandwidth for *all* users (including anonymous) in KB/s
# Use AnonymousBandwidth *or* UserBandwidth, both makes no sense.
# UserBandwidth 8

# File creation mask. <umask for files>:<umask for dirs> .
# 177:077 if you feel paranoid.
Umask 133:022

# Minimum UID for an authenticated user to log in.
MinUID 100

# Allow FXP transfers for authenticated users only.
#AllowUserFXP yes

# Allow anonymous FXP for anonymous and non-anonymous users.
AllowAnonymousFXP no

# Users can't delete/write files beginning with a dot ('.')
# even if they own them. If TrustedGID is enabled, this group
# will have access to dot-files, though.
ProhibitDotFilesWrite no

# Prohibit *reading* of files beginning with a dot (.history, .ssh...)
ProhibitDotFilesRead no

# Never overwrite files. When a file whose name already exists is uploaded,
# it gets automatically renamed to file.1, file.2, file.3, ...
AutoRename no

# Disallow anonymous users to upload new files (no = upload is allowed)
AnonymousCantUpload no

# Only connections to this specific IP address are allowed to be
# non-anonymous. You can use this directive to open several public IPs for
# anonymous FTP, and keep a private firewalled IP for remote administration.
# You can also only allow a non-routable local IP (like 10.x.x.x) to
# authenticate, and keep a public anon-only FTP server on another IP.
TrustedIP 10.1.1.1
# (put the IP address you trust here)

# If you want to add the PID to every logged line, uncomment the following
# line.
#LogPID yes

# Create an additional log file with transfers logged in a Apache-like format :
# fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
# This log file can then be processed by www traffic analyzers.
# AltLog clf:/var/log/pureftpd.log

# Create an additional log file with transfers logged in a format optimized
# for statistic reports.
# AltLog stats:/var/log/pureftpd.log

# Create an additional log file with transfers logged in the standard W3C
# format (compatible with most commercial log analyzers)
# AltLog w3c:/var/log/pureftpd.log

# Disallow the CHMOD command. Users can't change perms of their files.
#NoChmod yes

# Allow users to resume and upload files, but *NOT* to delete them.
#KeepAllFiles yes

# Automatically create home directories if they are missing
#CreateHomeDir yes

# Enable virtual quotas. The first number is the max number of files.
# The second number is the max size of megabytes.
# So 1000:10 limits every user to 1000 files and 10 Mb.
#Quota 1000:10

# If your pure-ftpd has been compiled with standalone support, you can change
# the location of the pid file. The default is /var/run/pure-ftpd.pid
#PIDFile /var/run/pure-ftpd.pid

# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.
#CallUploadScript yes

# This option is useful with servers where anonymous upload is
# allowed. As /var/ftp is in /var, it saves some space and protects
# the log files. When the partition is more than X percent full,
# new uploads are disallowed.
MaxDiskUsage 99

# Set to 'yes' if you don't want your users to rename files.
#NoRename yes

# Be 'customer proof' : workaround against common customer mistakes like
# 'chmod 0 public_html', that are valid, but that could cause ignorant
# customers to lock their files, and then keep your technical support busy
# with silly issues. If you're sure all your users have some basic Unix
# knowledge, this feature is useless. If you're a hosting service, enable it.
CustomerProof yes

# Per-user concurrency limits. It will only work if the FTP server has
# been compiled with --with-peruserlimits (and this is the case on
# most binary distributions) .
# The format is : <max sessions per user>:<max anonymous sessions>
# For instance, 3:20 means that the same authenticated user can have 3 active
# sessions max. And there are 20 anonymous sessions max.
# PerUserLimits 3:20

# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.
TLS 2
# (2 is chosen here: a cleartext USERNAME and PASSWD are both refused)
```
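The settings this setup depends on are spread across a long file, and a later edit that flips one of them (for instance `TLS 1`, which silently lets clients fall back to cleartext) is easy to miss. The following audit script is an added example, not part of the original post or of Pure-FTPd; it assumes POSIX sh and awk, and the directive names and expected values are the ones from the configuration above.

```shell
# Added example, not from the original post: audit a pure-ftpd.conf for the
# settings this post relies on.

# conf_get FILE DIRECTIVE
# Prints the value of the last active (uncommented) occurrence of DIRECTIVE,
# or nothing if it is absent or only present as a comment.
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                                   # comment line
        $1 == key  { v = $2; for (i = 3; i <= NF; i++) v = v " " $i }
        END        { if (v != "") print v }
    ' "$1"
}

# audit_pure_ftpd_conf FILE
# Prints one finding per line and returns 1 if there is any finding.
audit_pure_ftpd_conf() {
    f="$1"; rc=0
    tls=$(conf_get "$f" TLS)
    case "$tls" in
        2) ;;
        1) echo "TLS 1: cleartext logins still accepted, credentials may travel unencrypted"; rc=1 ;;
        *) echo "TLS ${tls:-unset}: SSL/TLS layer disabled"; rc=1 ;;
    esac
    [ "$(conf_get "$f" NoAnonymous)" = "yes" ] \
        || { echo "NoAnonymous is not yes: anonymous logins allowed"; rc=1; }
    [ "$(conf_get "$f" ChrootEveryone)" = "yes" ] \
        || { echo "ChrootEveryone is not yes: users can browse outside their home"; rc=1; }
    [ -n "$(conf_get "$f" PureDB)" ] \
        || { echo "PureDB not set: no virtual user database configured"; rc=1; }
    minuid=$(conf_get "$f" MinUID)
    [ -n "$minuid" ] && [ "$minuid" -ge 100 ] \
        || { echo "MinUID ${minuid:-unset}: system accounts (uid < 100) could log in"; rc=1; }
    return $rc
}
```

Run it as `audit_pure_ftpd_conf /usr/local/etc/pure-ftpd.conf` after every change and before restarting the daemon; `conf_get` deliberately takes the last active occurrence of a directive, because that is the one a duplicated line would override with.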

Start Pure-FTPd. A cleartext login attempt now looks like this:

```
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 13:27. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
USER test
421 Sorry, cleartext sessions are not accepted on this server.
连接失败
正在延迟 120 秒,在重新连接尝试第 1 次之前
```

If you send the USERNAME in cleartext, the server refuses the connection.

5) FTP client settings

* SmartFTP (Windows)
  URL: http://www.smartftp.com/
  SSL/TLS works when the data connection mode (Tools->Settings->SSL) is set to "clear data connection" while the AUTH mode (also in Tools->Settings->SSL) is set to "TLS".

* IglooFTP Pro (Windows, Linux)
  URL: http://www.iglooftp.com/
  SSL/TLS is automatically detected and works when Preferences->Security->Encrypt is set to "Commands [if possible], Transfers [if possible]".

When connecting, the client will ask you to confirm the certificate.

I have no way to upload the certificate screenshot..

```
0 You will be disconnected after 15 minutes of inactivity.
AUTH TLS
234 AUTH TLS OK.
Connected. Exchanging encryption keys...
Session Cipher: 128 bit RC4
SSL encrypted session established.
PBSZ 0
200 PBSZ=0
USER test
```
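The two transcripts above are exactly what a scheduled check should look for: a `421` refusal when credentials are offered in the clear, and `234 AUTH TLS OK` followed by an established session otherwise. The classifier below is an added example, not part of the original post or of Pure-FTPd; it assumes POSIX sh and awk, and `probe_ftp_server` additionally assumes `nc` is installed and uses a placeholder username. It also flags the `128 bit RC4` cipher seen above, which was ordinary in 2003 but is no longer considered acceptable.

```shell
# Added example, not from the original post: classify an FTP control-channel
# transcript so a periodic job can confirm the server still enforces TLS 2.

# classify_ftp_transcript < transcript
# Prints one of: cleartext-refused, tls-established, tls-weak-cipher,
# cleartext-accepted, unknown.
classify_ftp_transcript() {
    awk '
        /^421 .*cleartext/                        { refused = 1 }   # TLS 2 refusing USER
        /^234 AUTH TLS OK/                        { auth = 1 }      # STARTTLS accepted
        /encrypted session established/           { established = 1 }
        /Session Cipher:.*(RC4|DES|NULL|EXPORT)/  { weak = 1 }      # obsolete ciphers
        /^(230|331) /                             { login = 1 }     # server answered USER
        END {
            if (refused)                  print "cleartext-refused"
            else if (auth && established) print (weak ? "tls-weak-cipher" : "tls-established")
            else if (login && !auth)      print "cleartext-accepted"
            else                          print "unknown"
        }'
}

# probe_ftp_server HOST [PORT]
# Offers a cleartext USER and classifies the reply. With "TLS 2" the expected
# result is "cleartext-refused"; anything else means the setting regressed.
probe_ftp_server() {
    printf 'USER probe\r\nQUIT\r\n' | nc -w 5 "$1" "${2:-21}" | classify_ftp_transcript
}
```

Usage: `[ "$(probe_ftp_server ftp.example.invalid)" = cleartext-refused ] || echo "cleartext logins accepted"` from cron; pipe a saved client log through `classify_ftp_transcript` to check the negotiated cipher.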

Summary: convenient, cheap and practical. That is all it takes to set up a secure FTP server.

Well suited to software development companies. 8-)

Essentially no cost, and reasonably secure.
