原创Pure-FTPd [TLS]
FTP服务是公司最长用的服务之一。
Pure-FTPD 1.0.16 开始支持TLS
有关SSL/TLS
请参考 http://www.openssl.org
OS -FreeBSD 4,8 Production Release
选择最小安装
1)先安装OPENSSL LIB
openssl openssl-0.9.7b.tar.gz
gzip -dc openssl-0.9.7b.tar.gz
cd openssl-0.9.7b
./config
make
make test
make install
2)设置OPENSSL 证书
mkdir -p /etc/ssl/private
openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/*.pem
2.1) 设置认证请求
openssl req -new -key /etc/ssl/provate/pure-ftp.pem -out cert.csr
根据提示设置 Country ..Unit Org ......
做好之后是这样的。
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDMbTESomB5hILhjnlmSsAal6CAIFk5q33ifpmPF/rAxGv3NnJi
9AI/771bvKQ4ECUvjZaAgDTfvxAf4Kyl7s0csOToKh6GsogIp3uTc+rGMA4pxIg9
KIupddZYKnhS5oYqvYnYP+5eu4Yehq3t3/q+FVcvMv1yiIYVNJJgpBODWwIDAQAB
AoGBAMYuiWeGUb8c7wGabSj1CN3+51OviLC3B7h/gYFO/wLIqd6lQymZY2D2m34H
GLFdPZ+nRSPYpunPQeOVnerT4rXS25VDlUIy+Fg0+vbNhBRDOinVkPqVHA3P65a3
nFw9XU1zAwKaqRZITRN3AhuYQQJ18xcNWVFjBYIAGTGMytNRAkEA/mkuto7XPCkT
YrMmMiCqn1ZQWPomNSZeHz0Db99yEFqtMHrV2/5xbDeduGTuhiLtoetsi311aRNy
tDhbocw5kwJBAM20FNa3MX1+FFllYECpaTdc/SgoeYnpJQMM4UTq+KimI2cb67He
YTXYHrVvLjOv+EvpY544E0hRMRMoUeM1DBkCQFWfvuoQTx5fULfyRZOvbN1tpmMb
5coTnK/0z/hSAsjAS/O6E8oT68aZPUr3JVQd406QtpqH4gE4W22OXkCpRGMCQFuG
jN8ck8CqoJNGMBWVS2N+1IVRvQJH4lgBGxp3Ejy373ipS63QrKAwkTlZRs1otqnQ
Jqr3eFztA1Dq18SojcECQHYOnRBfOhoaYMqlakMUj/h4+/6Uxt47nErRHnLR+RVR
7rND/QH/+WPkJ3ngrN/OKwsGXzX03Z/EytMkxt3rOZs=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDaDCCAtGgAwIBAgIBADANBgkqhkiG9w0BAQQFADCBhTELMAkGA1UEBhMCQ04x
DTALBgNVBAgTBEVBU1QxETAPBgNVBAcTCFNIQU5HSEFJMQ4wDAYDVQQKEwVIVUFZ
QTELMAkGA1UECxMCSUMxEDAOBgNVBAMTB1JJQ0hBUkQxJTAjBgkqhkiG9w0BCQEW
FlJJQ0hBUkRASFVBWUFNSUNSTy5DT00wHhcNMDMwOTIyMTA0OTEyWhcNMDMxMDIy
MTA0OTEyWjCBhTELMAkGA1UEBhMCQ04xDTALBgNVBAgTBEVBU1QxETAPBgNVBAcT
CFNIQU5HSEFJMQ4wDAYDVQQKEwVIVUFZQTELMAkGA1UECxMCSUMxEDAOBgNVBAMT
B1JJQ0hBUkQxJTAjBgkqhkiG9w0BCQEWFlJJQ0hBUkRASFVBWUFNSUNSTy5DT00w
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMxtMRKiYHmEguGOeWZKwBqXoIAg
WTmrfeJ+mY8X+sDEa/c2cmL0Aj/vvVu8pDgQJS+NloCANN+/EB/grKXuzRyw5Ogq
HoayiAine5Nz6sYwDinEiD0oi6l11lgqeFLmhiq9idg/7l67hh6Gre3f+r4VVy8y
/XKIhhU0kmCkE4NbAgMBAAGjgeUwgeIwHQYDVR0OBBYEFOQpxMkT47cZq19AOxtm
vQqwi1rFMIGyBgNVHSMEgaowgaeAFOQpxMkT47cZq19AOxtmvQqwi1rFoYGLpIGI
MIGFMQswCQYDVQQGEwJDTjENMAsGA1UECBMERUFTVDERMA8GA1UEBxMIU0hBTkdI
QUkxDjAMBgNVBAoTBUhVQVlBMQswCQYDVQQLEwJJQzEQMA4GA1UEAxMHUklDSEFS
RDElMCMGCSqGSIb3DQEJARYWUklDSEFSREBIVUFZQU1JQ1JPLkNPTYIBADAMBgNV
HRMEBTADAQH/MA0GCSqGSIb3DQEBBAUAA4GBAKdSaI3Y1F/6FyrD8lMlkvSsZRvA
g7GXja0IchLGce0alkoxaARH849U7GEueA695wd7KFeHfJ5klFe7kMY4BkRYVshj
JBweRRZ1u9OjcKHbVufFunKMBY12Qoe0s6IC/HgDHHiJ5ocaYmew3vNQkTKrIQES
atP6AvLTcPoPVT3T
-----END CERTIFICATE-----
————用FTP
CLIENT
连接时候
回提示你安装证书。
3)安装Pure-FTPD 1.0.16a
download pure-ftpd-1.0.16a.tar.bz2
bzip2 pure-ftpd-1.0.16a.tar.bz2
tar xvf pure-ftpd-1.0.16a.tar
cd pure-ftpd-1.0.16a
#./configure --with-puredb --with-altlog --with-ratios --with-ftpwho --with-largefile --with-virtualhosts --with-virtualchroot
--with-quotas --with-tls
````
make ; make check make installl
添加FPT
用户
pw groupadd ftpgroup
pw useradd ftpuser -g ftpgroup -d /dev/null -s /etc
添加PURE-FTP
用户
pure-pw useradd test -u ftpuser -d /export/ftphost/test
4 设置Pure-FTP
############################################################
# #
# Configuration file for pure-ftpd wrappers #
# #
############################################################
# If you want to run Pure-FTPd with this configuration
# instead of command-line options, please run the
# following command :
#
# /usr/local/sbin/pure-config.pl /usr/local/etc/pure-ftpd.conf
#
# Please don't forget to have a look at documentation at
# http://www.pureftpd.org/documentation.html for a complete list of
# options.
# Cage in every user in his home directory
ChrootEveryone yes
# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.
TrustedGID 100
# Turn on compatibility hacks for broken clients
BrokenClientsCompatibility no
# Maximum number of simultaneous users
MaxClientsNumber 50
# Fork in background
Daemonize yes
# Maximum number of sim clients with the same IP address
MaxClientsPerIP 8
# If you want to log all client commands, set this to "yes".
# This directive can be duplicated to also log server responses.
VerboseLog no
# List dot-files even when the client doesn't send "-a".
DisplayDotFiles yes
# Don't allow authenticated users - have a public anonymous FTP only.
AnonymousOnly no
# Disallow anonymous connections. Only allow authenticated users.
NoAnonymous yes
# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp". "none" disables logging.
SyslogFacility ftp
# Display fortune cookies
# FortunesFile /usr/share/fortune/zippy
# Don't resolve host names in log files. Logs are less verbose, but
# it uses less bandwidth. Set this to "yes" on very busy servers or
# if you don't have a working DNS.
DontResolve yes
# Maximum idle time in minutes (default = 15 minutes)
MaxIdleTime 15
# LDAP configuration file (see README.LDAP)
# LDAPConfigFile /etc/pureftpd-ldap.conf
# MySQL configuration file (see README.MySQL)
# MySQLConfigFile /etc/pureftpd-mysql.conf
# Postgres configuration file (see README.PGSQL)
# PGSQLConfigFile /etc/pureftpd-pgsql.conf
# PureDB user database (see README.Virtual-Users)
PureDB /etc/pureftpd.pdb
(这里选用 PUREDB 做用户认证
# Path to pure-authd socket (see README.Authentication-Modules)
# ExtAuth /var/run/ftpd.sock
# If you want to enable PAM authentication, uncomment the following line
# PAMAuthentication yes
# If you want simple Unix (/etc/passwd) authentication, uncomment this
# UnixAuthentication yes
# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used only once, but they can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be asked. If the SQL authentication fails because the
# user wasn't found, another try # will be done with /etc/passwd and
# /etc/shadow. If the SQL authentication fails because the password was wrong,
# the authentication chain stops here. Authentication methods are chained in
# the order they are given.
# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth
LimitRecursion 2000 8
# Are anonymous users allowed to create new directories ?
AnonymousCanCreateDirs no
# If the system is more loaded than the following value,
# anonymous users aren't allowed to download.
MaxLoad 4
# Port range for passive connections replies. - for firewalling.
# PassivePortRange 30000 50000
# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.
# ForcePassiveIP 192.168.0.1
# Upload/download ratio for anonymous users.
# AnonymousRatio 1 10
# Upload/download ratio for all users.
# This directive superscedes the previous one.
# UserRatio 1 10
# Disallow downloading of files owned by "ftp", ie.
# files that were uploaded but not validated by a local admin.
AntiWarez yes
# IP address/port to listen to (default=all IP and port 21).
# Bind 127.0.0.1,21
# Maximum bandwidth for anonymous users in KB/s
# AnonymousBandwidth 8
# Maximum bandwidth for *all* users (including anonymous) in KB/s
# Use AnonymousBandwidth *or* UserBandwidth, both makes no sense.
# UserBandwidth 8
# File creation mask. <umask for files>:<umask for dirs> .
# 177:077 if you feel paranoid.
Umask 133:022
# Minimum UID for an authenticated user to log in.
MinUID 100
# Allow FXP transfers for authenticated users only.
#AllowUserFXP yes
# Allow anonymous FXP for anonymous and non-anonymous users.
AllowAnonymousFXP no
# Users can't delete/write files beginning with a dot ('.')
# even if they own them. If TrustedGID is enabled, this group
# will have access to dot-files, though.
ProhibitDotFilesWrite no
# Prohibit *reading* of files beginning with a dot (.history, .ssh...)
ProhibitDotFilesRead no
# Never overwrite files. When a file whoose name already exist is uploaded,
# it get automatically renamed to file.1, file.2, file.3, ...
AutoRename no
# Disallow anonymous users to upload new files (no = upload is allowed)
AnonymousCantUpload no
# Only connections to this specific IP address are allowed to be
# non-anonymous. You can use this directive to open several public IPs for
# anonymous FTP, and keep a private firewalled IP for remote administration.
# You can also only allow a non-routable local IP (like 10.x.x.x) to
# authenticate, and keep a public anon-only FTP server on another IP.
TrustedIP 10.1.1.1
(这里添加你信任的IP )
# If you want to add the PID to every logged line, uncomment the following
# line.
#LogPID yes
# Create an additional log file with transfers logged in a Apache-like format :
# fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
# This log file can then be processed by www traffic analyzers.
# AltLog clf:/var/log/pureftpd.log
# Create an additional log file with transfers logged in a format optimized
# for statistic reports.
# AltLog stats:/var/log/pureftpd.log
# Create an additional log file with transfers logged in the standard W3C
# format (compatible with most commercial log analyzers)
# AltLog w3c:/var/log/pureftpd.log
# Disallow the CHMOD command. Users can't change perms of their files.
#NoChmod yes
# Allow users to resume and upload files, but *NOT* to delete them.
#KeepAllFiles yes
# Automatically create home directories if they are missing
#CreateHomeDir yes
# Enable virtual quotas. The first number is the max number of files.
# The second number is the max size of megabytes.
# So 1000:10 limits every user to 1000 files and 10 Mb.
#Quota 1000:10
# If your pure-ftpd has been compiled with standalone support, you can change
# the location of the pid file. The default is /var/run/pure-ftpd.pid
#PIDFile /var/run/pure-ftpd.pid
# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.
#CallUploadScript yes
# This option is useful with servers where anonymous upload is
# allowed. As /var/ftp is in /var, it save some space and protect
# the log files. When the partition is more that X percent full,
# new uploads are disallowed.
MaxDiskUsage 99
# Set to 'yes' if you don't want your users to rename files.
#NoRename yes
# Be 'customer proof' : workaround against common customer mistakes like
# 'chmod 0 public_html', that are valid, but that could cause ignorant
# customers to lock their files, and then keep your technical support busy
# with silly issues. If you're sure all your users have some basic Unix
# knowledge, this feature is useless. If you're a hosting service, enable it.
CustomerProof yes
# Per-user concurrency limits. It will only work if the FTP server has
# been compiled with --with-peruserlimits (and this is the case on
# most binary distributions) .
# The format is : <max sessions per user>:<max anonymous sessions>
# For instance, 3:20 means that the same authenticated user can have 3 active
# sessions max. And there are 20 anonymous sessions max.
# PerUserLimits 3:20
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
# including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.
TLS 2
(这里选2 --明文的USERNAME 和 PASSWD 都是禁止的 )
启动
PUREFTP
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 13:27. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
USER test
421 Sorry, cleartext sessions are not accepted on this server.
连接失败
正在延迟 120 秒,在重新连接尝试第 1 次之前
如果你用明文USERNAME
服务器
将拒绝。
4 FTP client 的设置
SmartFTP (Windows)
URL: http://www.smartftp.com/
(Tools->Settings->SSL) is set to
"clear data connection" while the AUTH mode (also in Tools->Settings->SSL) is
set to "TLS".
* IglooFTP Pro (Windows, Linux)
URL: http://www.iglooftp.com/
SSL/TLS is automatically detected and works when Preferences->Security->
Encrypt is set to "Commands [if possible], Transfers [if possible]".
连接的时候你都会让你确认证书的。
证书的图片我没办法上传。。
0 You will be disconnected after 15 minutes of inactivity.
AUTH TLS
234 AUTH TLS OK.
Connected. Exchanging encryption keys...
Session Cipher: 128 bit RC4
SSL encrypted session established.
PBSZ 0
200 PBSZ=0
USER test
总结--方便经济。实用
安全的FTP
就这样做成了。
很适合做软件设计的公司使用。
8-)
没什么成本。也做到了相对安全。