vsftpd with SSL-encrypted transport

Mainly intended for production FTP servers that are exposed to the public internet.

1. FTP has two secure transport options:

FTPS = FTP + SSL/TLS

SFTP = the OpenSSH sftp subsystem, based on SSH

2. Basic FTPS workflow:

Create a private CA, have the CA issue a certificate for vsftpd, then modify the vsftpd configuration file.

3. Step-by-step procedure:

[[email protected] vsftpd]# cd /etc/pki/CA/
[[email protected] CA]# ls
certs  crl  newcerts  private
[[email protected] CA]# echo 01 > serial
[[email protected] CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JS
Locality Name (eg, city) [Default City]:YC
Organization Name (eg, company) [Default Company Ltd]:Luckyfairy
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ca.luckyfairy.com
Email Address []:
[[email protected] CA]# mkdir /etc/vsftpd/ssl
[[email protected] CA]# cd /etc/vsftpd/ssl
[[email protected] ssl]# (umask 077;openssl genrsa -out vsftpd.key 2048; )
Generating RSA private key, 2048 bit long modulus
...+++
...................................................+++
e is 65537 (0x10001)
[[email protected] ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JS
Locality Name (eg, city) [Default City]:YC
Organization Name (eg, company) [Default Company Ltd]:Luckyfairy
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ftp.lucjyfairy.com
Email Address []:^C
[[email protected] ssl]# openssl req -new -key vsftpd.key -out vsftpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JS
Locality Name (eg, city) [Default City]:YC
Organization Name (eg, company) [Default Company Ltd]:Luckyfairy
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:ftp.luckyfairy.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] ssl]# openssl ca -in vsftpd.csr -out vsftpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug  2 07:56:14 2016 GMT
            Not After : Aug  2 07:56:14 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = JS
            organizationName          = Luckyfairy
            organizationalUnitName    = Tech
            commonName                = ftp.luckyfairy.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7E:BE:2E:D8:42:E5:60:2B:E6:06:4B:81:F9:E6:DC:33:32:B7:4B:3C
            X509v3 Authority Key Identifier:
                keyid:98:4E:5D:94:EC:13:55:C7:AA:39:FA:47:9A:8F:5C:02:85:D0:EB:99

Certificate is to be certified until Aug  2 07:56:14 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Add the following to the vsftpd configuration file:

ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key

Restart the vsftpd process.
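The directives above switch on ssl_sslv3=YES. SSLv3 is an obsolete protocol version (prohibited by RFC 7568 after the POODLE attack), and vsftpd already defaults ssl_sslv2 and ssl_sslv3 to NO, so the line actively weakens the server. The following is an added example, not code from the original post: a POSIX shell audit that reads the page's block as WEAK_CONF (verbatim) beside an assumed HARDENED_CONF that leaves the obsolete versions off and pins the cipher list with vsftpd's ssl_ciphers option, and reports every directive that would let cleartext or obsolete-protocol sessions through. The finding strings are my own wording.

```shell
#!/bin/sh
# Added example, not from the original post. Audits the SSL directives of a
# vsftpd.conf held in a string; exit status is the number of findings.

# Constructed sample 1: the page's own directives, verbatim.
WEAK_CONF='ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv3=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key'

# Constructed sample 2 (assumed hardened replacement): obsolete SSLv2/SSLv3
# explicitly off, TLS on, cipher list restricted to the HIGH group.
HARDENED_CONF='ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
ssl_ciphers=HIGH
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.crt
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.key'

# conf_value CONF KEY: print KEY's value (empty if absent). Comment lines are
# skipped and, as in vsftpd, the last occurrence of a key wins.
conf_value() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep "^$2=" | tail -n 1 | cut -d= -f2-
}

# audit_vsftpd_ssl CONF: one finding per line on stdout, return value = count.
audit_vsftpd_ssl() {
    conf=$1
    n=0
    # Obsolete protocol versions must never be switched on.
    for k in ssl_sslv2 ssl_sslv3; do
        if [ "$(conf_value "$conf" "$k")" = "YES" ]; then
            echo "$k=YES: obsolete protocol version enabled"
            n=$((n + 1))
        fi
    done
    # Without all three of these, local users can still log in or move data
    # over plain FTP, which defeats the purpose of the setup.
    for k in ssl_enable force_local_logins_ssl force_local_data_ssl; do
        if [ "$(conf_value "$conf" "$k")" != "YES" ]; then
            echo "$k is not YES: cleartext FTP remains possible"
            n=$((n + 1))
        fi
    done
    # The cert/key paths must be set, or vsftpd uses its compiled-in defaults.
    for k in rsa_cert_file rsa_private_key_file; do
        if [ -z "$(conf_value "$conf" "$k")" ]; then
            echo "$k is missing: compiled-in default path would be used"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# Demo: the page's block yields exactly one finding, the hardened one none.
audit_vsftpd_ssl "$WEAK_CONF"
echo "weak config findings: $?"
audit_vsftpd_ssl "$HARDENED_CONF"
echo "hardened config findings: $?"
```

To audit the live file instead of the embedded samples, pass its contents: `audit_vsftpd_ssl "$(cat /etc/vsftpd/vsftpd.conf)"`.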

4. Connecting to the FTP server

You need an FTP client that supports encryption, and when connecting you must use the FTP hostname that was given when the certificate was created (its Common Name).
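The certificate flow of step 3 and the hostname requirement of step 4, as an added example (not the author's commands and not part of the original post): a POSIX shell script that reproduces CA key, CA certificate, server key, CSR and signed server certificate non-interactively in a scratch directory, then runs the three checks worth doing before pointing rsa_cert_file and rsa_private_key_file at the files: the server certificate chains to the private CA, the private key really belongs to that certificate, and the certificate is valid for the name clients will type. It assumes the openssl command-line tool is installed. The DN values are the ones typed in the page's session; ftp.lucjyfairy.com (the mistyped name the author cancelled with Ctrl-C) is reused only to show that connecting with a name other than the certificate's fails the hostname check. Two deliberate differences from the page: the CSR is signed with `openssl x509 -req -CA ...`, which needs neither the serial file nor the CA database file (index.txt) that `openssl ca` expects under /etc/pki/CA, and a subjectAltName is added because current clients check SAN before CN.

```shell
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.

# make_ftps_certs DIR HOSTNAME: write cacert.pem, private/cakey.pem, vsftpd.key,
# vsftpd.csr and vsftpd.crt under DIR, mirroring the page's layout.
make_ftps_certs() {
    dir=$1; host=$2
    mkdir -p "$dir/private"
    # CA key (mode 0600 via umask, as on the page) and 10-year self-signed CA cert.
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        -days 3650 -subj "/C=CN/ST=JS/L=YC/O=Luckyfairy/OU=Tech/CN=ca.luckyfairy.com"
    # Server key and CSR; the CN is the name clients must connect to.
    (umask 077; openssl genrsa -out "$dir/vsftpd.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/vsftpd.key" -out "$dir/vsftpd.csr" \
        -subj "/C=CN/ST=JS/L=YC/O=Luckyfairy/OU=Tech/CN=$host"
    # Also carry the hostname as a SAN (assumed improvement over the page's CN-only cert).
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    # Sign with the CA for one year, as the page's "openssl ca" run did.
    openssl x509 -req -in "$dir/vsftpd.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/private/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$dir/san.cnf" -out "$dir/vsftpd.crt" 2>/dev/null
}

# cert_chains_to_ca CA_CERT SERVER_CERT: 0 if SERVER_CERT was issued by CA_CERT.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: 0 if the public key in CERT is the one derived from KEY.
# A mismatch here is what makes vsftpd refuse TLS handshakes after a config edit.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn CERT: print the Common Name, i.e. the hostname to give the FTP client.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_valid_for_host CA_CERT SERVER_CERT HOSTNAME: the check a TLS client performs.
cert_valid_for_host() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo run in a temporary directory.
demo() {
    d=$(mktemp -d)
    make_ftps_certs "$d" ftp.luckyfairy.com >/dev/null 2>&1
    cert_chains_to_ca "$d/cacert.pem" "$d/vsftpd.crt" && echo "chain to CA: OK"
    key_matches_cert "$d/vsftpd.key" "$d/vsftpd.crt" && echo "key/cert pair: OK"
    echo "clients must connect to: $(cert_cn "$d/vsftpd.crt")"
    cert_valid_for_host "$d/cacert.pem" "$d/vsftpd.crt" ftp.lucjyfairy.com \
        || echo "ftp.lucjyfairy.com: hostname mismatch, as a client would report"
    rm -rf "$d"
}
demo
```

Against a running server the same hostname check is done end to end with `openssl s_client -connect ftp.luckyfairy.com:21 -starttls ftp -CAfile /etc/pki/CA/cacert.pem`, which must end with "Verify return code: 0 (ok)".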

Date: 2024-10-13 18:47:59
