Translated tech/20170215 How to Secure a FTP Server Using SSL TLS for Secure File Transfer in CentOS 7.md

ictlyh 2017-04-11 20:01:55 +08:00
parent 31b11c6386
commit d361ea1e8e
No known key found for this signature in database
GPG Key ID: 6861F1F0C29F118D
2 changed files with 234 additions and 236 deletions


@ -1,236 +0,0 @@
ictlyh Translating
How to Secure a FTP Server Using SSL/TLS for Secure File Transfer in CentOS 7
============================================================
By its original design, FTP (File Transfer Protocol) is not secure, meaning it doesnt encrypt data being transmitted between two machines, along with users credentials. This poses a massive threat to data as well as server security.
In this tutorial, we will explain how to manually enable data encryption services in a FTP server in CentOS/RHEL 7 and Fedora; we will go through various steps of securing VSFTPD (Very Secure FTP Daemon) services using SSL/TLS certificates.
#### Prerequisites:
1. You must have [installed and configured a FTP server in CentOS 7][1]
Before we start, note that all the commands in this tutorial will be run as root, otherwise, use the [sudo command][2] to gain root privileges if you are not controlling the server using the root account.
### Step 1\. Generating SSL/TLS Certificate and Private Key
1. We need to start by creating a subdirectory under: `/etc/ssl/` where we will store the SSL/TLS certificate and key files:
```
# mkdir /etc/ssl/private
```
2. Then run the command below to create the certificate and key for vsftpd in a single file, here is the explanation of each flag used.
1. req  is a command for X.509 Certificate Signing Request (CSR) management.
2. x509  means X.509 certificate data management.
3. days  defines number of days certificate is valid for.
4. newkey  specifies certificate key processor.
5. rsa:2048  RSA key processor, will generate a 2048 bit private key.
6. keyout  sets the key storage file.
7. out  sets the certificate storage file, note that both certificate and key are stored in the same file: /etc/ssl/private/vsftpd.pem.
```
# openssl req -x509 -nodes -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem -days 365 -newkey rsa:2048
```
The above command will ask you to answer the questions below, remember to use values that apply to your scenario.
```
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Lower Parel
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:TecMint.com
Organizational Unit Name (eg, section) []:Linux and Open Source
Common Name (eg, your name or your server's hostname) []:tecmint
Email Address []:admin@tecmint.com
```
### Step 2\. Configuring VSFTPD To Use SSL/TLS
3. Before we perform any VSFTPD configurations, lets open the ports 990 and 40000-50000 to allow TLS connections and the port range of passive ports to define in the VSFTPD configuration file respectively:
```
# firewall-cmd --zone=public --permanent --add-port=990/tcp
# firewall-cmd --zone=public --permanent --add-port=40000-50000/tcp
# firewall-cmd --reload
```
4. Now, open the VSFTPD config file and specify the SSL details in it:
```
# vi /etc/vsftpd/vsftpd.conf
```
Look for the option ssl_enable and set its value to `YES` to activate the use of SSL, in addition, since TSL is more secure than SSL, we will restrict VSFTPD to employ TLS instead, using the ssl_tlsv1_2 option:
```
ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=NO
```
5. Then, add the lines below to define the location of the SSL certificate and key file:
```
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
```
6. Next, we have to prevent anonymous users from using SSL, then force all non-anonymous logins to use a secure SSL connection for data transfer and to send the password during login:
```
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
```
7. In addition, we can add the options below to boost up FTP server security. When option require_ssl_reuse is set to `YES`, then, all SSL data connections are required to exhibit SSL session reuse; proving that they know the same master secret as the control channel.
Therefore, we have to turn it off.
```
require_ssl_reuse=NO
```
Again, we need to select which SSL ciphers VSFTPD will permit for encrypted SSL connections with the ssl_ciphers option. This can greatly limit efforts of attackers who try to force a particular cipher which they probably discovered vulnerabilities in:
```
ssl_ciphers=HIGH
```
8. Now, set the port range (min and max port) of passive ports.
```
pasv_min_port=40000
pasv_max_port=50000
```
9. Optionally, allow SSL debugging, meaning openSSL connection diagnostics are recorded to the VSFTPD log file with the debug_ssl option:
```
debug_ssl=YES
```
Save all the changes and close the file. Then lets restart VSFTPD service:
```
# systemctl restart vsftpd
```
### Step 3: Testing FTP server With SSL/TLS Connections
10. After doing all the above configurations, test if VSFTPD is using SSL/TLS connections by attempting to use FTP from the command line as follows:
```
# ftp 192.168.56.10
Connected to 192.168.56.10 (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root) : ravi
530 Non-anonymous sessions must use encryption.
Login failed.
421 Service not available, remote server has closed connection
ftp>
```
[
![Verify FTP SSL Secure Connection](http://www.tecmint.com/wp-content/uploads/2017/02/Verify-FTP-Secure-Connection.png)
][3]
Verify FTP SSL Secure Connection
From the screen shot above, we can see that there is an error informing us that VSFTPD can only allow user to login from clients that support encryption services.
The command line does not offer encryption services thus producing the error. So, to securely connect to the server, we need a FTP client that supports SSL/TLS connections such as FileZilla.
### Step 4: Install FileZilla to Securely Connect to a FTP Server
11. FileZilla is a modern, popular and importantly cross-platform FTP client that supports SSL/TLS connections by default.
To install FileZilla in Linux, run the command below:
```
--------- On CentOS/RHEL/Fedora ---------
# yum install epel-release filezilla
--------- On Debian/Ubuntu ---------
$ sudo apt-get install filezilla
```
12. When the installation completes (or else if you already have it installed), open it and go to File=>Sites Manager or (press `Ctrl+S`) to get the Site Manager interface below.
Click on New Site button to add a new site/host connection details.
[
![Add New FTP Site in Filezilla](http://www.tecmint.com/wp-content/uploads/2017/02/Add-New-FTP-Site-in-Filezilla.png)
][4]
Add New FTP Site in Filezilla
13. Next, set the host/site name, add the IP address, define the protocol to use, encryption and logon type as in the screen shot below (use values that apply to your scenario):
```
Host: 192.168.56.10
Protocol: FTP File Transfer Protocol
Encryption: Require explicit FTP over #recommended
Logon Type: Ask for password #recommended
User: username
```
[
![Add FTP Server Details in Filezilla](http://www.tecmint.com/wp-content/uploads/2017/02/Add-FTP-Server-Details-in-Filezilla.png)
][5]
Add FTP Server Details in Filezilla
14. Then click on Connect to enter the password again, and then verify the certificate being used for the SSL/TLS connection and click `OK` once more to connect to the FTP server:
[
![Verify FTP SSL Certificate](http://www.tecmint.com/wp-content/uploads/2017/02/Verify-FTP-SSL-Certificate.png)
][6]
Verify FTP SSL Certificate
At this stage, we should have logged successfully into the FTP server over a TLS connection, check the connection status section for more information from the interface below.
[
![Connected to FTP Server Over TLS/SSL ](http://www.tecmint.com/wp-content/uploads/2017/02/connected-to-ftp-server-with-tls.png)
][7]
Connected to FTP Server Over TLS/SSL
15. Last but not least, try [transferring files from the local machine to the FTP sever][8] in the files folder, take a look at the lower end of the FileZilla interface to view reports concerning file transfers.
[
![Transfer Files Securely Using FTP](http://www.tecmint.com/wp-content/uploads/2017/02/Transfer-Files-Securely-Using-FTP.png)
][9]
Transfer Files Securely Using FTP
Thats all! Always keep in mind that FTP is not secure by default, unless we configure it to use SSL/TLS connections as we showed you in this tutorial. Do share your thoughts about this tutorial/topic via the feedback form below.
--------------------------------------------------------------------------------
作者简介:
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.
--------------------------------------------------------------------------------
via: http://www.tecmint.com/secure-vsftpd-using-ssl-tls-on-centos/
作者:[Aaron Kili][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://www.tecmint.com/author/aaronkili/
[1]:http://www.tecmint.com/install-ftp-server-in-centos-7/
[2]:http://www.tecmint.com/sudoers-configurations-for-setting-sudo-in-linux/
[3]:http://www.tecmint.com/wp-content/uploads/2017/02/Verify-FTP-Secure-Connection.png
[4]:http://www.tecmint.com/wp-content/uploads/2017/02/Add-New-FTP-Site-in-Filezilla.png
[5]:http://www.tecmint.com/wp-content/uploads/2017/02/Add-FTP-Server-Details-in-Filezilla.png
[6]:http://www.tecmint.com/wp-content/uploads/2017/02/Verify-FTP-SSL-Certificate.png
[7]:http://www.tecmint.com/wp-content/uploads/2017/02/connected-to-ftp-server-with-tls.png
[8]:http://www.tecmint.com/sftp-command-examples/
[9]:http://www.tecmint.com/wp-content/uploads/2017/02/Transfer-Files-Securely-Using-FTP.png
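Review bot: the vsftpd configuration in the deleted source (the block beginning `ssl_tlsv1_2=YES` under Step 2, item 4) does not restrict the daemon to TLS 1.2 as the surrounding prose claims, because vsftpd's `ssl_tlsv1` option defaults to YES; to match the text the block also needs `ssl_tlsv1=NO` and `ssl_tlsv1_1=NO`. Since the translation reproduces this file line for line, the other issues in the source deserve a translator's note rather than a silent copy: item 3 opens 990/tcp in the firewall, yet nothing in the config sets `implicit_ssl`, so the server keeps listening on port 21 (the later `ftp 192.168.56.10` test and the FileZilla "explicit" encryption setting both confirm this), meaning 990 is opened needlessly and 21 is the port that must be reachable; the `openssl req -nodes` command writes an unencrypted private key together with the certificate into `/etc/ssl/private/vsftpd.pem` and no step tightens the permissions on that file, so a `chmod 600` belongs right after it; `require_ssl_reuse=NO` is presented as something we "have to" turn off, but the only reason is client compatibility, and disabling it drops the check that ties each data connection to the authenticated control session, so it should be described as a trade-off; `debug_ssl=YES` sends OpenSSL diagnostics to the vsftpd log and is better left off outside troubleshooting; "TSL" in the sentence introducing `ssl_tlsv1_2` is a typo for TLS; and the FileZilla value `Encryption: Require explicit FTP over #recommended` is truncated and should be checked against the actual option label in the FileZilla site manager.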


@ -0,0 +1,234 @@
如何在 CentOS 7 中使用 SSL/TLS 加固 FTP 服务器进行安全文件传输
============================================================
在一开始的设计中FTP文件传输协议是不安全的意味着它不会加密两台机器之间传输的数据以及用户的凭据。这使得数据和服务器安全面临很大威胁。
在这篇文章中,我们会介绍在 CentOS/RHEL 7 以及 Fedora 中如何在 FTP 服务器中手动启用数据加密服务;我们会介绍使用 SSL/TLS 证书保护 VSFTPDVery Secure FTP Daemon服务的各个步骤。
#### 前提条件:
1. 你必须已经[在 CentOS 7 中安装和配置 FTP 服务][1]
在我们开始之前,要注意本文中所有命令都以 root 用户运行,否则,如果现在你不是使用 root 用户控制服务器,你可以使用 [sudo 命令][2] 去获取 root 权限。
### 第一步:生成 SSL/TLS 证书和密钥
1. 我们首先要在 `/etc/ssl` 目录下创建用于保存 SSL/TLS 证书和密钥文件的子目录:
```
# mkdir /etc/ssl/private
```
2. 然后运行下面的命令为 vsftpd 创建证书和密钥并保存到一个文件中,下面会解析使用的每个标签。
1. req - 是 X.509 Certificate Signing Request CSR证书签名请求管理的一个命令。
2. x509 - X.509 证书数据管理。
3. days - 定义证书的有效日期。
4. newkey - 指定证书密钥处理器。
5. rsa:2048 - RSA 密钥处理器,会生成一个 2048 位的密钥。
6. keyout - 设置密钥存储文件。
7. out - 设置证书存储文件,注意证书和密钥都保存在一个相同的文件:/etc/ssl/private/vsftpd.pem。
```
# openssl req -x509 -nodes -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem -days 365 -newkey rsa:2048
```
上面的命令会让你回答以下的问题,记住使用你自己情况的值。
```
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Lower Parel
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:TecMint.com
Organizational Unit Name (eg, section) []:Linux and Open Source
Common Name (eg, your name or your server's hostname) []:tecmint
Email Address []:admin@tecmint.com
```
### 第二步:配置 VSFTPD 使用 SSL/TLS
3. 在我们进行任何 VSFTPD 配置之前,首先开放 990 和 40000-50000 端口,以便在 VSFTPD 配置文件中分别定义 TLS 连接的端口和被动端口的端口范围:
```
# firewall-cmd --zone=public --permanent --add-port=990/tcp
# firewall-cmd --zone=public --permanent --add-port=40000-50000/tcp
# firewall-cmd --reload
```
4. 现在,打开 VSFTPD 配置文件并在文件中指定 SSL 的详细信息:
```
# vi /etc/vsftpd/vsftpd.conf
```
找到 `ssl_enable` 选项把它的值设置为 `YES` 激活使用 SSL另外由于 TSL 比 SSL 更安全,我们会使用 `ssl_tlsv1_2` 选项让 VSFTPD 使用更严格的 TLS
```
ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=NO
```
5. 然后,添加下面的行定义 SSL 证书和密钥文件的位置:
```
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
```
6. 下面,我们要阻止匿名用户使用 SSL然后强制所有非匿名用户登录使用安全的 SSL 连接进行数据传输和登录过程中的密码发送:
```
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
```
7. 另外,我们还可以添加下面的选项增强 FTP 服务器的安全性。当选项 `require_ssl_reuse` 被设置为 `YES` 时,要求所有 SSL 数据连接都显示 SSL 会话重用;表明它们知道与控制频道相同的主机密码。
因此,我们需要把它关闭。
```
require_ssl_reuse=NO
```
另外,我们还要用 `ssl_ciphers` 选项选择 VSFTPD 允许用于加密 SSL 连接的 SSL 密码。这可以大大限制尝试使用在漏洞中发现的特定密码的攻击者:
```
ssl_ciphers=HIGH
```
8. 现在,设置被动端口的端口范围(最小和最大端口)。
```
pasv_min_port=40000
pasv_max_port=50000
```
9. 选择性启用 `debug_ssl` 选项以允许 SSL 调试,意味着 OpenSSL 连接诊断会被记录到 VSFTPD 日志文件:
```
debug_ssl=YES
```
保存所有更改并关闭文件。然后让我们重启 VSFTPD 服务:
```
# systemctl restart vsftpd
```
### 第三步:用 SSL/TLS 连接测试 FTP 服务器
10. 完成上面的所有配置之后,像下面这样通过在命令行中尝试使用 FTP 测试 VSFTPD 是否使用 SSL/TLS 连接:
```
# ftp 192.168.56.10
Connected to 192.168.56.10 (192.168.56.10).
220 Welcome to TecMint.com FTP service.
Name (192.168.56.10:root) : ravi
530 Non-anonymous sessions must use encryption.
Login failed.
421 Service not available, remote server has closed connection
ftp>
```
[
![验证 FTP SSL 安全连接](http://www.tecmint.com/wp-content/uploads/2017/02/Verify-FTP-Secure-Connection.png)
][3]
验证 FTP SSL 安全连接
从上面的截图中,我们可以看到这里有个错误提示我们 VSFTPD 只允许用户从支持加密服务的客户端登录。
命令行并不会提供加密服务因此产生了这个错误。因此,为了安全地连接到服务器,我们需要一个支持 SSL/TLS 连接的 FTP 客户端,例如 FileZilla。
### 第四步:安装 FileZilla 以便安全地连接到 FTP 服务器
11. FileZilla 是一个时尚、流行且重要的交叉平台 FTP 客户端,它默认支持 SSL/TLS 连接。
要在 Linux 上安装 FileZilla可以运行下面的命令
```
--------- On CentOS/RHEL/Fedora ---------
# yum install epel-release filezilla
--------- On Debian/Ubuntu ---------
$ sudo apt-get install filezilla
```
12. 当安装完成后(或者你已经安装了该软件),打开它,选择 File=>Sites Manager 或者按 `Ctrl + S` 打开 Site Manager 界面。
点击 New Site 按钮添加一个新的站点/主机连接详细信息。
[
![在 FileZilla 中添加新 FTP 站点](http://www.tecmint.com/wp-content/uploads/2017/02/Add-New-FTP-Site-in-Filezilla.png)
][4]
在 FileZilla 中添加新 FTP 站点
13. 下一步,像下面这样设置主机/站点名称、添加 IP 地址、定义使用的协议、加密和登录类型(使用你自己情况的值):
```
Host: 192.168.56.10
Protocol: FTP File Transfer Protocol
Encryption: Require explicit FTP over #recommended
Logon Type: Ask for password #recommended
User: username
```
[
![在 Filezilla 中添加 FTP 服务器详细信息](http://www.tecmint.com/wp-content/uploads/2017/02/Add-FTP-Server-Details-in-Filezilla.png)
][5]
在 Filezilla 中添加 FTP 服务器详细信息
14. 然后点击 Connect再次输入密码然后验证用于 SSL/TLS 连接的证书,再一次点击 `OK` 连接到 FTP 服务器:
[
![验证 FTP SSL 证书](http://www.tecmint.com/wp-content/uploads/2017/02/Verify-FTP-SSL-Certificate.png)
][6]
验证 FTP SSL 证书
到了这里,我们应该使用 TLS 连接成功地登录到了 FTP 服务器,在下面的界面中检查连接状态部分获取更多信息。
[
![通过 TLS/SSL 连接到 FTP 服务器](http://www.tecmint.com/wp-content/uploads/2017/02/connected-to-ftp-server-with-tls.png)
][7]
通过 TLS/SSL 连接到 FTP 服务器
15. 最后,在文件目录尝试 [从本地传输文件到 FTP 服务器][8],看 FileZilla 界面后面的部分查看文件传输相关的报告。
[
![使用 FTP 安全地传输文件](http://www.tecmint.com/wp-content/uploads/2017/02/Transfer-Files-Securely-Using-FTP.png)
][9]
使用 FTP 安全地传输文件
就是这些。记住 FTP 默认是不安全的,除非我们像上面介绍的那样配置它使用 SSL/TLS 连接。在下面的评论框中和我们分享你关于这篇文章/主题的想法吧。
--------------------------------------------------------------------------------
作者简介:
Aaron Kili 是一个 Linux 和 F.O.S.S 的爱好者Linux 系统管理员,网络开发员,目前也是 TecMint 的内容创作者,他喜欢和电脑一起工作,并且坚信共享知识。
--------------------------------------------------------------------------------
via: http://www.tecmint.com/secure-vsftpd-using-ssl-tls-on-centos/
作者:[Aaron Kili][a]
译者:[ictlyh](https://github.com/ictlyh)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]:http://www.tecmint.com/author/aaronkili/
[1]:http://www.tecmint.com/install-ftp-server-in-centos-7/
[2]:http://www.tecmint.com/sudoers-configurations-for-setting-sudo-in-linux/
[3]:http://www.tecmint.com/wp-content/uploads/2017/02/Verify-FTP-Secure-Connection.png
[4]:http://www.tecmint.com/wp-content/uploads/2017/02/Add-New-FTP-Site-in-Filezilla.png
[5]:http://www.tecmint.com/wp-content/uploads/2017/02/Add-FTP-Server-Details-in-Filezilla.png
[6]:http://www.tecmint.com/wp-content/uploads/2017/02/Verify-FTP-SSL-Certificate.png
[7]:http://www.tecmint.com/wp-content/uploads/2017/02/connected-to-ftp-server-with-tls.png
[8]:http://www.tecmint.com/sftp-command-examples/
[9]:http://www.tecmint.com/wp-content/uploads/2017/02/Transfer-Files-Securely-Using-FTP.png
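Review bot: several technical terms in the added translation are mistranslated in a way that changes the security advice. In step 7, "SSL ciphers" for `ssl_ciphers` is rendered as "SSL 密码" (passwords) and the attacker sentence becomes "尝试使用在漏洞中发现的特定密码的攻击者", where the intended meaning is cipher suites (加密算法/密码套件) that an attacker forces because they have known weaknesses; in the same step "master secret" is rendered "主机密码" (host password) rather than 主密钥. In step 2, "flag" is translated as 标签 (tag) where 选项 or 参数 is meant, and "days - 定义证书的有效日期" should be 有效天数 (a number of days), not a date. In step 11, "a modern, popular and importantly cross-platform FTP client" became "时尚、流行且重要的交叉平台 FTP 客户端"; "importantly" qualifies cross-platform rather than the client, and 跨平台 is the usual term. The "TSL" typo from the source is carried over verbatim in step 4 ("由于 TSL 比 SSL 更安全"), and the truncated FileZilla value `Encryption: Require explicit FTP over #recommended` is copied as-is. The 校对 line still holds the `校对者ID` placeholder, which is expected at this stage of the workflow but worth flagging so it is filled at proofreading.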