From d361ea1e8e977db0c5fe6a9cf6802d59f81e39a2 Mon Sep 17 00:00:00 2001 From: ictlyh Date: Tue, 11 Apr 2017 20:01:55 +0800 Subject: [PATCH] Translated tech/20170215 How to Secure a FTP Server Using SSL TLS for Secure File Transfer in CentOS 7.md --- ...LS for Secure File Transfer in CentOS 7.md | 236 ------------------ ...LS for Secure File Transfer in CentOS 7.md | 234 +++++++++++++++++ 2 files changed, 234 insertions(+), 236 deletions(-) delete mode 100644 sources/tech/20170215 How to Secure a FTP Server Using SSL TLS for Secure File Transfer in CentOS 7.md create mode 100644 translated/tech/20170215 How to Secure a FTP Server Using SSL TLS for Secure File Transfer in CentOS 7.md diff --git a/sources/tech/20170215 How to Secure a FTP Server Using SSL TLS for Secure File Transfer in CentOS 7.md b/sources/tech/20170215 How to Secure a FTP Server Using SSL TLS for Secure File Transfer in CentOS 7.md deleted file mode 100644 index ed5736e090..0000000000 --- a/sources/tech/20170215 How to Secure a FTP Server Using SSL TLS for Secure File Transfer in CentOS 7.md +++ /dev/null 
@@ -1,236 +0,0 @@ -ictlyh Translating -How to Secure a FTP Server Using SSL/TLS for Secure File Transfer in CentOS 7 -============================================================ - -By its original design, FTP (File Transfer Protocol) is not secure, meaning it doesn’t encrypt data being transmitted between two machines, along with user’s credentials. This poses a massive threat to data as well as server security. - -In this tutorial, we will explain how to manually enable data encryption services in a FTP server in CentOS/RHEL 7 and Fedora; we will go through various steps of securing VSFTPD (Very Secure FTP Daemon) services using SSL/TLS certificates. - -#### Prerequisites: - -1. You must have [installed and configured a FTP server in CentOS 7][1] - -Before we start, note that all the commands in this tutorial will be run as root, otherwise, use the [sudo command][2] to gain root privileges if you are not controlling the server using the root account. - -### Step 1\. Generating SSL/TLS Certificate and Private Key - -1. We need to start by creating a subdirectory under: `/etc/ssl/` where we will store the SSL/TLS certificate and key files: - -``` -# mkdir /etc/ssl/private -``` - -2. Then run the command below to create the certificate and key for vsftpd in a single file, here is the explanation of each flag used. - -1. req – is a command for X.509 Certificate Signing Request (CSR) management. -2. x509 – means X.509 certificate data management. -3. days – defines number of days certificate is valid for. -4. newkey – specifies certificate key processor. -5. rsa:2048 – RSA key processor, will generate a 2048 bit private key. -6. keyout – sets the key storage file. -7. out – sets the certificate storage file, note that both certificate and key are stored in the same file: /etc/ssl/private/vsftpd.pem. 
- -``` -# openssl req -x509 -nodes -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem -days 365 -newkey rsa:2048 -``` - -The above command will ask you to answer the questions below, remember to use values that apply to your scenario. - -``` -Country Name (2 letter code) [XX]:IN -State or Province Name (full name) []:Lower Parel -Locality Name (eg, city) [Default City]:Mumbai -Organization Name (eg, company) [Default Company Ltd]:TecMint.com -Organizational Unit Name (eg, section) []:Linux and Open Source -Common Name (eg, your name or your server's hostname) []:tecmint -Email Address []:admin@tecmint.com -``` - -### Step 2\. Configuring VSFTPD To Use SSL/TLS - -3. Before we perform any VSFTPD configurations, let’s open the ports 990 and 40000-50000 to allow TLS connections and the port range of passive ports to define in the VSFTPD configuration file respectively: - -``` -# firewall-cmd --zone=public --permanent --add-port=990/tcp -# firewall-cmd --zone=public --permanent --add-port=40000-50000/tcp -# firewall-cmd --reload -``` - -4. Now, open the VSFTPD config file and specify the SSL details in it: - -``` -# vi /etc/vsftpd/vsftpd.conf -``` - -Look for the option ssl_enable and set its value to `YES` to activate the use of SSL, in addition, since TSL is more secure than SSL, we will restrict VSFTPD to employ TLS instead, using the ssl_tlsv1_2 option: - -``` -ssl_enable=YES -ssl_tlsv1_2=YES -ssl_sslv2=NO -ssl_sslv3=NO -``` - -5. Then, add the lines below to define the location of the SSL certificate and key file: - -``` -rsa_cert_file=/etc/ssl/private/vsftpd.pem -rsa_private_key_file=/etc/ssl/private/vsftpd.pem -``` - -6. Next, we have to prevent anonymous users from using SSL, then force all non-anonymous logins to use a secure SSL connection for data transfer and to send the password during login: - -``` -allow_anon_ssl=NO -force_local_data_ssl=YES -force_local_logins_ssl=YES -``` - -7. 
In addition, we can add the options below to boost up FTP server security. When option require_ssl_reuse is set to `YES`, then, all SSL data connections are required to exhibit SSL session reuse; proving that they know the same master secret as the control channel. - -Therefore, we have to turn it off. - -``` -require_ssl_reuse=NO -``` - -Again, we need to select which SSL ciphers VSFTPD will permit for encrypted SSL connections with the ssl_ciphers option. This can greatly limit efforts of attackers who try to force a particular cipher which they probably discovered vulnerabilities in: - -``` -ssl_ciphers=HIGH -``` - -8. Now, set the port range (min and max port) of passive ports. - -``` -pasv_min_port=40000 -pasv_max_port=50000 -``` - -9. Optionally, allow SSL debugging, meaning openSSL connection diagnostics are recorded to the VSFTPD log file with the debug_ssl option: - -``` -debug_ssl=YES -``` - -Save all the changes and close the file. Then let’s restart VSFTPD service: - -``` -# systemctl restart vsftpd -``` - -### Step 3: Testing FTP server With SSL/TLS Connections - -10. After doing all the above configurations, test if VSFTPD is using SSL/TLS connections by attempting to use FTP from the command line as follows: - -``` -# ftp 192.168.56.10 -Connected to 192.168.56.10 (192.168.56.10). -220 Welcome to TecMint.com FTP service. -Name (192.168.56.10:root) : ravi -530 Non-anonymous sessions must use encryption. -Login failed. -421 Service not available, remote server has closed connection -ftp> -``` -[ - ![Verify FTP SSL Secure Connection](http://www.tecmint.com/wp-content/uploads/2017/02/Verify-FTP-Secure-Connection.png) -][3] - -Verify FTP SSL Secure Connection - -From the screen shot above, we can see that there is an error informing us that VSFTPD can only allow user to login from clients that support encryption services. - -The command line does not offer encryption services thus producing the error. 
So, to securely connect to the server, we need a FTP client that supports SSL/TLS connections such as FileZilla. - -### Step 4: Install FileZilla to Securely Connect to a FTP Server - -11. FileZilla is a modern, popular and importantly cross-platform FTP client that supports SSL/TLS connections by default. - -To install FileZilla in Linux, run the command below: - -``` ---------- On CentOS/RHEL/Fedora --------- -# yum install epel-release filezilla ---------- On Debian/Ubuntu --------- -$ sudo apt-get install filezilla -``` - -12. When the installation completes (or else if you already have it installed), open it and go to File=>Sites Manager or (press `Ctrl+S`) to get the Site Manager interface below. - -Click on New Site button to add a new site/host connection details. - -[ - ![Add New FTP Site in Filezilla](http://www.tecmint.com/wp-content/uploads/2017/02/Add-New-FTP-Site-in-Filezilla.png) -][4] - -Add New FTP Site in Filezilla - -13. Next, set the host/site name, add the IP address, define the protocol to use, encryption and logon type as in the screen shot below (use values that apply to your scenario): - -``` -Host: 192.168.56.10 -Protocol: FTP – File Transfer Protocol -Encryption: Require explicit FTP over #recommended -Logon Type: Ask for password #recommended -User: username -``` -[ - ![Add FTP Server Details in Filezilla](http://www.tecmint.com/wp-content/uploads/2017/02/Add-FTP-Server-Details-in-Filezilla.png) -][5] - -Add FTP Server Details in Filezilla - -14. 
Then click on Connect to enter the password again, and then verify the certificate being used for the SSL/TLS connection and click `OK` once more to connect to the FTP server: - -[ - ![Verify FTP SSL Certificate](http://www.tecmint.com/wp-content/uploads/2017/02/Verify-FTP-SSL-Certificate.png) -][6] - -Verify FTP SSL Certificate - -At this stage, we should have logged successfully into the FTP server over a TLS connection, check the connection status section for more information from the interface below. - -[ - ![Connected to FTP Server Over TLS/SSL ](http://www.tecmint.com/wp-content/uploads/2017/02/connected-to-ftp-server-with-tls.png) -][7] - -Connected to FTP Server Over TLS/SSL - -15. Last but not least, try [transferring files from the local machine to the FTP sever][8] in the files folder, take a look at the lower end of the FileZilla interface to view reports concerning file transfers. - -[ - ![Transfer Files Securely Using FTP](http://www.tecmint.com/wp-content/uploads/2017/02/Transfer-Files-Securely-Using-FTP.png) -][9] - -Transfer Files Securely Using FTP - -That’s all! Always keep in mind that FTP is not secure by default, unless we configure it to use SSL/TLS connections as we showed you in this tutorial. Do share your thoughts about this tutorial/topic via the feedback form below. - --------------------------------------------------------------------------------- - -作者简介: - -Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge. 
- --------------------------------------------------------------------------------- - -via: http://www.tecmint.com/secure-vsftpd-using-ssl-tls-on-centos/ - -作者:[Aaron Kili][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:http://www.tecmint.com/author/aaronkili/ - -[1]:http://www.tecmint.com/install-ftp-server-in-centos-7/ -[2]:http://www.tecmint.com/sudoers-configurations-for-setting-sudo-in-linux/ -[3]:http://www.tecmint.com/wp-content/uploads/2017/02/Verify-FTP-Secure-Connection.png -[4]:http://www.tecmint.com/wp-content/uploads/2017/02/Add-New-FTP-Site-in-Filezilla.png -[5]:http://www.tecmint.com/wp-content/uploads/2017/02/Add-FTP-Server-Details-in-Filezilla.png -[6]:http://www.tecmint.com/wp-content/uploads/2017/02/Verify-FTP-SSL-Certificate.png -[7]:http://www.tecmint.com/wp-content/uploads/2017/02/connected-to-ftp-server-with-tls.png -[8]:http://www.tecmint.com/sftp-command-examples/ -[9]:http://www.tecmint.com/wp-content/uploads/2017/02/Transfer-Files-Securely-Using-FTP.png diff --git a/translated/tech/20170215 How to Secure a FTP Server Using SSL TLS for Secure File Transfer in CentOS 7.md b/translated/tech/20170215 How to Secure a FTP Server Using SSL TLS for Secure File Transfer in CentOS 7.md new file mode 100644 index 0000000000..ec6302e009 --- /dev/null +++ b/translated/tech/20170215 How to Secure a FTP Server Using SSL TLS for Secure File Transfer in CentOS 7.md 
@@ -0,0 +1,234 @@ +如何在 CentOS 7 中使用 SSL/TLS 加固 FTP 服务器进行安全文件传输 +============================================================ + +在一开始的设计中,FTP(文件传输协议)是不安全的,意味着它不会加密两台机器之间传输的数据以及用户的凭据。这使得数据和服务器安全面临很大威胁。 + +在这篇文章中,我们会介绍在 CentOS/RHEL 7 以及 Fedora 中如何在 FTP 服务器中手动启用数据加密服务;我们会介绍使用 SSL/TLS 证书保护 VSFTPD(Very Secure FTP Daemon)服务的各个步骤。 + +#### 前提条件: + +1. 你必须已经[在 CentOS 7 中安装和配置 FTP 服务][1] + +在我们开始之前,要注意本文中所有命令都以 root 用户运行,否则,如果现在你不是使用 root 用户控制服务器,你可以使用 [sudo 命令][2] 去获取 root 权限。 + +### 第一步:生成 SSL/TLS 证书和密钥 + +1. 我们首先要在 `/etc/ssl` 目录下创建用于保存 SSL/TLS 证书和密钥文件的子目录: + +``` +# mkdir /etc/ssl/private +``` + +2. 然后运行下面的命令为 vsftpd 创建证书和密钥并保存到一个文件中,下面会解析使用的每个标签。 + +1. req - 是 X.509 Certificate Signing Request (CSR,证书签名请求)管理的一个命令。 +2. x509 - X.509 证书数据管理。 +3. days - 定义证书的有效日期。 +4. newkey - 指定证书密钥处理器。 +5. rsa:2048 - RSA 密钥处理器,会生成一个 2048 位的密钥。 +6. keyout - 设置密钥存储文件。 +7. out - 设置证书存储文件,注意证书和密钥都保存在一个相同的文件:/etc/ssl/private/vsftpd.pem。 + +``` +# openssl req -x509 -nodes -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem -days 365 -newkey rsa:2048 +``` + +上面的命令会让你回答以下的问题,记住使用你自己情况的值。 + +``` +Country Name (2 letter code) [XX]:IN +State or Province Name (full name) []:Lower Parel +Locality Name (eg, city) [Default City]:Mumbai +Organization Name (eg, company) [Default Company Ltd]:TecMint.com +Organizational Unit Name (eg, section) []:Linux and Open Source +Common Name (eg, your name or your server's hostname) []:tecmint +Email Address []:admin@tecmint.com +``` + +### 第二步:配置 VSFTPD 使用 SSL/TLS + +3. 在我们进行任何 VSFTPD 配置之前,首先开放 990 和 40000-50000 端口,以便在 VSFTPD 配置文件中分别定义 TLS 连接的端口和被动端口的端口范围: + +``` +# firewall-cmd --zone=public --permanent --add-port=990/tcp +# firewall-cmd --zone=public --permanent --add-port=40000-50000/tcp +# firewall-cmd --reload +``` + +4. 
现在,打开 VSFTPD 配置文件并在文件中指定 SSL 的详细信息: + +``` +# vi /etc/vsftpd/vsftpd.conf +``` + +找到 `ssl_enable` 选项把它的值设置为 `YES` 激活使用 SSL,另外,由于 TSL 比 SSL 更安全,我们会使用 `ssl_tlsv1_2` 选项让 VSFTPD 使用更严格的 TLS: + +``` +ssl_enable=YES +ssl_tlsv1_2=YES +ssl_sslv2=NO +ssl_sslv3=NO +``` + +5. 然后,添加下面的行定义 SSL 证书和密钥文件的位置: + +``` +rsa_cert_file=/etc/ssl/private/vsftpd.pem +rsa_private_key_file=/etc/ssl/private/vsftpd.pem +``` + +6. 下面,我们要阻止匿名用户使用 SSL,然后强制所有非匿名用户登录使用安全的 SSL 连接进行数据传输和登录过程中的密码发送: + +``` +allow_anon_ssl=NO +force_local_data_ssl=YES +force_local_logins_ssl=YES +``` + +7. 另外,我们还可以添加下面的选项增强 FTP 服务器的安全性。当选项 `require_ssl_reuse` 被设置为 `YES` 时,要求所有 SSL 数据连接都显示 SSL 会话重用;表明它们知道与控制频道相同的主机密码。 + +因此,我们需要把它关闭。 + +``` +require_ssl_reuse=NO +``` + +另外,我们还要用 `ssl_ciphers` 选项选择 VSFTPD 允许用于加密 SSL 连接的 SSL 密码。这可以大大限制尝试使用在漏洞中发现的特定密码的攻击者: + +``` +ssl_ciphers=HIGH +``` + +8. 现在,设置被动端口的端口范围(最小和最大端口)。 +``` +pasv_min_port=40000 +pasv_max_port=50000 +``` + +9. 选择性启用 `debug_ssl` 选项以允许 SSL 调试,意味着 OpenSSL 连接诊断会被记录到 VSFTPD 日志文件: + +``` +debug_ssl=YES +``` + +保存所有更改并关闭文件。然后让我们重启 VSFTPD 服务: + +``` +# systemctl restart vsftpd +``` + +### 第三步:用 SSL/TLS 连接测试 FTP 服务器 + +10. 完成上面的所有配置之后,像下面这样通过在命令行中尝试使用 FTP 测试 VSFTPD 是否使用 SSL/TLS 连接: + +``` +# ftp 192.168.56.10 +Connected to 192.168.56.10 (192.168.56.10). +220 Welcome to TecMint.com FTP service. +Name (192.168.56.10:root) : ravi +530 Non-anonymous sessions must use encryption. +Login failed. +421 Service not available, remote server has closed connection +ftp> +``` +[ + ![验证 FTP SSL 安全连接](http://www.tecmint.com/wp-content/uploads/2017/02/Verify-FTP-Secure-Connection.png) +][3] + +验证 FTP SSL 安全连接 + +从上面的截图中,我们可以看到这里有个错误提示我们 VSFTPD 只允许用户从支持加密服务的客户端登录。 + +命令行并不会提供加密服务因此产生了这个错误。因此,为了安全地连接到服务器,我们需要一个支持 SSL/TLS 连接的 FTP 客户端,例如 FileZilla。 + +### 第四步:安装 FileZilla 以便安全地连接到 FTP 服务器 + +11. 
FileZilla 是一个时尚、流行且重要的交叉平台 FTP 客户端,它默认支持 SSL/TLS 连接。 + +要在 Linux 上安装 FileZilla,可以运行下面的命令: + +``` +--------- On CentOS/RHEL/Fedora --------- +# yum install epel-release filezilla +--------- On Debian/Ubuntu --------- +$ sudo apt-get install filezilla +``` + +12. 当安装完成后(或者你已经安装了该软件),打开它,选择 File=>Sites Manager 或者按 `Ctrl + S` 打开 Site Manager 界面。 + +点击 New Site 按钮添加一个新的站点/主机连接详细信息。 + +[ + ![在 FileZilla 中添加新 FTP 站点](http://www.tecmint.com/wp-content/uploads/2017/02/Add-New-FTP-Site-in-Filezilla.png) +][4] + +在 FileZilla 中添加新 FTP 站点 + +13. 下一步,像下面这样设置主机/站点名称、添加 IP 地址、定义使用的协议、加密和登录类型(使用你自己情况的值): + +``` +Host: 192.168.56.10 +Protocol: FTP – File Transfer Protocol +Encryption: Require explicit FTP over #recommended +Logon Type: Ask for password #recommended +User: username +``` +[ + ![在 Filezilla 中添加 FTP 服务器详细信息](http://www.tecmint.com/wp-content/uploads/2017/02/Add-FTP-Server-Details-in-Filezilla.png) +][5] + +在 Filezilla 中添加 FTP 服务器详细信息 + +14. 然后点击 Connect,再次输入密码,然后验证用于 SSL/TLS 连接的证书,再一次点击 `OK` 连接到 FTP 服务器: + +[ + ![验证 FTP SSL 证书](http://www.tecmint.com/wp-content/uploads/2017/02/Verify-FTP-SSL-Certificate.png) +][6] + +验证 FTP SSL 证书 + +到了这里,我们应该使用 TLS 连接成功地登录到了 FTP 服务器,在下面的界面中检查连接状态部分获取更多信息。 + +[ + ![通过 TLS/SSL 连接到 FTP 服务器](http://www.tecmint.com/wp-content/uploads/2017/02/connected-to-ftp-server-with-tls.png) +][7] + +通过 TLS/SSL 连接到 FTP 服务器 + +15. 
最后,在文件目录尝试 [从本地传输文件到 FTP 服务器][8],看 FileZilla 界面后面的部分查看文件传输相关的报告。 + +[ + ![使用 FTP 安全地传输文件](http://www.tecmint.com/wp-content/uploads/2017/02/Transfer-Files-Securely-Using-FTP.png) +][9] + +使用 FTP 安全地传输文件 + +就是这些。记住 FTP 默认是不安全的,除非我们像上面介绍的那样配置它使用 SSL/TLS 连接。在下面的评论框中和我们分享你关于这篇文章/主题的想法吧。 + +-------------------------------------------------------------------------------- + +作者简介: + +Aaron Kili 是一个 Linux 和 F.O.S.S 的爱好者,Linux 系统管理员,网络开发员,目前也是 TecMint 的内容创作者,他喜欢和电脑一起工作,并且坚信共享知识。 + +-------------------------------------------------------------------------------- + +via: http://www.tecmint.com/secure-vsftpd-using-ssl-tls-on-centos/ + +作者:[Aaron Kili][a] +译者:[ictlyh](https://github.com/ictlyh) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://www.tecmint.com/author/aaronkili/ + +[1]:http://www.tecmint.com/install-ftp-server-in-centos-7/ +[2]:http://www.tecmint.com/sudoers-configurations-for-setting-sudo-in-linux/ +[3]:http://www.tecmint.com/wp-content/uploads/2017/02/Verify-FTP-Secure-Connection.png +[4]:http://www.tecmint.com/wp-content/uploads/2017/02/Add-New-FTP-Site-in-Filezilla.png +[5]:http://www.tecmint.com/wp-content/uploads/2017/02/Add-FTP-Server-Details-in-Filezilla.png +[6]:http://www.tecmint.com/wp-content/uploads/2017/02/Verify-FTP-SSL-Certificate.png +[7]:http://www.tecmint.com/wp-content/uploads/2017/02/connected-to-ftp-server-with-tls.png +[8]:http://www.tecmint.com/sftp-command-examples/ +[9]:http://www.tecmint.com/wp-content/uploads/2017/02/Transfer-Files-Securely-Using-FTP.png
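Review bot: several sentences in the translated file (second hunk) blur or invert the security meaning of the source and should be corrected before merge. In step 4 the source typo "TSL" is carried over ("由于 TSL 比 SSL 更安全"); it should read "TLS". In step 7, "master secret" is rendered as "主机密码" (host password) and "control channel" as "控制频道"; the intended terms are "主密钥" and "控制连接", so the clause should read roughly "表明它们与控制连接拥有相同的主密钥". In the `ssl_ciphers` paragraph, "尝试使用在漏洞中发现的特定密码的攻击者" reverses the source ("force a particular cipher which they probably discovered vulnerabilities in"); suggest "试图强制使用其可能已发现漏洞的特定加密算法的攻击者", noting that "cipher" here is 加密算法/密码套件, not a password. Smaller points: step 3 "定义证书的有效日期" should be "有效天数"; step 8 lost the blank line the source has between "8. 现在,设置被动端口的端口范围(最小和最大端口)。" and the opening fence; step 11 "时尚、流行且重要的交叉平台" should be "现代、流行且更重要的是跨平台"; step 15 "看 FileZilla 界面后面的部分" should be "界面底部"; and the author bio drops "upcoming" ("即将成为 Linux 系统管理员").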