Accidentally Went Abroad
Category:
2007-06-25 18:10:06
http://wiki.vpslink.com/index.php?title=Configuring_vsftpd_for_secure_connections_(TLS/SSL/SFTP)
Configuring vsftpd for secure connections (TLS/SSL/SFTP)
This article pertains specifically to vsftpd on CentOS. Except for the installation instructions it should be adaptable to other distributions as well.
Traditional FTP is rather insecure. When you log in, your username and password are transmitted in clear text, raising the possibility of your credentials being 'sniffed' by a malicious person. Fortunately there's an easy answer to this. You can quite easily configure your vsftpd server to use OpenSSL encryption, so that usernames and passwords, and even data files, are encrypted during transfer. It takes just a few simple steps:
vsftpd is the default FTP server supplied with CentOS. It should be installed by default (?). If it isn't, you can install it by one of these methods:
Using yum (if you've installed yum):
[root@vps] yum install vsftpd
Using rpm:
[root@vps] rpm -Uvh
If you install via rpm there may be dependencies to satisfy (other packages to install). (?)
You use OpenSSL to generate a certificate for vsftpd. The certificate is stored on your server, in a location of your choice. Here I choose to put it in the /etc/vsftpd directory. You also specify a 'lifetime' for the certificate; here it is set to one year ("-days 365").
Note that the backslashes only signify line breaks. You should be able to copy/paste & run it as it is, or remove the backslashes and the line breaks.
[root@vps] openssl req -x509 -nodes -days 365 -newkey rsa:1024 \
    -keyout /etc/vsftpd/vsftpd.pem \
    -out /etc/vsftpd/vsftpd.pem
You will be prompted with a series of questions, which you answer as they appear. When done, the certificate and its private key will both have been written to /etc/vsftpd/vsftpd.pem (the -keyout and -out options above point at the same file).
To configure vsftpd you edit the file /etc/vsftpd/vsftpd.conf and add the following lines:
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
Restart vsftpd for these settings to take effect:
[root@vps] /etc/rc.d/init.d/vsftpd restart
If you set "force_local_logins_ssl=YES" then your clients will be required to use an FTP client that supports AUTH TLS/SSL in order to connect. If you leave it at "NO" then people can connect either securely or insecurely, so a client that never negotiates TLS will still send its password in clear text.
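As an added example (not part of the original article), the POSIX sh script below audits a vsftpd.conf for the keys discussed above: it reports when ssl_enable is off, when force_local_logins_ssl or force_local_data_ssl still permit plaintext, and when SSLv2 or SSLv3 is switched on. For keys that are absent it assumes the defaults documented in vsftpd.conf(5); the function names (vsftpd_get, vsftpd_setting, vsftpd_audit) and the two sample configuration files it constructs are this example's own.

```shell
#!/bin/sh
# Added example, not from the vpslink article: audit the TLS-related keys in
# a vsftpd.conf. The first sample file reproduces the article's settings, the
# second is the stricter variant where encryption is mandatory.

# vsftpd_get KEY FILE: print the value of KEY, or nothing if it is unset.
# Only lines of the form KEY=VALUE match, so commented-out keys are ignored;
# if a key is repeated, this audit takes the last occurrence.
vsftpd_get() {
    _key=$1
    _file=$2
    sed -n "s/^${_key}=\(.*\)$/\1/p" "$_file" | tail -n 1
}

# vsftpd_setting KEY FILE DEFAULT: like vsftpd_get, but print DEFAULT when unset.
vsftpd_setting() {
    _v=$(vsftpd_get "$1" "$2")
    [ -n "$_v" ] && printf '%s\n' "$_v" || printf '%s\n' "$3"
}

# vsftpd_audit FILE: print one line per setting that leaves credentials or data
# in the clear. Exit status 0 means no findings, 1 means at least one.
# Defaults used for unset keys follow vsftpd.conf(5): ssl_enable=NO,
# force_local_logins_ssl=YES, force_local_data_ssl=YES, ssl_sslv2=NO, ssl_sslv3=NO.
vsftpd_audit() {
    _conf=$1
    _findings=0
    if [ "$(vsftpd_setting ssl_enable "$_conf" NO)" != YES ]; then
        echo "ssl_enable is not YES: every login and transfer is plaintext"
        return 1
    fi
    if [ "$(vsftpd_setting force_local_logins_ssl "$_conf" YES)" != YES ]; then
        echo "force_local_logins_ssl=NO: clients may still send passwords in the clear"
        _findings=$((_findings + 1))
    fi
    if [ "$(vsftpd_setting force_local_data_ssl "$_conf" YES)" != YES ]; then
        echo "force_local_data_ssl=NO: file contents may still be transferred unencrypted"
        _findings=$((_findings + 1))
    fi
    for _proto in ssl_sslv2 ssl_sslv3; do
        if [ "$(vsftpd_setting "$_proto" "$_conf" NO)" = YES ]; then
            echo "$_proto=YES: legacy SSL protocol version enabled"
            _findings=$((_findings + 1))
        fi
    done
    [ "$_findings" -eq 0 ]
}

# Constructed sample: the article's configuration as written.
ARTICLE_CONF=$(mktemp)
cat > "$ARTICLE_CONF" <<'EOF'
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
EOF

# Constructed sample: same settings, but TLS is required for logins and data.
STRICT_CONF=$(mktemp)
cat > "$STRICT_CONF" <<'EOF'
# encryption mandatory for local users
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
EOF

# Stand-alone run: report on both files.
for _f in "$ARTICLE_CONF" "$STRICT_CONF"; do
    echo "== $_f"
    vsftpd_audit "$_f" && echo "no weak settings found"
done
```

Run with `sh audit.sh` (or point vsftpd_audit at the real /etc/vsftpd/vsftpd.conf): the article's settings produce two findings, one for logins and one for data, while the strict variant is reported clean. Because the exit status carries the verdict, the function can be dropped into a deployment or configuration-management check as it is.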
There are several FTP programs available that support AUTH TLS / SSL / SFTP. I use CoreFTP (). There's an unrestricted free version available, as well as a paid 'pro' version with some extra features. With CoreFTP you can select to use AUTH TLS, AUTH SSL, or FTP over SSH. You can choose to encrypt just your login, or directory and file transfers as well. In my experience all these options work fine when connecting to a VPSLink server running vsftpd & SSH.
Another free client is . It is also available as a plug-in for , as well as a stand-alone client.
Excuse me, but in my humble opinion, WinSCP does not work with SSL, and vsftpd does not work with SFTP.
FireFTP (http://fireftp.mozdev.org/) is a Firefox extension that works swimmingly with vsftpd and SSL.
MOVEit Freely worked pretty well too (). I used MOVEit Freely, which is a command-line Windows client that can be scripted as well. The command line to use is "ftps -a -e:on -z ftp.somedomain.tld".
If you're using a Linux distribution other than CentOS you can still use vsftpd. How you install it will depend on your distro -- for package installers, check for a vsftpd package. If there isn't a package available you can always install from source. Check the vsftpd website at .
You must ensure that your vsftpd is compiled with support for libssl. To check whether an installed vsftpd has SSL support, run:
[root@vps] ldd /usr/sbin/vsftpd | grep libssl
libssl.so.4 => /lib/libssl.so.4 (0x4001e000)
If you don't see output similar to this from the 'ldd' command, then your vsftpd doesn't support SSL. You'll need to recompile it -- again, check the vsftpd website for documentation.