Category: LINUX

2015-01-23 14:52:25

Configuring FTP over TLS with ProFTPD: a step-by-step record

First install proftpd. The TLS directives below belong to mod_tls, so the build must include that module (proftpd -l lists the compiled-in modules; an unknown directive makes proftpd refuse to start). Then locate proftpd.conf and add the following lines:

TLSEngine on
TLSRequired on
TLSRSACertificateFile      /usr/local/etc/proftpd.pem
TLSRSACertificateKeyFile   /usr/local/etc/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log

Next generate the certificate. Change to /usr/local/etc and run:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /usr/local/etc/proftpd.pem -out /usr/local/etc/proftpd.pem

This writes a self-signed certificate and its private key into one PEM file, which is why TLSRSACertificateFile and TLSRSACertificateKeyFile above both point at proftpd.pem. The original command used rsa:1024; a 1024-bit RSA key is below today's accepted minimum and is refused by some clients, so use 2048 bits or more. -nodes leaves the private key unencrypted so proftpd can start unattended, which means the file must stay readable by root only (chmod 600 /usr/local/etc/proftpd.pem; proftpd loads it with root privileges). Because the certificate is self-signed, clients cannot validate it against a CA and have to trust this exact certificate, so record its fingerprint now for comparison on the client side:

openssl x509 -in /usr/local/etc/proftpd.pem -noout -subject -dates -fingerprint -sha256

Then edit proftpd.conf again. The complete file is shown below; the notes that were written next to the changed lines are given as comment lines above them, because proftpd does not accept a comment on the same line as a directive:

# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "ProFTPD Default Installation"
ServerType                      standalone
DefaultServer                   on

# Port 21 is the standard FTP port.
# Changed listening port (see the note on port 990 at the end)
Port                            990

# Don't use IPv6 support by default.
UseIPv6                         off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
# (the unprivileged user and group proftpd runs as)
User                            ftp
Group                           users

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
# Root directory users land in after logging in
DefaultRoot                     /data/test

# Normally, we want files to be overwriteable.
AllowOverwrite                  on

# Enable TLS
TLSEngine                       on
# Every connection must use TLS (control and data channels)
TLSRequired                     on
# Certificate file
TLSRSACertificateFile           /usr/local/etc/proftpd.pem
# Certificate key file (the same PEM holds both the cert and the key)
TLSRSACertificateKeyFile        /usr/local/etc/proftpd.pem
TLSCipherSuite                  ALL:!ADH:!DES
TLSOptions                      NoCertRequest
TLSVerifyClient                 off
TLSRenegotiate                  ctrl 3600 data 512000 required off timeout 300
TLSLog                          /var/log/proftpd/tls.log

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire section.
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin                  welcome.msg
  DisplayChdir                  .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

# Deny login to every user other than ftp
<Limit LOGIN>
  DenyUser !ftp
</Limit>

# Port range used for passive-mode data connections
PassivePorts                    9900 9930

ExtendedLog /var/log/proftpd/access.log WRITE,READ default
ExtendedLog /var/log/proftpd/auth.log AUTH auth

Two settings in this file deserve a second look before the server is exposed. TLSCipherSuite ALL:!ADH:!DES still permits anonymous ECDH suites (!ADH only removes anonymous DH), triple DES (!DES only removes single DES), RC4, MD5 and export ciphers; a string such as HIGH:!aNULL:!MD5:!RC4:!3DES:!EXPORT is a safer starting point, and TLSProtocol should be set explicitly (for example TLSProtocol TLSv1.2 TLSv1.3 on a current mod_tls) rather than left to the version-dependent default. PassivePorts 9900 9930 is what the firewall has to open for the data channel in addition to port 990.
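The settings above are easy to get wrong in ways proftpd either rejects outright (a misspelt directive) or accepts silently (a permissive cipher string, port 990 without implicit TLS). The checker below is an added example written for this page, not code from the post or from the ProFTPD project; it parses a proftpd.conf offline and reports those problems. The two embedded configs are constructed: WEAK_CONF mirrors the settings listed above and deliberately includes the misspelt name TLSRSACertifieFile to show the spelling check, and HARDENED_CONF shows the same server with the findings addressed. The list of mod_tls directive names is assumed from the ProFTPD 1.3.x documentation and is not exhaustive.

```python
"""Offline hardening check for the mod_tls settings in a proftpd.conf.

Added example; not code from the original post or the ProFTPD project.
It reads the config the way proftpd does at the line level (one directive
per line, '#' lines are comments, <Section> lines open and close contexts)
and returns the findings a reviewer would raise.
"""
import re
from collections import defaultdict

# mod_tls directive names, lower-cased.  proftpd refuses to start on an
# unknown directive, so spelling is a real check.  Partial list, assumed
# from the ProFTPD 1.3.x documentation.
MOD_TLS_DIRECTIVES = {
    "tlsengine", "tlsrequired", "tlsprotocol", "tlsciphersuite", "tlsoptions",
    "tlsrsacertificatefile", "tlsrsacertificatekeyfile",
    "tlsdsacertificatefile", "tlsdsacertificatekeyfile",
    "tlseccertificatefile", "tlseccertificatekeyfile", "tlspkcs12file",
    "tlscacertificatefile", "tlscacertificatepath",
    "tlscarevocationfile", "tlscarevocationpath",
    "tlsverifyclient", "tlsverifydepth", "tlsverifyorder", "tlsverifyserver",
    "tlsrenegotiate", "tlslog", "tlsdhparamfile", "tlssessioncache",
    "tlstimeouthandshake", "tlspassphraseprovider", "tlsservercipherpreference",
}
CERT_DIRECTIVES = ("tlsrsacertificatefile", "tlseccertificatefile",
                   "tlsdsacertificatefile", "tlspkcs12file")


def parse_directives(text):
    """Return name -> [values] (names lower-cased, all contexts flattened)."""
    found = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue                                  # comment or <Section> tag
        parts = re.split(r"\s+", line, maxsplit=1)
        found[parts[0].lower()].append(parts[1] if len(parts) > 1 else "")
    return found


def check_proftpd_tls(text):
    """Return a list of (code, message) findings; an empty list is a pass."""
    d = parse_directives(text)
    first = lambda name: d[name][0] if d[name] else None
    findings = []

    for name in list(d):                              # misspelt TLS directives
        if name.startswith("tls") and name not in MOD_TLS_DIRECTIVES:
            findings.append(("TLS_DIRECTIVE_TYPO",
                             "unknown mod_tls directive %r; proftpd will not start" % name))

    if (first("tlsengine") or "off").lower() != "on":
        findings.append(("TLS_ENGINE_OFF", "TLSEngine is not on; TLS is disabled"))
    if (first("tlsrequired") or "off").lower() != "on":
        findings.append(("TLS_NOT_REQUIRED",
                         "TLSRequired is not on; clients may log in in cleartext"))
    if not any(d[n] for n in CERT_DIRECTIVES):
        findings.append(("TLS_CERT_MISSING", "no server certificate directive found"))
    if not d["tlsprotocol"]:
        findings.append(("TLS_PROTOCOL_UNSET",
                         "TLSProtocol not set; the default depends on the mod_tls "
                         "version, pin it (e.g. TLSProtocol TLSv1.2 TLSv1.3)"))

    cipher = first("tlsciphersuite")
    if cipher:
        # '!X' tokens are what the string explicitly removes.  '!ADH' keeps
        # anonymous ECDH and '!DES' keeps 3DES, so require the exclusions by name.
        excluded = {t[1:].lower() for t in cipher.split(":") if t.startswith("!")}
        missing = [n for n in ("aNULL", "MD5", "RC4", "3DES", "EXPORT")
                   if n.lower() not in excluded]
        if missing:
            findings.append(("CIPHERS_WEAK",
                             "TLSCipherSuite %r does not exclude %s; use e.g. "
                             "HIGH:!aNULL:!MD5:!RC4:!3DES:!EXPORT"
                             % (cipher, ", ".join(missing))))

    options = " ".join(d["tlsoptions"]).lower()
    if first("port") == "990" and "useimplicitssl" not in options:
        findings.append(("IMPLICIT_PORT_EXPLICIT_MODE",
                         "Port 990 is the implicit-FTPS port but TLSOptions lacks "
                         "UseImplicitSSL; clients must use explicit AUTH TLS on 990, "
                         "or use Port 21"))
    if not d["passiveports"]:
        findings.append(("NO_PASSIVE_PORTS",
                         "PassivePorts not set; the data channel cannot be firewalled"))
    return findings


# Constructed sample: the post's settings, keeping its misspelt directive.
WEAK_CONF = """\
ServerType  standalone
Port        990
TLSEngine   on
TLSRequired on
TLSRSACertifieFile       /usr/local/etc/proftpd.pem
TLSRSACertificateKeyFile /usr/local/etc/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions  NoCertRequest
TLSVerifyClient off
TLSLog      /var/log/proftpd/tls.log
<Limit LOGIN>
  DenyUser !ftp
</Limit>
PassivePorts 9900 9930
"""

# Constructed sample: the same server with the findings addressed.
HARDENED_CONF = """\
Port        21
TLSEngine   on
TLSRequired on
TLSProtocol TLSv1.2 TLSv1.3
TLSRSACertificateFile    /usr/local/etc/proftpd.pem
TLSRSACertificateKeyFile /usr/local/etc/proftpd.pem
TLSCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES:!EXPORT
TLSOptions  NoCertRequest
TLSVerifyClient off
TLSLog      /var/log/proftpd/tls.log
PassivePorts 9900 9930
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        results = check_proftpd_tls(conf)
        print("== %s: %d finding(s)" % (label, len(results)))
        for code, message in results:
            print("  [%s] %s" % (code, message))
```

Run it against the real file with `python3 check_tls.py` after pasting the config into WEAK_CONF, or import check_proftpd_tls and pass open("/usr/local/etc/proftpd.conf").read(). The cipher check is deliberately strict about explicit exclusions rather than trying to evaluate OpenSSL cipher-string semantics, which is the same reason the recommended string spells every exclusion out.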

Create a start-up script:

cd /sbin/init.d
vi proftpd

The script assumes proftpd was installed with prefix /usr/local/proftpd; if you used the /usr/local/etc layout from the steps above, point FTPD_CONF (and the certificate paths inside proftpd.conf) at the same files.

#!/bin/sh
# Control script for a proftpd installed under /usr/local/proftpd.
FTPD_BIN=/usr/local/proftpd/sbin/proftpd
FTPD_CONF=/usr/local/proftpd/etc/proftpd.conf
PIDFILE=/usr/local/proftpd/var/proftpd.pid

pid=""
if [ -f "$PIDFILE" ]; then
    pid=`cat "$PIDFILE"`
    # Ignore a stale pid file left behind by a crash or a reboot
    if [ -n "$pid" ] && ! kill -0 "$pid" 2>/dev/null; then
        pid=""
    fi
fi

if [ ! -x "$FTPD_BIN" ]; then
    echo "$0: $FTPD_BIN: cannot execute"
    exit 1
fi

case "$1" in
start)
    if [ -n "$pid" ]; then
        echo "$0: proftpd [PID $pid] already running"
        exit 0
    fi
    if [ -r "$FTPD_CONF" ]; then
        echo "Starting proftpd..."
        "$FTPD_BIN" -c "$FTPD_CONF"
    else
        echo "$0: cannot start proftpd -- $FTPD_CONF missing"
        exit 1
    fi
    ;;
stop)
    if [ -n "$pid" ]; then
        echo "Stopping proftpd..."
        kill -TERM "$pid"
    else
        echo "$0: proftpd not running"
        exit 1
    fi
    ;;
restart)
    # SIGHUP makes a standalone proftpd re-read its configuration and
    # reopen its logs; it does not replace the running binary.
    if [ -n "$pid" ]; then
        echo "Rehashing proftpd configuration"
        kill -HUP "$pid"
    else
        echo "$0: proftpd not running"
        exit 1
    fi
    ;;
*)
    echo "usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac

exit 0

After saving the file, make it executable and keep it owned by root: chmod 700 proftpd (it must be executable to be run as ./proftpd ...).

proftpd can now be started, stopped and restarted through the script:

./proftpd start|stop|restart

Note that restart only sends SIGHUP, which makes a standalone proftpd re-read proftpd.conf and reopen its logs; after replacing the binary, run stop and then start.

Finally, connect with an FTP client set to explicit FTP over TLS (AUTH TLS). Port 990 is by convention the implicit-FTPS port, but this configuration contains no TLSOptions UseImplicitSSL, so the server still expects a plaintext control connection followed by AUTH TLS; a client that assumes implicit TLS on port 990 will fail to connect. Either select explicit mode together with port 990 in the client, or move Port back to 21. The client will warn that the certificate is self-signed; accept it only after comparing the fingerprint it shows with the one printed by openssl x509 on the server.
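What "explicit FTP over TLS" means on the wire, as an added example that is not code from the post: the client opens a plaintext control connection, sends AUTH TLS, completes the TLS handshake, then logs in and sends PBSZ 0 and PROT P so that the data channel is encrypted as well, which is what TLSRequired on demands. Because the server certificate is self-signed, the client pins its SHA-256 fingerprint instead of relying on a CA; that fingerprint is the value printed by openssl x509 -fingerprint -sha256 on the server. Host, port, credentials and the pinned value in the block are placeholders.

```python
"""Explicit FTPS (AUTH TLS) client that pins the server's self-signed cert.

Added example, not from the original post.  Uses only the standard library.
"""
import ftplib
import hashlib
import hmac
import ssl


def build_tls_context():
    """TLS 1.2+ client context; peer identity is checked by the pin instead."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # self-signed cert without a usable name
    ctx.verify_mode = ssl.CERT_NONE     # CA validation replaced by pin_matches()
    return ctx


def sha256_fingerprint(der_cert):
    """Hex SHA-256 of a DER certificate, the value openssl -fingerprint prints."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, expected_fingerprint):
    """Constant-time compare; accepts openssl's colon-separated upper-case form."""
    expected = expected_fingerprint.replace(":", "").lower()
    return hmac.compare_digest(sha256_fingerprint(der_cert), expected)


def explicit_ftps_listing(host, port, user, password, expected_fingerprint):
    """Log in over explicit FTPS with a pinned certificate and return NLST."""
    ftp = ftplib.FTP_TLS(context=build_tls_context())
    ftp.connect(host, port, timeout=15)   # plaintext 220 banner, even on 990
    ftp.auth()                            # AUTH TLS: upgrade the control channel
    der = ftp.sock.getpeercert(binary_form=True)
    if not pin_matches(der, expected_fingerprint):
        ftp.close()                       # never send credentials to an unknown cert
        raise ssl.SSLCertVerificationError(
            "server certificate fingerprint %s does not match the pin"
            % sha256_fingerprint(der))
    ftp.login(user, password)             # USER/PASS now travel inside TLS
    ftp.prot_p()                          # PBSZ 0 + PROT P: encrypted data channel
    ftp.set_pasv(True)                    # client connects into PassivePorts 9900-9930
    names = ftp.nlst()
    ftp.quit()
    return names


if __name__ == "__main__":
    # Placeholders: replace with the server's address and the fingerprint printed
    # by: openssl x509 -in /usr/local/etc/proftpd.pem -noout -fingerprint -sha256
    PINNED = "00" * 32
    for name in explicit_ftps_listing("ftp.example.test", 990, "ftp", "", PINNED):
        print(name)
```

Pinning by fingerprint fails closed: a replaced or renewed certificate makes explicit_ftps_listing raise before any credential is sent, which is the behaviour you want from a client that cannot use a CA. When the certificate is renewed, update the pin from the new openssl x509 output.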
