Installing and configuring an FTPS server (vsftpd: FTP + SSL)
vsftpd is the "Very Secure FTP Daemon".
The difference between SFTP and FTPS
Test environment
$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
Installing the vsftpd server and client packages
- vsftpd: Very Secure FTP Daemon
- ftp: Internet file transfer program
Install the vsftpd package
yum install -y vsftpd ftp
Check the vsftpd version
$ vsftpd -v
vsftpd: version 3.0.2
$ yum info ftp | grep Version
Version : 0.17
Start the vsftpd service
systemctl --now enable vsftpd
Check the vsftpd service status
systemctl status vsftpd
$ systemctl status vsftpd
● vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2023-01-06 15:09:35 KST; 5s ago
Process: 1524 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
Main PID: 1525 (vsftpd)
CGroup: /system.slice/vsftpd.service
└─1525 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
Jan 06 15:09:35 kube-node2 systemd[1]: Stopped Vsftpd ftp daemon.
Jan 06 15:09:35 kube-node2 systemd[1]: Starting Vsftpd ftp daemon...
Jan 06 15:09:35 kube-node2 systemd[1]: Started Vsftpd ftp daemon.
Configuring the FTPS (FTP + SSL) server
Locate the vsftpd daemon
$ which vsftpd
/sbin/vsftpd
(or)
$ whereis vsftpd
vsftpd: /usr/sbin/vsftpd /etc/vsftpd /usr/share/man/man8/vsftpd.8.gz
Check which SSL library vsftpd links against
ldd /sbin/vsftpd
$ ldd /sbin/vsftpd | grep ssl
libssl.so.10 => /lib64/libssl.so.10 (0x00007fd858245000)
List the files in the vsftpd directory (/etc/vsftpd)
$ ls -l /etc/vsftpd/*
-rw------- 1 root root 125 Jun 10 2021 /etc/vsftpd/ftpusers
-rw------- 1 root root 361 Jun 10 2021 /etc/vsftpd/user_list
-rw------- 1 root root 5116 Jun 10 2021 /etc/vsftpd/vsftpd.conf
-rwxr--r-- 1 root root 338 Jun 10 2021 /etc/vsftpd/vsftpd_conf_migrate.sh
Create the SSL directory and restrict its permissions
mkdir -p /etc/vsftpd/ssl
chmod 700 /etc/vsftpd/ssl
Generate the SSL certificate and private key
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/ssl/vsftpd.pem -out /etc/vsftpd/ssl/vsftpd.pem
- Country Name (2 letter code) [XX]:KR
- State or Province Name (full name) []:Seoul
- Locality Name (eg, city) [Default City]:Gangseo-gu
- Organization Name (eg, company) [Default Company Ltd]:scbyun
- Organizational Unit Name (eg, section) []:infrateam
- Common Name (eg, your name or your server's hostname) []:scbyun.com
- Email Address []:admin@scbyun.com
$ openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/ssl/vsftpd.pem -out /etc/vsftpd/ssl/vsftpd.pem
Generating a 1024 bit RSA private key
............................................................++++++
.....++++++
writing new private key to '/etc/vsftpd/ssl/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:KR
State or Province Name (full name) []:Seoul
Locality Name (eg, city) [Default City]:Gangseo-gu
Organization Name (eg, company) [Default Company Ltd]:scbyun
Organizational Unit Name (eg, section) []:infrateam
Common Name (eg, your name or your server's hostname) []:scbyun.com
Email Address []:admin@scbyun.com
Check the vsftpd.pem file (it holds the private key as well as the certificate; the 700 mode on the directory is what keeps it readable by root only)
$ ls -l /etc/vsftpd/ssl | grep pem
-rw-r--r-- 1 root root 1986 Jan 6 15:00 vsftpd.pem
Inspect the SSL certificate with the openssl command
openssl x509 -in /etc/vsftpd/ssl/vsftpd.pem -noout -text
$ openssl x509 -in /etc/vsftpd/ssl/vsftpd.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ef:0b:dd:dc:13:4f:70:96
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=KR, ST=Seoul, L=Gangseo-gu, O=scbyun, OU=infrateam, CN=scbyun.com/emailAddress=admin@scbyun.com
Validity
Not Before: Jan 6 06:00:41 2023 GMT
Not After : Jan 6 06:00:41 2024 GMT
Subject: C=KR, ST=Seoul, L=Gangseo-gu, O=scbyun, OU=infrateam, CN=scbyun.com/emailAddress=admin@scbyun.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:cf:3d:cb:34:06:95:5d:f0:30:63:a7:f1:09:e4:
ae:06:e1:83:f4:39:7c:fa:48:8e:ed:cf:3b:aa:0b:
ef:37:d8:90:df:3e:4b:63:5f:42:84:d6:4c:c8:5a:
b7:18:81:97:a0:b1:d2:7c:70:bc:22:94:56:40:f6:
a1:3d:7e:63:d3:01:62:2c:3f:fe:f1:1e:e9:ef:fd:
c8:ec:8c:cd:12:a6:4f:48:c3:98:91:b5:38:3a:10:
24:0c:32:38:aa:eb:4c:85:3a:d4:b2:af:9c:fc:a4:
93:9b:10:68:6e:28:6c:62:ac:2a:be:e4:fa:fd:9f:
fb:8e:17:75:7b:f7:e8:ee:a7
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
63:3A:26:02:FC:95:DC:64:56:27:D5:16:0D:9F:22:5E:18:72:31:A9
X509v3 Authority Key Identifier:
keyid:63:3A:26:02:FC:95:DC:64:56:27:D5:16:0D:9F:22:5E:18:72:31:A9
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
b3:c6:af:9d:02:66:32:2e:cf:8a:29:64:fd:65:9c:9a:24:f0:
2d:60:b7:5c:6c:0f:c6:7f:29:83:96:1a:97:82:0b:9a:ef:ab:
f8:e0:34:4a:56:4e:1b:24:69:4f:84:18:6b:5e:7d:a1:9f:0f:
cb:60:35:8f:ef:be:a0:c7:81:1a:ef:48:d3:b5:7b:60:8a:12:
ef:c0:37:ce:63:02:bb:81:07:c5:68:49:e5:ea:a4:d8:7d:78:
1e:22:93:4b:04:33:63:4a:9b:02:c4:79:24:29:1a:2b:3b:7f:
37:fe:5b:0c:d4:62:e5:4e:62:6e:db:4e:21:4d:5a:85:96:54:
87:6b
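The dump above is worth reading rather than just scrolling past: the key is 1024-bit RSA (below the 2048-bit minimum current guidance sets for new keys), Issuer equals Subject (self-signed, so FileZilla will prompt the user to accept it), it carries CA:TRUE because that is what `openssl req -x509` emits by default, and it expires one year after creation. The following script is an added example, not part of the original post, that parses the text `openssl x509 -noout -text` prints and reports those points. The sample is the post's own certificate dump embedded as a string; the 2048-bit and 30-day thresholds are assumptions chosen for this example.

```python
"""Review the output of `openssl x509 -noout -text` for an FTPS server cert.

Added example (not from the original post). It parses the text dump that
openssl prints, so it runs offline with the standard library only.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the relevant lines of the post's certificate dump.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=KR, ST=Seoul, L=Gangseo-gu, O=scbyun, OU=infrateam, CN=scbyun.com/emailAddress=admin@scbyun.com
        Validity
            Not Before: Jan  6 06:00:41 2023 GMT
            Not After : Jan  6 06:00:41 2024 GMT
        Subject: C=KR, ST=Seoul, L=Gangseo-gu, O=scbyun, OU=infrateam, CN=scbyun.com/emailAddress=admin@scbyun.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
"""

MIN_RSA_BITS = 2048      # assumption: minimum size for a new RSA key
EXPIRY_WARN_DAYS = 30    # assumption: warn when less than this remains


def parse_x509_text(text):
    """Pull the fields this review needs out of the openssl text dump."""
    def field(label):
        m = re.search(r"^\s*%s\s*:\s*(.+?)\s*$" % re.escape(label), text, re.M)
        return m.group(1) if m else None

    def parse_time(s):
        # openssl prints e.g. 'Jan  6 06:00:41 2024 GMT'; collapse the padding first
        s = " ".join(s.split())
        return datetime.strptime(s, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

    bits = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    return {
        "issuer": field("Issuer"),
        "subject": field("Subject"),
        "not_before": parse_time(field("Not Before")),
        "not_after": parse_time(field("Not After")),
        "key_bits": int(bits.group(1)) if bits else None,
        "sig_alg": field("Signature Algorithm"),
        "is_ca": bool(re.search(r"^\s*CA:TRUE\s*$", text, re.M)),
    }


def review_cert(text, now=None):
    """Return a list of findings; an empty list means nothing to flag."""
    now = now or datetime.now(timezone.utc)
    c = parse_x509_text(text)
    findings = []
    if c["key_bits"] is not None and c["key_bits"] < MIN_RSA_BITS:
        findings.append("weak key: RSA %d bits (< %d)" % (c["key_bits"], MIN_RSA_BITS))
    if c["issuer"] == c["subject"]:
        findings.append("self-signed: clients cannot validate a chain and must pin or accept this cert")
    if c["is_ca"]:
        findings.append("CA:TRUE on a server certificate (openssl req -x509 default); a leaf cert does not need it")
    if c["sig_alg"] and ("sha1" in c["sig_alg"].lower() or "md5" in c["sig_alg"].lower()):
        findings.append("weak signature algorithm: " + c["sig_alg"])
    if now >= c["not_after"]:
        findings.append("expired on " + c["not_after"].isoformat())
    elif c["not_after"] - now < timedelta(days=EXPIRY_WARN_DAYS):
        findings.append("expires within %d days" % EXPIRY_WARN_DAYS)
    if now < c["not_before"]:
        findings.append("not yet valid")
    return findings


if __name__ == "__main__":
    # Evaluate the post's certificate on the day it was created.
    created = parse_x509_text(SAMPLE_X509_TEXT)["not_before"]
    for finding in review_cert(SAMPLE_X509_TEXT, now=created):
        print("-", finding)
```

To run it against a live file, feed it the output of `openssl x509 -in /etc/vsftpd/ssl/vsftpd.pem -noout -text` instead of the embedded sample; the review evaluated on the creation date reports the weak key, the self-signed issuer and the CA flag, and after the `Not After` date it also reports the expiry.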
Default vsftpd.conf settings
$ cat /etc/vsftpd/vsftpd.conf | egrep -vi '^#|^$'
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
Settings to add to vsftpd.conf
vim /etc/vsftpd/vsftpd.conf
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
require_ssl_reuse=NO
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.pem
vsftpd configuration file with FTPS applied (final). Besides the SSL lines, this final file also differs from the default shown earlier: anonymous_enable is now NO, listen is YES with listen_ipv6 removed, and xferlog_file and ftpd_banner have been added.
egrep -vi '^#|^$' /etc/vsftpd/vsftpd.conf
$ egrep -vi '^#|^$' /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
ftpd_banner=Welcome to blah FTP service.
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
require_ssl_reuse=NO
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.pem
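The value of the final file is in the combination of settings: ssl_enable turns TLS on, the two force_local_*_ssl options stop a client from logging in or transferring data in clear text, ssl_sslv2/ssl_sslv3 shut out the broken protocol versions, and anonymous_enable=NO removes the anonymous login the stock file allows. Two settings are kept for client compatibility and are worth knowing about: ssl_tlsv1=YES still accepts TLS 1.0, and require_ssl_reuse=NO lets a data connection open without proving it belongs to the authenticated control session. The script below is an added example, not part of the post and not vsftpd's own code, that parses the option=value format and checks a configuration against that rule set. It embeds the two configurations printed in the post as strings; the compiled-in defaults it falls back to for absent options are the ones documented in vsftpd.conf(5) (verify them against your version), and the rule set itself is this example's assumption.

```python
"""Audit a vsftpd.conf for the FTPS hardening settings discussed in the post.

Added example; not part of the original post and not vsftpd's own code.
It parses vsftpd's option=value format (comments and blank lines ignored)
and compares the effective value of each option, falling back to the
default documented in vsftpd.conf(5), against a small rule set.
"""

# Constructed samples: the two configurations printed in the post.
DEFAULT_CONF = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
"""

HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
ftpd_banner=Welcome to blah FTP service.
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
require_ssl_reuse=NO
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.pem
"""

# option -> (required value, vsftpd default per vsftpd.conf(5), why it matters)
REQUIRED = {
    "ssl_enable":             ("YES", "NO",  "without it every login and transfer is plain FTP"),
    "force_local_logins_ssl": ("YES", "YES", "otherwise a client may send the password in clear text"),
    "force_local_data_ssl":   ("YES", "YES", "otherwise file contents may cross the wire in clear text"),
    "ssl_sslv2":              ("NO",  "NO",  "SSLv2 is broken"),
    "ssl_sslv3":              ("NO",  "NO",  "SSLv3 is broken (POODLE)"),
    "anonymous_enable":       ("NO",  "YES", "the stock config allows anonymous logins"),
    "allow_anon_ssl":         ("NO",  "NO",  "no TLS sessions for anonymous users"),
}

# option -> (value that triggers a warning, vsftpd default, note)
WARN = {
    "ssl_tlsv1":         ("YES", "YES", "TLS 1.0 is still accepted; turn it off once clients support newer TLS"),
    "require_ssl_reuse": ("NO",  "YES", "data connections need not prove they belong to the control session; kept for client compatibility"),
    "chroot_local_user": ("NO",  "NO",  "local users are not confined to their home directory"),
}


def parse_vsftpd_conf(text):
    """Return {option: value}. vsftpd rejects spaces around '=', so none are stripped."""
    conf = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % line)
        key, value = line.split("=", 1)
        conf[key] = value
    return conf


def audit(text):
    """Return (fails, warns): dicts of option -> message."""
    conf = parse_vsftpd_conf(text)
    fails, warns = {}, {}
    for opt, (want, default, why) in REQUIRED.items():
        have = conf.get(opt, default)  # effective value, default if not set
        if have.upper() != want:
            fails[opt] = "%s=%s (want %s): %s" % (opt, have, want, why)
    for opt, (bad, default, note) in WARN.items():
        have = conf.get(opt, default)
        if have.upper() == bad:
            warns[opt] = "%s=%s: %s" % (opt, have, note)
    if "rsa_cert_file" not in conf:
        warns["rsa_cert_file"] = "rsa_cert_file not set; vsftpd uses its compiled-in default path"
    return fails, warns


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        fails, warns = audit(text)
        print("== %s: %d fail, %d warn" % (name, len(fails), len(warns)))
        for msg in list(fails.values()) + list(warns.values()):
            print("  ", msg)
```

Run against a real server with `audit(open("/etc/vsftpd/vsftpd.conf").read())`. The stock file fails on ssl_enable and anonymous_enable; the post's final file passes every required rule and leaves only the three compatibility warnings, which is a reasonable place to be once the certificate is in order.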
Windows client
- Download FileZilla (https://filezilla-project.org/)
Reference URL
- Configuration file options for vsftpd: http://vsftpd.beasts.org/vsftpd_conf.html