ftps 설치 및 서버 구성(vsftpd : ftp+ssl)

ftps 설치 및 서버 구성(vsftpd : ftp+ssl)

vsftpd는 매우 안전한 FTP 데몬입니다.

SFTP와 FTPS의 차이점

출처-https://www.msp360.com/wp-content/uploads/2018/09/FTPS-vs.-SFTP-1.png

테스트 환경

$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

vsftpd 서버 및 클라이언트 패키지 설치

• vsftpd : Very Secure FTP Daemon
• ftp : Internet file transfer program

vsftpd 패키지 설치

yum install -y vsftpd ftp

vsftpd 버전 정보 확인

$ vsftpd -v
vsftpd: version 3.0.2

$ yum info ftp | grep Version
Version     : 0.17

vsftpd 서비스 시작

systemctl --now enable vsftpd

vsftpd 서비스 상태 확인

systemctl status vsftpd

$ systemctl status vsftpd 
● vsftpd.service - Vsftpd ftp daemon
   Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2023-01-06 15:09:35 KST; 5s ago
  Process: 1524 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
 Main PID: 1525 (vsftpd)
   CGroup: /system.slice/vsftpd.service
           └─1525 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

Jan 06 15:09:35 kube-node2 systemd[1]: Stopped Vsftpd ftp daemon.
Jan 06 15:09:35 kube-node2 systemd[1]: Starting Vsftpd ftp daemon...
Jan 06 15:09:35 kube-node2 systemd[1]: Started Vsftpd ftp daemon.

ftps(ftp+ssl) 서버 구성

vsftpd 데몬 위치 확인

$ which vsftpd
/sbin/vsftpd

(또는)

$ whereis vsftpd
vsftpd: /usr/sbin/vsftpd /etc/vsftpd /usr/share/man/man8/vsftpd.8.gz

vsftpd에서 사용하는 ssl 라이브러리 확인

ldd /sbin/vsftpd

$ ldd /sbin/vsftpd | grep ssl
        libssl.so.10 => /lib64/libssl.so.10 (0x00007fd858245000)

vsftpd(/etc/vsftpd) 디렉토리 파일 확인

$ ls -l /etc/vsftpd/*
-rw------- 1 root root  125 Jun 10  2021 /etc/vsftpd/ftpusers
-rw------- 1 root root  361 Jun 10  2021 /etc/vsftpd/user_list
-rw------- 1 root root 5116 Jun 10  2021 /etc/vsftpd/vsftpd.conf
-rwxr--r-- 1 root root  338 Jun 10  2021 /etc/vsftpd/vsftpd_conf_migrate.sh

SSL 디렉토리 생성 및 권한 변경

mkdir -p /etc/vsftpd/ssl

chmod 700 /etc/vsftpd/ssl

SSL 인증서 키 생성

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/ssl/vsftpd.pem -out /etc/vsftpd/ssl/vsftpd.pem

• Country Name (2 letter code) [XX]:KR
• State or Province Name (full name) []:Seoul
• Locality Name (eg, city) [Default City]:Gangseo-gu
• Organization Name (eg, company) [Default Company Ltd]:scbyun
• Organizational Unit Name (eg, section) []:infrateam
• Common Name (eg, your name or your server's hostname) []:scbyun.com
• Email Address []:admin@scbyun.com

$ openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/ssl/vsftpd.pem -out /etc/vsftpd/ssl/vsftpd.pem
Generating a 1024 bit RSA private key
............................................................++++++
.....++++++
writing new private key to '/etc/vsftpd/ssl/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:KR
State or Province Name (full name) []:Seoul
Locality Name (eg, city) [Default City]:Gangseo-gu
Organization Name (eg, company) [Default Company Ltd]:scbyun
Organizational Unit Name (eg, section) []:infrateam
Common Name (eg, your name or your server's hostname) []:scbyun.com
Email Address []:admin@scbyun.com

vsftpd.pem 파일 확인

$ ls -l /etc/vsftpd/ssl | grep pem
-rw-r--r-- 1 root root 1986 Jan  6 15:00 vsftpd.pem

openssl 명령어를 사용하여 SSL 인증서 확인

openssl x509 -in /etc/vsftpd/ssl/vsftpd.pem -noout -text

$ openssl x509 -in /etc/vsftpd/ssl/vsftpd.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ef:0b:dd:dc:13:4f:70:96
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=KR, ST=Seoul, L=Gangseo-gu, O=scbyun, OU=infrateam, CN=scbyun.com/emailAddress=admin@scbyun.com
        Validity
            Not Before: Jan  6 06:00:41 2023 GMT
            Not After : Jan  6 06:00:41 2024 GMT
        Subject: C=KR, ST=Seoul, L=Gangseo-gu, O=scbyun, OU=infrateam, CN=scbyun.com/emailAddress=admin@scbyun.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:cf:3d:cb:34:06:95:5d:f0:30:63:a7:f1:09:e4:
                    ae:06:e1:83:f4:39:7c:fa:48:8e:ed:cf:3b:aa:0b:
                    ef:37:d8:90:df:3e:4b:63:5f:42:84:d6:4c:c8:5a:
                    b7:18:81:97:a0:b1:d2:7c:70:bc:22:94:56:40:f6:
                    a1:3d:7e:63:d3:01:62:2c:3f:fe:f1:1e:e9:ef:fd:
                    c8:ec:8c:cd:12:a6:4f:48:c3:98:91:b5:38:3a:10:
                    24:0c:32:38:aa:eb:4c:85:3a:d4:b2:af:9c:fc:a4:
                    93:9b:10:68:6e:28:6c:62:ac:2a:be:e4:fa:fd:9f:
                    fb:8e:17:75:7b:f7:e8:ee:a7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                63:3A:26:02:FC:95:DC:64:56:27:D5:16:0D:9F:22:5E:18:72:31:A9
            X509v3 Authority Key Identifier: 
                keyid:63:3A:26:02:FC:95:DC:64:56:27:D5:16:0D:9F:22:5E:18:72:31:A9

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         b3:c6:af:9d:02:66:32:2e:cf:8a:29:64:fd:65:9c:9a:24:f0:
         2d:60:b7:5c:6c:0f:c6:7f:29:83:96:1a:97:82:0b:9a:ef:ab:
         f8:e0:34:4a:56:4e:1b:24:69:4f:84:18:6b:5e:7d:a1:9f:0f:
         cb:60:35:8f:ef:be:a0:c7:81:1a:ef:48:d3:b5:7b:60:8a:12:
         ef:c0:37:ce:63:02:bb:81:07:c5:68:49:e5:ea:a4:d8:7d:78:
         1e:22:93:4b:04:33:63:4a:9b:02:c4:79:24:29:1a:2b:3b:7f:
         37:fe:5b:0c:d4:62:e5:4e:62:6e:db:4e:21:4d:5a:85:96:54:
         87:6b

728x90

vsftpd.conf 기본 설정

$ cat /etc/vsftpd/vsftpd.conf | egrep -vi '^#|^$'
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

vsftpd.conf 설정 파일에 추가

vim /etc/vsftpd/vsftpd.conf

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
require_ssl_reuse=NO
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.pem

ftps을 적용한 vsftpd 설정 파일(최종)

egrep -vi '^#|^$' /etc/vsftpd/vsftpd.conf

$ egrep -vi '^#|^$' /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
ftpd_banner=Welcome to blah FTP service.
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
require_ssl_reuse=NO
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.pem

원도우 클라이언트

• FileZilla 프로그램 다운로드(https://filezilla-project.org/)

filezilla

filezilla

filezilla

 

참고URL

- vsftpd용 구성 파일 : http://vsftpd.beasts.org/vsftpd_conf.html