FTPS(FTP + SSL/TLS) 서버를 구성하는 방법(vsftpd)

FTPS(FTP + SSL/TLS) 서버를 구성하는 방법(vsftpd)

vsftpd(vsftpd Very Secure FTP Daemon)는 Linux 및 Unix 시스템에서 매우 안전한 FTP 서버를 구성하는 데 사용되는 소프트웨어입니다. 이를 사용하여 FTPS(FTP + SSL/TLS) 서버를 구성합니다.

테스트 환경

$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

• vsftpd 설치

yum install -y vsftpd

systemctl --now enable vsftpd

FTPS 서버 구성(FTP + SSL/TLS)

• ftps 포트 확인

cat /etc/services | grep ftps

$ cat /etc/services | grep ftps
ftps-data       989/tcp                 # ftp protocol, data, over TLS/SSL
ftps-data       989/udp                 # ftp protocol, data, over TLS/SSL
ftps            990/tcp                 # ftp protocol, control, over TLS/SSL
ftps            990/udp                 # ftp protocol, control, over TLS/SSL

• vsftpd990.conf 파일 설정

cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd990.conf

vim /etc/vsftpd/vsftpd990.conf

anonymous_enable=NO
local_enable=YES
write_enable=YES

local_umask=022

dirmessage_enable=YES

xferlog_enable=YES
vsftpd_log_file=/var/log/vsftpd/vsftpd.log
dual_log_enable=YES
xferlog_file=/var/log/vsftpd/xferlog.log
xferlog_std_format=YES
log_ftp_protocol=YES

connect_from_port_20=YES
xferlog_std_format=YES

listen=YES
listen_ipv6=NO
listen_port=990

pam_service_name=vsftpd

userlist_enable=YES
tcp_wrappers=YES

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH

rsa_cert_file=/etc/ssl/vsftpd_cert.pem
rsa_private_key_file=/etc/ssl/vsftpd_key.pem

728x90

 

• vsftpd990.service 파일 생성

cp /usr/lib/systemd/system/vsftpd.service /usr/lib/systemd/system/vsftpd990.service

vim /usr/lib/systemd/system/vsftpd990.service

[Unit]
Description=Vsftpd ftp daemon
After=network.target

[Service]
Type=forking
ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd990.conf

[Install]
WantedBy=multi-user.target

※ 자동으로 생성됨

$ ln -s /usr/lib/systemd/system/vsftpd990.service /etc/systemd/system/multi-user.target.wants/vsftpd990.service

• SSL/TLS 인증서 생성

openssl req -x509 -days 3650 -newkey rsa:2048 -nodes -keyout /etc/ssl/vsftpd_key.pem -out /etc/ssl/vsftpd_cert.pem

$ openssl req -x509 -days 3650 -newkey rsa:2048 -nodes -keyout /etc/ssl/vsftpd_key.pem -out /etc/ssl/vsftpd_cert.pem
Generating a 2048 bit RSA private key
...+++
.+++
writing new private key to '/etc/ssl/vsftpd_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:KR  
State or Province Name (full name) []:Seoul
Locality Name (eg, city) [Default City]:Jongno-gu
Organization Name (eg, company) [Default Company Ltd]:sangchul
Organizational Unit Name (eg, section) []:infra team
Common Name (eg, your name or your server's hostname) []:ftps.sangchul.kr
Email Address []:admin@sangchul.kr

• vsftpd 재시작

systemctl restart vsftpd990

systemctl status vsftpd990

$ systemctl status vsftpd990
● vsftpd990.service - Vsftpd ftp daemon
   Loaded: loaded (/usr/lib/systemd/system/vsftpd990.service; enabled; vendor preset: disabled)
   Active: active (running) since 화 2021-05-18 09:05:32 KST; 3min 28s ago
  Process: 9834 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd990.conf (code=exited, status=0/SUCCESS)
 Main PID: 9835 (vsftpd)
    Tasks: 3
   Memory: 1.1M
   CGroup: /system.slice/vsftpd990.service
           ├─9835 /usr/sbin/vsftpd /etc/vsftpd/vsftpd990.conf
           ├─9880 /usr/sbin/vsftpd /etc/vsftpd/vsftpd990.conf
           └─9882 /usr/sbin/vsftpd /etc/vsftpd/vsftpd990.conf

 

참고URL

- ftps 클라이언트 접속 방법 : https://scbyun.com/977

- ftps(ftp+ssl) 설치 및 서버 구성(vsftpd) : https://scbyun.com/436