
Ubuntu: Creating an SSL/TLS FTP Server with vsftpd and OpenSSL

I had wanted to set up an SSL/TLS FTP server for a long time but never found the time.
Recently I went through a lot of (domestic) material online and found that most of it did not work. The main problem was that after editing vsftpd.conf the FTP server would not start at all, reporting:

stop: Unknown instance:
vsftpd start/running. process xxxx

In the end I found a configuration that actually starts on a foreign site.

1. Creating the SSL certificate

To get a more secure communication channel we first have to create the certificate files.
The certificate created here is self-signed, so clients will show a warning when it is installed; just accept it (for internal use). For a company, use a certificate from a proper certificate authority instead; that is not covered here.

root@www:~# cd /etc/ssl/private
root@www:/etc/ssl/private# openssl genrsa -aes128 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
.....+++
e is 65537 (0x10001)
Enter pass phrase for server.key: # set a passphrase
Verifying - Enter pass phrase for server.key: # enter the passphrase again

# remove the passphrase from the key
root@www:/etc/ssl/private# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: # enter the passphrase
writing RSA key

root@www:/etc/ssl/private# openssl req -new -days 3650 -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN                                  # country
State or Province Name (full name) [Some-State]:beijing               # state or province
Locality Name (eg, city) []:beijing                                   # city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX        # company or organization name
Organizational Unit Name (eg, section) []:Server World                # department
Common Name (e.g. server FQDN or YOUR name) []:www.xxx.com            # FQDN
Email Address []:xx@xxx                                               # administrator's email
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

root@www:/etc/ssl/private# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=XXX/OU=Server World/CN=www.xxx.com/emailAddress=xx@xxx
Getting Private key

root@www:/etc/ssl/private# chmod 400 server.*

At this point we have created a simple certificate and private key.

2. Configuring vsftpd.conf

root@www:~# vim /etc/vsftpd.conf
# certificate file location
rsa_cert_file=/etc/ssl/private/server.crt
# private key file location
rsa_private_key_file=/etc/ssl/private/server.key
# append the following at the end of the file; vsftpd does not accept a
# comment after a value on the same line, so keep comments on their own lines
# enable SSL
ssl_enable=YES
# require SSL for data transfers of local users
force_local_data_ssl=YES
# require SSL for logins of local users
force_local_logins_ssl=YES

root@www:~# service vsftpd restart
vsftpd start/running, process 1406
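A small checker for the settings above, added here as an example and not part of the original post. It takes the text of a vsftpd.conf, splits it the way vsftpd does (a '#' comment is only a comment at the start of a line, so a trailing "# comment" becomes part of the value and a boolean option then fails with "bad bool value"), and reports any of the five options from this section that are missing or not set to exactly YES; the two sample configurations are constructed for the demonstration.

```python
"""Sanity-check a vsftpd.conf for the FTPS settings configured above."""

# Options the post adds. vsftpd accepts only YES/NO style booleans and does
# not strip a trailing "# comment" from a value, so a line such as
# "ssl_enable=YES # SSL on" makes it abort with "bad bool value".
REQUIRED_YES = ("ssl_enable", "force_local_data_ssl", "force_local_logins_ssl")
PATH_KEYS = ("rsa_cert_file", "rsa_private_key_file")


def parse_vsftpd_conf(text):
    """Split key=value lines; '#' comments are only valid on their own line."""
    settings, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line {lineno}: not key=value: {line!r}")
            continue
        if "#" in value:
            problems.append(f"line {lineno}: trailing comment after {key}= "
                            "becomes part of the value; move it to its own line")
        settings[key] = value
    return settings, problems


def check_ftps_config(text):
    """Return a list of problems; an empty list means TLS is enforced."""
    settings, problems = parse_vsftpd_conf(text)
    for key in REQUIRED_YES:
        value = settings.get(key)
        if value is None:
            problems.append(f"{key} missing: TLS is not enforced for local users")
        elif value.upper() != "YES":
            problems.append(f"{key}={value!r}: vsftpd needs exactly YES")
    for key in PATH_KEYS:
        if key not in settings:
            problems.append(f"{key} missing: vsftpd falls back to its built-in default")
    return problems


# Constructed sample: the post's block typed with inline comments (AS_POSTED)
# and the same block with the comments moved onto their own lines (FIXED).
AS_POSTED = """rsa_cert_file=/etc/ssl/private/server.crt
rsa_private_key_file=/etc/ssl/private/server.key
ssl_enable=YES # SSL on
force_local_data_ssl=YES # must use SSL
force_local_logins_ssl=YES
"""
FIXED = AS_POSTED.replace(" # SSL on", "\n# SSL on").replace(" # must use SSL", "\n# must use SSL")
```

Run `check_ftps_config(open("/etc/vsftpd.conf").read())` on a server to get the list of problems; an empty list means the three SSL options and both file paths are present and well-formed.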

That's it; the FTP server setup is complete.