Configuring vsftpd on a Fedora server

rt 65341:65351 -j ACCEPT    allow 192.168.184.1 to reach the local PASV port range

[root@red-hat-5 ~]# iptables -P INPUT DROP    drop every inbound packet by default
[root@red-hat-5 ~]# service iptables save    save the iptables settings
将当前规则保存到 /etc/sysconfig/iptables: [确定]
[root@red-hat-5 ~]# service iptables status    check the iptables settings

表格:filter
Chain INPUT (policy DROP)
num  target               prot opt source         destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0      0.0.0.0/0
2    ACCEPT               tcp  --  192.168.184.1  0.0.0.0/0      tcp dpt:22
3    ACCEPT               tcp  --  192.168.184.1  0.0.0.0/0      tcp dpt:21
4    ACCEPT               tcp  --  192.168.184.1  0.0.0.0/0      tcp dpts:65341:65351

(4) Building a vsftpd that supports SSL-encrypted transfers

FTP transfers data in cleartext: anyone with a packet capture tool can read the account name and password straight out of the packets. To build a more secure FTP service, SSL can be combined with it. SSL (Secure Socket Layer) sits between the transport layer and the application. As an intermediate layer, an application only has to replace the standard socket API with the SSL socket API that SSL provides to become an SSL-enabled secure network program; during transfer, the SSL protocol then guarantees the confidentiality and integrity of the data. After SSL's large-scale success, the IETF standardized it under the name TLS (Transport Layer Security). Combining FTP with SSL encrypts the transferred data so that it cannot be read by a third party.

Below we use tcpdump, the packet capture tool that ships with Linux, to capture and analyse the traffic and pick out the FTP user's login password.

[root@red-hat-5 vsftpd]# tcpdump -i eth0 -A |more
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
……………………………….
20:40:26.208724 IP 192.168.184.1.54516 > 192.168.184.129.ftp: S 289306029:289306029(0) win 8192
20:40:26.210838 IP 192.168.184.129.ftp > 192.168.184.1.54516: S 1292926425:1292926425(0) ack 289306030 win 5840
20:40:26.212600 IP 192.168.184.1.54516 > 192.168.184.129.ftp: . ack 1 win 64240
20:40:26.229597 IP 192.168.184.129.ftp > 192.168.184.1.54516: P 42:48(6) ack 1 win 5840
E....2@.@...............M.~..>u.P.......220
20:40:26.251901 IP 192.168.184.1.54516 > 192.168.184.129.ftp: P 1:16(15) ack 48 win 64193
E..7m.@..................>u.M.~ P...#...USER uhome
20:40:26.251989 IP 192.168.184.129.ftp > 192.168.184.1.54516: . ack 16 win 5840
20:40:26.252116 IP 192.168.184.129.ftp > 192.168.184.1.54516: P 48:82(34) ack 16 win 5840
E..J.4@.@...............M.~ .>u.P...8...331 Please specify the password.
20:40:26.255680 IP 192.168.184.1.54516 > 192.168.184.129.ftp: P 16:31(15) ack 82 win 64159
E..7m.@..................>u.M.~+P....3..PASS 123456
20:40:31.301262 IP 192.168.184.129.ftp > 192.168.184.1.54516: P 82:105(23) ack 31 win 5840
E..?.6@.@...............M.~+.>u.P....H..230 Login successful.

The account name and password can be read directly from the packets we captured, which shows just how dangerous cleartext transfer is. For vsftpd to support SSL, OpenSSL must be version 0.9.6 or later, and the vsftpd build itself must have been compiled with SSL support. Check whether the vsftpd binary supports SSL:

[root@localhost vsftpd]# ldd /usr/sbin/vsftpd |grep libssl
libssl.so.6 => /lib/libssl.so.6 (0xf7f27000)
This line shows that the build supports SSL. If no output like "libssl.so.6 => /lib/libssl.so.6 (0xf7f27000)" appears, this vsftpd build does not support SSL.
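As an added example (not code from the original article), the following Python scanner reads tcpdump -A text like the capture above and reports which FTP control sessions sent a password in the clear, keeping only the username and never the password value, and noting sessions that asked for AUTH TLS instead. The capture lines it runs on are constructed to mirror the ones shown above; it assumes tcpdump's default header format and the FTP control channel on port 21.

```python
import re

# tcpdump header line: "HH:MM:SS.usec IP src.sport > dst.dport: ..."
HDR = re.compile(r'^\d\d:\d\d:\d\d\.\d+ IP (\S+)\.(\w+) > (\S+)\.(\w+):')
# FTP control verbs that matter for credential exposure, wherever they sit in the -A line
CMD = re.compile(r'\b(USER|PASS|AUTH)\s+(\S+)')
FTP_PORTS = {'ftp', '21'}          # tcpdump prints the service name when it resolves it

# Constructed sample modelled on the capture in the article (not a real trace)
SAMPLE = """\
20:40:26.251901 IP 192.168.184.1.54516 > 192.168.184.129.ftp: P 1:16(15) ack 48 win 64193
E..7m.@..................>u.M.~ P...#...USER uhome
20:40:26.252116 IP 192.168.184.129.ftp > 192.168.184.1.54516: P 48:82(34) ack 16 win 5840
E..J.4@.@...............M.~ .>u.P...8...331 Please specify the password.
20:40:26.255680 IP 192.168.184.1.54516 > 192.168.184.129.ftp: P 16:31(15) ack 82 win 64159
E..7m.@..................>u.M.~+P....3..PASS 123456
20:41:02.100000 IP 192.168.184.7.40001 > 192.168.184.129.ftp: P 1:11(10) ack 21 win 64240
E..7m.@..................>u.M.~ P...#...AUTH TLS
""".splitlines()

def scan_capture(lines):
    """Map (client, server) -> finding for every FTP control session in tcpdump -A text."""
    sessions, cur, to_server = {}, None, False
    for line in lines:
        m = HDR.match(line)
        if m:
            src, sport, dst, dport = m.groups()
            to_server = dport in FTP_PORTS  # client -> server packet?
            cur = (src, dst) if to_server else (dst, src) if sport in FTP_PORTS else None
            if cur:
                sessions.setdefault(cur, {'user': None, 'cleartext_password': False, 'auth_tls': False})
            continue                        # unrelated traffic leaves cur == None
        if cur is None or not to_server:
            continue                        # only client-sent lines can carry credentials
        c = CMD.search(line)
        if not c:
            continue
        verb, arg = c.groups()
        if verb == 'AUTH' and arg.upper() in ('TLS', 'SSL'):
            sessions[cur]['auth_tls'] = True    # client asked to upgrade the control channel
        elif verb == 'USER':
            sessions[cur]['user'] = arg
        elif verb == 'PASS':                    # readable in the dump means it went in the clear
            sessions[cur]['cleartext_password'] = True   # the value itself is deliberately dropped
    return sessions

def cleartext_logins(lines):
    """(client, server, user) for each session whose password crossed the wire unencrypted."""
    return [(c, s, f['user']) for (c, s), f in scan_capture(lines).items() if f['cleartext_password']]
```

Running `cleartext_logins(SAMPLE)` flags only the 192.168.184.1 session; the second client negotiated AUTH TLS and its later traffic is not readable, so nothing is reported for it.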

[root@red-hat-5 ~]# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem    generate the vsftpd.pem certificate
Generating a 1024 bit RSA private key
..++++++
....................................++++++
writing new private key to 'vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:shanghai
Locality Name (eg, city) [Newbury]:shanghai
Organization Name (eg, company) [My Company Ltd]:lenovo    fill in the fields as prompted
Organizational Unit Name (eg, section) []:lenovo
Common Name (eg, your name or your server's hostname) []:uhome
Email Address []:uhome@uhome.com

[root@localhost ~]# ll /etc/vsftpd/    ==> check whether the vsftpd.pem file was generated
-rw-r--r-- 1 root root  197 12-25 19:57 chroot_list
-rw------- 1 root root  125 2007-12-13 ftpusers
-rw------- 1 root root  361 2007-12-13 user_list
-rw------- 1 root root 4396 12-25 19:19 vsftpd.conf
-rwxr--r-- 1 root root  338 2007-12-13 vsftpd_conf_migrate.sh