vsftp-安全和虚拟账户
vsftp-安全和虚拟账户
vsftpd 默认以明文传输账号和数据,传输重要数据不安全,应采用 SSL/TLS 加密保证安全
1.安装ca
[root@~]# vim /etc/hosts
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
222.1.1.132 hotel.com
[root@~]# hostname
hotel.com
[root@~]# cat /etc/sysconfig/network
HOSTNAME=hotel.com
[root@~]# vim /etc/pki/tls/openssl-f
45 dir = /etc/pki/CA # Where everything is kept
88 countryName = optional
89 stateOrProvinceName = optional
90 organizationName = optional
[root@~]# cd /etc/pki/CA/
[root@CA]# openssl genrsa 1024 >private/cakey.pem
[root@CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
[root@CA]# chmod 600 private/*
[root@CA]# mkdir crl certs newcerts
[root@CA]# touch serial index.txt
[root@CA]# echo "09">serial
[root@Server]# rpm -ivh vsftpd--16.el5_4.1.i386.rpm
[root@Server]# mkdir -pv /etc/ftp/certs
mkdir: created directory `/etc/ftp'
mkdir: created directory `/etc/ftp/certs'
[root@Server]# cd /etc/ftp/certs
[root@certs]# openssl genrsa 1024 >vsftpd.key产生密钥
[root@certs]# openssl req -new -key vsftpd.key -out vsftpd.csr产生请求证书的文件
[root@certs]# openssl ca -in vsftpd.csr -out vsftpd.crt
Using configuration from /etc/pki/tls/openssl-f
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 9 (0x9)
Validity
Not Before: Oct 22 11:34:52 2011 GMT
Not After : Oct 21 11:34:52 2012 GMT
Subject:
countryName = cn
stateOrProvinceName = hn
organizationName = zzu
organizationalUnitName = hotel
commonName = hotel.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
74:9A:07:DB:7B:89:75:D0:90:66:71:04:91:72:42:68:F9:9F:0A:0A
X509v3 Authority Key Identifier:
keyid:B6:53:B5:C4:64:8E:7C:E2:DE:2A:8C:F9:8E:0D:1C:5C:7F:52:99:48
Certificate is to be certified until Oct 21 11:34:52 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
使用抓包工具验证明文 ftp 的安全性(可以直接看到控制连接中的账号和密码)
# yum list all |grep wireshark
wireshark.i386 -1.el5_3.1 rhel-server
wireshark-gnome.i386 -1.el5_3.1 rhel-server
# yum install wireshark* -y --有依赖的包
# useradd user1
# passwd user1
#service vsftpd start
#chkconfig vsftpd on
# cd /var/ftp/pub/
# touch test01
# touch test02
#tshark -ni eth0 -R "tcp.dstport eq 21"
67-1
采用 ssl 安全登录
[root@pub]# vim /etc/vsftpd/vsftpd.conf
--vsftpd 本身支持 SSL/TLS
--ssl_enable 默认是 NO
--注意:SSLv2/SSLv3 早已被废弃且存在已知弱点,新版本环境中应把 ssl_sslv2 和 ssl_sslv3 设为 NO,只保留 TLS
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/ftp/certs/vsftpd.crt
rsa_private_key_file=/etc/ftp/certs/vsftpd.key
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
[root@pub]# service vsftpd restart
[root@pub]# chmod 600 /etc/ftp/certs*
#service vsftpd restart
命令行 ftp 客户端不支持 ftps 登录,需要使用支持 ftps 的图形化 ftp 客户端工具登录,例如:
Flashfxp
[root@pub]# tail -f /var/log/secure
Oct 22 20:18:28 sshd[5584]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Oct 22 20:18:28 sshd[5588]: subsystem request for sftp
Oct 22 20:18:55 sshd[5584]: pam_unix(sshd:session): session closed for user user1
67-2
虚拟账号
在 linux 系统上并不存在、但能够访问 ftp 的账号
当虚拟用户登录到 ftp 服务器时,会映射为某个本地 linux 用户的身份来访问 ftp
1.创建虚拟账号的文件并转换成数据库文件
[root@pub]# cd /etc/ftp
[root@ftp]# cd /etc/vsftpd/
[root@vsftpd]# vim viruser.txt
zhangsan
123
lisi
123
需要安装光盘的数据库转换文件的工具
[root@vsftpd]# cd /mnt/cdrom/Server/
rpm -qlp db4-utils-4.3.29-10.el5.i386.rpm
--查看有没有db_load工具
[root@Server]# rpm -ivh db4-utils--10.el5.i386.rpm
#/lib/security/pam_userdb.so 模块存放的位置
# /lib/security/pam_userdb.so
Segmentation fault
# more /usr/share/doc/pam-0.99.6.2/txts/README.pam_userdb
查看模块的用法
[root@Server]# cd /etc/vsftpd/
--db_load 没有man手册
[root@vsftpd]# db_load -T -t hash -f viruser.txt viruser.db
[root@vsftpd]# vim /etc/vsftpd/vsftpd.conf
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/ftp/certs/vsftpd.crt
rsa_private_key_file=/etc/ftp/certs/vsftpd.key
pam_service_name=vsftpd.v
需要加入来宾账户
guest_enable=YES 打开 guest 账号,否则虚拟用户登录到 ftp 站点时会提示连接错误
guest_username=user1 设置虚拟账号映射到的本地用户账号;该账号必须是本地用户,可以是没有密码的账号
[root@pam.d]# cp vsftpd vsftpd.v
[root@pam.d]# vim vsftpd.v
#%PAM-1.0
--验证的规则的文件和模块
auth required pam_userdb.so db=/etc/vsftpd/viruser
--判断账号密码是否有效
account required pam_userdb.so db=/etc/vsftpd/viruser
[root@pam.d]# service vsftpd restart
ftp client 测试匿名用户登录
67-3
--登录有关的日志
[root@pam.d]# tail -f /var/log/secure
Oct 22 20:26:08 sshd[5678]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Oct 22 20:26:08 sshd[5680]: subsystem request for sftp
Oct 22 20:38:25 sshd[5678]: pam_unix(sshd:session): session closed for user user1
Oct 22 20:38:51 sshd[5756]: Accepted password for user1 from UNKNOWN port 2627 ssh2
Oct 22 20:38:51 sshd[5756]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Oct 22 21:11:00 vsftpd: pam_userdb(vsftpd.v:auth): user 'zhangsan' granted access
Oct 22 21:14:27 vsftpd: pam_userdb(vsftpd.v:auth): user 'lisi' granted access