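vsftp does not seem to encrypt file transfers by default? (Original question, now solved)
sftp over ssh (port 22) encrypts file transfers.
Does that mean sftp is more secure than vsftp? Can vsftp be encrypted?
Using SSL-encrypted transfer with vsftp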
-
- Posts: 98
- Registered: 2009-12-10 15:27
Using SSL-encrypted transfer with vsftp
Last edited by szfhx on 2011-11-10 15:36; edited 1 time in total.
- myhackerway
- Posts: 132
- Registered: 2008-12-23 22:31
Re: Doesn't vsftp have encrypted transfer, compared with sftp?
vsftpd can encrypt, but you have to configure it yourself!
sudo apt-get install girlfriend
正在读取软件包列表... 完成
正在分析软件包的依赖关系树... 完成
有一些软件包无法被安装。
下列的信息可能会对解决问题有所帮助:
下列的软件包有不能满足的依赖关系:
girlfiend: 依赖: hourse但是它将不会被安装
girlfiend: 依赖: car但是它将不会被安装
house,car: 依赖: money但是它将不会被安装
E: 无法安装的软件包
-
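- Posts: 169
- Registered: 2007-04-02 21:40
Re: Doesn't vsftp have encrypted transfer, compared with sftp?
Encryption can be used.
Code:
# Enable SSL
ssl_enable=YES
# Allow anonymous logins over SSL: choose NO
allow_anon_ssl=NO
# Force SSL for data transfers
force_local_data_ssl=YES
# Force SSL for logins
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
# This uses the default generated certificate; you can also generate your own and set it here instead. The default is usually fine.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem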
# Filezilla uses port 21 if you don't set any port
# in Servertype "FTPES - FTP over explicit TLS/SSL"
# Port 990 is the default used for FTPS protocol.
# Uncomment it if you want/have to use port 990.
#listen_port=990
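An offline check for the TLS options in a vsftpd.conf like the one posted above, as an added example that is not part of the original thread. The `POLICY` table, the `audit` function and both sample configurations are constructed for this example; the defaults listed are vsftpd's built-in ones.

```python
# Added example: offline audit of vsftpd.conf TLS options. POLICY is an
# assumption of this example, not a setting recommended in the thread.
POLICY = {                             # option -> value the audit expects
    "ssl_enable": "YES",
    "ssl_sslv2": "NO",                 # SSLv2 and SSLv3 are broken protocols
    "ssl_sslv3": "NO",
    "allow_anon_ssl": "NO",
    "force_local_logins_ssl": "YES",   # password never sent in clear
    "force_local_data_ssl": "YES",     # file contents never sent in clear
}
# vsftpd's built-in defaults, used when an option is absent from the file.
DEFAULTS = {"ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
            "allow_anon_ssl": "NO", "force_local_logins_ssl": "YES",
            "force_local_data_ssl": "YES"}
TRUE, FALSE = {"YES", "TRUE", "1"}, {"NO", "FALSE", "0"}

def audit(conf_text):
    """Return {option: finding} for every POLICY option that is off-policy."""
    opts = {}
    for line in conf_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue                   # blank line or comment
        key, _, value = line.partition("=")
        opts[key] = value              # value kept verbatim, no trimming
    findings = {}
    for key, want in POLICY.items():
        raw = opts.get(key, DEFAULTS[key])
        if raw.upper() not in TRUE | FALSE:
            # vsftpd does not accept spaces or notes after the value
            findings[key] = f"unparseable boolean {raw!r}"
            continue
        have = "YES" if raw.upper() in TRUE else "NO"
        if have != want:
            findings[key] = f"is {have}, expected {want}"
    return findings

# Constructed sample inputs (not copied from a real server).
WEAK = """ssl_enable=YES (enable SSL)
allow_anon_ssl=YES
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
"""
HARDENED = """ssl_enable=YES
ssl_tlsv1=YES
"""
if __name__ == "__main__":
    print(audit(WEAK))
```

The hardened sample passes because every option it omits falls back to a vsftpd default that already matches the policy.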
-
- Posts: 98
- Registered: 2009-12-10 15:27
Re: Using SSL-encrypted transfer with vsftp
First check whether OpenSSL is installed on your system (Ubuntu Server has it installed by default):
sudo apt-get install openssl
Next, we generate a certificate for vsftpd:
mkdir /etc/vsftpd
cd /etc/vsftpd/
openssl req -new -x509 -nodes -out vsftpd.pem -keyout vsftpd.pem
Generating a 1024 bit RSA private key
.........................
.............
writing new private key to 'vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:ShiChuan
Locality Name (eg, city) [Newbury]:ChenDu
Organization Name (eg, company) [My Company Ltd]:linuxer
Organizational Unit Name (eg, section) []:linuxer
Common Name (eg, your name or your server's hostname) []:www.linuxer.cn
Email Address []:icecard@hotmail.com
After filling in this information, the certificate file /etc/vsftpd/vsftpd.pem is created. Next, add the following two lines to the configuration file:
vim /etc/vsftpd.conf
ssl_enable=yes
rsa_cert_file=/etc/vsftpd/vsftpd.pem
Restart:
sudo /etc/init.d/vsftpd restart
-
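- Posts: 98
- Registered: 2009-12-10 15:27
Re: Using SSL-encrypted transfer with vsftp
Many FTP clients on Windows support SSL (IE does not), for example FlashFXP.
Open FlashFXP and press F4 to bring up the Site Manager. Enter the FTP target address and select the connection type: FTP using Explicit SSL (Auth SSL)
Log in and connect -- "Accept and save the certificate"
Then click the "Unblock" button in the Windows XP firewall pop-up on the client.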
-
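- Posts: 98
- Registered: 2009-12-10 15:27
Re: Using SSL-encrypted transfer with vsftp
If a firewall on the FTP server is blocking ports, the client's FTP connection mode should be set to active mode (PORT), because passive mode needs other, random ports.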
-
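- Posts: 104
- Registered: 2011-07-20 11:33
Re: Using SSL-encrypted transfer with vsftp
After enabling SSL~ I can log in from my phone over 3G and from the same network segment, but after going home and using my home computer, which sits behind a router with no special settings, I can't log in~ I don't know why~
If I turn SSL off, everything works normally. The client I use is FileZilla~
The configuration is as follows:
Code: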
# Turn on SSL
ssl_enable=YES
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=NO
force_anon_data_ssl=NO
# All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=YES
force_anon_logins_ssl=YES
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=YES
# permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=YES
# Disable SSL session reuse (required by WinSCP)
require_ssl_reuse=YES
# Select which SSL ciphers vsftpd will allow for encrypted SSL connections (required by FileZilla)
ssl_ciphers=HIGH
#require_cert=NO
#validate_cert=NO
#assl_request_cert=YES
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
# Filezilla uses port 21 if you don't set any port
# in Servertype "FTPES - FTP over explicit TLS/SSL"
# Port 990 is the default used for FTPS protocol.
# Uncomment it if you want/have to use port 990.
#listen_port=990
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
#rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_cert_file=/etc/vsftpd/vsftpd.pem
# This option specifies the location of the RSA key to use for SSL
# encrypted connections.
#rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#rsa_private_key_file=/etc/vsftpd/vsftpd.pem