I am looking for a way to define a custom cipher suite for VSFTPD on an Ubuntu server.
I found that I can specify ciphers via HIGH/MEDIUM/LOW. However, that is not enough for me, because I need to configure the ciphers manually.
Is there a way to do this?
Answer 1
From the vsftpd.conf manual I can see
ssl_ciphers
This option can be used to select which SSL ciphers vsftpd will
allow for encrypted SSL connections. See the ciphers man page
for further details. Note that restricting ciphers can be a useful
security precaution as it prevents malicious remote parties
forcing a cipher which they have found problems with.
Default: DES-CBC3-SHA
Then, if I look at the ciphers manual (part of openssl), it gives all the cipher types that can be used. In fact, LOW/MEDIUM/HIGH are defined as follows
HIGH
"high" encryption cipher suites. This currently means those with key lengths larger than 128
bits, and some cipher suites with 128-bit keys.
MEDIUM
"medium" encryption cipher suites, currently some of those using 128 bit encryption.
LOW
"low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but
excluding export cipher suites.
So basically you can use any cipher string specified in the ciphers manual.
Answer 2
Recently I found that it is entirely possible to define custom ciphers; see the following example:
## Select which SSL ciphers `vsftpd` will allow for encrypted SSL connections (required by FileZilla).
ssl_ciphers=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
Also, this is not what the OP asked, but I feel I can share another security option.
Namely, enabling only TLSv1.2 and TLSv1.3. This can be achieved as follows:
## The following might look strange as
## it does not seem to allow any protocol;
## But it does allow TLSv1.2 + TLSv1.3.
# disallow SSLv2 protocol
ssl_sslv2=NO
# disallow SSLv3 protocol
ssl_sslv3=NO
# disallow TLSv1.0+TLSv1.1 protocols
ssl_tlsv1=NO
Finally, I recommend testing your configuration, for example with ImmuniWeb, where you can easily debug your configuration.
This is just an example:
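Added example (not part of either answer, and not vsftpd's own tooling): a small POSIX shell audit of the TLS-related keys in a vsftpd.conf, covering both answers at once. It reads `ssl_ciphers`, `ssl_sslv2`, `ssl_sslv3` and `ssl_tlsv1` from a config text, checks that the protocol block from Answer 2 is in place, flags cipher suites that lack forward secrecy or use deprecated primitives (the manual's default `DES-CBC3-SHA` is the obvious case), and, when `openssl` is installed, expands the cipher string with `openssl ciphers -v` so you can see what a class name like HIGH actually selects. The two config excerpts are constructed for the example; the flagging rules are this script's own heuristics, and taking the last assignment of a key is a choice made here, not a statement about vsftpd's parser.

```shell
#!/bin/sh
# Audit the TLS settings of a vsftpd.conf excerpt (illustrative script, not vsftpd code).

# Constructed excerpt mirroring the settings recommended in Answer 2.
GOOD_CONF='ssl_enable=YES
ssl_ciphers=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO'

# Constructed weaker excerpt: the manual's default suite plus TLSv1.0/1.1 still enabled.
WEAK_CONF='ssl_enable=YES
ssl_ciphers=DES-CBC3-SHA:AES128-SHA
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES'

# conf_get CONFIG KEY: print the value of KEY; this script lets the last assignment win.
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# protocols_ok CONFIG: succeed only if SSLv2, SSLv3 and TLSv1.0/1.1 are all switched off,
# which leaves TLSv1.2 and TLSv1.3 as described in Answer 2.
protocols_ok() {
    [ "$(conf_get "$1" ssl_sslv2)" = "NO" ] &&
    [ "$(conf_get "$1" ssl_sslv3)" = "NO" ] &&
    [ "$(conf_get "$1" ssl_tlsv1)" = "NO" ]
}

# weak_suites CONFIG: print "<suite> <reason>" for every suite in ssl_ciphers that uses a
# deprecated primitive or has no forward secrecy (no ECDHE/DHE key exchange). Heuristic only.
weak_suites() {
    conf_get "$1" ssl_ciphers | tr ':' '\n' | while IFS= read -r suite; do
        case "$suite" in
            *NULL*|*EXP*|*RC4*|*MD5*|*DES*|*ADH*|*AECDH*)
                printf '%s deprecated-primitive\n' "$suite" ;;
            ECDHE-*|DHE-*)
                ;;   # ephemeral key exchange present, nothing to flag
            *)
                printf '%s no-forward-secrecy\n' "$suite" ;;
        esac
    done
}

# show_expansion CONFIG: expand the ssl_ciphers string into concrete suites via openssl,
# so a class such as HIGH or MEDIUM can be inspected; skipped when openssl is absent.
show_expansion() {
    if command -v openssl >/dev/null 2>&1; then
        openssl ciphers -v "$(conf_get "$1" ssl_ciphers)"
    else
        echo "openssl not found; skipping cipher expansion" >&2
    fi
}

# audit_conf CONFIG: print a verdict per check and return 0 only when both pass.
audit_conf() {
    rc=0
    if protocols_ok "$1"; then
        echo "protocols: OK (only TLSv1.2/1.3 remain enabled)"
    else
        echo "protocols: FAIL (SSLv2/SSLv3/TLSv1.0-1.1 not all disabled)"
        rc=1
    fi
    flagged=$(weak_suites "$1")
    if [ -n "$flagged" ]; then
        echo "ciphers: FAIL"
        printf '%s\n' "$flagged" | sed 's/^/  /'
        rc=1
    else
        echo "ciphers: OK"
    fi
    return $rc
}

audit_conf "$GOOD_CONF"
audit_conf "$WEAK_CONF" || true
show_expansion "$GOOD_CONF" || true
```

Run it as `sh audit_vsftpd_tls.sh`; to audit a real file, replace the constructed text with `conf_get "$(cat /etc/vsftpd.conf)" ...`. Note that `openssl ciphers` on OpenSSL 1.1.1 and later also lists the TLSv1.3 suites in front of the expansion, which is expected: those are negotiated independently of `ssl_ciphers`.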