VSFTPD specific ciphers

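I am looking for a way to define a custom cipher suite for VSFTPD on an Ubuntu server.

I found that I can specify ciphers via HIGH/MEDIUM/LOW. However, this is not enough for me, as I need to configure the ciphers manually.

Is there a way to do this?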

Answer 1

From the vsftpd.conf manual I can see

ssl_ciphers
              This option can be used to select which SSL ciphers vsftpd  will
              allow  for  encrypted  SSL connections. See the ciphers man page
              for further details. Note that restricting ciphers can be a use‐
              ful  security precaution as it prevents malicious remote parties
              forcing a cipher which they have found problems with.

              Default: DES-CBC3-SHA

Then, if I look at the ciphers manual (part of openssl), it lists all the cipher types that can be used. In fact, LOW/MEDIUM/HIGH are defined as follows

HIGH
    "high" encryption cipher suites. This currently means those with key lengths larger than 128
           bits, and some cipher suites with 128-bit keys.

MEDIUM
    "medium" encryption cipher suites, currently some of those using 128 bit encryption.

LOW 
    "low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms but
           excluding export cipher suites.

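So basically you can use any cipher string specified in the ciphers manual.

Answer 2

Recently, I found that it is entirely possible to define custom ciphers; see the following example: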

## Select which SSL ciphers `vsftpd` will allow for encrypted SSL connections (required by FileZilla).
ssl_ciphers=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256

Also, it is not what the OP asked, but I feel I could share another security possibility.

Namely, enabling only TLSv1.2 and TLSv1.3. This can be achieved as follows:

## The following might look strange as
## it does not seem to allow any protocol;
## But it does allow TLSv1.2 + TLSv1.3.

# disallow SSLv2 protocol
ssl_sslv2=NO
# disallow SSLv3 protocol
ssl_sslv3=NO
# disallow TLSv1.0+TLSv1.1 protocols
ssl_tlsv1=NO

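Finally, I recommend testing your configuration, for example with ImmuniWeb, where you can easily debug your configuration.

This is just an example:

ImmuniWeb results example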
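
An added example (not part of either answer and not vsftpd project code): a small Python audit that checks a vsftpd.conf against the protocol and cipher settings shown in answer 2, and asks the local OpenSSL which suites a cipher string really selects. The weak-marker list, the function names and both sample configs are assumptions constructed for this example.

```python
import re
import ssl

# Substrings treated as weak in an ssl_ciphers entry: an assumption of this example.
WEAK_MARKERS = ("LOW", "MEDIUM", "EXP", "NULL", "RC4", "DES", "MD5")
PROTOCOL_OPTIONS = ("ssl_sslv2", "ssl_sslv3", "ssl_tlsv1")  # options set in answer 2
DEFAULT_CIPHERS = "DES-CBC3-SHA"  # default quoted from the vsftpd.conf manual above

def parse_conf(text):
    """Parse vsftpd.conf text: one option=value per line, # starts a comment line."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return findings for legacy protocols left on and weak cipher entries."""
    findings = []
    for opt in PROTOCOL_OPTIONS:
        if conf.get(opt, "").upper() != "NO":
            findings.append(f"{opt} is not explicitly NO")
    for item in re.split(r"[:, ]+", conf.get("ssl_ciphers", DEFAULT_CIPHERS)):
        # Entries prefixed with ! or - remove ciphers, so they are not a weakness.
        if item and item[0] not in "!-" and any(m in item.upper() for m in WEAK_MARKERS):
            findings.append(f"ssl_ciphers allows weak entry {item}")
    return findings

def expand(cipher_string):
    """Ask the local OpenSSL which TLSv1.2-and-below suites the string selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # nothing in the string is supported by this OpenSSL build
    # OpenSSL configures TLSv1.3 suites separately, so leave them out of the result.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

# Constructed sample input, not taken from a real server.
WEAK_CONF = "ssl_enable=YES\nssl_tlsv1=YES\nssl_ciphers=HIGH:MEDIUM:!aNULL\n"
HARDENED_CONF = ("ssl_enable=YES\nssl_sslv2=NO\nssl_sslv3=NO\nssl_tlsv1=NO\n"
                 "ssl_ciphers=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_conf(text)
        print(name, audit(conf), expand(conf.get("ssl_ciphers", DEFAULT_CIPHERS)))
```

The output of `expand` depends on the OpenSSL build Python is linked against, which may differ from the one vsftpd uses on the server.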
