>> 1.0 << FTP and TCP port numbers
FTP uses different TCP port numbers depending on whether Port mode or Passive mode is in use. Before going into detail, let us briefly review some basic concepts of TCP port numbers. TCP uses port numbers to identify the sending and receiving applications; the port number lets TCP separate the byte streams and deliver the right bytes to the right application. TCP port numbers can be semi-permanent or temporary. A server listens on a semi-permanent port so that clients can reach it; a client uses a temporary port to identify one conversation. The client port exists only while the TCP service is in use, and the server port is only listening while the server is running.

TCP ports fall into three classes:
1. Well-known ports identify standard services running over TCP, including FTP, HTTP, TELNET, SMTP and so on; they range from 0 to 1023.
2. Registered ports identify applications that have been registered with IANA (Internet Assigned Numbers Authority); they range from 1024 to 49151.
3. Private ports are unregistered and can be assigned dynamically to any application; they range from 49152 to 65535.

The registered port range was originally intended only for registered applications, but in recent years the port space has been pushed to its limits, and you may see ports that should be reserved for registered applications being used as temporary ports by unregistered ones. RFC 1700 describes all this in detail; unfortunately that RFC has not been updated since 1994, but you can still get an up-to-date port list from IANA at http://www.iana.org/assignments/port-numbers

>> 2.0 << FTP Port mode and FTP Passive mode
When troubleshooting an FTP problem, one of the first questions to ask is whether Port mode or Passive mode is in use, because the two behave very differently and the problems they cause are different. In the past, clients defaulted to active (Port) mode; recently, because of the security issues of Port mode, many FTP client applications default to Passive mode.
>> 2.1 << FTP Port mode
The steps of a Port mode FTP session are as follows:
1. The client sends a TCP SYN (synchronization) packet to the server's FTP control port, 21; the client uses a temporary port as its source port.
2. The server sends a SYN ACK to the client; the source port is 21 and the destination port is the temporary port used by the client.
3. The client sends an ACK (acknowledgement) packet. The client uses this connection to send FTP commands and the server uses it to send FTP replies.
4. When the user requests a directory listing (LIST) or initiates a file send or receive, the client software sends the PORT command. This command contains a temporary port that the client wants the server to use when the server opens the data connection; it also contains an IP address, which is usually the client's own. FTP also supports a third-party mode, in which the client tells the server to open the data connection to a third host.
5. The server sends a SYN packet to the client's temporary port; the source port is 20 and the destination port is the temporary port the client gave in the PORT command.
6. The client sends a SYN ACK packet, with its temporary port as the source port and 20 as the destination port.
7. The server sends an ACK packet.
8. The host sending data transmits it over this connection in the form of TCP segments (note: a segment is the layer-4 PDU). Some commands indicate the direction: STOR means the client will send data, RETR means the server will send data. Each TCP segment must be acknowledged with an ACK by the other side (note: because TCP is a connection-oriented protocol).
9. When the data transfer is complete, the host that sent the data closes the data connection with a FIN. The other host acknowledges this FIN with an ACK and sends its own FIN, which the host that sent the data acknowledges with an ACK.
10. The client can send more commands on the control connection, which may open additional data connections. When the client is finished, it closes the control connection with a FIN; the server acknowledges the client's FIN and sends its own FIN, which the client acknowledges with an ACK.
The following figure illustrates the main steps of Port mode FTP:
/ ==================================================================== /
|   Client                                              Server
|
|   (TCP: 21 connection initialization, control port)
|                   SYN
|   Port XXXX ----------------------> Port 21
|                 SYN ACK
|   Port XXXX <---------------------- Port 21
|                   ACK
|   Port XXXX ----------------------> Port 21
|
|   (PORT operation: control)
|          PORT, IP, Port YYYY
|   Port XXXX ----------------------> Port 21
|            PORT successful
|   Port XXXX <---------------------- Port 21
|          LIST, RETR or STOR
|   Port XXXX ----------------------> Port 21
|
|   (TCP: 20 connection initialization, data port)
|                   SYN
|   Port YYYY <---------------------- Port 20
|                 SYN ACK
|   Port YYYY ----------------------> Port 20
|                   ACK
|   Port YYYY <---------------------- Port 20
|
|   (Data operation: data transport)
|                Data / ACK
|   Port YYYY <---------------------> Port 20
|       ...
/ ==================================================================== /
FTP Port mode causes many problems for network managers. First, the address and port number in the PORT command message are not displayed in a straightforward way. In addition, an application-layer protocol command should not contain network address information (note: an IP address), because this breaks the principle of protocol layering and may lead to interoperability and security problems.
The following figure shows the WildPackets EtherPeek protocol decode of a PORT command. The address parameters are followed by the port number; see PORT 192,168,10,232,6,127. In the 6,127 part, the first number is multiplied by 256 and the second number is added to it, which gives the port number; so the client has specified port 6 * 256 + 127 = 1663.
/ ==================================================================== /
| IP Header - Internet Protocol Datagram
|   Version:              4
|   Header Length:        5 (20 bytes)
|   ...
|   Time To Live:         128
|   Protocol:             6  TCP - Transmission Control Protocol
|   Header Checksum:      0xAA36
|   Source IP Address:    192.168.0.1  DEMO
|   Dest IP Address:      192.168.0.3  VI
|   No IP Options
|
| TCP - Transport Control Protocol
|   Source Port:          2342  Manage-Exec
|   Destination Port:     21  FTP
|   Sequence Number:      2435440100
|   Ack Number:           9822605
|   Offset:               5 (20 bytes)
|   Reserved:             %000000
|   Flags:                %011000
|     0. .... (No Urgent pointer)
|     .1 .... Ack
|     .. 1... Push
|     .. .0.. (No Reset)
|     .. ..0. (No SYN)
|     .. ...0 (No FIN)
|   Checksum:             0x832A
|   Urgent Pointer:       0
|
| FTP Control - File Transfer Protocol
|   Line 1:               PORT 192,168,0,1,9,39
/ ==================================================================== /
The next decode shows the TCP connection that the server opens from port 20 to port 1663:
/ ==================================================================== /
| TCP - Transport Control Protocol
|   Source Port:          20  FTP-DATA
|   Destination Port:     1663
|   Sequence Number:      2578824336
|   Ack Number:           0
|   Offset:               6 (24 bytes)
|   Reserved:             %000000
|   Flags:                %000010
|     0. .... (No Urgent pointer)
|     .0 .... (No Ack)
|     .. .0.. (No Reset)
|     .. ..1. SYN
|     .. ...0 (No FIN)
|   Checksum:             0x8A4C
|   Urgent Pointer:       0
|
| TCP Options
|   Option Type:          2  Maximum Segment Size
|   Length:               4
|
| FCS - Frame Check Sequence
|   FCS (Calculated):     0x5A1BD023
/ ==================================================================== /
When FTP is used, a firewall in the network must open the corresponding ports: it has to track the FTP conversation, inspect the PORT command, and take part in setting up the connection from the server to the port named in the PORT command. If NAT (note: Network Address Translation) is used in the network, the NAT gateway also has to handle the corresponding ports: it must translate the IP address given in the PORT command into the client's translated address and then recompute the TCP checksum. If the gateway does not do this correctly, FTP fails. Attackers may abuse FTP's third-party feature by setting the IP address and port parameters of the PORT command to the address and port of a target host (this is sometimes called the FTP bounce attack). For example, an attacker can make an FTP server keep connecting from its source port 20 to a series of destination ports on a target, so that the FTP server appears to be port-scanning the target; the target host does not know that the traffic originates from the attacker, and it looks as if the FTP server is attacking it. Some commonly used FTP applications set the address in the PORT command to 0.0.0.0, with the intention that the FTP server should only make a data connection to the same client that opened the control connection, but an address of 0.0.0.0 may leave a firewall not knowing what to do with it.
For example, Cisco PIX IOS 6.0 and later (note: the Cisco hardware firewall device; version 6.0 and later fix up the FTP protocol) require that the IP address of the data connection be the same as the IP address of the existing control connection. The reason is to prevent attackers from using PORT commands to attack other machines. Although FTP applications that set the IP address to 0.0.0.0 are not deliberately attacking anything, they do run into problems with the PIX's protocol fix-up, and any other firewall that refuses third-party mode in order to avoid the FTP bounce attack will cause the same problem.

>> 2.2 << FTP Passive mode
The following list describes the steps of a Passive mode FTP session. Steps 1 through 3 are the same as in Port mode FTP, and steps 9 to 11 are the same as the last three steps of Port mode FTP.
1. The client sends a TCP SYN (synchronization) packet to the server's FTP control port, 21; the client uses a temporary port as its source port.
2. The server sends a SYN ACK (synchronization acknowledgement) packet to the client; the source port is 21 and the destination port is the temporary port used by the client.
3. The client sends an ACK (acknowledgement) packet. The client uses this connection to send FTP commands and the server uses it to send FTP replies.
4. When the user requests a directory listing (LIST) or a file send or receive, the client software sends the PASV command to the server, indicating that the client wants to enter Passive mode.
5. The server replies with its IP address and a temporary port; this temporary port is the one the client should use when it opens the data connection.
6. The client sends a SYN packet; the source port is a temporary port chosen by the client and the destination port is the temporary port given in the PASV reply.
7. The server sends a SYN ACK packet to the client; the destination port is the client's chosen temporary port and the source port is the temporary port given in the PASV reply.
8. The client sends an ACK packet.
9. The host sending data transmits it over this connection in the form of TCP segments (note: a segment is the layer-4 PDU). Some commands indicate the direction: STOR means the client will send data, RETR means the server will send data. Each TCP segment must be acknowledged with an ACK.
10. When the data transfer is complete, the host that sent the data closes the data connection with a FIN. The other host acknowledges this FIN with an ACK and sends its own FIN, which the host that sent the data acknowledges with an ACK.
11. The client can send more commands on the control connection, which may open additional data connections. When the client is finished, it closes the control connection with a FIN; the server acknowledges the client's FIN and sends its own FIN, which the client acknowledges with an ACK.
The following figure illustrates the main steps of Passive mode FTP:
/ ==================================================================== /
|   Client                                              Server
|
|   (TCP: 21 connection initialization, control port)
|                   SYN
|   Port XXXX ----------------------> Port 21
|                 SYN ACK
|   Port XXXX <---------------------- Port 21
|                   ACK
|   Port XXXX ----------------------> Port 21
|
|   (PASV operation: passive data connection initialization)
|                  PASV
|   Port XXXX ----------------------> Port 21
|          PASV OK, IP, Port YYYY
|   Port XXXX <---------------------- Port 21
|                   SYN
|   Port ZZZZ ----------------------> Port YYYY
|                 SYN ACK
|   Port ZZZZ <---------------------- Port YYYY
|                   ACK
|   Port ZZZZ ----------------------> Port YYYY
|
|   (Data operation: data transport)
|          LIST, RETR or STOR
|   Port XXXX ----------------------> Port 21
|                Data / ACK
|   Port ZZZZ <---------------------> Port YYYY
|       ...
/ ==================================================================== /
A PASV request asks the server to accept the data connection on a new port chosen by the server. The PASV command takes no parameters. The server's reply is a single line giving the server's IP address and the TCP port number on which the server will accept the connection.
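The PORT and PASV encodings described above (h1,h2,h3,h4,p1,p2 with port = p1 * 256 + p2) and the address check a firewall can apply to them, as an added example that is not code from the original article. The values used for testing are the ones from the article's captures; treating 0.0.0.0 as "same host as the control connection" and refusing well-known ports as data ports are assumptions of this example, not rules stated in the text.

```python
"""Decode and sanity-check FTP PORT commands and PASV replies.

Added example, not code from the original article. It implements the
h1,h2,h3,h4,p1,p2 encoding the article describes (port = p1 * 256 + p2)
and the check the article attributes to Cisco PIX 6.0 and later: the
address announced for the data connection must match the address of the
peer on the control connection. Treating 0.0.0.0 as "same host as the
control connection" and rejecting well-known ports (0-1023) as data ports
are assumptions made here, not rules taken from the article.
"""
import re

# Six decimal fields, commas optionally surrounded by whitespace (the
# article's captures show both "192,168,0,1,9,39" and "192, 168, 21, 3, 5, 122").
_SIX = r"(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)"
_PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\b.*?\(\s*" + _SIX + r"\s*\)")


def decode_hostport(fields):
    """Turn six decimal fields into ("a.b.c.d", port); each field is one byte."""
    octets = [int(f) for f in fields]
    if any(o > 255 for o in octets):
        raise ValueError("field out of range 0-255: %r" % (fields,))
    h1, h2, h3, h4, p1, p2 = octets
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_port_command(line):
    """Decode a client PORT command, e.g. 'PORT 192,168,10,232,6,127'."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return decode_hostport(m.groups())


def parse_pasv_reply(line):
    """Decode a server 227 reply, e.g. '227 Entering Passive Mode (192,168,0,1,20,245)'."""
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    return decode_hostport(m.groups())


def encode_hostport(ip, port):
    """Inverse operation: produce the h1,h2,h3,h4,p1,p2 argument string."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def check_data_endpoint(announced_ip, announced_port, control_peer_ip):
    """Return the reasons a firewall or ALG would refuse this data endpoint.

    An empty list means the endpoint is consistent with the control connection.
    """
    problems = []
    if announced_ip == "0.0.0.0":
        # Assumption: some clients send 0.0.0.0 to mean "my own address";
        # resolve it to the control-connection peer instead of rejecting it.
        announced_ip = control_peer_ip
    if announced_ip != control_peer_ip:
        problems.append("address %s differs from control peer %s "
                        "(third-party transfer / bounce attempt)"
                        % (announced_ip, control_peer_ip))
    if announced_port < 1024:
        # Assumption: a data port should be a temporary port, never a well-known one.
        problems.append("port %d is a well-known port, not a temporary port"
                        % announced_port)
    return problems


if __name__ == "__main__":
    # Values taken from the article's captures.
    print(parse_port_command("PORT 192,168,10,232,6,127"))                   # ('192.168.10.232', 1663)
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,0,1,20,245)"))  # ('192.168.0.1', 5365)
    print(check_data_endpoint("10.0.0.5", 25, "192.168.10.232"))
```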
The following figure shows the server's response to the PASV command. The server tells the client that it is listening on port 5365 (192,168,179,100,20,245); the port is calculated as 20 * 256 + 245 = 5365.
/ ==================================================================== /
| TCP - Transport Control Protocol
|   Source Port:          21  FTP
|   Destination Port:     1249
|   Sequence Number:      4239887193
|   Ack Number:           36925357
|   Offset:               5 (20 bytes)
|   Reserved:             %000000
|   Flags:                %011000
|     0. .... (No Urgent pointer)
|     .1 .... Ack
|     .. 1... Push
|     .. .0.. (No Reset)
|     .. ..0. (No SYN)
|   Checksum:             0x3EAB
|   Urgent Pointer:       0
|
| FTP Control - File Transfer Protocol
|   Line 1:               PASV 192,168,0,1,100,20,245
/ ==================================================================== /
The next decode shows the client opening the data connection to the port named in the PASV reply:
/ ==================================================================== /
| TCP - Transport Control Protocol
|   Source Port:          1250
|   Destination Port:     5365
|   Sequence Number:      36931503
|   Ack Number:           0
|   Offset:               7 (28 bytes)
|   Reserved:             %000000
|   Flags:                %000010
|     0. .... (No Urgent pointer)
|     .0 .... (No Ack)
|     .. 0... (No Push)
|     .. .0.. (No Reset)
|     .. ..1. SYN
|     .. ...0 (No FIN)
|   Checksum:             0x1A57
|   Urgent Pointer:       0
|
| TCP Options
|   Option Type:          2  Maximum Segment Size
|   Length:               4
|   MSS:                  1460
|
| FCS - Frame Check Sequence
|   FCS (Calculated):     0x5A1BD023
/ ==================================================================== /
Most people think Passive mode causes fewer problems than Port mode in a firewalled network, but note that in Passive mode the client opens a connection to a temporary destination port, which some firewalls or Cisco access lists (ACLs) may block; likewise the server's reply travels from a temporary port to a temporary port, and a firewall or Cisco access list may block that as well. On a Cisco router the access-list keyword "established" avoids the second problem: "established" tells the router to pass packets that have the ACK bit set, and the server's SYN ACK packet has the ACK bit set. Newer PIX IOS versions can also perform deep stateful inspection of the FTP protocol through the fixup keyword, and most other stateful inspection firewalls, such as Linux Netfilter, also support stateful inspection of FTP with accurate filtering of the dynamic PASV ports.

>> 2.3 << FTP transmits the username and password in clear text
Another notorious weakness of FTP is that it sends the username and password in clear text, without encryption. Anyone who places a protocol analyzer in a suitable position can see the username and password. The data FTP transfers is sent in clear text too, so by monitoring and collecting an FTP connection the transferred data can be captured and reassembled, and the protocol session can be replayed. In fact, many users use the same username and password across different applications, which makes the problem even worse: if an attacker collects an FTP password, they may also obtain the password to your online accounts or other secret data.
Below is an FTP login captured with tcpdump, a well-known network protocol analysis program; in the ASCII column of the capture the server banner, the USER command with the login name and the server's welcome reply can all be read directly.
etc. But in most cases, the versatility and ease of use of FTP mean that it will not be replaced for a long time. So, as with other long-established services (such as SMTP/HTTP), protocol extensions have appeared that do not require changing the FTP protocol itself and that achieve full compatibility along with functional extension. The FTP SSL/TLS extension is one of these.
FTP security extensions: http://www.ietf.org/rfc/rfc2228.txt http://www.ietf.org/rfc/rfc2246.txt
FTP security extension, SSL interface draft: http://www.ietf.org/internet-drafts/draft-murray-auth-ftp-ssl-13.txt

>> 3.1 << SSL/TLS introduction
Let us first talk about the SSL/TLS protocol. SSL (Secure Socket Layer) was originally designed by Netscape as an encrypted secure transport protocol for HTTP. SSL works between the transport layer (TCP) and the application layer. As an intermediate layer, it provides the application with a set of socket functions that replace the standard socket functions; as long as the application swaps in the SSL sockets, it becomes an SSL-based secure network program, and the SSL protocol guarantees the confidentiality and integrity of the data in transit. The current version of SSL is 3.0. After SSL proved successful, the IETF (www.ietf.org) standardized it as RFC 2246 under the name TLS (Transport Layer Security). From a technical point of view there are differences between TLS 1.0 and SSL 3.0; SSL is used more than TLS in commercial applications for historical reasons. TLS protocol, RFC 2246: http://www.ietf.org/rfc/rfc2246.txt

>> 3.2 << Data confidentiality and integrity
We have repeatedly mentioned the two aspects of data confidentiality and integrity, so a brief explanation is in order. Data confidentiality ensures that information is kept secret and is not accessed or viewed by anyone without permission.
The basic means of protecting confidentiality is data encryption. Data integrity means that data is guaranteed to remain unique and complete during transmission and storage and is not maliciously modified; the basic means of ensuring integrity is the digital signature. Two kinds of algorithm from the field of data encryption are involved here: encryption algorithms and hash algorithms. Encryption algorithms can be divided, by their mathematical principle, into symmetric and asymmetric encryption, and by the way they process data, into stream ciphers and block ciphers. This article does not go into them further; only a few commonly used encryption algorithms are listed: DES, 3DES, AES, Blowfish, RC2-RC6 and so on. A digital signature algorithm is another kind of encryption, namely a data hash algorithm, used to generate a unique fixed-length signature string for a piece of data. The original data may be of arbitrary length, and two inputs that differ in even a small amount of data produce very different signature strings; in the general sense this string is considered to be free of collisions (repetitions), so a data hash algorithm is a necessary means of ensuring the uniqueness of data. Common digital hash algorithms include MD5, SHA-1, CAST-256 and the like. As can be seen, handling so many kinds of algorithm is very cumbersome; SSL provides an automated process of algorithm negotiation, key exchange and data encryption at this level.
The SSL protocol is divided into two parts, the Handshake Protocol and the Record Protocol. The Handshake part handles algorithm negotiation and key exchange between the communicating parties, and the Record part encrypts the data.
The basic SSL communication process is as follows:
/ ==================================================================== /
|   Client                                              Server
|
|   (TCP three-way handshake)            (SSL socket connection)
|   .                                     .
|   .                                     sslsocket()
|   .                                     bind()
|   sslsocket() -------------------->     listen()
|   connect()   <--------------------     accept()
|
|   (connection: cipher suite negotiation)
|   ClientHello ------------------->
|
|   (server: algorithm confirmation and certificate delivery)
|                                         ServerHello
|                                         Certificate*
|                                         ServerKeyExchange*
|                                         CertificateRequest*
|               <-------------------      ServerHelloDone
|
|   (client: certificate verification and key exchange)
|   Certificate*
|   ClientKeyExchange
|   CertificateVerify*
|   [ChangeCipherSpec]
|   Finished    ------------------->
|
|   (data encryption algorithm negotiation)
|                                         [ChangeCipherSpec]
|               <-------------------      Finished
|
|   Application Data <-------------->     Application Data
|   ...
/ ==================================================================== /
The SSL socket communication process is as follows:
1. Both the client and the server replace the BSD socket function family with the SSL socket function family.
2. The client connects to the server application over TCP.
3. The client sends a "security suite" containing the encryption and signature algorithms offered for negotiation.
4. The server responds to the connection with the algorithm suite to be used in this communication, together with the server certificate.
5. After receiving the certificate, the client uses the negotiated algorithm to encrypt a random sequence with the server's public key contained in the server certificate and sends it back to the server as a challenge.
6. The server receives the ciphertext and decrypts it with its own private key; if this succeeds, the SA (security association) negotiation is complete and communication can begin.
7. Optional: the client verification process continues; the client sends a client certificate and the server performs client-side verification.
8. Optional: negotiation of the encryption algorithm for the data transfer.
9. Negotiation is complete and the encrypted data transfer begins.
As can be seen, the SSL socket communication process adds a security-suite exchange and negotiation on top of an ordinary connection. This process is completed by SSL; from the application's point of view, apart from using the SSL socket, everything else is transparent. Steps 3 to 6 of the SSL communication process are mandatory; they cover server-side verification and encryption algorithm negotiation and resemble the three-way handshake of TCP. This process cleverly achieves key exchange and algorithm negotiation by encrypting the key with the public key and decrypting it with the private key of the public-key algorithm; since the decryption key never has to be transmitted over the network, this gives confidentiality to the data communication process and, at the same time, to the application protocol carried inside it. The client certificate verification in step 7 is implemented as an optional stage, because of the current state of the PKI and CA systems in the network environment and because SSL's design does not place very high security demands on the client's operating environment; whether to use it depends on the security level the application requires. The confidentiality feature of SSL data communication is completed by the above process. In addition to negotiating the encryption algorithm, the algorithm negotiation also exchanges a data signature algorithm, which is used to generate a unique hash check code that prevents the data from being tampered with in transit; this data signing process provides the integrity guarantee of the communication.
Based on the two security features provided by SSL, confidentiality and integrity, SSL defines four security levels, which are the combinations of the states of these two features:
  'c' - Clear        - no protection
  's' - Safe         - integrity implemented, but no confidentiality
  'e' - Confidential - confidentiality, but no integrity
  'p' - Private      - confidentiality and integrity at the same time
The FTP SSL extension uses two of these states:
  1) Clear   (requested by 'PROT C')
  2) Private (requested by 'PROT P')
Switching between the states during a connection is done with the FTP extension command PROT.
>> 3.3 << SSL FTP extensions
In RFC 2228 the FTP protocol is extended with the following commands: AUTH (Authentication/Security Mechanism), ADAT (Authentication/Security Data), PBSZ (Protection Buffer Size), CCC (Clear Command Channel), MIC (Integrity Protected Command), CONF (Confidentiality Protected Command) and ENC (Privacy Protected Command). The main commands relevant to the SSL extension are:
AUTH (negotiate extended authentication): specify an extended authentication method, SSL or TLS;
PBSZ (negotiate protection buffer): set the protection buffer size, which must be 0 in SSL/TLS mode;
PROT (switch protection level): switch the protection level, either "C" (no protection) or "P" (private protection level).
In a typical FTP SSL communication, the command sequence is as follows:
/ ==================================================================== /
|   Client                                  Server
|   Control      Data              Data     Control
|   ================================================================
|   connect()  --------------------------> accept()
|              <-------------------------- 220
|   AUTH TLS   -------------------------->
|              <-------------------------- 234
|   tlsneg()   <-------------------------> tlsneg()
|   PBSZ 0     -------------------------->
|              <-------------------------- 200
|   PROT P     -------------------------->
|              <-------------------------- 200
|   USER ely   -------------------------->
|              <-------------------------- 331
|   PASS ****  -------------------------->
|              <-------------------------- 230
/ ==================================================================== /
An example of an SSL FTP connection:
/ ==================================================================== /
| WinSock 2.0 -- OpenSSL 0.9.7d 17 Mar 2004
| [R] Connecting to 192.168.21.3 -> IP=192.168.21.3 PORT=2121
| [R] Connected to 192.168.21.3
| [R] 220 Please enter your login name now.
| [R] AUTH TLS                                   (authentication method)
| [R] 234 AUTH command OK. Initializing SSL connection.
| [R] Connected. Negotiating SSL/TLS session..
| [R] SSL/TLS Negotiation Successful...          (negotiation)
| [R] TLSv1/SSLv3 encrypted session using cipher AES256-SHA (256 bits)
| [R] PBSZ 0                                     (PBSZ)
| [R] 200 PBSZ command OK. Protection buffer size set to 0.
| [R] USER elly                                  (traditional FTP authentication)
| [R] 331 Password required for elly.
| [R] PASS (hidden)
| [R] 230 User elly logged in.
| [R] SYST
| [R] 215 UNIX Type: L8, CP: 936
| [R] FEAT                                       (extension command query)
| [R] 211-Extensions supported:
| [R]  SIZE
| [R]  MDTM YYYYMMDDHHMMSS filename
| [R]  LIST -lat
| [R]  STAT -lat
| [R]  ...
| [R]  AUTH TLS
| [R]  PBSZ
| [R]  SSCN
| [R]  UTF8
| [R] 211 End
| [R] CLNT FlashFXP 2.2.985
| [R] 213 Client type set to FlashFXP 2.2.985.
| [R] PWD                                        (traditional communication process)
| [R] 257 "/" is current directory
| [R] TYPE A
| [R] 200 Type set to ASCII.
| [R] PROT P
| [R] 200 PROT P accepted.
| [R] PASV
| [R] 227 Entering Passive Mode (192,168,21,3,5,122)
| [R] Opening data connection IP: 192.168.21.3 PORT: 1402
| [R] LIST -an
| [R] Connected. Negotiating SSL/TLS session..   (encrypted communication process)
| [R] 150 Opening ASCII data connection for ls / using SSL/TLS.
| [R] SSL/TLS Negotiation Successful...
| [R] TLSv1/SSLv3 encrypted session using cipher AES256-SHA (256 bits)
| [R] 226-Free disk space under this directory: 101 MB
| [R] 226 Transfer finished successfully. Data connection closed.
| [R] List Complete: 181 bytes in 0.14 seconds (1.26 KB/s)
/ ==================================================================== /
In SSL FTP there are several points to note:
1. AUTH is an optional command, because SSL FTP implementations differ; see the next section on Explicit SSL and Implicit SSL.
2. PBSZ and PROT are required commands for switching into protected channel mode.
3. AUTH, PBSZ and PROT are the means of implementing SSL authentication, but they can coexist with the traditional USER/PASS mode or be used on their own.
4. The SSL authentication process (AUTH/PBSZ) and traditional authentication are not strictly ordered; SSL may be switched on after the username and password. For security reasons, however, it is best to switch to secure mode before the USER/PASS exchange, so that the username and password are transferred securely.
5. In Explicit SSL mode you can switch to protected mode at any time; in Implicit SSL mode, described below, the initial connection directly uses an SSL socket and no AUTH command is needed to switch.

>> 3.4 << Explicit SSL and Implicit SSL
Because of historical and software-compatibility factors, SSL FTP has two implementations, Explicit SSL and Implicit SSL; most of the material above uses Explicit SSL as the example. Explicit SSL is also called AUTH SSL mode. It keeps good compatibility with the traditional FTP service and exists as a set of FTP extension commands: the initial connection can be plain FTP, and the AUTH SSL command is used to switch to protected mode when encrypted information needs to be transmitted. When Explicit SSL is used, the server must fully implement the AUTH/PBSZ/PROT commands. Implicit SSL is a newer FTP implementation: after the TCP three-way handshake completes, an SSL socket is used directly, so everything that follows is SSL-encrypted. In this mode the FTP server generally listens on a new service port; IANA assigns ftps TCP 990 as the default port for Implicit SSL FTP. Because the negotiation is completed automatically by the SSL implementation in the initial phase, the AUTH command is optional in Implicit mode. When compatibility is not a concern, it is best to use Implicit SSL mode on the server side for better confidentiality.
Compare two SSL FTP implementation patterns are as follows: / ======================================= ==================================================================================================================================================================== ============================================================================================================================================================================================================= ============= | | | | | CONNECT () ------> - - 明文 | sslconnect () ------> Encryption | | <--- --- 220 | | <------ 220 - | | Auth SSL ------> | | | | | | <------ 234 - | <------ 331 | | | TLSNEG () <-----> TLSNEG () - - Encryption | Pass *** ------> | | | ---- 200 | | <------ 230 | | | User *** ------> | | List <-----> ... | | | <---- - 331 | | RETR <-----> ... | | | pass *** ------> | | ... | | | | | List / retrine -----> ... | | sslclose () <-----> ... - | | close () <-----> ... - | | | | | / ================================================ ========================= / >>
>> 3.5 << Some messages
Section 3.3 showed an Explicit SSL connection command sequence; here is the corresponding Implicit SSL connection process:
/ ======================================================================= /
| Winsock 2.0 - OpenSSL 0.9.7d 17 Mar 2004
| [R] Connecting to 192.168.21.3 -> IP=192.168.21.3 Port=9909
| [R] Connected to 192.168.21.3
| [R] Connected. Negotiating SSL/TLS session..
| [R] SSL/TLS negotiation successful...
| [R] TLSv1/SSLv3 encrypted session using cipher AES256-SHA (256 bits)
| [R] 220 Please enter your login name now.
| [R] PBSZ 0
| [R] 200 PBSZ command OK. Protection buffer size set to 0.
| [R] USER elly
| [R] PASS (hidden)
| [R] 230 User elly logged in.
| [R] SYST
| [R] 215 UNIX Type: L8, CP: 936
| [R] PROT P
| [R] 200 PROT P accepted.
| [R] PASV
| [R] 227 Entering Passive Mode (192,168,21,3,5,122)
| [R] Opening data connection IP: 192.168.21.3 Port: 1402
| [R] LIST -An
| [R] Connected. Negotiating SSL/TLS session..
| [R] 150 Opening ASCII data connection for ls / using SSL/TLS.
| [R] SSL/TLS negotiation successful...
| [R] TLSv1/SSLv3 encrypted session using cipher AES256-SHA (256 bits)
| [R] List Complete: 181 bytes in 0.17 seconds (1.04 KB/s)
/ ======================================================================= /
In a packet capture of Explicit SSL mode FTP client <-> server communication, you can see that every command after AUTH SSL is encrypted and cannot be read. Compared with the traditional communication process in section 2.3, this ensures that the data cannot be eavesdropped on in transit. In Implicit SSL mode all data from the initial connection onwards is encrypted and cannot be analyzed, so no capture is extracted here.
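As an added example (not from the article and not FlashFXP code), the following Python replays a client log in the style of the extracts in sections 3.3 and 3.5 and checks the special points above: whether the session is Explicit or Implicit, whether PBSZ preceded PROT, whether USER/PASS went out before the control channel was protected, and which data endpoint the 227 reply selects. The log text and the user name are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed log in the "[R] ..." client style shown above; the session is
# hypothetical and is not one of the article's captures.
EXPLICIT_LOG = """\
[R] 220 Please enter your login name now.
[R] AUTH TLS
[R] 234 AUTH command OK. Initializing SSL connection.
[R] SSL/TLS negotiation successful...
[R] PBSZ 0
[R] 200 PBSZ command OK. Protection buffer size set to 0.
[R] USER elly
[R] PASS (hidden)
[R] PROT P
[R] 200 PROT P accepted.
[R] 227 Entering Passive Mode (192,168,21,3,5,122)
"""

@dataclass
class Session:
    mode: str = "unknown"            # "explicit" (AUTH needed) or "implicit"
    control_protected: bool = False  # control channel under TLS from here on
    data_protected: bool = False     # PROT P accepted for data connections
    pbsz_seen: bool = False
    data_endpoint: tuple = ()        # (ip, port) parsed from the 227 reply
    findings: list = field(default_factory=list)

def analyze(log: str) -> Session:
    """Replay client log lines in order and record when protection started."""
    s = Session()
    for raw in log.splitlines():
        line = raw.removeprefix("[R] ").strip()
        upper = line.upper()
        if upper.startswith("SSL/TLS NEGOTIATION SUCCESSFUL"):
            s.control_protected = True
            if s.mode == "unknown":      # TLS finished before any 220 banner
                s.mode = "implicit"
        elif upper.startswith("220") and s.mode == "unknown":
            s.mode = "explicit"          # banner in clear text; AUTH must follow
        elif upper.startswith("PBSZ"):
            s.pbsz_seen = True
        elif upper.startswith("PROT "):  # PROT is only valid after PBSZ (point 2)
            if not s.pbsz_seen:
                s.findings.append("PROT without prior PBSZ")
            s.data_protected = upper.split()[1] == "P"
        elif upper.startswith(("USER ", "PASS")) and not s.control_protected:
            s.findings.append(f"{upper.split()[0]} sent on unprotected control channel")
        elif upper.startswith("227"):   # h1,h2,h3,h4,p1,p2 -> ip and p1*256+p2
            h = [int(x) for x in re.search(r"\(([\d ,]+)\)", line).group(1).split(",")]
            s.data_endpoint = (".".join(map(str, h[:4])), h[4] * 256 + h[5])
    return s
```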
>> 4.0 << Summary
FTP alternatives: today, once you take other secure file transfer options into account, it may no longer make sense to use FTP. SCP and SFTP are applications similar to FTP but use SSH (Secure Shell) for authentication and encryption; if you use a Unix-based server you can run scp or sftp from the command line. For more information about SSH, see http://www.openssh.com. If you only use FTP to update your web pages, another alternative is a newer protocol called WebDAV. WebDAV is an extension of HTTP that allows multiple users to edit and maintain files on remote web servers; for the details of WebDAV, see http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2518.html. FTP was designed in the 1970s, when the Internet was still a closed network and network security was not a big problem. When FTP is used in modern network environments with NAT gateways, firewalls and Cisco access lists, problems arise whether you use Port mode or Passive mode, and relying on FTP for key applications over the public network may be a mistake. Of course, many people have made unremitting efforts to get FTP through such devices, but these efforts have made FTP troubleshooting harder and have not solved FTP's biggest problem: the user name and password are transmitted in clear text. There are many applications that can replace FTP, such as SCP, SFTP, or WebDAV.
The above is the original article's summary; the second half of this article adds FTP's own security extension, which uses SSL/TLS to authenticate and encrypt the FTP transfer process and gives good compatibility with the traditional FTP protocol together with excellent data confidentiality and integrity. It is a very good improvement plan for an FTP service in environments where an alternative service cannot be used.