# proftpd -l

Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_auth_unix.c
  mod_auth_file.c
  mod_auth.c
  mod_ls.c
  mod_log.c
  mod_site.c
  mod_delay.c
  mod_codeconv.c
  mod_auth_pam.c
  mod_ratio.c
  mod_readme.c
  mod_quota.c
  mod_tls.c      # < ---------------- 就是這個
  mod_cap.c

再編輯 proftpd.conf，加入

<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/tls.log
# SSLv23 = SSLv3 + TLSv1
    TLSProtocol SSLv23

    # Are clients required to use FTP over TLS?
    TLSRequired off

    # Server's certificate
    TLSRSACertificateFile /path/server.crt
    TLSRSACertificateKeyFile /path/server.key

    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off

    # Allow SSL/TLS renegotiations when the client requests them, but
    # do not force the renegotations.  Some clients do not support
    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    # clients will close the data connection, or there will be a timeout
    # on an idle data connection.
    TLSRenegotiate required off
</IfModule>

要產生key， /path/server.key 及 /path/server.crt (省略)

重啟 proftpd

測試lftp，可以成功登入，列出就ok

# lftp
lftp :~> set ftp:ssl-force true
lftp :~> connect localhost
lftp localhost:~> login ssorclin
密碼：
lftp ssorclin@localhost:~> ls
drwxr-xr-x   2 root    root      4096 Dec 15 18:15 bin
lftp ssorclin@localhost:/> exit

另一個測試 openssl，會出現憑證的內容就是ok

openssl s_client -connect 127.0.0.1:21 -starttls ftp

測試 curl

# 顯示
curl -ucross:1234 ftp://localhost --ftp-ssl -k

# 隱式
curl -ucross:1234 ftp://localhost -k


測試 flashfxp

# 隱式 ,,,, 失敗

[L] 已連線. 正在交涉 SSL 中..
[L] SSL 錯誤: 未知的通訊協定
[L] SSL 交涉失敗, 已斷線
[L] 連線失敗 (連線已被客戶端關閉)
[L] 正在延遲 33 秒, 於重新連線嘗試第 #1 次之前

# SSL與TLS認證，皆ok

測試 filezilla 3.5.3版

# 需透過外顯式TLS，失敗

回應: 150 Opening ASCII mode data connection for file list
錯誤: GnuTLS error -9: A TLS packet with unexpected length was received.
狀態: 伺服器未正確結束 TLS 連線
錯誤: 傳輸連線中斷: ECONNABORTED - Connection aborted
回應: 226-Transfer complete
回應: 226 Quotas off
錯誤: 無法取得目錄列表

# 需透過隱含式TLS，失敗

狀態: 所選的連接埠通常是使用於其它協定.
狀態: 正在連線到 10.10.10.173:21 ...
狀態: 連線已建立, 初始 TLS 加密...

參考
http://www.gentoo-wiki.info/ProFTPd/Compiling_with_TLS_SSL_support
http://hi.baidu.com/%B4%F8%B5%B6%B2%BB%B4%F8%C9%A1/blog/item/df846dbe952c8c0518d81ffe.html
http://www.proftpd.org/docs/howto/TLS.html
http://kb.parallels.com/2207

scponly : Restricted shell for ssh based file services

我可以用在什麼地方

今天假如我開放讓某個人可以ssh，但目的只是要抓檔案，我就可以用scponly來限制這個使用者只能抓，而無法登入主機操作了

環境 : server

CentOS release 5.7 (Final)
2.6.18-274.el5 #1 SMP Fri Jul 22 04:49:12 EDT 2011 i686 i686 i386 GNU/Linux

怎麼安裝

yum install scponly

# 如果沒有可以試著用 atomic 或 rpmforge

怎麼使用

新增使用者，把它的shell指定scponly

useradd -d /home/scp -s /usr/bin/scponly scp

打開scponly 的debug模式

echo 7 > /etc/scponly/debuglevel

使用一client 試著ssh登入，但被拒絕了

[root@client ~]# ssh scp@server
scp@server's password:
Last login: Thu Jan 19 13:39:04 2012 from client
scponly[8695]: 1 arguments in total.
scponly[8695]:  arg 0 is -scponly
scponly[8695]: opened log at LOG_AUTHPRIV, opts 0x00000029
scponly[8695]: determined USER is "scp" from environment
scponly[8695]: retrieved home directory of "/home/scp" for user "scp"
scponly[8695]: setting uid to 10004
scponly[8695]: entering WinSCP compatibility mode [username: scp(10004), IP/port: client 39168 22]

WinSCP: this is end-of-file:0

WinSCP: this is end-of-file:0

# 這裡不會自動跳出，一直enter的話，只會一直出現WinSCP: this is end-of-file:0，所以這裡我就解讀為無法ssh登入了

如果我只用scp

[root@client ~]# scp scp@server:/etc/passwd ./
scp@server's password:
scponly[8842]: 3 arguments in total.
scponly[8842]:  arg 0 is scponly
scponly[8842]:  arg 1 is -c
scponly[8842]:  arg 2 is scp -f /etc/passwd
scponly[8842]: opened log at LOG_AUTHPRIV, opts 0x00000029
scponly[8842]: determined USER is "scp" from environment
scponly[8842]: retrieved home directory of "/home/scp" for user "scp"
scponly[8842]: setting uid to 10004
scponly[8842]: processing request: "scp -f /etc/passwd"
scponly[8842]: Using getopt processing for cmd /usr/bin/scp
 (username: scp(10004), IP/port: client 39169 22)
scponly[8842]: getopt processing returned 'f' (username: scp(10004), IP/port: client 39169 22)
scponly[8842]: running: /usr/bin/scp -f /etc/passwd (username: scp(10004), IP/port: client 39169 22)
scponly[8842]: about to exec "/usr/bin/scp" (username: scp(10004), IP/port: client 39169 22)
passwd                

# 成功將passwd複製過來

passwd檔的資訊

-rw-r--r--  1 root root 2642  1月 19 13:43 passwd

scponly還提供chroot功能

只要把 shell從 scponly 換成 scponlyc (路徑也不同喔)

usermod -s /usr/sbin/scponlyc scp

如果再scp的話

[root@client ~]# scp scp@server:/etc/passwd ./
scp@server's password:
scponly[10458]: chrooted binary in place, will chroot()
scponly[10458]: 3 arguments in total.
scponly[10458]:         arg 0 is scponlyc
scponly[10458]:         arg 1 is -c
scponly[10458]:         arg 2 is scp -f /etc/passwd
scponly[10458]: opened log at LOG_AUTHPRIV, opts 0x00000029
scponly[10458]: determined USER is "scp" from environment
scponly[10458]: retrieved home directory of "/home/scp" for user "scp"
scponly[10458]: chroot dir not owned by root: /home/scp

# 它就跟你說scp這個使用者無法複製/home/scp以外的檔案

ps : 不用debug模式時可以把 /etc/scponly/debuglevel 清空就好


------
補: 遇到 chroot的問題，無法用scp傳到server也無法傳到 client，應該是chroot少了東西，就是該有的目錄及檔案 (bin,etc,dev等等)

我用 tarball 下載來編譯安裝

./configure --enable-winscp-compat --enable-sftp-logging-compat --enable-scp-compat --enable-rsync-compat --enable-chrooted-binary --enable-passwd-compat --enable-quota-compat --with-sftp-server  --disable-wildcards --disable-gftp-compat
make
make install

再把 scponlyc 放到 shells

echo  "/usr/local/sbin/scponlyc" >> /etc/shells

利用taball裡的工具來建立使用者

make jail

# 預設帳號是scponly ，可以自行更換
# 會要定義一個可寫入的目錄 (incoming)，它會放在 /home/scponly/incoming (owner是scponly)
# 再輸入密碼

使用者建好了

# finger scponly
Login: scponly                          Name: (null)
Directory: /home/scponly                Shell: /usr/local/sbin/scponlyc
Last login 四  1月 19 15:28 (CST) on pts/2 from 10.10.10.135
No mail.
No Plan.

目錄長這樣子

# ll /home/scponly/
總計 24
drwxr-xr-x 2 root    root    4096  1月 19 15:31 bin
drwxr-xr-x 2 root    root    4096  1月 19 15:25 etc
drwxr-xr-x 2 scponly scponly 4096  1月 19 15:38 incoming
drwxr-xr-x 2 root    root    4096  1月 19 15:25 lib
drwxr-xr-x 5 root    root    4096  1月 19 15:25 usr

# 建立 /dev/null，不然會說找不到 /dev/null

mkdir /home/scponly/dev
cp -rp /dev/null /home/scponly/dev

使用ssh登入，確認不行

我再用sftp登入，可以 ，這是在chroot的環境喔

sftp> ls -al
drwxr-xr-x    8 0        0            4096 Jan 19 07:32 .
drwxr-xr-x    8 0        0            4096 Jan 19 07:32 ..
drwxr-xr-x    2 0        0            4096 Jan 19 07:31 bin
drwxr-xr-x    2 0        0            4096 Jan 19 07:32 dev
drwxr-xr-x    2 0        0            4096 Jan 19 07:25 etc
drwxr-xr-x    2 scponly  10005        4096 Jan 19 07:38 incoming
drwxr-xr-x    2 0        0            4096 Jan 19 07:25 lib
drwxr-xr-x    5 0        0            4096 Jan 19 07:25 usr

我測試 ls ../ 或是 ls ../../，皆不會看到chroot 以外的東西 (/home/scponly/)

sftp> ls ../
../bin        ../dev        ../etc        ../incoming   ../lib        ../usr
sftp> ls ../../
../../bin        ../../dev        ../../etc        ../../incoming   ../../lib        ../../usr

~~~我用
scp scponly@server:/incoming/123 ./ 或 sftp xxx scponly@server:/incoming/ 皆 OK

05 00 00 00 01 00 00 00

centos 5.7
mysql 5.0

安裝mydumper (v 0.2.3)

# 用 atomic 的 yum庫
wget -q -O - http://www.atomicorp.com/installers/atomic | sh
yum install mydumper

測試

time mydumper -u admin -p 123456 -B mysql -o 321 ; time mysqldump -u admin -p123456 mysql > 321.sql

結果

real    0m0.346s
user    0m0.034s
sys     0m0.131s


real    0m0.402s
user    0m0.038s
sys     0m0.100s

測了幾次 mydumper 都比 mysqldump 快

mysqldump 備出來的資料皆塞到同一個檔案裡去
而 mydumper 則是一個table一個檔案，且資料跟 schema 也是分開的
(mysql.user-schema.sql 內容長成 →  CREATE TABLE `user` XXX)
(mysql.user.sql 內容長 成 → INSERT INTO `user` XXX)

-rw-r--r-- 1 root root   2722  1月  3 14:17 mysql.user-schema.sql
-rw-r--r-- 1 root root    601  1月  3 14:17 mysql.user.sql

[root@xx1 ~]# ssh 1.1.1.1
The authenticity of host '1.1.1.1 (1.1.1.1)' can't be established.
RSA key fingerprint is 5d:72:df:77:24:a9:80:e6:d1:23:68:4f:d9:42:6b:44.
Are you sure you want to continue connecting (yes/no)?

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
e1:9b:5c:16:a6:cd:11:10:3a:cd:1b:a2:16:cd:e5:1c.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1
RSA host key for 1.1.1.1 has changed and you have requested strict checking.
Host key verification failed.

ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no  root@1.1.1.1

ssh-keygen -R 1.1.1.1

(省略)
(# 輸入以下兩行)
HEAD / HTTP/1.0
(# R 是要求重新談判)
R
RENEGOTIATING
5115:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:

出現error 後跳出，就代表不支援

如果是再出現憑證資訊就是有支援

目前測試 centos 4.8 ， mod_ssl 為mod_ssl-2.0.52-38.ent.centos4.2 就會有SSL renegotiation

我把它更新到 2.0.52-49.ent.centos4  (連同 httpd也update了)，再行測試就不會有SSL renegotiation

測試 CentOS release 5.7，當下的mod_ssl為mod_ssl-2.2.3-22.el5.centos.2，升級至 2.2.3-53.el5.centos.3，也是不會有SSL renegotiation

只要升級就ok了~~嗎!!! (保留疑問)



ref: http://blog.ivanristic.com/2009/12/testing-for-ssl-renegotiation.html
ref: http://www.gremwell.com/really_testing_for_ssl_tls_renegotiation

• http://loadimpact.com/
• http://www.webpagetest.org/
• https://developers.google.com/pagespeed/
• firebug
• httpwatch
• http://site-perf.com/
• http://www.websiteoptimization.com/services/analyze/
• http://tools.pingdom.com/fpt/
• http://www.octagate.com/service/SiteTimer/?Target=AJAX
• http://loads.in/

f2blog

就變成這樣子

echo "TMOUT=1800" >> /etc/bashrc
echo "readonly TMOUT" >> /etc/bashrc
echo "export TMOUT" >> /etc/bashrc

登出再登入測試即可達到目的