Configure vsftpd to Use SSL/TLS

January 13, 2016 by Linux Guru

Filed under Security, Unix

Last modified July 15, 2016


FTP (file transfer protocol) is a way to transfer files between local and remote servers. Although very popular and ubiquitous, the use of this method of file transfer has fallen out of favor due to the lack of security inherent in its design.

A very capable alternative is SFTP, which implements file transfer over SSH. If you must use FTP, you should at least secure the connection with SSL/TLS certificates.

Install vsftpd

$sudo yum install vsftpd

Configure Basic Settings for vsftpd

Main configuration file: /etc/vsftpd/vsftpd.conf

$sudo vi /etc/vsftpd/vsftpd.conf

Changes in vsftpd.conf (vsftpd does not accept a trailing # comment after a value, so each note is placed on its own line):
-----------------------------
# disable anonymous users
anonymous_enable=NO
# allow local users, meaning that vsftpd will use our Linux system users and authentication to determine who can sign in
local_enable=YES
# allow user write access, so that they can upload material and modify content
write_enable=YES

# confine our users to their respective home directories
chroot_local_user=YES
-----------------------------
This is enough for a basic (non-SSL) FTP configuration. We will add the SSL functionality later. Save and close the file.

Create an FTP User

$sudo adduser sftpuser      # create the new user
$sudo passwd sftpuser       # set its password

Configure SSL with vsftpd

We will actually be using TLS, which is the successor to SSL and more secure.

$sudo mkdir /etc/ssl/private

To create the certificate and the key in a single file, we can use this command:

$sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Note: fill out the questions that it asks.

Add the SSL Details to the vsftpd Configuration File

$sudo vi /etc/vsftpd/vsftpd.conf

Scroll to the bottom of the file. We will add our SSL/TLS information here:

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

Next, we need to enable the use of these files and disable anonymous users. We should also force the use of SSL for both data transfer and login routines. This makes the encryption mandatory rather than optional:
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

Next, we will restrict the type of connection to TLS, which is more secure than SSL. We will do this by explicitly allowing TLS and denying the use of SSL:

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

Save and close the file. We need to restart vsftpd to enable our changes:

$sudo service vsftpd start

We will also configure it to start automatically with every reboot:

$sudo chkconfig vsftpd on
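To check that a vsftpd.conf actually carries the hardening settings described above, here is a small auditor. It is an added example, not code from the original post or from the vsftpd project; it parses key=value lines, flags inline # comments after a value (which vsftpd rejects), and reports every required setting that is missing or has the wrong value. The sample configuration is constructed for the demonstration.

```python
REQUIRED = {
    "anonymous_enable": "NO", "chroot_local_user": "YES",
    "ssl_enable": "YES", "allow_anon_ssl": "NO",
    "force_local_data_ssl": "YES", "force_local_logins_ssl": "YES",
    "ssl_tlsv1": "YES", "ssl_sslv2": "NO", "ssl_sslv3": "NO",
}

def parse_vsftpd_conf(text):
    """Return (settings, problems). Whole-line '#' comments are skipped;
    a '#' after a value is reported because vsftpd rejects such lines."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: not key=value: {line!r}")
            continue
        key, value = line.split("=", 1)
        if "#" in value:
            problems.append(f"line {lineno}: inline comment after {key.strip()}")
            value = value.split("#", 1)[0]
        settings[key.strip()] = value.strip()
    return settings, problems

def audit(text):
    """Return findings; an empty list means every REQUIRED setting holds."""
    settings, findings = parse_vsftpd_conf(text)
    for key, want in REQUIRED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key} not set (want {want})")
        elif got.upper() != want:
            findings.append(f"{key}={got} (want {want})")
    return findings

# Constructed sample: TLS is on, but logins are not forced over TLS,
# SSLv3 is not disabled, and one line carries an inline comment.
SAMPLE = """\
anonymous_enable=NO
chroot_local_user=YES   #confine users
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
"""
if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Run it against the real file with `audit(open("/etc/vsftpd/vsftpd.conf").read())`; an empty result means the settings from this post are all in place.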
