I astonish all the time when I see the FTP package name. vsftpd which abbreviated to Very Secure File Transfer Demon(vsftpd). But when we see the security prospective of this package there is no much security included with this package. I mean when you login to server the credentials are transferred in plain text. This is the reason by default root user is not allowed to login to ftp server. To eliminate transferring data/user credentials in plain text and to encrypt the entire transmission we can take help from openssl to generate a certificate and use SSL certificate when communicating with FTP server. This is nothing but a FTPS(FTP+SSL cert) server. Some file transfers you should know are.
1. TFTP(Trivial File Transfer Protocol which uses UDP for transmission) –high data rates/not secure
2. SFTP (This protocol uses SSH in back-end, so you need to run an FTP server) –secure
3. FTP (This is normal ftp transfer which uses TCP) –not secure
4. FTPS(FTP+SSL certificate to encrypt data transmission) -secure
5. FTP Over SSH(this is a kind of ftp tunnel on SSH protocol) -secure
In this post we will see how we can configure SSL certificate for VSFTPD to make it secure.
Step 1: Check the following packages on the server and if they are not install please install them.
#yum install openssl
#yum install vsftpd
Step 2: Generate rsa key in /etc/vsftpd folder as shown below.
#/usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem
The clipped output for your reference
[root@v-itig42 vsftpd]# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem
Generating a 1024 bit RSA private key ....................................................++++++ ..........................................++++++ writing new private key to 'vsftpd.pem' -----
You are now asked to enter information that will be incorporated into your certificate request. What you are about to enter is called as Distinguished Name or a DN. There are many fields but you can leave some blank. For some fields there will be a default value, If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Andhra Pradesh
Locality Name (eg, city) [Newbury]:Vijaywada
Organization Name (eg, company) [My Company Ltd]:Linuxnix Systems Limited
Organizational Unit Name (eg, section) : IT admin Group
Common Name (eg, your name or your server's hostname) :ftp2.linuxnix.co.in
Email Address :email@example.com
Step 3: Once the Certificate is generated, certificate is kept in /etc/vsftpd folder. We have to provide this entry in vsftpd.conf along some ssl configurations.
Step 4: Edit vsftpd.conf and give entires at the last of the file.
#For SSL on specify yes to below option. ssl_enable=YES # To allow anonysonomous users to use SSL allow_anon_ssl=YES # if you want local users to use both ssl as well unsecure way of transmission of data plz specify no to below option. force_local_data_ssl=NO #If you want to allow all the login credentials which are transmitted should be sent with encryption
#pleas use below option to force them to use only ssl connection at the time of login. force_local_logins_ssl=YES # Permit TLS v1 protocol connections. TLS v1 connections are preferred ssl_tlsv1=YES # Permit SSL v2 protocol connections. TLS v1 connections are preferred ssl_sslv2=NO # permit SSL v3 protocol connections. TLS v1 connections are preferred ssl_sslv3=NO #Please pecifies the location of the RSA certificate to use for SSL encrypted connections, which we #created some time back. rsa_cert_file=/etc/vsftpd/vsftpd.pem
Now save and exit the vsftpd file
Step 5: Restart the vsftpd service.
# service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
Start accessing the sftp server with filezila or some other FTP clients which will support SSL/TSL. If you want to access ftps sites through browsers it’s not possible(especially IE). We have to have add-on called fireftp for accessing FTPS protocol with browsers. Then only we can access ftps:// site through browsers. Here in this example I used filezila ftp client which will support many file transfer protocols.
Latest posts by Surendra Anne (see all)
- FREE: JOIN OUR DEVOPS TELEGRAM GROUPS - August 2, 2019
- Review: Whizlabs Practice Tests for AWS Certified Solutions Architect Professional (CSAP) - August 27, 2018
- How to use ohai/chef-shell to get node attributes - July 19, 2018
- wget download a file to a directory in Linux/Unix - June 4, 2018
- GIT: How to compare two GIT branches? - June 3, 2018