I astonish all the time when I see the FTP package name. vsftpd which abbreviated to Very Secure File Transfer Demon(vsftpd). But when we see the security prospective of this package there is no much security included with this package. I mean when you login to server the credentials are transferred in plain text. This is the reason by default root user is not allowed to login to ftp server. To eliminate transferring data/user credentials in plain text and to encrypt the entire transmission we can take help from openssl to generate a certificate and use SSL certificate when communicating with FTP server. This is nothing but a FTPS(FTP+SSL cert) server. Some file transfers you should know are.

1. TFTP(Trivial File Transfer Protocol which uses UDP for transmission) –high data rates/not secure

2. SFTP (This protocol uses SSH in back-end, so you need to run an FTP server) –secure

3. FTP (This is normal ftp transfer which uses TCP) –not secure

4. FTPS(FTP+SSL certificate to encrypt data transmission) -secure

5. FTP Over SSH(this is a kind of ftp tunnel on SSH protocol) -secure

In this post we will see how we can configure SSL certificate for VSFTPD to make it secure.

Step 1: Check the following packages on the server and if they are not install please install them.

#yum install openssl
#yum install vsftpd

Step 2: Generate rsa key in /etc/vsftpd folder as shown below.

#cd /etc/vsftpd
#/usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem

The clipped output for your reference

[root@v-itig42 vsftpd]# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem
Generating a 1024 bit RSA private key
....................................................++++++
..........................................++++++
writing new private key to 'vsftpd.pem'
-----

You are now asked to enter information that will be incorporated into your certificate request. What you are about to enter is called as Distinguished Name or a DN. There are many fields but you can leave some blank. For some fields there will be a default value, If you enter ‘.’, the field will be left blank.

Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Andhra Pradesh
Locality Name (eg, city) [Newbury]:Vijaywada
Organization Name (eg, company) [My Company Ltd]:Linuxnix Systems Limited
Organizational Unit Name (eg, section) []: IT admin Group
Common Name (eg, your name or your server's hostname) []:ftp2.linuxnix.co.in
Email Address []:surendra@linuxnix.co.in

Step 3: Once the Certificate is generated, certificate is kept in /etc/vsftpd folder. We have to provide this entry in vsftpd.conf along some ssl configurations.

Step 4: Edit vsftpd.conf and give entires at the last of the file.

#vi /etc/vsftpd/vsftpd.conf
#For SSL on specify yes to below option.
 ssl_enable=YES
 # To allow anonysonomous users to use SSL
 allow_anon_ssl=YES
 # if you want local users to use both ssl as well unsecure way of transmission of data plz specify no to below option.
 force_local_data_ssl=NO
 #If you want to allow all the login credentials which are transmitted should be sent with encryption
#pleas use below option to force them to use only ssl connection at the time of login.
 force_local_logins_ssl=YES
 # Permit TLS v1 protocol connections. TLS v1 connections are preferred
 ssl_tlsv1=YES
 # Permit SSL v2 protocol connections. TLS v1 connections are preferred
 ssl_sslv2=NO
 # permit SSL v3 protocol connections. TLS v1 connections are preferred
 ssl_sslv3=NO
 #Please pecifies the location of the RSA certificate to use for SSL encrypted connections, which we #created some time back.
 rsa_cert_file=/etc/vsftpd/vsftpd.pem

Now save and exit the vsftpd file

Step 5: Restart the vsftpd service.

# service vsftpd restart

Output:

Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]

Start accessing the sftp server with filezila or some other FTP clients which will support SSL/TSL. If you want to access ftps sites through browsers it’s not possible(especially IE). We have to have add-on called fireftp for accessing FTPS protocol with browsers. Then only we can access ftps:// site through browsers. Here in this example I used filezila ftp client which will support many file transfer protocols.

 

The following two tabs change content below.
Mr Surendra Anne is from Vijayawada, Andhra Pradesh, India. He is a Linux/Open source supporter who believes in Hard work, A down to earth person, Likes to share knowledge with others, Loves dogs, Likes photography. He works as Devops Engineer with Taggle systems, an IOT automatic water metering company, Sydney . You can contact him at surendra (@) linuxnix dot com.