Configure vsftpd with SSL/TLS on Centos7/RHEL7/Fedora22

Configure vsftpd with SSL/TLS

In this post, we will configure vsftpd to use TLS/SSL certificates on CentOS 7 or RHEL 7.

FTP is the standard network protocol used to transfer files from one host (the server) to another host (the client) over a TCP-based network such as the Internet. It also supports secure connections via SSL/TLS, the same encryption used for online banking, shopping and many other services.

vsftpd is a lightweight, GPL-licensed FTP server built with security in mind. Many large sites, such as ftp.freebsd.org, ftp.redhat.com and ftp.debian.org, currently use vsftpd as their FTP server.

Traditional FTP is insecure: when we log in, the username and password are transmitted in clear text. So if you want to share files, you should at least secure the connection with SSL/TLS certificates.

To enable SSL/TLS for vsftpd so that it accepts FTP over SSL/TLS (FTPS) connections, the steps are:

1) Configure the FTP server.

In a previous article we have already seen how to configure the FTP server on Linux, along with some tips and tricks for the FTP server. For this article we log in to the FTP server with the "gaurav" account; refer to the link below.

 

2) Generate self-signed certificates.

First, check whether the OpenSSL package is installed; if not, install it with the yum command "yum install openssl -y".

#rpm -qa openssl (to check whether the package is installed)

[root@server1 ~]# rpm -qa openssl  
openssl-1.0.1e-42.el7.9.x86_64 
[root@server1 ~]#

To operate vsftpd with SSL, the first step is to create an SSL certificate. We will create a subdirectory within the SSL directory to store our files.

#mkdir /etc/ssl/certificates

[root@server1 ~]# mkdir /etc/ssl/certificates 
[root@server1 ~]#

To create the certificate, we use the following command.

#openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/certificates/vsftpd.pem -out /etc/ssl/certificates/vsftpd.pem

[root@server1 ~]# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/certificates/vsftpd.pem -out /etc/ssl/certificates/vsftpd.pem 
Generating a 1024 bit RSA private key 
.........................................++++++ 
.........++++++ 
writing new private key to '/etc/ssl/certificates/vsftpd.pem' 
----- 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [XX]:IN 
State or Province Name (full name) []:Himachal 
Locality Name (eg, city) [Default City]:Shimla 
Organization Name (eg, company) [Default Company Ltd]:itcare 
Organizational Unit Name (eg, section) []:IT Troubleshooter 
Common Name (eg, your name or your server's hostname) []:server1 
Email Address []:root@server1.itcare.in 
[root@server1 ~]#

Note: the -days option sets the lifetime of the certificate; in our case we set one year (-days 365). After you run the command, it prompts for the Distinguished Name fields; fill them in as shown above.

Change the permissions of the vsftpd.pem file so that only root can read it.

#chmod 400 <Filename>

[root@server1 ~]# chmod 400 /etc/ssl/certificates/vsftpd.pem  
[root@server1 ~]# ll /etc/ssl/certificates/vsftpd.pem 
-r--------. 1 root root 2015 Oct 15 03:34 /etc/ssl/certificates/vsftpd.pem 
[root@server1 ~]#

3) Configure the vsftpd file with SSL Details.

Edit the vsftpd configuration file, go to the bottom of the file and add or modify the options as shown below.

#vim /etc/vsftpd/vsftpd.conf

### Add Passive ports  #### 
pasv_enable=YES 
pasv_min_port=21000 
pasv_max_port=21010 
 
##### TLS/SSL certificates ##### 
# These values must be adjusted to your environment 
rsa_cert_file=/etc/ssl/certificates/vsftpd.pem 
rsa_private_key_file=/etc/ssl/certificates/vsftpd.pem 
ssl_enable=YES 
# To allow anonymous users to use SSL 
allow_anon_ssl=NO 
# To force anonymous users to use SSL 
# force_anon_data_ssl=YES 
# force_anon_logins_ssl=YES 
# To force local users to use SSL 
force_local_data_ssl=YES 
force_local_logins_ssl=YES 
# The following options depend on the authentication mode you require 
ssl_tlsv1=YES 
ssl_sslv2=NO 
ssl_sslv3=NO 
##Add a few more configuration options 
require_ssl_reuse=NO 
ssl_ciphers=HIGH  
~
~
:wq

Note: in our case we are not using anonymous users, so all the anonymous SSL parameters are commented out.

4) Restart the vsftpd service.

Use the commands shown below to restart the vsftpd service and confirm that it is listening on port 21.

[root@server1 ~]# systemctl restart vsftpd
[root@server1 ~]# netstat -tulpn | grep :21
tcp6       0      0 :::21                   :::*                    LISTEN      4022/vsftpd         
[root@server1 ~]#

5) Allow the passive ports through the firewall on the FTP server.

If the firewall service is running, allow the passive port range through it.

[root@server1 ~]# firewall-cmd --permanent --add-port=21000-21010/tcp
 success
[root@server1 ~]# firewall-cmd --reload
 success 
[root@server1 ~]#
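The settings above are easy to get wrong (a later line in vsftpd.conf can override an earlier one, and the key file must stay unreadable to other users). As an added example, not from the post or the vsftpd project, here is a small POSIX sh audit of a vsftpd.conf against the TLS settings and the chmod 400 from steps 2 and 3. The helper treats the last assignment of a key as the effective one (its own convention), and the sample configuration it writes is constructed from the post's lines.

```shell
#!/bin/sh
# Added example, not from the post or vsftpd: audit a vsftpd.conf for the TLS
# settings the post sets, plus the chmod 400 on the key. Returns 0 if clean, else 1.

# key=value pairs the configuration must end up with
REQUIRED="ssl_enable=YES ssl_sslv2=NO ssl_sslv3=NO allow_anon_ssl=NO
force_local_data_ssl=YES force_local_logins_ssl=YES"

# conf_value FILE KEY: value of the last uncommented KEY= line, whitespace stripped
# (the post's config has trailing spaces); a later override is what gets reported
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

check_vsftpd_ssl() {
    conf=$1; rc=0
    for pair in $REQUIRED; do
        key=${pair%%=*}; want=${pair#*=}; have=$(conf_value "$conf" "$key")
        [ "$have" = "$want" ] || { echo "$key=${have:-<unset>} (want $want)"; rc=1; }
    done
    # the key file must be configured and, if present, unreadable to group/others
    keyfile=$(conf_value "$conf" rsa_private_key_file)
    if [ -z "$keyfile" ]; then
        echo "rsa_private_key_file is not set"; rc=1
    elif [ -f "$keyfile" ]; then
        case $(ls -l "$keyfile" | cut -c5-10) in
            *[rwx]*) echo "$keyfile is readable beyond its owner; run chmod 400"; rc=1 ;;
        esac
    fi
    return $rc
}
# write_post_conf FILE KEYFILE: constructed sample holding the post's TLS lines
write_post_conf() {
    cat > "$1" <<EOF
rsa_cert_file=$2
rsa_private_key_file=$2
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
EOF
}
# demo: the post's config with a 400 key passes; a stray override and a 644 key do not
CONF=$(mktemp); KEY=$(mktemp); chmod 400 "$KEY"; write_post_conf "$CONF" "$KEY"
check_vsftpd_ssl "$CONF" && echo "clean: no findings"
echo "ssl_sslv3=YES" >> "$CONF"; chmod 644 "$KEY"
check_vsftpd_ssl "$CONF" || echo "weak: see findings above"
rm -f "$CONF" "$KEY"
```

Run it as `sh audit.sh` after editing; to audit the live file, call `check_vsftpd_ssl /etc/vsftpd/vsftpd.conf` from the same shell.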

Connect an FTP client over FTPS from a Linux client system (CLI mode)

1) Install the lftp package.

We use the lftp command to verify whether FTPS is working.

#yum -y install lftp

[root@server1 ~]# yum install lftp 
Loaded plugins: fastestmirror 
Loading mirror speeds from cached hostfile 
Resolving Dependencies 
--> Running transaction check 
---> Package lftp.x86_64 0:4.4.8-7.el7 will be installed 
--> Finished Dependency Resolution 
 
Transaction Summary 
============================== 
Install  1 Package 
 
Total download size: 750 k 
Installed size: 2.4 M 
Is this ok [y/d/N]: y

2) Verify that FTPS is configured correctly.

Use the lftp command to verify that FTPS works from the client machine. First, create a file to set some SSL parameters on the client side.

# vim ~/.lftprc

set ftp:ssl-auth TLS 
set ftp:ssl-force true 
set ftp:ssl-protect-list yes 
set ftp:ssl-protect-data yes 
set ftp:ssl-protect-fxp yes 
set ssl:verify-certificate no  
~ 
~ 
:wq

Now connect to the FTPS server using the lftp command.

[root@client1 ~]# lftp -u gaurav server1.itcare.in 
Password:  
lftp gaurav@server1.itcare.in:~> ls 
-rw-r--r--    1 0        0               0 Oct 14 14:37 centos 
-rw-r--r--    1 0        0               0 Oct 14 14:37 debian 
-rw-r--r--    1 0        0               0 Oct 14 14:38 fedora 
-rw-r--r--    1 0        0               0 Oct 14 14:45 redhat 
-rw-r--r--    1 0        0               0 Oct 14 14:45 ubuntu 
lftp gaurav@server1.itcare.in:~>

Alternatively, you can verify FTPS with the command below.

#lftp -d -u <username> -e 'set ftp:ssl-force true' <IP address of ftps server>
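The ~/.lftprc above sets ssl:verify-certificate to no, so the client accepts whatever certificate is presented. Since vsftpd.pem from step 2 contains both the private key and the certificate, the safer option is to export only the certificate block for the client and let lftp verify the server against it. This is an added example, not code from the post or from the lftp/vsftpd projects; it uses lftp's ssl:ca-file setting as the trust anchor (this example's approach), and the PEM contents are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post: vsftpd.pem from step 2 holds the private key and
# the certificate in one file. Give the client only the certificate and have lftp
# verify the server against it instead of "set ssl:verify-certificate no".

# extract_certs IN OUT: copy only the BEGIN/END CERTIFICATE blocks, never the key;
# fails if IN contained no certificate at all
extract_certs() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" > "$2"
    grep -q 'BEGIN CERTIFICATE' "$2"
}

# write_lftprc RC CAFILE: the post's lftp settings with verification turned on and
# the exported certificate as the trust anchor (ssl:ca-file is an lftp setting)
write_lftprc() {
    cat > "$1" <<EOF
set ftp:ssl-auth TLS
set ftp:ssl-force true
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes
set ssl:verify-certificate yes
set ssl:ca-file $2
EOF
}

# constructed stand-in for /etc/ssl/certificates/vsftpd.pem: placeholder text, not real key material
PEM=$(mktemp); CRT=$(mktemp); RC=$(mktemp)
cat > "$PEM" <<'EOF'
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-PRIVATE-KEY
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CERTIFICATE
-----END CERTIFICATE-----
EOF
extract_certs "$PEM" "$CRT" && write_lftprc "$RC" "$CRT"
if grep -q PRIVATE "$CRT"; then echo "key material leaked into $CRT"; else echo "exported certificate only"; fi
cat "$RC"
rm -f "$PEM" "$CRT" "$RC"
```

On a real server, run extract_certs against /etc/ssl/certificates/vsftpd.pem as root, copy only the output file to the client, and write the resulting settings to ~/.lftprc there.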

Connect to the vsftpd server with FileZilla from Windows or Linux systems (GUI mode)

1) Open the FileZilla program.

In the FileZilla interface, open the "Site Manager" from the File menu (File -> Site Manager...) and click the "New Site" button in the lower left corner.


In the "Host" field, fill in the IP address and select "FTP – File Transfer Protocol" from the Protocol menu. For the Encryption menu, select "Use Require explicit FTP over TLS if available". Select "Ask for password" from the Login menu, fill in the FTP user in the User field and click "Connect".


Then you will be prompted to enter the password for your FTP user.


As the last step, accept the certificate to establish the connection.


Now you are connected to your FTPS server with SSL/TLS encryption.


Hope this post helps Linux/Unix beginners. Please share your feedback and comments!
