Configure vsftpd with SSL/TLS on Centos7/RHEL7/Fedora22

Configure vsftpd with SSL/TLS

In this post, we will configure vsftpd to use TLS/SSL certificates on a Centos7 or RHEL7.

FTP is the standard network protocol used to transfer files between one host (server) and another host (client) over a TCP-based network such as the Internet. It also supports secure connections via SSL/TLS, the same encryption used in fields like online banking and shopping.

vsftpd is a lightweight, GPL-licensed FTP server built with security in mind. Many large sites currently use vsftpd as their FTP server.

Traditional FTP is insecure: when we log in, the username and password are transmitted in clear text. So if you want to share files, you should at least secure the connection with SSL/TLS certificates.

To enable SSL/TLS for vsftpd and use FTPS (FTP over SSL/TLS) connections, the steps are:

1) Configure the FTP server.

In a previous article we have already seen how to configure an FTP server in Linux, along with some tips and tricks on the FTP server. For this article we are using the “gaurav” account to log in to the FTP server; refer to the link below.


2) Generate self-signed certificates.

First, check whether the OpenSSL package is installed; if not, install it with the yum command “yum install openssl -y”.

#rpm -qa openssl (to check whether the package is installed)

[root@server1 ~]# rpm -qa openssl  
[root@server1 ~]#

To operate vsftpd with SSL, the first step is to create an SSL certificate. We will create a subdirectory within the SSL directory to store our files.

#mkdir /etc/ssl/certificates

[root@server1 ~]# mkdir /etc/ssl/certificates 
[root@server1 ~]#

To create the certificate, we use the following command.

#openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/certificates/vsftpd.pem -out /etc/ssl/certificates/vsftpd.pem

[root@server1 ~]# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/certificates/vsftpd.pem -out /etc/ssl/certificates/vsftpd.pem 
Generating a 1024 bit RSA private key 
writing new private key to '/etc/ssl/certificates/vsftpd.pem' 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
Country Name (2 letter code) [XX]:IN 
State or Province Name (full name) []:Himachal 
Locality Name (eg, city) [Default City]:Shimla 
Organization Name (eg, company) [Default Company Ltd]:itcare 
Organizational Unit Name (eg, section) []:IT Troubleshooter 
Common Name (eg, your name or your server's hostname) []:server1 
Email Address [] 
[root@server1 ~]#

Note: You specify a lifetime for the certificate; in our case we set one year (-days 365). After executing the command, it prompts some questions; fill in the answers it asks for. Because -keyout and -out point to the same path, the unencrypted private key and the certificate end up in the same file, which is why the next step restricts its permissions. A 1024-bit RSA key is considered weak today; 2048 bits is the usual minimum for a new key.

Change the permission of vsftpd.pem file.

#chmod 400 <Filename>

[root@server1 ~]# chmod 400 /etc/ssl/certificates/vsftpd.pem  
[root@server1 ~]# ll /etc/ssl/certificates/vsftpd.pem 
-r--------. 1 root root 2015 Oct 15 03:34 /etc/ssl/certificates/vsftpd.pem 
[root@server1 ~]#

3) Configure the vsftpd file with SSL Details.

Edit the vsftpd configuration file, go to the bottom of the file, and add or modify the options as shown below.

#vim /etc/vsftpd/vsftpd.conf

### Add Passive ports  ####
##### TLS/SSL certificates #####
# These values must be adjusted according to your environment
# To allow anonymous users to use SSL
# To force anonymous users to use SSL
# force_anon_data_ssl=YES
# force_anon_logins_ssl=YES
# To force local users to use SSL
# The following option depends on the authentication mode you require
## Add a few more configuration options

Note: In our case we are not using anonymous users, so we put a comment (#) before all the anonymous SSL parameters.
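Added example (not from the original post): a small POSIX-shell audit of a vsftpd.conf for the TLS directives that step 3 is meant to set, reporting anything left weak or missing. Directive names and their defaults are vsftpd's own (from vsftpd.conf(5)); the two sample configs are constructed for the demo and reuse the post's certificate path and passive port range.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for weak or missing TLS settings.
# Directive names/defaults are vsftpd's own; the sample configs are constructed.
# Print the effective value of a directive (last uncommented occurrence).
conf_get() {  # conf_get FILE KEY
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}
# Print one line per weak or missing setting; prints nothing when clean.
audit_vsftpd_tls() {  # audit_vsftpd_tls FILE
    f=$1
    [ "$(conf_get "$f" ssl_enable)" = "YES" ] || echo "ssl_enable is not YES: TLS is off entirely"
    for k in force_local_logins_ssl force_local_data_ssl; do   # default YES
        [ "$(conf_get "$f" $k)" != "NO" ] || echo "$k=NO: local logins/data may fall back to plaintext"
    done
    for k in ssl_sslv2 ssl_sslv3; do                            # default NO
        [ "$(conf_get "$f" $k)" != "YES" ] || echo "$k=YES: obsolete protocol version allowed"
    done
    case "$(conf_get "$f" ssl_ciphers)" in                      # default DES-CBC3-SHA (3DES)
        ""|*DES-CBC3-SHA*) echo "ssl_ciphers unset or 3DES: set a modern suite such as HIGH" ;;
    esac
    for k in pasv_min_port pasv_max_port; do                    # default 0 = any port
        v=$(conf_get "$f" $k)
        [ -n "$v" ] && [ "$v" != 0 ] || echo "$k unset: passive data ports cannot be scoped in the firewall"
    done
}
# Number of findings, as a plain integer on stdout.
audit_count() { audit_vsftpd_tls "$1" | wc -l | tr -d ' '; }
# Two constructed configs: TLS switched on but weakened, and the intended hardened form.
TMP=$(mktemp -d)
WEAK_CONF=$TMP/weak.conf; HARDENED_CONF=$TMP/hardened.conf
cat >"$WEAK_CONF" <<'EOF'
ssl_enable=YES
rsa_cert_file=/etc/ssl/certificates/vsftpd.pem
force_local_logins_ssl=NO
ssl_sslv3=YES
#ssl_sslv2=YES
EOF
cat >"$HARDENED_CONF" <<'EOF'
ssl_enable=YES
rsa_cert_file=/etc/ssl/certificates/vsftpd.pem
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
pasv_min_port=21000
pasv_max_port=21010
EOF
for c in "$WEAK_CONF" "$HARDENED_CONF"; do echo "== $c =="; audit_vsftpd_tls "$c"; done
```

Run it against /etc/vsftpd/vsftpd.conf after editing to confirm no findings remain before restarting the service.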

4) Restart the vsftpd service.

The command shown below restarts the vsftpd service; netstat then confirms it is listening on port 21.

[root@server1 ~]# systemctl restart vsftpd
[root@server1 ~]# netstat -tulpn | grep :21
tcp6       0      0 :::21                   :::*                    LISTEN      4022/vsftpd         
[root@server1 ~]#

5) Allow Passive ports on firewall of the FTP server.

If your firewall service is running, allow the passive port range on it.

[root@server1 ~]# firewall-cmd --permanent --add-port=21000-21010/tcp
[root@server1 ~]# firewall-cmd --reload
[root@server1 ~]#

Connect an FTP client over FTPS from a Linux client system (CLI mode)

1) Install the lftp package.

Use the lftp command to verify whether FTPS works.

#yum -y install lftp

[root@server1 ~]# yum install lftp 
Loaded plugins: fastestmirror 
Loading mirror speeds from cached hostfile 
Resolving Dependencies 
--> Running transaction check 
---> Package lftp.x86_64 0:4.4.8-7.el7 will be installed 
--> Finished Dependency Resolution 
Transaction Summary 
Install  1 Package 
Total download size: 750 k 
Installed size: 2.4 M 
Is this ok [y/d/N]: y

2) Verify if ftps is well configured.

Use the lftp command to verify that FTPS works from the client machine. First, make a file to set some SSL parameters on the client side. Note that "set ssl:verify-certificate no" turns off certificate checking; this is acceptable for testing a self-signed certificate, but it leaves the connection open to interception, so for regular use have the client trust the server's certificate instead.

# vim ~/.lftprc

set ftp:ssl-auth TLS 
set ftp:ssl-force true 
set ftp:ssl-protect-list yes 
set ftp:ssl-protect-data yes 
set ftp:ssl-protect-fxp yes 
set ssl:verify-certificate no  

Now connect to the FTPS server using the lftp command.

[root@client1 ~]# lftp -u gaurav 
lftp> ls 
-rw-r--r--    1 0        0               0 Oct 14 14:37 centos 
-rw-r--r--    1 0        0               0 Oct 14 14:37 debian 
-rw-r--r--    1 0        0               0 Oct 14 14:38 fedora 
-rw-r--r--    1 0        0               0 Oct 14 14:45 redhat 
-rw-r--r--    1 0        0               0 Oct 14 14:45 ubuntu 

Or you can also verify FTPS using the command below.

#lftp -d -u <username> -e 'set ftp:ssl-force true' <IP address of ftps server>

Connect to the vsftpd server with FileZilla from Windows or Linux systems (GUI mode)

1) Open the FileZilla program.

In the FileZilla interface, go to File and click on “Site Manager” (File –> Site Manager...). Click the “New Site” button in the lower left corner.


In the “Host” field, fill in the IP address and select “FTP – File Transfer Protocol” from the Protocol menu. For the Encryption menu, select “Require explicit FTP over TLS”. Select “Ask for password” from the Login menu. In the User field, fill in the FTP user. Then click “Connect”.


Then it will prompt you to enter the password for your FTP user.


Last step: accept the certificate to establish the connection.


Now you are connected to your FTPS server with SSL/TLS encryption.


Hope this post will help Linux/Unix beginners. Please share your feedback and comments!
