'vsftpd' is a very popular FTP server package, but with plain FTP it poses a security threat because it transfers usernames, passwords, etc. in plain text. In this article I will explain how FTP can be encrypted with the help of the SSL and TLS protocols.
FTP defines a client-server architecture that uses two ports to establish connectivity between the server and the client:
1. Port 20: data transfer
2. Port 21: authentication (control) connections
As a security measure we have two options that offer secure file transfer: SFTP and FTPS.
SFTP runs file transfers over an SSH connection, while FTPS uses the cryptographic protocols SSL (Secure Sockets Layer) and TLS (Transport Layer Security).
Here I will elaborate on FTPS, setting up a secure FTP server with an SSL certificate.
Environment: CentOS 6.6/Redhat 6.6 (x86_64)
Packages : vsftpd-2.2.2-12.el6_5.1.i686 / openssl-1.0.1e-30.el6.i686
Install openssl and vsftpd with your distribution's package manager:
sudo apt-get install vsftpd openssl -> Debian/Ubuntu
yum install vsftpd openssl -> Red Hat/CentOS
zypper install vsftpd openssl -> SuSE
For data encryption we need to create an SSL certificate (rsa_cert_file) and an RSA key file (rsa_private_key_file), which 'vsftpd' references in its configuration file (/etc/vsftpd/vsftpd.conf).
[root@centnode1]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Generating a 2048 bit RSA private key
writing new private key to '/etc/vsftpd/vsftpd.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) :Karnataka
Locality Name (eg, city) [Default City]:Bangalore
Organization Name (eg, company) [Default Company Ltd]:testlabs
Organizational Unit Name (eg, section) :OperatingSystems
Common Name (eg, your name or your server's hostname) :centnode1
Email Address :email@example.com
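The command above answers the DN questions interactively and writes the key and the certificate into the same file. As an added example (not part of the original article), the script below does the same thing non-interactively and then checks the result before vsftpd is pointed at it: that the key and certificate belong together, that the CN is the server name, that the certificate has not expired, and that the file (which contains the private key) is not world-readable. It assumes the openssl command-line tool is installed; the directory argument stands in for /etc/vsftpd.

```shell
#!/bin/sh
# Added example, not from the original article: generate the vsftpd certificate
# non-interactively and verify it before pointing vsftpd at it.
# Assumes the openssl CLI is installed; DIR is a placeholder for /etc/vsftpd.

# make_vsftpd_cert DIR DAYS CN
# Same command as the article, with the DN prompts answered through -subj.
# Key and certificate land in one file (DIR/vsftpd.pem), as in the article.
make_vsftpd_cert() {
    dir=$1; days=$2; cn=$3
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/C=IN/ST=Karnataka/L=Bangalore/O=testlabs/OU=OperatingSystems/CN=$cn" \
        -keyout "$dir/vsftpd.pem" -out "$dir/vsftpd.pem" 2>/dev/null || return 1
    chmod 600 "$dir/vsftpd.pem"   # the file holds the private key: keep it root-only
}

# file_mode FILE -> octal permission bits (GNU stat first, BSD stat as fallback)
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_vsftpd_cert FILE CN
# Returns 0 only when the PEM holds a private key and a certificate that belong
# together, the certificate's CN is CN, it is currently valid, and the file
# is not readable by other users; returns 1 otherwise.
check_vsftpd_cert() {
    pem=$1; cn=$2
    key_mod=$(openssl rsa -noout -modulus -in "$pem" 2>/dev/null) || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$pem" 2>/dev/null) || return 1
    [ "$key_mod" = "$cert_mod" ] || return 1                             # key matches cert
    openssl x509 -noout -subject -in "$pem" | grep -q "CN *= *$cn\$" || return 1
    openssl x509 -noout -checkend 0 -in "$pem" >/dev/null || return 1   # not expired
    case $(file_mode "$pem") in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}
```

Run it as `make_vsftpd_cert /etc/vsftpd 365 centnode1 && check_vsftpd_cert /etc/vsftpd/vsftpd.pem centnode1`; a non-zero exit means the file should not be handed to vsftpd as it stands. The modulus comparison is what catches a stale key left over from an earlier run, the most common reason an FTPS server fails to start after a certificate is regenerated.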
We need to instruct vsftpd to use that SSL certificate to encrypt both the data and the authentication (control) connections:
[root@centnode1]# vi /etc/vsftpd/vsftpd.conf
#Turn on SSL
ssl_enable=YES
#Mention the certificate and key file location (one file holds both here)
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
#Enable TLS as it is more secure than SSL (vsftpd leaves SSLv2/SSLv3 off by default)
ssl_tlsv1=YES
#allow local users added to the system to use FTP
local_enable=YES
#Prevent anonymous logins
anonymous_enable=NO
#accept FTP write command
write_enable=YES
Start or restart 'vsftpd' for the change to take effect and make sure it starts at boot time.
[root@centnode1]# service vsftpd start
[root@centnode1]# chkconfig vsftpd on
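Before restarting it is worth checking that the configuration really enforces what the comments promise, because a typo in a directive name is silently ignored by vsftpd and the server then happily accepts plaintext logins. The audit script below is an added example, not part of the original article: it reads a vsftpd.conf, judges each directive against the value the article wants (using vsftpd's built-in default when a key is left unset), and checks that the certificate path points at an existing file. The directive names and defaults are the standard ones from vsftpd.conf(5); the sample configuration written by `demo_audit` is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a vsftpd.conf for the
# settings the article relies on. Directive names and defaults are the standard
# ones from vsftpd.conf(5); the sample configuration below is constructed.

# conf_value FILE KEY -> effective value of KEY (last occurrence wins, comment
# lines are ignored); prints nothing when the key is absent.
# Values are compared as written; the article uses YES/NO.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# audit_vsftpd_conf FILE
# Prints one line per finding and returns the number of findings (0 = clean).
# Each entry is key:expected:builtin-default, so a key left unset is judged by
# the value vsftpd would use in that case.
audit_vsftpd_conf() {
    f=$1; findings=0
    for entry in ssl_enable:YES:NO ssl_sslv2:NO:NO ssl_sslv3:NO:NO ssl_tlsv1:YES:YES \
                 force_local_logins_ssl:YES:YES force_local_data_ssl:YES:YES \
                 anonymous_enable:NO:YES local_enable:YES:NO chroot_local_user:YES:NO; do
        key=${entry%%:*}; rest=${entry#*:}; want=${rest%%:*}; def=${rest#*:}
        got=$(conf_value "$f" "$key")
        if [ "${got:-$def}" != "$want" ]; then
            shown=${got:-unset}
            echo "$key is $shown (default $def), expected $want"
            findings=$((findings + 1))
        fi
    done
    # the certificate directive must be set and point at a file that exists;
    # rsa_private_key_file may be omitted (vsftpd then reads the key from rsa_cert_file)
    cert=$(conf_value "$f" rsa_cert_file)
    if [ -z "$cert" ]; then
        echo "rsa_cert_file is not set"; findings=$((findings + 1))
    elif [ ! -f "$cert" ]; then
        echo "rsa_cert_file points at missing file $cert"; findings=$((findings + 1))
    fi
    key=$(conf_value "$f" rsa_private_key_file)
    if [ -n "$key" ] && [ ! -f "$key" ]; then
        echo "rsa_private_key_file points at missing file $key"; findings=$((findings + 1))
    fi
    return $findings
}

# demo_audit: write the article's configuration (constructed here, with a
# stand-in certificate file) and audit it; returns the number of findings.
demo_audit() {
    tmp=$(mktemp -d)
    : > "$tmp/vsftpd.pem"                     # stands in for the real certificate
    cat > "$tmp/vsftpd.conf" <<EOF
ssl_enable=YES
rsa_cert_file=$tmp/vsftpd.pem
rsa_private_key_file=$tmp/vsftpd.pem
ssl_tlsv1=YES
local_enable=YES
anonymous_enable=NO
write_enable=YES
chroot_local_user=YES
EOF
    rc=0
    audit_vsftpd_conf "$tmp/vsftpd.conf" || rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_audit && echo "sample configuration: no findings"
```

On a real host run `audit_vsftpd_conf /etc/vsftpd/vsftpd.conf` as root before `service vsftpd restart`; the exit status is the number of findings, so it drops straight into a deployment script. `chroot_local_user=YES` is included because the article relies on the chroot jail for the users it creates later, and that jail is not active until the directive is set.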
Now your FTP server is ready and you can add the users who will access it. Every user gets a separate home directory, and with the chroot jail activated users are confined to their home directories.
[root@centnode1 ~]# useradd ftpuser
[root@centnode1 ~]# passwd ftpuser
Test your SSL connection to 'vsftpd'.
When you first try to connect using plain FTP, the login must fail with a demand for encryption:
[root@centnode1 ~]# ftp 192.168.229.130
Connected to 192.168.229.130 (192.168.229.130).
220 (vsFTPd 2.2.2)
Name (192.168.229.130:root): ftpuser
530 Non-anonymous sessions must use encryption. <<<=====================
Create a few files in the 'ftpuser' home directory and list them using 'curl':
[root@centnode1 ~]# curl --ftp-ssl --insecure --user ftpuser:password ftp://ftpserver
-rw-rw-r-- 1 500 500 0 Mar 13 06:15 ftptestfile
--ftp-ssl: tells curl to use FTPS (TLS on the FTP connection)
--insecure: tells curl not to verify the server's SSL certificate and just connect
--user: specifies the username and password
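Two of those flags deserve a second look: `--ftp-ssl` only tries TLS and falls back to plaintext if the server does not offer it, and `--insecure` means the client will talk to anyone presenting any certificate. The script below is an added example, not part of the original article, showing the same two checks (plaintext login refused, TLS listing works) with the stricter curl options: `--ssl-reqd` so the transfer fails rather than falling back, and `--cacert` so the self-signed certificate generated earlier is verified instead of ignored. It assumes curl is installed and that the server's /etc/vsftpd/vsftpd.pem has been copied to the client as vsftpd.pem; the host name used must match the certificate's CN.

```shell
#!/bin/sh
# Added example, not part of the original article: client-side checks for the
# finished server. Assumes curl is installed and that the server's
# /etc/vsftpd/vsftpd.pem has been copied to the client as ./vsftpd.pem so the
# self-signed certificate can be verified rather than skipped with --insecure.

# encryption_required TRANSCRIPT
# Returns 0 when a plaintext login transcript contains the 530 refusal the
# article expects from vsftpd (the effect of force_local_logins_ssl=YES).
encryption_required() {
    printf '%s\n' "$1" | grep -q '^530 .*encryption'
}

# plain_ftp_transcript HOST USER
# Tries a plain-FTP login and returns the server's replies, one per line.
# A dummy password is sent on purpose: the real one must never cross the wire
# in the clear, and a correctly configured server refuses at the USER step.
plain_ftp_transcript() {
    curl -s -v --user "$2:x" "ftp://$1/" 2>&1 | sed -n 's/^< //p'
}

# ftps_list HOST USER PASSWORD CACERT
# Lists the home directory over TLS. --ssl-reqd fails instead of falling back
# to plaintext (the article's --ftp-ssl merely tries TLS), and --cacert pins
# the server's certificate; HOST must equal the certificate's CN.
ftps_list() {
    curl -sS --ssl-reqd --cacert "$4" --user "$2:$3" "ftp://$1/"
}

# check_ftps_server HOST USER PASSWORD CACERT -> 0 when both checks pass
check_ftps_server() {
    transcript=$(plain_ftp_transcript "$1" "$2")
    if encryption_required "$transcript"; then
        echo "plain FTP login correctly refused"
    else
        echo "plain FTP login was NOT refused:"; echo "$transcript"; return 1
    fi
    ftps_list "$1" "$2" "$3" "$4" || { echo "FTPS listing failed"; return 1; }
}

# Constructed transcript mirroring the session shown in the article.
SAMPLE_TRANSCRIPT='220 (vsFTPd 2.2.2)
530 Non-anonymous sessions must use encryption.'
```

Usage: `check_ftps_server centnode1 ftpuser 'password' ./vsftpd.pem`. If the listing fails with a certificate error while `--insecure` works, the host name does not match the CN in the certificate (the article's certificate was issued for `centnode1`, so connecting by IP address will be rejected), which is exactly the check you want a real client to perform.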
Now the user 'ftpuser' can use the FTPS service with any FTP client that supports SSL/TLS, such as FileZilla. If you want to restrict such users to FTPS access only, without granting them a shell login, change their shell to /sbin/nologin.
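One detail to watch when doing that: the /etc/pam.d/vsftpd shipped with the CentOS/Red Hat package includes pam_shells, so if the shell you assign is not listed in /etc/shells the FTP login itself is rejected as well. The helper below is an added example, not part of the original article: it makes sure /sbin/nologin is listed (on CentOS it usually already is) and then creates the account the way the article does, with no interactive shell. It must run as root; the shells file is passed as a parameter to the small helpers so they can be exercised without touching the real one.

```shell
#!/bin/sh
# Added example, not part of the original article: create an FTPS-only account.
# Assumes a CentOS/Red Hat layout where /etc/pam.d/vsftpd includes pam_shells,
# so a shell that is not listed in /etc/shells makes the FTP login fail.
# add_ftps_user must run as root.

NOLOGIN=/sbin/nologin

# shell_listed SHELLS_FILE SHELL -> 0 when SHELL appears as a whole line
shell_listed() {
    grep -qx "$2" "$1"
}

# ensure_shell_listed SHELLS_FILE SHELL
# Appends SHELL to SHELLS_FILE only when it is missing, so pam_shells accepts it.
ensure_shell_listed() {
    shell_listed "$1" "$2" || echo "$2" >> "$1"
}

# add_ftps_user NAME
# Creates the account without an interactive shell; the home directory is
# where chroot_local_user=YES confines the session. The password is set
# interactively, as in the article.
add_ftps_user() {
    ensure_shell_listed /etc/shells "$NOLOGIN"
    useradd -s "$NOLOGIN" -m "$1" && passwd "$1"
}
```

Usage: `add_ftps_user ftpuser`. Because the shell is /sbin/nologin, a stolen FTP password cannot be turned into an SSH session on the same host, and the chroot keeps the FTPS session inside the user's home directory.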