The Complete Magazine on Open Source

Set Up an FTPS Server in Linux

SHARE
/ 286 0
File Transfer
vsftpd is a very popular package for FTP (File Transfer Protocol) but poses a security threat because it transfers vital data like usernames, passwords, etc, in plain text. To eliminate this risk, FTP offers encryption with the help of the SSL and TLS protocols. This article explains how to set up an FTPS server in Linux.

FTP is a standardised network protocol and probably the quickest as well as easiest option available when a large chunk of data is to be transferred from one host to another, over a TCP-based network. FTP defines a client-server architecture that uses two separate well-known ports for data (Port No 20, used for data transfer) and control (Port No 21, used for authentication) connections, in order to establish connectivity between the server and the client.
When it comes to the Linux operating system, the most popular package used to set up an FTP server is vsftpd or ‘very secure FTP daemon’. It offers very basic features such as anonymous enabling/disabling, local enabling/disabling and chroot jail for the users. But, when looked at from the security perspective, vsftpd has very few features to offer. Whenever the file transfer is initiated, all the data, including user credentials and passwords, get transferred in an unencrypted format, as plain text, which is considered to be very risky in any public network.
As a security measure, we have two options that offer secure file transfer capabilities, which are SFTP and FTPS. SFTP uses an SSH connection to run file transfers over a secure channel, while FTPS uses cryptographic protocols such as SSL (Secure Socket Layer) and TLS (Transport Layer Security). This article elaborates on the SFTP protocol in order to set up a secure FTP server using SSL certificates.

Installation of the required packages
To install openssl and vsftpd in Debian-based systems,
you can run:

sudo apt-get install vsftpd
sudo apt-get install openssl

In Red Hat Linux-based systems, you can run:

yum install vsftpd
yum install openssl

Generating the SSL certificate and RSA key file
This step involves creating a SSL certificate file (rsa_cert_file) and RSA key file (rsa_private_key_file) that will be used by vsftpd for data encryption purposes. It is very important to set the paths of both these files, as those must be mentioned in the vsftpd configuration file (Red Hat -/etc/vsftpd/vsftpd.conf and Debian – /etc/vsftpd.conf) in the rsa_cert_file and rsa_private_key_file variables. By default (in RHEL), the rsa_cert_file will point to /usr/share/ssl/certs/vsftpd.pem.
For our convenience, let’s put the certificate and the key in the same file, and store that file as /etc/vsftpd/vsftpd.pem.

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout \
/etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

Once the above command is executed, you will be asked to provide some basic information. The output will be very similar to:

Generating a 1024 bit RSA private key
....................................................++++++
........++++++
writing new private key to ‘/etc/vsftpd/vsftpd.pem’
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) [Default City]:Pune
Organization Name (eg, company) [Default Company Ltd]:MyTestOrganizationLtd
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server’s hostname) []:My Test FTP Server
Email Address []:[email protected]

The vsftpd configuration part
After generating the SSL certificate, we need to instruct vsftpd to use that SSL certificate to carry out the encryption process. Just like many services, vsftpd has its own configuration file, vsftpd.conf, which is located in /etc/vsftpd/vsftpd.conf for Red Hat-based systems and /etc/vsftpd.conf in Debian-based systems.
Now, let us edit the configuration file as per our requirements. You might need to find out the lines, or add them if they do not pre-exist.
Step 1: Turn on SSL.
We would like to enable encryption not only for data transfer, but also for authentication process. For this, you can edit following lines as:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

Step 2: Mention the certificate and key file location.

rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem

Step 3: Enable TLS. TLS is considered to be more secure than SSL so we would definitely like to use it whenever required.

ssl_sslv2=YES
ssl_sslv3=YES

Step 4: This includes other basic configurations. To allow all the local users added to the system to use FTP service, edit the following line:

local_enable=YES

To prevent anonymous logins, edit the following line:

anonymous_enable=NO

To accept FTP write commands, edit the following line:

write_enable=YES

With this setting, only a local user can access the FTP server and can issue write commands. But if you want to preserve the individuality of the users and their contents, you can set up a chroot jail for the users, so that users are bound to work in their home directories and are not permitted to access any files outside them.

chroot_local_user=YES

To enable logging of the transfers carried out, edit the following lines:

xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/var/log/ftp/xferlog

Add the vsftpd service to start up
With the configuration done, you will have to restart the service so that the changes incorporated can take effect:

service vsftpd restart

By default, after a fresh installation of any package, the service associated with that package is disabled on every run level. This indicates that you will have to manually restart the service after the operating system switches from one run level to another. In simple words, after every reboot or system startup, you will have to start the service manually.
You can verify this by issuing the chkconfig command
as follows:

chkconfig --list vsftpd

The output is:

$ chkconfig --list vsftpd
vsftpd   0:off  1:off  2:off  3:off  4:off  5:off   6:off

To overcome this and to configure the service to start automatically, you can use:

chkconfig vsftpd on

To confirm, run the command given below:

$ chkconfig --list vsftpd
vsftpd  0:off   1:off   2:on    3:on    4:on    5:on    6:off

Adding FTP users
Now, your FTP server is ready to used and you can add users who can access it. Adding FTP users is very similar to adding users in the operating system, using the useradd command. With this, every user will get a separate home directory and with the chroot jail activated, users will be forced to work within their home directories.
To add the user ‘mandar’, simply run:

useradd mandar

To set the password for ‘mandar’, use the passwd command as follows:

passwd mandar

You will have to mention the new password and confirm it once:

Changing password for user mandar.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Now, the user ‘mandar’ will be able to use the FTPS services with any FTP client that supports SSL/TLS, such as FileZilla. In order to access the FTPS server through browsers, you may require to install some add-ons like ‘fireFTP’.
You can limit access to the FTPS server, but allow people to use FTPS services at the same time, by changing their shell to /sbin/nologin.  Further, you can set a password policy for the users (/etc/pam.d/system-auth) to make them select a strong password and change it regularly (chage command).