vsftpd is a very popular package for FTP (File Transfer Protocol) but poses a security threat because it transfers vital data like usernames, passwords, etc, in plain text. To eliminate this risk, FTP offers encryption with the help of the SSL and TLS protocols. This article explains how to set up an FTPS server in Linux.
FTP is a standardised network protocol and probably the quickest as well as easiest option available when a large chunk of data is to be transferred from one host to another, over a TCP-based network. FTP defines a client-server architecture that uses two separate well-known ports for data (Port No 20, used for data transfer) and control (Port No 21, used for authentication) connections, in order to establish connectivity between the server and the client.
When it comes to the Linux operating system, the most popular package used to set up an FTP server is vsftpd or very secure FTP daemon. It offers very basic features such as anonymous enabling/disabling, local enabling/disabling and chroot jail for the users. But, when looked at from the security perspective, vsftpd has very few features to offer.
Whenever the file transfer is initiated, all the data, including user credentials and passwords, get transferred in an unencrypted format, as plain text, which is considered to be very risky in any public network.
As a security measure, we have two options that offer secure file transfer capabilities, which are SFTP and FTPS. SFTP uses an SSH connection to run file transfers over a secure channel, while FTPS uses cryptographic protocols such as SSL (Secure Socket Layer) and TLS (Transport Layer Security). This article elaborates on the SFTP protocol in order to set up a secure FTP server using SSL certificates.
Installation of the required packages
To install openssl and vsftpd in Debian-based systems,
you can run:
sudo apt-get install vsftpd sudo apt-get install openssl
In Red Hat Linux-based systems, you can run:
yum install vsftpd yum install openssl
Generating the SSL certificate and RSA key file
This step involves creating a SSL certificate file (rsa_cert_file) and RSA key file (rsa_private_key_file) that will be used by vsftpd for data encryption purposes. It is very important to set the paths of both these files, as those must be mentioned in the vsftpd configuration file (Red Hat -/etc/vsftpd/vsftpd.conf and Debian – /etc/vsftpd.conf) in the rsa_cert_file and rsa_private_key_file variables. By default (in RHEL), the rsa_cert_file will point to /usr/share/ssl/certs/vsftpd.pem.
For our convenience, lets put the certificate and the key in the same file, and store that file as /etc/vsftpd/vsftpd.pem.
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout \ /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Once the above command is executed, you will be asked to provide some basic information. The output will be very similar to:
Generating a 1024 bit RSA private key ....................................................++++++ ........++++++ writing new private key to /etc/vsftpd/vsftpd.pem ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ., the field will be left blank. ----- Country Name (2 letter code) [XX]:IN State or Province Name (full name) []:Maharashtra Locality Name (eg, city) [Default City]:Pune Organization Name (eg, company) [Default Company Ltd]:MyTestOrganizationLtd Organizational Unit Name (eg, section) []:Information Technology Common Name (eg, your name or your servers hostname) []:My Test FTP Server Email Address []:mandar.shinde2007@gmail.com
The vsftpd configuration part
After generating the SSL certificate, we need to instruct vsftpd to use that SSL certificate to carry out the encryption process. Just like many services, vsftpd has its own configuration file, vsftpd.conf, which is located in /etc/vsftpd/vsftpd.conf for Red Hat-based systems and /etc/vsftpd.conf in Debian-based systems.
Now, let us edit the configuration file as per our requirements. You might need to find out the lines, or add them if they do not pre-exist.
Step 1: Turn on SSL
We would like to enable encryption not only for data transfer, but also for authentication process. For this, you can edit following lines as:
ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES
Step 2: Mention the certificate and key file location.
rsa_cert_file=/etc/vsftpd/vsftpd.pem rsa_private_key_file=/etc/vsftpd/vsftpd.pem
Step 3: Enable TLS
TLS is considered to be more secure than SSL so we would definitely like to use it whenever required.
ssl_sslv2=YES ssl_sslv3=YES
Step 4: This includes other basic configurations
To allow all the local users added to the system to use FTP service, edit the following line:
local_enable=YES
To prevent anonymous logins, edit the following line:
anonymous_enable=NO
To accept FTP write commands, edit the following line:
write_enable=YES
With this setting, only a local user can access the FTP server and can issue write commands. But if you want to preserve the individuality of the users and their contents, you can set up a chroot jail for the users, so that users are bound to work in their home directories and are not permitted to access any files outside them.
chroot_local_user=YES
To enable logging of the transfers carried out, edit the following lines:
xferlog_enable=YES xferlog_std_format=YES xferlog_file=/var/log/ftp/xferlog
Add the vsftpd service to start up
With the configuration done, you will have to restart the service so that the changes incorporated can take effect:
service vsftpd restart
By default, after a fresh installation of any package, the service associated with that package is disabled on every run level. This indicates that you will have to manually restart the service after the operating system switches from one run level to another. In simple words, after every reboot or system startup, you will have to start the service manually.
You can verify this by issuing the chkconfig command
as follows:
chkconfig --list vsftpd
The output is:
$ chkconfig --list vsftpd vsftpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
To overcome this and to configure the service to start automatically, you can use:
chkconfig vsftpd on
To confirm, run the command given below:
$ chkconfig --list vsftpd vsftpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Adding FTP users
Now, your FTP server is ready to used and you can add users who can access it. Adding FTP users is very similar to adding users in the operating system, using the useradd command. With this, every user will get a separate home directory and with the chroot jail activated, users will be forced to work within their home directories.
To add the user mandar, simply run:
useradd mandar
To set the password for mandar, use the passwd command as follows:
passwd mandar
You will have to mention the new password and confirm it once:
Changing password for user mandar. New password: Retype new password: passwd: all authentication tokens updated successfully.
Now, the user mandar will be able to use the FTPS services with any FTP client that supports SSL/TLS, such as FileZilla. In order to access the FTPS server through browsers, you may require to install some add-ons like fireFTP.
You can limit access to the FTPS server, but allow people to use FTPS services at the same time, by changing their shell to /sbin/nologin. Further, you can set a password policy for the users (/etc/pam.d/system-auth) to make them select a strong password and change it regularly (chage command).
“This article elaborates on the SFTP protocol in order to set up a secure FTP server using SSL certificates.”
You are elaborating FTPS and not SFTP. Confusing beginning of article. Kindly confirm.
Step 3 “Enable TLS ” enables old versions of SSL and does not use TLS.
This is bad:
ssl_sslv2=YES
ssl_sslv3=YES
Step 3: “Enable TLS” claims that it enables TLS. It does not; the settings allow old versions of SSL.