In this article, we are going to discuss how to secure a Linux FTP server (vsftpd) using SSL/TLS encryption. In one of my previous articles I already explained how to configure a Linux FTP server (vsftpd). The port number used by the Secure FTP Server is 22.
Follow the steps below to secure the Linux FTP server (vsftpd) using SSL/TLS encryption:
Step: 1 Install Required Packages
We need to install two packages to configure the Linux FTP server (vsftpd) with SSL/TLS encryption. The packages are:
- vsftpd
- mod_ssl
So let’s install the packages one by one.
- Installing vsftpd Package
[root@localhost ~]# yum -y install vsftpd # Installing vsftpd Package
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: centos-hcm.viettelidc.com.vn
 * extras: centos-hcm.viettelidc.com.vn
 * updates: centos.excellmedia.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package vsftpd.x86_64 0:2.2.2-24.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch          Version               Repository      Size
================================================================================
Installing:
 vsftpd         x86_64        2.2.2-24.el6          base            156 k

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 156 k
Installed size: 340 k
Downloading Packages:
vsftpd-2.2.2-24.el6.x86_64.rpm                           | 156 kB     00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : vsftpd-2.2.2-24.el6.x86_64                                  1/1
  Verifying  : vsftpd-2.2.2-24.el6.x86_64                                  1/1

Installed:
  vsftpd.x86_64 0:2.2.2-24.el6

Complete!
- Installing the mod_ssl Package.
[root@localhost ~]# yum -y install mod_ssl # Installing mod_ssl Package
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: centos-hcm.viettelidc.com.vn
 * extras: centos-hcm.viettelidc.com.vn
 * updates: centos.excellmedia.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.2.15-59.el6.centos will be installed
--> Processing Dependency: httpd = 2.2.15-59.el6.centos for package: 1:mod_ssl-2.2.15-59.el6.centos.x86_64
--> Running transaction check
---> Package httpd.x86_64 0:2.2.15-29.el6.centos will be updated
---> Package httpd.x86_64 0:2.2.15-59.el6.centos will be an update
--> Processing Dependency: httpd-tools = 2.2.15-59.el6.centos for package: httpd-2.2.15-59.el6.centos.x86_64
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.2.15-29.el6.centos will be updated
---> Package httpd-tools.x86_64 0:2.2.15-59.el6.centos will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch      Version                      Repository    Size
================================================================================
Installing:
 mod_ssl        x86_64    1:2.2.15-59.el6.centos       base          97 k
Updating for dependencies:
 httpd          x86_64    2.2.15-59.el6.centos         base         834 k
 httpd-tools    x86_64    2.2.15-59.el6.centos         base          79 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       2 Package(s)

Total download size: 1.0 M
Downloading Packages:
(1/3): httpd-2.2.15-59.el6.centos.x86_64.rpm             | 834 kB     00:02
(2/3): httpd-tools-2.2.15-59.el6.centos.x86_64.rpm       |  79 kB     00:00
(3/3): mod_ssl-2.2.15-59.el6.centos.x86_64.rpm           |  97 kB     00:00
--------------------------------------------------------------------------------
Total                                           291 kB/s | 1.0 MB     00:03
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : httpd-tools-2.2.15-59.el6.centos.x86_64                     1/5
  Updating   : httpd-2.2.15-59.el6.centos.x86_64                           2/5
  Installing : 1:mod_ssl-2.2.15-59.el6.centos.x86_64                       3/5
  Cleanup    : httpd-2.2.15-29.el6.centos.x86_64                           4/5
  Cleanup    : httpd-tools-2.2.15-29.el6.centos.x86_64                     5/5
  Verifying  : httpd-tools-2.2.15-59.el6.centos.x86_64                     1/5
  Verifying  : httpd-2.2.15-59.el6.centos.x86_64                           2/5
  Verifying  : 1:mod_ssl-2.2.15-59.el6.centos.x86_64                       3/5
  Verifying  : httpd-2.2.15-29.el6.centos.x86_64                           4/5
  Verifying  : httpd-tools-2.2.15-29.el6.centos.x86_64                     5/5

Installed:
  mod_ssl.x86_64 1:2.2.15-59.el6.centos

Dependency Updated:
  httpd.x86_64 0:2.2.15-59.el6.centos    httpd-tools.x86_64 0:2.2.15-59.el6.centos

Complete!
You can confirm the installed packages with the rpm -qa command. Refer to the sample output below.
[root@localhost ~]# rpm -qa | grep vsftpd # Confirm the Vsftpd Package Installation
vsftpd-2.2.2-24.el6.x86_64
[root@localhost ~]# rpm -qa | grep mod_ssl # Confirm the mod_ssl Package Installation
mod_ssl-2.2.15-59.el6.centos.x86_64
To check the configuration files and directory paths of mod_ssl, use rpm -ql mod_ssl.
Sample output:
[root@localhost ~]# rpm -ql mod_ssl # Checking Configuration Files and Directories Path
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
Start the vsftpd service using the command below.
[root@localhost ~]# /etc/init.d/vsftpd start # Start the Vsftpd Server Service
Starting vsftpd for vsftpd:                                [  OK  ]
Enable the vsftpd service at startup using the command below.
[root@localhost ~]# chkconfig --level 35 vsftpd on # Start the Vsftpd Linux FTP Service at Startup
[root@localhost ~]# chkconfig --list vsftpd
vsftpd          0:off   1:off   2:off   3:on    4:off   5:on    6:off
Step: 2 Generate Certificates for Linux FTP Server (Vsftpd Server)
We have to generate a .pem certificate to secure the vsftpd Linux FTP server. PEM stands for Privacy Enhanced Mail; it is a container format that can hold several certificates and keys in one file (e.g. the public certificate and the private key). To generate the .pem file we use the openssl command. Refer to the command below to generate the .pem certificate. Here I am generating a certificate named itsmarttricks.pem.
During certificate creation it will ask for the details below:
- Country Name
- State Name
- City
- Organization Name
- Email Address, etc.
So enter valid details to generate the .pem certificate.
[root@localhost ~]# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout itsmarttricks.pem -out itsmarttricks.pem
Generating a 1024 bit RSA private key
...++++++
...++++++
writing new private key to 'itsmarttricks.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:itsmarttricks
Organizational Unit Name (eg, section) []:Internet Marketing
Common Name (eg, your name or your server's hostname) []:itsmarttricks
Email Address []:admin@itsmarttricks.com
The generated certificate file is stored in the current directory where you ran the openssl command. As you can see below, I created the certificate in root's home directory. Refer to the sample output below.
[root@localhost ~]# ls
anaconda-ks.cfg  Documents  itsmarttricks.pem  install.log.syslog  Pictures  Templates
Desktop          Downloads  install.log        Music               Public    Videos
Once the certificate is generated, copy the certificate file to the /etc/vsftpd directory. Refer to the command below.
[root@localhost ~]# cp itsmarttricks.pem /etc/vsftpd/ # Copy the Certificate File
Step: 3 Configure the main configuration file of the vsftpd server (/etc/vsftpd/vsftpd.conf)
Before enabling the SSL configuration for the vsftpd server, let's do some basic settings. Note that vsftpd treats everything after the = as the directive's value, so comments must go on their own lines rather than after a value. Refer to the sample below.
[root@localhost ~]# nano /etc/vsftpd/vsftpd.conf
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# Disable anonymous login
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# Enable local user login
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
# Enable write commands (upload, delete, rename)
write_enable=YES
Save the configuration file after making the above changes and restart the vsftpd server.
[root@localhost ~]# /etc/init.d/vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
Step : 4 Enable SSL Encryption Support for Vsftpd Linux FTP Server
To enable SSL encryption support for the vsftpd server, edit the main configuration file, /etc/vsftpd/vsftpd.conf, go to the end of the file and enter the lines below.
[root@localhost ~]# nano /etc/vsftpd/vsftpd.conf
###SSL Support for Vsftpd###
# Enable SSL/TLS encryption for the vsftpd Linux FTP server
ssl_enable=YES
# Enable TLS version 1
ssl_tlsv1=YES
# Disable the obsolete SSLv2 and SSLv3 protocols
ssl_sslv2=NO
ssl_sslv3=NO
# Path to the certificate file
rsa_cert_file=/etc/vsftpd/itsmarttricks.pem
# Path to the private key file (the same PEM holds both)
rsa_private_key_file=/etc/vsftpd/itsmarttricks.pem
# Force local users to log in over SSL/TLS
force_local_logins_ssl=YES
# Force SSL/TLS on the data connection (uploads and downloads)
force_local_data_ssl=YES
After all the above changes, restart the vsftpd service using the command below.
[root@localhost ~]# /etc/init.d/vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
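The following script is an added example, not part of the original article or of vsftpd: it audits a vsftpd.conf and the PEM file it references against the settings from Step 2 to Step 4. It assumes vsftpd's one-directive-per-line key=value syntax and builds its own constructed sample files, so it runs as-is and can then be pointed at /etc/vsftpd/vsftpd.conf.

```shell
# Added example (not from the original article): audit a vsftpd.conf and the PEM
# it references against the settings from Step 2 to Step 4. Returns 0 if compliant.
# Directive values the article sets (constructed list, one key=value per line).
EXPECTED='anonymous_enable=NO
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
force_local_logins_ssl=YES
force_local_data_ssl=YES'

# Effective value of one directive (last uncommented line wins). vsftpd takes the
# whole rest of the line as the value, so an inline comment shows up as a deviation.
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)/\1/p" "$1" | tail -n 1
}

# The PEM from Step 2 holds both the certificate and the private key, so it
# must exist, contain both blocks, and not be readable by group or others.
check_pem() {
    [ -f "$1" ] || { echo "MISSING PEM: $1"; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1" ||
        { echo "INCOMPLETE PEM: $1"; return 1; }
    [ -z "$(find "$1" -perm -044)" ] || { echo "PEM READABLE BY OTHERS: $1"; return 1; }
}

# Audit one config file: print every deviation, return 1 if there was any.
check_vsftpd_ssl() {
    conf="$1"; rc=0
    for pair in $EXPECTED; do
        key="${pair%%=*}"; want="${pair#*=}"; have="$(vsftpd_get "$conf" "$key")"
        [ "$have" = "$want" ] || { echo "BAD: $key=${have:-<unset>} (want $want)"; rc=1; }
    done
    for key in rsa_cert_file rsa_private_key_file; do
        check_pem "$(vsftpd_get "$conf" "$key")" || rc=1
    done
    return $rc
}

# Constructed sample inputs so the script runs stand-alone (not real server files).
PEM=$(mktemp); GOOD=$(mktemp); BAD=$(mktemp)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' '<constructed placeholder>' '-----END PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' '<constructed placeholder>' '-----END CERTIFICATE-----' > "$PEM"
printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' 'ssl_enable=YES' 'ssl_tlsv1=YES' \
    'ssl_sslv2=NO' 'ssl_sslv3=NO' "rsa_cert_file=$PEM" "rsa_private_key_file=$PEM" \
    'force_local_logins_ssl=YES' 'force_local_data_ssl=YES' > "$GOOD"
printf '%s\n' 'anonymous_enable=NO # inline comment' 'ssl_enable=YES' 'ssl_sslv3=YES' > "$BAD"
check_vsftpd_ssl "$GOOD" && echo "OK: $GOOD"
check_vsftpd_ssl "$BAD" || echo "FAIL: $BAD"
```

Run it as root against the live file with `check_vsftpd_ssl /etc/vsftpd/vsftpd.conf` after the restart; a non-zero exit means a directive or the PEM file still deviates from the settings above.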
Now stop the iptables service using the command below.
[root@localhost ~]# /etc/init.d/iptables stop
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]
We are done with all the required configuration. Now it's time for testing. Since we enabled SSL/TLS encryption for the vsftpd server, we cannot access the FTP server without SSL, i.e. over plain FTP. I tried to do so and got the error below.
[root@localhost ~]# ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): helpdesk
530 Non-anonymous sessions must use encryption.
Login failed.
To access the secured vsftpd server we have a tool in Linux, i.e. sftp. So let's access the vsftpd server using the sftp command.
[root@localhost ~]# sftp helpdesk@localhost
Connecting to localhost...
helpdesk@localhost's password:
sftp>
As you can see in the output above, we successfully logged in to the vsftpd Linux FTP server using the SSL encryption certificate.
There is also a third-party tool available with which we can access the vsftpd server, i.e. FileZilla. First, access the FTP server without SSL encryption using FileZilla.
Now try to log in to the vsftpd server using the SSL certificate.
Accept the SSL Certificate by pressing OK.
Now you have successfully connected to the vsftpd Linux FTP server.
That's all. In this article, we have explained how to secure a Linux FTP server (vsftpd) using SSL/TLS encryption. I hope you enjoyed this article. If you liked it, please share it. If you have any questions about this article, please comment.