The vsftpd FTP server supports secure connections via SSL / TLS, the same encryption used for online banking and shopping. This applies to the control connection (including the login, so the password is not sent in cleartext) and also to the data connections that carry directory listings and file contents. You will need an FTP client with SSL / TLS support too; plain FTP clients cannot speak to a server that enforces it.
Create SSL Certificate
Type the following command to create a self-signed certificate (you can also use a certificate issued by a third-party CA). Answer the Common Name prompt with the hostname your clients will actually connect to. The transcript below uses a 1024-bit key; 1024-bit RSA is no longer considered adequate, so on a real server use rsa:2048 or larger. The output file contains the private key as well as the certificate, so make it readable by root only (mode 0600) before pointing vsftpd at it:
# cd /etc/vsftpd/
# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem
Generating a 1024 bit RSA private key
.......++++++
........................................++++++
writing new private key to '/etc/vsftpd/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Maharashtra
Locality Name (eg, city) [Newbury]:Pune
Organization Name (eg, company) [My Company Ltd]:nixCraft Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ftp.nixcraft.net.in
Email Address []:email@example.com
Edit the vsftpd configuration file, enter:
# vi vsftpd.conf
Add or correct the following configuration options (vsftpd expects option=value with no spaces around the equals sign):
# Turn on SSL / TLS support
ssl_enable=YES
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send the password.
force_local_logins_ssl=YES
# Permit TLS v1 protocol connections. TLS v1 connections are preferred.
ssl_tlsv1=YES
# Do not permit SSL v2 protocol connections (SSL v2 is broken).
ssl_sslv2=NO
# Do not permit SSL v3 protocol connections (SSL v3 is broken).
ssl_sslv3=NO
# Specifies the location of the RSA certificate (and, here, the private key) to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/vsftpd.pem

Restart the ftp server and confirm it is listening on port 21:

# service vsftpd restart
# netstat -tulpn | grep :21

Test SSL Aware FTP Server With ftp-ssl

ftp-ssl is the command-line ftp client built with SSL / TLS (AUTH TLS) support. Install ftp-ssl under Debian / Ubuntu desktop, enter:

$ sudo apt-get update
$ sudo apt-get install ftp-ssl

Sample SSL aware ftp session:

$ ftp-ssl ftp.nixcraft.net.in

Sample output:

Connected to ftp.nixcraft.net.in.
220-NOTICE TO USERS
220-
220-Use of this system constitutes consent to security monitoring and testing.
220-All activity is logged with your host name and IP address.
220
Name (ftp.nixcraft.net.in:sayali): vivek
234 Proceed with negotiation.
[SSL Cipher DES-CBC3-SHA]
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

The "234 Proceed with negotiation" reply shows that the control connection was upgraded to TLS before the password was sent. Note the negotiated cipher: DES-CBC3-SHA is 3DES, which is what vsftpd's default ssl_ciphers setting allows. On a current server add an explicit ssl_ciphers line (for example ssl_ciphers=HIGH) so that 3DES is not offered, and check the negotiated cipher again.
lftp is a file transfer program that supports sophisticated ftp, ftp-ssl, http and other connections to remote hosts. It is packaged for most UNIX / BSD / Linux distributions. Use lftp as follows; the ssl-force setting makes it refuse to continue if the server does not accept AUTH TLS. lftp verifies the server certificate by default (the ssl:verify-certificate setting), so with the self-signed certificate created above either point ssl:ca-file at a copy of the server's certificate or, for a test session only, turn verification off.
$ lftp -u vivek -e 'set ftp:ssl-force true' ftp.nixcraft.net.in
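The steps above (generate the certificate, set the ssl_* options, restart, test the handshake) are easy to get half right: the login gets protected but the data channel does not, SSLv3 is left on, the default 3DES cipher stays in place, or the private key ends up world-readable. The script below is an added example, not code from the original article or from the vsftpd project. It audits a vsftpd.conf for exactly those settings, reports findings, and bundles the corrected certificate command (2048-bit key, mode 0600) and the openssl s_client probe a practitioner runs against the live server. Option names and their defaults (ssl_sslv2 and ssl_sslv3 default to NO, ssl_tlsv1 to YES, ssl_ciphers to DES-CBC3-SHA) are those documented in vsftpd.conf(5); the function names, the two sample configurations and the temporary cert files are constructed for the demo and are not the real /etc/vsftpd layout.

```bash
#!/bin/sh
# Added example (not from the original article): audit a vsftpd.conf for the
# TLS settings configured in this tutorial and flag the weak ones.
# Option names/defaults are from vsftpd.conf(5); paths below are constructed
# temp files, not the real /etc/vsftpd layout.

# Last effective value of option $2 in config $1 (vsftpd takes the last
# occurrence and requires "option=value" with no spaces); empty if unset.
conf_get() {
    grep -E "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2-
}

findings=0
fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

# Audit config $1. Prints one line per finding; returns 0 only if clean.
audit_vsftpd_ssl() {
    conf="$1"; findings=0
    [ "$(conf_get "$conf" ssl_enable)" = "YES" ] \
        || fail "ssl_enable is not YES: TLS is off for every connection"
    [ "$(conf_get "$conf" force_local_logins_ssl)" = "YES" ] \
        || fail "force_local_logins_ssl is not YES: passwords may cross the wire in cleartext"
    [ "$(conf_get "$conf" force_local_data_ssl)" = "YES" ] \
        || fail "force_local_data_ssl is not YES: file contents may cross the wire in cleartext"
    # SSLv2/SSLv3 default to NO; only an explicit YES re-enables them.
    [ "$(conf_get "$conf" ssl_sslv2)" != "YES" ] || fail "ssl_sslv2=YES: SSLv2 is broken"
    [ "$(conf_get "$conf" ssl_sslv3)" != "YES" ] || fail "ssl_sslv3=YES: SSLv3 is broken (POODLE)"
    [ "$(conf_get "$conf" ssl_tlsv1)" != "YES" ] \
        || echo "WARN: ssl_tlsv1=YES keeps TLS 1.0; if your build documents ssl_tlsv1_1/ssl_tlsv1_2, prefer those"
    ciphers="$(conf_get "$conf" ssl_ciphers)"
    case "$ciphers" in
        "") fail "ssl_ciphers unset: vsftpd's default is DES-CBC3-SHA (3DES); set e.g. ssl_ciphers=HIGH" ;;
        # String heuristic only; 'openssl ciphers -v "$ciphers"' expands the list authoritatively.
        *DES-CBC3*|*RC4*) fail "ssl_ciphers allows a weak suite: $ciphers" ;;
    esac
    cert="$(conf_get "$conf" rsa_cert_file)"
    if [ -z "$cert" ]; then
        fail "rsa_cert_file unset"
    elif [ -f "$cert" ]; then
        # The tutorial's openssl command puts the private key in this same
        # file, so the group/other permission bits must all be off (0600).
        others="$(ls -ld "$cert" | cut -c5-10)"
        [ "$others" = "------" ] || fail "$cert is readable by group/other (bits '$others'); chmod 600 it"
    fi
    [ "$findings" -eq 0 ]
}

# Number of FAIL lines the audit produces for config $1.
count_findings() { audit_vsftpd_ssl "$1" | grep -c '^FAIL' || true; }

# The tutorial's certificate command, corrected: 2048-bit key, non-interactive
# subject ($2 = hostname clients connect to), key+cert in $1 readable by root only.
make_cert() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1" -out "$1" 2>/dev/null && chmod 600 "$1"
}

# Live probe of a running server (not run in the demo): does the control channel
# upgrade via AUTH TLS, and which certificate, protocol and cipher come back?
check_tls_handshake() {
    openssl s_client -connect "$1:21" -starttls ftp -servername "$1" </dev/null 2>/dev/null \
        | grep -E 'subject=|issuer=|Protocol|Cipher'
}

# --- demo on two constructed configurations ---
WEAK_CONF="$(mktemp)"; GOOD_CONF="$(mktemp)"
WEAK_CERT="$(mktemp)"; GOOD_CERT="$(mktemp)"
trap 'rm -f "$WEAK_CONF" "$GOOD_CONF" "$WEAK_CERT" "$GOOD_CERT"' EXIT
chmod 644 "$WEAK_CERT"   # world-readable "key file": one of the findings
chmod 600 "$GOOD_CERT"

# Half-finished setup: logins not forced onto TLS, data channel unset,
# SSLv3 re-enabled, default 3DES ciphers, key readable by everyone.
cat >"$WEAK_CONF" <<EOF
ssl_enable=YES
force_local_logins_ssl=NO
ssl_sslv3=YES
rsa_cert_file=$WEAK_CERT
EOF

# The tutorial's settings plus an explicit cipher list and a root-only key file.
cat >"$GOOD_CONF" <<EOF
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
rsa_cert_file=$GOOD_CERT
EOF

for c in "$WEAK_CONF" "$GOOD_CONF"; do
    echo "== $c"
    if audit_vsftpd_ssl "$c"; then echo "clean"; else echo "$findings finding(s)"; fi
done
```

Run it against the real file with `audit_vsftpd_ssl /etc/vsftpd/vsftpd.conf` after sourcing the functions, then `check_tls_handshake ftp.example.com` from another machine: the s_client output should show your certificate's subject and a cipher that is not DES-CBC3-SHA. The WARN about TLS 1.0 is advisory because the per-version options are not present in every vsftpd build; confirm with `man 5 vsftpd.conf` before adding them.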
List of SSL Aware FTP Clients
- lftp UNIX / Linux client is also an SSL aware client. It needs to be compiled with OpenSSL (configure --with-openssl); distribution packages normally are.
- WinSCP FTP / SFTP / SCP client
- FireFTP: cross-platform (Windows, Mac OS X, Linux) FTP / SFTP / SCP client
- FreeBSD /usr/ports/ftp/ftp-tls/ - Ftp client based on the OpenBSD ftp client code, implements the FTP AUTH TLS IETF draft.
This blog post is 3 of 5 in the "Redhat / CentOS VSFTPD FTP Server Tutorial" series.