The vsftpd FTP server supports secure connections via SSL/TLS, the same encryption used for online banking and shopping. This applies to the control connection (including login) and to data connections. You will also need an FTP client with SSL support. In this post, I am going to show you how to configure vsftpd to use SSL/TLS on CentOS or Red Hat Enterprise Linux (RHEL) version 5.x/6.x to secure communication.
VSFTPD: Create SSL Certificate on a CentOS / RHEL Server
Type the following commands to create a self-signed certificate (you can also use a certificate issued by a third-party CA):
# cd /etc/vsftpd/
# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem
Sample outputs:
Generating a 1024 bit RSA private key
.......++++++
........................................++++++
writing new private key to '/etc/vsftpd/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Maharashtra
Locality Name (eg, city) [Newbury]:Pune
Organization Name (eg, company) [My Company Ltd]:nixCraft Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ftp.nixcraft.net.in
Email Address []:vivek@nixcraft.net.in
Edit the vsftpd configuration file, enter:
# vi vsftpd.conf
Add or correct the following configuration options:
# Turn on SSL
ssl_enable=YES
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send the password.
force_local_logins_ssl=YES
# Permit TLS v1 protocol connections. TLS v1 connections are preferred.
ssl_tlsv1=YES
# Do not permit SSL v2 protocol connections. TLS v1 connections are preferred.
ssl_sslv2=NO
# Do not permit SSL v3 protocol connections. TLS v1 connections are preferred.
ssl_sslv3=NO
# Specifies the location of the RSA certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/vsftpd.pem
Restart the vsftpd ftp server:
# service vsftpd restart
# netstat -tulpn | grep :21
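The options above are easy to get wrong in a hand-edited file, so here is an added example (not from the original post) of a small Python auditor that parses a vsftpd.conf and reports which of the TLS options differ from the values recommended above. The defaults it assumes for absent options are those documented in vsftpd.conf(5), the YES/NO normalisation mirrors how vsftpd reads booleans, and both sample configs are constructed.

```python
import re
# option -> (required value, vsftpd's documented default, why it matters);
# defaults are from vsftpd.conf(5), so an absent option means its default applies.
SSL_POLICY = {
    "ssl_enable":             ("YES", "NO",  "TLS is off; logins and data travel in clear text"),
    "force_local_logins_ssl": ("YES", "YES", "local users may send their password without TLS"),
    "force_local_data_ssl":   ("YES", "YES", "local users may transfer file data without TLS"),
    "ssl_sslv2":              ("NO",  "NO",  "SSLv2 is broken and must not be offered"),
    "ssl_sslv3":              ("NO",  "NO",  "SSLv3 is broken and must not be offered"),
    "ssl_tlsv1":              ("YES", "YES", "no TLS version would be left to negotiate"),
}
_ASSIGN = re.compile(r"^(\w+)=(.*)$")

def parse_vsftpd_conf(text):
    """Parse vsftpd's strict option=value format: blank and '#' lines are
    ignored, no spaces around '=', and a later assignment overrides an earlier one."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts

def as_bool(value):
    """Normalise a boolean the way vsftpd reads it: first char Y/T/1 means yes."""
    return "YES" if value[:1].upper() in ("Y", "T", "1") else "NO"

def audit_ssl(text):
    """Return findings as (option, effective value, reason); empty means compliant."""
    opts = parse_vsftpd_conf(text)
    findings = []
    for opt, (want, default, why) in SSL_POLICY.items():
        effective = as_bool(opts.get(opt, default))
        if effective != want:
            findings.append((opt, effective, why))
    if as_bool(opts.get("ssl_enable", "NO")) == "YES" and "rsa_cert_file" not in opts:
        findings.append(("rsa_cert_file", None, "not set; the compiled-in default path is used"))
    return findings

# Constructed sample configs: one weak, one matching the settings in the post.
WEAK_CONF = "listen=YES\nssl_enable=NO\nssl_sslv3=YES\n"
HARDENED_CONF = ("ssl_enable=YES\nallow_anon_ssl=YES\nforce_local_data_ssl=YES\n"
                 "force_local_logins_ssl=YES\nssl_tlsv1=YES\nssl_sslv2=NO\nssl_sslv3=NO\n"
                 "rsa_cert_file=/etc/vsftpd/vsftpd.pem\n")
if __name__ == "__main__":  # stand-alone demo: findings for the weak file, OK for the hardened one
    print(audit_ssl(WEAK_CONF), audit_ssl(HARDENED_CONF) or "OK")
```

To check a live server, pass `open("/etc/vsftpd/vsftpd.conf").read()` to `audit_ssl` instead of the constructed strings.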
Test SSL Aware FTP Server With ftp-ssl command
ftp-ssl is an FTP client with SSL or TLS encryption support. To install ftp-ssl on a Debian / Ubuntu desktop, enter:
$ sudo apt-get update
$ sudo apt-get install ftp-ssl
Sample SSL-aware FTP session:
$ ftp-ssl ftp.nixcraft.net.in
Sample output:
Connected to ftp.nixcraft.net.in.
220-NOTICE TO USERS
220-
220-Use of this system constitutes consent to security monitoring and testing.
220-All activity is logged with your host name and IP address.
220
Name (ftp.nixcraft.net.in:sayali): vivek
234 Proceed with negotiation.
[SSL Cipher DES-CBC3-SHA]
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
lftp is a file transfer program that supports sophisticated FTP, FTP over SSL, HTTP and other connections to remote hosts. It is available on all UNIX / BSD / Linux distributions; use it as follows:
$ lftp -u vivek -e 'set ftp:ssl-force true' ftp.nixcraft.net.in
List of SSL Aware FTP Clients
- The lftp UNIX / Linux client is also SSL aware. It needs to be compiled with OpenSSL (configure --with-openssl).
- WinSCP FTP / SFTP / SCP client
- Fireftp Cross-platform: Windows, Mac OS X, Linux FTP / SFTP / SCP client
- FreeBSD /usr/ports/ftp/ftp-tls/: an FTP client based on the OpenBSD ftp client code; it implements the FTP AUTH TLS IETF draft.
Hello,
I’m running Debian (old-Sarge) and I’m using lftp to connect to a UNIX FTP server via ftps. In trying to get or put, I receive: get/put: Fatal Error: SSL_READ Wrong Version Number. I’ve tried self signing a certificate (although I’m not sure I did it right), and all of the other really scarce information I’ve found on this subject. The server isn’t mine, it belongs to a customer, so I have no insight into their configuration. Can someone give me an idea of where to go here?
Thank you,
BB
The certificate creation command should disambiguate the -keyout and -out parameter values. For example:
/usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd_privkey.pem -out vsftpd_cert.pem
Then add the following in vsftpd.conf:
rsa_cert_file=/etc/vsftpd/vsftpd_cert.pem
rsa_private_key_file=/etc/vsftpd/vsftpd_privkey.pem
This FINALLY made mine work. I’m using the latest SLES 11 SP2 and turning on SSL did not allow vsftpd to start. I split the cert + key as you suggested and changed the conf file to have rsa_ lines instead of dsa_ ones and it finally runs
Thanks for this info!
@eriik
VSFTPD definitely supports SFTP and has for many years.
This won’t work because FTPS (vsftpd supports this) and SFTP (vsftpd doesn’t) are completely different protocols. There’s a lot of confusion on the net about this. I don’t think vsftpd can be used on port 22 as an SFTP server.
I also had a problem with selinux !
It just wouldn’t start, with the error: Starting vsftpd for vsftpd: 500 OOPS: SSL: cannot load RSA certificate
My certificate is in /etc/vsftpd/vsftpd.pem
so just allow the ftp service to read files in /etc/vsftpd
I took the easy way out and just enabled passive mode adding the various passive_ options instead of trying to make it work under active mode.
The various passive_ options you mention... are they enabled in the vsftpd.conf file? I’m not really familiar with vsftpd, but I also need to use Filezilla as an FTP client. Thanks!
I love the guide, but I have this problem: using WinSCP or even Filezilla and setting them to use Implicit TLS/SSL won’t let me connect.
16:53:43 Status: Connection established, waiting for welcome message…
16:53:43 Response: 220-NOTICE TO USERS
16:53:43 Response: 220-
16:53:43 Response: 220-Use of this system constitutes consent to security monitoring and testing.
16:53:43 Response: 220-All activity is logged with your host name and IP address.
16:53:43 Response: 220
16:53:43 Command: AUTH TLS
16:53:43 Response: 234 Proceed with negotiation.
16:53:43 Status: Initializing TLS…
16:53:43 Status: Verifying certificate…
16:53:43 Command: USER ***************
16:53:43 Status: TLS/SSL connection established.
16:53:43 Response: 331 Please specify the password.
16:53:43 Command: PASS ************
16:53:43 Response: 230 Login successful.
16:53:43 Command: SYST
16:53:43 Response: 215 UNIX Type: L8
16:53:43 Command: FEAT
16:53:43 Response: 211-Features:
16:53:43 Response: AUTH SSL
16:53:43 Response: AUTH TLS
16:53:43 Response: EPRT
16:53:43 Response: EPSV
16:53:43 Response: MDTM
16:53:43 Response: PASV
16:53:43 Response: PBSZ
16:53:43 Response: PROT
16:53:43 Response: REST STREAM
16:53:43 Response: SIZE
16:53:43 Response: TVFS
16:53:43 Response: 211 End
16:53:43 Command: PBSZ 0
16:53:43 Response: 200 PBSZ set to 0.
16:53:43 Command: PROT P
16:53:43 Response: 200 PROT now Private.
16:53:43 Status: Connected
16:53:43 Status: Retrieving directory listing…
16:53:43 Command: PWD
16:53:43 Response: 257 “/”
16:53:43 Command: TYPE I
16:53:43 Response: 200 Switching to Binary mode.
16:53:43 Command: PASV
16:53:43 Response: 227 Entering Passive Mode (10,0,7,1,184,39)
16:53:43 Status: Server sent passive reply with unroutable address. Using server address instead.
16:53:43 Command: LIST
That is with Active mode on in Filezilla; it still tries passive, but using FlashFXP and choosing the option Use ‘STAT -L’ to list directory, it works perfectly. Is there something I can do to make this work with Filezilla or even Dreamweaver? I want a secure connection to our server, but I have 2 outside people who need access to this server and prefer to use Filezilla or Dreamweaver’s built-in FTP client.
Hi Mr Vivek,
Is there any problem if I’m using a secure connection plus quota tools to limit the disk capacity of user accounts on vsftpd? For example, a slow connection to upload or download data, maybe?
Thanks