CentOS / RHEL: Vsftpd SSL / TLS FTP Server Configuration

Vsftpd FTP server supports secure connections via SSL / TLS, same encryption used with online banking and shopping. This applies to the control connection (including login) and also data connections. You will need a ftp client with SSL support too. In this post, I am going to show you how To configure vsftpd to yse SSL/TLS on a CentOS or Red Hat Enterprise Linux (RHEL) version 5.x/6.x to secure communication.

VSFTPD: Create SSL Certificate on a CentOS / RHEL Server

Type the following command to create self-signed certificate (you can also use certificate issued by 3rd party CA):
# cd /etc/vsftpd/
# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem

Sample outputs:

Generating a 1024 bit RSA private key
.......++++++
........................................++++++
writing new private key to '/etc/vsftpd/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Maharashtra 
Locality Name (eg, city) [Newbury]:Pune
Organization Name (eg, company) [My Company Ltd]:nixCraft Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ftp.nixcraft.net.in
Email Address []:vivek@nixcraft.net.in

Edit the vsftpd configuration file, enter:
# vi vsftpd.conf

Add or correct the following configuration option:

# Turn on SSL
ssl_enable=YES
 
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=YES
 
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=YES
 
# All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=YES
 
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
 
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=NO
 
# permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=NO
 
# Specifies the location of the RSA certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/vsftpd.pem

Restart the vsftpd ftp server:
# service vsftpd restart
# netstat -tulpn | grep :21

Test SSL Aware FTP Server With ftp-ssl command

ftp-ssl is the FTP client with SSL or TLS encryption support. Install ftp-ssl under Debian / Ubuntu desktop, enter:
$ sudo apt-get update
$ sudo apt-get install ftp-ssl
Sample ssl aware ftp session:
$ ftp-ssl ftp.nixcraft.net.in
Sample output:

Connected to ftp.nixcraft.net.in.
220-NOTICE TO USERS
220-
220-Use of this system constitutes consent to security monitoring and testing.
220-All activity is logged with your host name and IP address.
220
Name (ftp.nixcraft.net.in:sayali): vivek
234 Proceed with negotiation.
[SSL Cipher DES-CBC3-SHA]
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

lftp is a file transfer program that allows sophisticated ftp, ftp-ssl, http and other connections to other hosts. Use lftp as follows (it is available under all UNIX / BSD / Linux distributions)
$ lftp -u vivek -e 'set ftp:ssl-force true' ftp.nixcraft.net.in

List of SSL Aware FTP Client

• lftp UNIX / Linux client is also SSL aware client. It needs to compiled with OpenSSL (configure –with-openssl).
• WinSCP FTP / SFTP / SCP client
• Fireftp Cross-platform: Windows, Mac OS X, Linux FTP / SFTP / SCP client
• FreeBSD /usr/ports/ftp/ftp-tls/ – Ftp client based on the OpenBSD ftp client code, implements the FTP AUTH TLS IETF draft.