CentOS / RHEL: Vsftpd SSL / TLS FTP Server Configuration

Posted on in Categories CentOS, FTP Server, Linux, Networking, RedHat/Fedora Linux, Security last updated January 8, 2014

Vsftpd FTP server supports secure connections via SSL / TLS, same encryption used with online banking and shopping. This applies to the control connection (including login) and also data connections. You will need a ftp client with SSL support too. In this post, I am going to show you how To configure vsftpd to yse SSL/TLS on a CentOS or Red Hat Enterprise Linux (RHEL) version 5.x/6.x to secure communication.

nixCraft FAQ Roundup – Dec 8, 2008

Posted on in Categories FAQ last updated October 30, 2008

Recently updated/posted Linux and UNIX FAQ:

=> Boot Ubuntu Linux into Rescue mode to fix system – How do I boot my Ubuntu Linux server into Rescue mode to fix system?

=> Unable to create installation source – Add directories into YaST as an installation source – I have created my own patch files on the hard drive. How do I add all those directories into Suse Linux YaST as an installation source?

=> How to uninstall GRUB – How do I uninstall GRUB using old good MS-DOS fdisk or Linux/UNIX dd command?

=> Can I run fsck or e2fsck when Linux file system is mounted? Can I run run fsck/e2fsc on a live Linux file system?

=> Configure Sendmail SSL encryption for sending and receiving email – Configure Sendmail MTA to use SSL encryption for sending/receiving email using valid SSL certificate.

=> Linux configure Network Address Translation or NAT – Old good Linux NAT!

=> Use sudo or sudoers to start, stop & restart Apache – Sudo to stop and/or restart Apache web server!

=> How to install firefox-2.0.tar.gz in Linux – I have downloaded firefox file from mozilla web site to my Linux desktop system. The name of file is firefox-2.0.tar.gz. How do I install firefox-2.0.tar.gz in Fedora Core Linux?

Enjoy!

How To Lighttpd Create Self Signed SSL Certificates

Posted on in Categories lighttpd, Linux, OS X, Security, UNIX last updated April 2, 2008
Lighttpd logo

If you are testing an application (web based) or just want secure login page for your application, you can create a self signed SSL Certificates. I have already explained the procedure for installing real third party signed SSL certificate.

Procedure is as follows:

Step # 1: Create self signed SSL Certificates

Create a directory to store SSL certificate:

# mkdir /etc/lighttpd/ssl/domain.com -p
# cd /etc/lighttpd/ssl/domain.com
# openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes
# chown lighttpd:lighttpd /etc/lighttpd/ssl -R
# chmod 0600 /etc/lighttpd/ssl/domain.com

You need to provide information such as country name, your domain name etc.

Step # 2: Configure Lighttpd

Open lighttpd configuration file:
# vi /etc/lighttpd/lighttpd.conf Add config directives as follows:
$SERVER["socket"] == "192.168.1.100:443" {
server.document-root = "/home/lighttpd/domain.com"
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/domain.com/server.pem"
}

Make sure you replace ip 192.168.1.100 with your actual IP address.

Step # 3: Restart Lighttpd

Test config file for errors:
# lighttpd -t -f /etc/lighttpd/lighttpd.conf
Now Restart lighttpd:
# /etc/init.d/lighttpd restart

Make sure port 443 is open
# netstat -tulpn | grep :443

Configure firewall/iptables and open port 443. Following is sample iptabables rules. You need to append code to your iptables shell script:
SERVER_IP="192.168.1.100"
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 443 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Redirect plain text login page to secure login page

Let us assume you would like to redirect all incoming wordpress requests http://domain.com/blog/wp-login.php request to https://domain.com/blog/wp-login.php
Add following code snippet to your lighttpd.conf file’s port 80 section:
$HTTP["url"] =~ "^/blog/wp-login.php*" {
url.redirect = ( "^/(.*)" => "https://www.domain.com/$1" )
}

You may need to modify your login page to submit form over SSL.