Introduction
Running an FTP server over a Secure Sockets Layer (SSL) encrypts the connection and helps secure your data. This connection uses an SSL certificate for encryption.
You can use a self-signed SSL certificate or one issued by a Certificate Authority (CA).
- An SSL certificate signed by a Certificate Authority is trusted by clients and considered legitimate.
- A self-signed SSL certificate is insecure because no trusted Certificate Authority has verified it, so a client has no independent way to confirm the server's identity.
Getting Started
This tutorial uses vsftpd as the FTP server application and Fedora as the operating system.
The vsftpd package is a mature, stable, secure FTP server application.
One of the reasons I use Fedora is the security measures it enables by default, specifically SELinux and firewalld.
SELinux adds an extra layer of security by confining services to the files and network ports their policy allows, so a service cannot quietly operate outside its default settings.
The firewalld service only allows connections to the system that are explicitly permitted in its configuration.
For these reasons, always leave SELinux and firewalld enabled and actively running.
We’ll be using a self-signed certificate.
Installation
- Install the vsftpd package.
$ sudo dnf install -y vsftpd
- Create a subdirectory within the SSL directory to store the SSL certificate.
$ sudo mkdir /etc/ssl/private
- Create a self-signed certificate and key in a single file by running the following command and answering all of the prompts.
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
Configuration
- Backup the /etc/vsftpd/vsftpd.conf file.
$ sudo cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.backup
- Create a new /etc/vsftpd/vsftpd.conf file.
$ sudo vi /etc/vsftpd/vsftpd.conf
The following options will be used:
pam_service_name - The name of the PAM service used by vsftpd.
anonymous_enable - Allow or prevent anonymous logins.
local_enable - Allow or prevent local logins.
write_enable - Allow or prevent write access.
pasv_min_port - Minimum port to allocate for PASV style data connections.
pasv_max_port - Maximum port to allocate for PASV style data connections.
rsa_cert_file - The location of the SSL certificate.
rsa_private_key_file - The location of the SSL private key.
ssl_enable - Allow or prevent SSL connections.
force_local_data_ssl - Force SSL connections in order to send and receive data.
force_local_logins_ssl - Force SSL connections in order to send the user's password.
ssl_ciphers - Select SSL ciphers.
Here is the completed configuration:
pam_service_name=vsftpd
anonymous_enable=NO
local_enable=YES
write_enable=YES
pasv_min_port=40000
pasv_max_port=40001
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_ciphers=HIGH
The pasv_min_port and pasv_max_port values in this configuration are only an example. Choose values that form a port range not already in use on your system.
- Restart and enable the vsftpd daemon.
$ sudo systemctl restart vsftpd
$ sudo systemctl enable vsftpd
- Configure SELinux to allow passive FTP connections.
$ sudo setsebool -P ftpd_use_passive_mode on
- Add the appropriate firewalld rules to allow ftp connections.
$ sudo firewall-cmd --add-service=ftp --permanent
$ sudo firewall-cmd --add-port=40000-40001/tcp --permanent
$ sudo firewall-cmd --reload
The --add-port= parameter must match the pasv_min_port and pasv_max_port options in your configuration.
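As an added example (not part of the original article and not vsftpd's own tooling), the POSIX shell script below lints a vsftpd.conf for the hardening settings from the Configuration section and derives the firewalld --add-port value from the PASV range, so the configuration file and the firewall rule cannot silently drift apart. The sample configuration it checks is constructed inline and the temporary file path is an assumption; point the functions at /etc/vsftpd/vsftpd.conf to check a real server.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check a vsftpd.conf
# for the SSL-hardening settings used in this tutorial and derive the
# firewalld --add-port argument from its PASV range. The sample config below
# is constructed inline; the temp-file path used at the bottom is an assumption.

# Constructed sample: the same completed configuration the article shows.
SAMPLE_CONF='pam_service_name=vsftpd
anonymous_enable=NO
local_enable=YES
write_enable=YES
pasv_min_port=40000
pasv_max_port=40001
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_ciphers=HIGH'

# conf_get FILE KEY: print the value of KEY (last occurrence wins), ignoring
# comment lines; prints nothing if the key is absent.
conf_get() {
    grep -v '^[[:space:]]*#' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# check_ssl_settings FILE: report every setting that does not match the
# hardened value; return 1 if any differs, 0 if the config is as expected.
check_ssl_settings() {
    rc=0
    for pair in ssl_enable=YES force_local_data_ssl=YES \
                force_local_logins_ssl=YES anonymous_enable=NO; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(conf_get "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected $want, found '${got:-unset}'"
            rc=1
        fi
    done
    return "$rc"
}

# pasv_port_rule FILE: print the firewall-cmd --add-port argument that matches
# pasv_min_port/pasv_max_port (e.g. 40000-40001/tcp); return 1 on a bad range.
pasv_port_rule() {
    min=$(conf_get "$1" pasv_min_port)
    max=$(conf_get "$1" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "pasv_min_port/pasv_max_port not set" >&2
        return 1
    fi
    if [ "$min" -gt "$max" ] || [ "$min" -lt 1024 ] || [ "$max" -gt 65535 ]; then
        echo "invalid PASV range $min-$max" >&2
        return 1
    fi
    echo "${min}-${max}/tcp"
}

# Stand-alone run: lint the constructed sample written to a temp file (assumed path).
demo_conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$demo_conf"
if check_ssl_settings "$demo_conf"; then
    echo "SSL settings OK; firewall rule: --add-port=$(pasv_port_rule "$demo_conf")"
fi
rm -f "$demo_conf"
```

Run it before restarting vsftpd; a non-zero exit from check_ssl_settings means a login or data transfer could fall back to cleartext, and the printed --add-port value is the exact argument to pass to firewall-cmd.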
Conclusion
Once you have completed the installation and configuration, you can access your system over an SSL FTP connection using a client such as FileZilla or WinSCP.
Because you are using a self-signed certificate, you will get a warning that the server's certificate is unknown. If you are using FileZilla, you can simply select the option to Always trust certificate in future sessions and click OK to continue.
I will post a future article that discusses how to add a self-signed certificate to your trusted root certificates to eliminate this warning.
An SSL certificate signed by a CA vendor such as Let's Encrypt will not have this issue.