SECURE LINUX FTP SERVER (VSFTPD SERVER) USING SSL ENCRYPTION / TLS ENCRYPTION
Introduction
In one of my previous articles I already explained how to configure a Linux FTP Server (Vsftpd Server). In this article we discuss how to secure a Linux FTP Server (Vsftpd Server) using SSL Encryption / TLS Encryption. The port number used by the Secure FTP Server is 22.
Follow the steps below to secure a Linux FTP Server (Vsftpd Server) using SSL Encryption / TLS Encryption:
Step : 1 Install Required Packages
We need to install two packages to configure a Linux FTP Server (Vsftpd Server) using SSL Encryption / TLS Encryption. The packages are:
- vsftpd
- mod_ssl
So let’s install the packages one by one.
- Installing vsftpd Package
[root@localhost ~]# yum -y install vsftpd # Installing vsftpd Package
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
* base: centos-hcm.viettelidc.com.vn
* extras: centos-hcm.viettelidc.com.vn
* updates: centos.excellmedia.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package vsftpd.x86_64 0:2.2.2-24.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
===================================================================================================================================
Package Arch Version Repository Size
===================================================================================================================================
Installing:
vsftpd x86_64 2.2.2-24.el6 base 156 k
Transaction Summary
===================================================================================================================================
Install 1 Package(s)
Total download size: 156 k
Installed size: 340 k
Downloading Packages:
vsftpd-2.2.2-24.el6.x86_64.rpm | 156 kB 00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : vsftpd-2.2.2-24.el6.x86_64 1/1
Verifying : vsftpd-2.2.2-24.el6.x86_64 1/1
Installed:
vsftpd.x86_64 0:2.2.2-24.el6
Complete!
- Installing mod_ssl Package
[root@localhost ~]# yum -y install mod_ssl # Installing mod_ssl Package
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
* base: centos-hcm.viettelidc.com.vn
* extras: centos-hcm.viettelidc.com.vn
* updates: centos.excellmedia.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.2.15-59.el6.centos will be installed
--> Processing Dependency: httpd = 2.2.15-59.el6.centos for package: 1:mod_ssl-2.2.15-59.el6.centos.x86_64
--> Running transaction check
---> Package httpd.x86_64 0:2.2.15-29.el6.centos will be updated
---> Package httpd.x86_64 0:2.2.15-59.el6.centos will be an update
--> Processing Dependency: httpd-tools = 2.2.15-59.el6.centos for package: httpd-2.2.15-59.el6.centos.x86_64
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.2.15-29.el6.centos will be updated
---> Package httpd-tools.x86_64 0:2.2.15-59.el6.centos will be an update
--> Finished Dependency Resolution
Dependencies Resolved
=========================================================================================================
Package Arch Version Repository Size
=========================================================================================================
Installing:
mod_ssl x86_64 1:2.2.15-59.el6.centos base 97 k
Updating for dependencies:
httpd x86_64 2.2.15-59.el6.centos base 834 k
httpd-tools x86_64 2.2.15-59.el6.centos base 79 k
Transaction Summary
=========================================================================================================
Install 1 Package(s)
Upgrade 2 Package(s)
Total download size: 1.0 M
Downloading Packages:
(1/3): httpd-2.2.15-59.el6.centos.x86_64.rpm | 834 kB 00:02
(2/3): httpd-tools-2.2.15-59.el6.centos.x86_64.rpm | 79 kB 00:00
(3/3): mod_ssl-2.2.15-59.el6.centos.x86_64.rpm | 97 kB 00:00
---------------------------------------------------------------------------------------------------------
Total 291 kB/s | 1.0 MB 00:03
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : httpd-tools-2.2.15-59.el6.centos.x86_64 1/5
Updating : httpd-2.2.15-59.el6.centos.x86_64 2/5
Installing : 1:mod_ssl-2.2.15-59.el6.centos.x86_64 3/5
Cleanup : httpd-2.2.15-29.el6.centos.x86_64 4/5
Cleanup : httpd-tools-2.2.15-29.el6.centos.x86_64 5/5
Verifying : httpd-tools-2.2.15-59.el6.centos.x86_64 1/5
Verifying : httpd-2.2.15-59.el6.centos.x86_64 2/5
Verifying : 1:mod_ssl-2.2.15-59.el6.centos.x86_64 3/5
Verifying : httpd-2.2.15-29.el6.centos.x86_64 4/5
Verifying : httpd-tools-2.2.15-29.el6.centos.x86_64 5/5
Installed:
mod_ssl.x86_64 1:2.2.15-59.el6.centos
Dependency Updated:
httpd.x86_64 0:2.2.15-59.el6.centos httpd-tools.x86_64 0:2.2.15-59.el6.centos
Complete!
You can confirm the installed packages with the rpm -qa command. Refer to the sample output below.
[root@localhost ~]# rpm -qa | grep vsftpd # Confirm the Vsftpd Package Installation
vsftpd-2.2.2-24.el6.x86_64
[root@localhost ~]# rpm -qa | grep mod_ssl # Confirm the mod_ssl Package Installation
mod_ssl-2.2.15-59.el6.centos.x86_64
To check the configuration files and directory paths of mod_ssl we can use rpm -ql mod_ssl.
Sample Output :
[root@localhost ~]# rpm -ql mod_ssl # Checking Configuration Files and Directories Path
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
Start the Vsftpd service using the command below.
[root@localhost ~]# /etc/init.d/vsftpd start # Start the Vsftpd Server Service
Starting vsftpd for vsftpd: [ OK ]
Enable the vsftpd service at startup using the command below.
[root@localhost ~]# chkconfig --level 35 vsftpd on # Start the Vsftpd Linux FTP Service at Startup
[root@localhost ~]# chkconfig --list vsftpd
vsftpd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
Step : 2 Generate Certificates for Linux FTP Server (Vsftpd Server)
We have to generate a .pem certificate to secure the Vsftpd Linux FTP Server. .pem stands for Privacy Enhanced Mail; it is a public certificate container which can hold multiple certificates in one file (e.g. the public key certificate and the private key). To generate the .pem file we can use the openssl command. Refer to the command below to generate the .pem certificate. Here I am generating a certificate named elinuxbook.pem.
During certificate creation it will ask for the details below:
- Country Name
- State Name
- City
- Organisation Name
- Email Address, etc.
So enter valid details to generate the .pem certificate.
[root@localhost ~]# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout elinuxbook.pem -out elinuxbook.pem
Generating a 1024 bit RSA private key
...++++++
...++++++
writing new private key to 'elinuxbook.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:ElinuxBook
Organizational Unit Name (eg, section) []:Internet Marketing
Common Name (eg, your name or your server's hostname) []:ElinuxBook
Email Address []:admin@elinuxbook.com
The generated certificate file is created and stored in the current directory where you ran the openssl command. As you can see below, I created the certificate in the home directory of root. Refer to the sample output below.
[root@localhost ~]# ls
anaconda-ks.cfg Documents elinuxbook.pem install.log.syslog Pictures Templates
Desktop Downloads install.log Music Public Videos
Once the certificate is generated, copy the certificate file into the /etc/vsftpd directory. Refer to the command below.
[root@localhost ~]# cp elinuxbook.pem /etc/vsftpd/ # Copy the Certificate File
Step : 3 Configure the main configuration file of Vsftpd Server (/etc/vsftpd/vsftpd.conf)
Before enabling the SSL configuration for the Vsftpd Linux FTP Server let's do some basic settings. Refer to the sample output below.
[root@localhost ~]# nano /etc/vsftpd/vsftpd.conf
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# Disable Anonymous Login (vsftpd does not accept a comment after a value, so notes go on their own line)
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# Enable Local User Login
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
# Write enable for any form of FTP
write_enable=YES
Save the configuration file after the above changes and restart the Vsftpd Linux FTP server.
[root@localhost ~]# /etc/init.d/vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
Step : 4 Enable SSL Encryption Support for Vsftpd Linux FTP Server
To enable SSL encryption support for the Vsftpd Linux FTP Server, edit the main configuration file, i.e. /etc/vsftpd/vsftpd.conf, go to the end of the file and enter the lines below.
[root@localhost ~]# nano /etc/vsftpd/vsftpd.conf
###SSL Support for Vsftpd###
# vsftpd reads everything after '=' as the value, so each note is on its own line
# Enable SSL Encryption for Vsftpd Linux FTP Server
ssl_enable=YES
# Enable SSL & TLS Version 1
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Path for Certificate File
rsa_cert_file=/etc/vsftpd/elinuxbook.pem
# Path for Private Key File
rsa_private_key_file=/etc/vsftpd/elinuxbook.pem
# Force Local users to login using SSL Encryption / TLS Encryption
force_local_logins_ssl=YES
# Force To use SSL Encryption / TLS Encryption during Data Upload in FTP
force_local_data_ssl=YES
After the above changes restart the Vsftpd Linux FTP service using the command below.
[root@localhost ~]# /etc/init.d/vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]
Now stop the iptables service using the command below.
[root@localhost ~]# /etc/init.d/iptables stop
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: [ OK ]
We are done with all required configurations. Now it's time for testing. As we enabled SSL Encryption / TLS Encryption for the Vsftpd Linux FTP Server, we cannot access the FTP Server without SSL, i.e. over plain FTP. I tried to do so and got the error below.
[root@localhost ~]# ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): helpdesk
530 Non-anonymous sessions must use encryption.
Login failed.
To access the secured Vsftpd Server we have a tool in Linux, i.e. sftp. So let's access the Vsftpd Server using the sftp command.
[root@localhost ~]# sftp helpdesk@localhost
Connecting to localhost...
helpdesk@localhost's password:
sftp>
As you can see in the output above, we were able to log in to the Vsftpd Linux FTP Server using the SSL Encryption certificate.
There is also a third-party tool available with which we can access the Vsftpd Server, i.e. FileZilla. Refer to the snaps below.
Access the FTP Server without SSL Encryption using FileZilla.
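Added here as an example (not the article's own code): a POSIX shell audit of the FTPS options from Step 4 plus a live probe for the login test above; the function names, sample config and PEM paths are the example's own constructed assumptions. The probe uses openssl s_client -starttls ftp on port 21 because vsftpd serves FTPS on the FTP control port, whereas the sftp client speaks SSH to sshd on port 22 and never reaches vsftpd.

```shell
# Added example, not from the original article: audit a vsftpd.conf for the FTPS
# settings enabled in Step 4, then probe the live server. Sample data is constructed.
# Effective value of one option. vsftpd takes everything after '=' as the value and
# uses the last definition, so a trailing "# comment" becomes part of the value.
vsftpd_opt() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//'
}

# Audit one config file; prints each finding and returns the number of failures.
audit_vsftpd_ssl() {
    cfg=$1; fails=0
    if grep -Eq '^[[:space:]]*[a-z_]+=.*#' "$cfg"; then
        echo "FAIL: option line with trailing '#' comment (vsftpd refuses to start)"
        fails=$((fails + 1))
    fi
    for want in ssl_enable=YES ssl_sslv2=NO ssl_sslv3=NO anonymous_enable=NO \
                force_local_logins_ssl=YES force_local_data_ssl=YES; do
        [ "$(vsftpd_opt "$cfg" "${want%%=*}")" = "${want#*=}" ] ||
            { echo "FAIL: expected $want"; fails=$((fails + 1)); }
    done
    # The PEM files must exist and carry a certificate and a private key block.
    cert=$(vsftpd_opt "$cfg" rsa_cert_file); key=$(vsftpd_opt "$cfg" rsa_private_key_file)
    { [ -r "$cert" ] && grep -q 'BEGIN CERTIFICATE' "$cert"; } ||
        { echo "FAIL: no certificate in rsa_cert_file '$cert'"; fails=$((fails + 1)); }
    { [ -r "$key" ] && grep -q 'PRIVATE KEY' "$key"; } ||
        { echo "FAIL: no private key in rsa_private_key_file '$key'"; fails=$((fails + 1)); }
    return $fails
}
# Live check (needs the server running): explicit TLS on the FTP control port, 21.
probe_ftps() {
    openssl s_client -connect "$1:21" -starttls ftp </dev/null 2>&1 |
        grep -E 'Protocol|Verify return code'
}
# Constructed sample data: a combined key+certificate PEM (as in Step 2) and two configs.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' '-----END RSA PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' > "$SAMPLE_DIR/elinuxbook.pem"
cat > "$SAMPLE_DIR/good.conf" <<EOF
anonymous_enable=NO
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=$SAMPLE_DIR/elinuxbook.pem
rsa_private_key_file=$SAMPLE_DIR/elinuxbook.pem
force_local_logins_ssl=YES
force_local_data_ssl=YES
EOF
# bad.conf carries a trailing comment on ssl_enable, the form vsftpd cannot parse.
sed 's/^ssl_enable=YES$/ssl_enable=YES # enable TLS/' "$SAMPLE_DIR/good.conf" > "$SAMPLE_DIR/bad.conf"
```

Run audit_vsftpd_ssl against /etc/vsftpd/vsftpd.conf on the server, and probe_ftps against its hostname once vsftpd is restarted.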
Snap : 1
Snap : 2
As you can see in the snapshot above, we are unable to access the Vsftpd Linux FTP server using non-secure details, i.e. without the SSL certificate.
Snap : 3
Now try to log in to the vsftpd server using the SSL certificate.
Snap : 4
Accept the SSL certificate by pressing OK.
Snap : 5
And you have successfully connected to the Vsftpd Linux FTP Server.
So this is how we can secure a Vsftpd Linux FTP Server using SSL Encryption / TLS Encryption.