Adding SSL/TLS encryption to FTP server

By default an FTP server performs cleartext transactions: credentials and data cross the network unencrypted.

It is always better to secure the FTP server by adding SSL/TLS encryption.

We have used the vsftpd server.

Prerequisites:

FTP server: vsftpd

Encryption: OpenSSL / TLS

 

Step 1. Install vsftpd and OpenSSL.

Step 2. Configure a plain vsftpd server as per your requirement. Please note: do not keep anonymous access enabled, and keep the login shell for all local users as /bin/nologin.


Step 3. Generate the OpenSSL certificate file using the command below:

    $ openssl req -x509 -nodes -days 365 -newkey rsa:1024 \
        -keyout /etc/vsftpd/vsftpd.pem \
        -out /etc/vsftpd/vsftpd.pem

It generates vsftpd.pem under /etc/vsftpd. Because the same path is given to -keyout and -out, the file contains both the private key and the self-signed certificate; -nodes leaves the key unencrypted so vsftpd can read it without a passphrase.

The key type is RSA, 1024 bits as written. A 1024-bit RSA key is no longer considered adequate; on a current system use rsa:2048 or larger.

Validity is 365 days. We can modify it as per our requirement.


Step 4. Check whether the vsftpd binary supports SSL or not:

    $ ldd /usr/sbin/vsftpd | grep libssl
    libssl.so.4 => /lib/libssl.so.4 (0x4001e000)

If a libssl line like this appears, vsftpd is linked against OpenSSL and supports SSL/TLS.


Step 5. Add the lines below to /etc/vsftpd/vsftpd.conf:

    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    rsa_cert_file=/etc/vsftpd/vsftpd.pem

    chroot_local_user=YES

force_local_logins_ssl and force_local_data_ssl force local users to connect with FTPS; plain FTP logins and data transfers are not allowed.

chroot_local_user restricts each local user's FTP access to their own home directory.

You can enable ssl_sslv2 and ssl_sslv3 as well, but then your client must support them. Both are obsolete protocols with known weaknesses, so leaving them disabled is the safer default.


Step 6. Restart the vsftpd server:

    $ /etc/rc.d/init.d/vsftpd restart


Step 7. Put "/bin/false" in /etc/shells.

Step 8. While creating users, set the login shell to "/bin/false":

    $ useradd -s /bin/false <username>


Step 9. Install FileZilla on the client machine. FileZilla is a secure client that supports FTPS with stronger encryption. When configuring the server connection, set "Server Type" to FTPES (explicit FTP over TLS), enter your credentials, and it will connect to the FTP server.

Neelesh Gurjar has written 122 articles
