SSL/TLS
----------
Create the SSL Certificate
The first thing to do is to create a /etc/ssl/private/ folder on the server, which we’ll use to store the SSL/TLS key and certificate files:
mkdir /etc/ssl/private/
Once done, we can run the terminal command below to create the certificate and key for VSFTPD in a single file:
sudo openssl req -x509 -nodes -keyout /etc/ssl/private/vsftpd-selfsigned.pem -out /etc/ssl/private/vsftpd-selfsigned.pem -days 365 -newkey rsa:2048
Here’s a useful explanation of the above switches:
req – the OpenSSL command for X.509 Certificate Signing Request (CSR) management.
x509 – outputs a self-signed X.509 certificate instead of a CSR.
nodes – leaves the private key unencrypted (no passphrase), so VSFTPD can read it at startup without prompting; for that very reason the file must stay readable by root only.
days – the number of days the certificate is valid for.
newkey – generates a new private key along with the certificate.
rsa:2048 – the argument of newkey: an RSA key of 2048 bits.
keyout – the file the private key is written to.
out – the file the certificate is written to.
Note that both the certificate and the key will be stored in the same file: /etc/ssl/private/vsftpd-selfsigned.pem.
Once submitted, the above command will ask you to answer the questions below:
Country Name (2 letter code) [XX]: the ISO 3166-1 two-letter country code for your country. Example: US
State or Province Name (full name) []: the state or province name. Example: Massachusetts
Locality Name (eg, city) [Default City]: the city of the service. Example: Boston
Organization Name (eg, company) [Default Company Ltd]: the FTP company name. Example: Example.com
Organizational Unit Name (eg, section) []: the department or unit within the company. Example: Information Technology
Common Name (eg, your name or your server’s hostname) []: the hostname required to connect to the FTP server. Example: example.com
Email Address []: the admin e-mail address. Example: ftp-admin@example.com
Fill out the prompts appropriately. The most important line is the one that requests the Common Name: we need to enter the domain name associated with our server or our server’s public IP address.
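Because the key was generated with -nodes, the bundle in /etc/ssl/private/ holds an unencrypted private key next to the certificate. The script below is an added example (not part of the original post) that sanity-checks such a bundle before VSFTPD is pointed at it: it confirms the file contains both a certificate and a private key, that the key is not passphrase-protected (a daemon cannot answer the prompt), and that the file and its directory carry no group/other permission bits. The PEM sample embedded in it is constructed and truncated, not real key material; the default path and the permission policy (0600 file, 0700 directory, owned by root) are assumptions.

```python
import os
import re
import stat

# Constructed sample of the combined key+certificate bundle that the openssl
# command in the post writes (bodies truncated; not a real key or certificate).
SAMPLE_BUNDLE = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC0constructed...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKconstructed...
-----END CERTIFICATE-----
"""

# A PEM block is a BEGIN line, a base64 body and a matching END line.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_block_types(pem_text):
    """Labels of the PEM blocks in order, e.g. ['PRIVATE KEY', 'CERTIFICATE']."""
    return [m.group(1) for m in _PEM_BLOCK.finditer(pem_text)]


def check_bundle(pem_text):
    """Verify the bundle holds a certificate and an unencrypted private key.

    vsftpd reads both from the same file (rsa_cert_file and
    rsa_private_key_file), and because the key was generated with -nodes it
    must not be passphrase-protected: a daemon cannot answer the prompt.
    """
    types = pem_block_types(pem_text)
    has_cert = "CERTIFICATE" in types  # a CSR ('CERTIFICATE REQUEST') does not count
    has_key = any(t.endswith("PRIVATE KEY") for t in types)
    # PKCS#8 encrypted keys are labelled 'ENCRYPTED PRIVATE KEY'; traditional
    # format keys carry a 'Proc-Type: 4,ENCRYPTED' header instead.
    key_encrypted = ("ENCRYPTED PRIVATE KEY" in types
                     or "Proc-Type: 4,ENCRYPTED" in pem_text)
    return {
        "has_cert": has_cert,
        "has_key": has_key,
        "key_encrypted": key_encrypted,
        "ok": has_cert and has_key and not key_encrypted,
    }


def mode_is_private(st_mode):
    """True when no group/other permission bits are set (0600 file, 0700 dir)."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_on_disk(pem_path="/etc/ssl/private/vsftpd-selfsigned.pem"):
    """Run both checks against the real file; returns a dict of findings."""
    with open(pem_path) as fh:
        result = check_bundle(fh.read())
    file_st = os.stat(pem_path)
    dir_st = os.stat(os.path.dirname(pem_path))
    result["file_private"] = mode_is_private(file_st.st_mode)
    result["dir_private"] = mode_is_private(dir_st.st_mode)
    result["root_owned"] = file_st.st_uid == 0 and dir_st.st_uid == 0
    return result


if __name__ == "__main__":
    print(check_bundle(SAMPLE_BUNDLE))
    print("0600 is private:", mode_is_private(0o100600))
    print("0644 is private:", mode_is_private(0o100644))
```

Run check_on_disk() as root on the server after the openssl command; if file_private or dir_private comes back False, tighten the permissions (chmod 700 on the folder, chmod 600 on the file) before starting VSFTPD, since an unencrypted key that other local users can read defeats the purpose of TLS.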
Configuring VSFTPD To Use SSL/TLS
Before we perform any VSFTPD configurations, we need to open the TCP port 990 on the firewall in order to allow TLS connections:
firewall-cmd --zone=public --add-port=990/tcp --permanent
firewall-cmd --reload
Needless to say, the above lines assume that the public zone is bound to the WAN interface: if that is not the case, be sure to open the port on the appropriate zone. Note also that the configuration below does not enable implicit_ssl, so VSFTPD keeps serving explicit FTPS (AUTH TLS) on the standard port 21, which must be reachable as well; port 990 is only used by implicit FTPS.
Right after that, we can open the VSFTPD config file in /etc/vsftpd/vsftpd.conf and specify the SSL details in the following way:
# SSL configuration (TLS v1.2)
ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=NO
It’s worth noting that, since TLS is more secure than SSL, we also took the chance to restrict VSFTPD to TLS, enabling the ssl_tlsv1_2 option and disabling ssl_sslv2 and ssl_sslv3: doing so shields the server from exploits that rely on known SSL vulnerabilities, such as POODLE, which targets SSLv3.
The next options to set are those required to define the location of the SSL certificate and key file:
# configure the location of the SSL certificate and key file
rsa_cert_file=/etc/ssl/private/vsftpd-selfsigned.pem
rsa_private_key_file=/etc/ssl/private/vsftpd-selfsigned.pem
Now that SSL has been set, it’s highly advisable to force it whenever possible with the following directives:
# prevent anonymous users from using SSL
allow_anon_ssl=NO
# force all non-anonymous logins to use SSL for data transfer
force_local_data_ssl=YES
# force all non-anonymous logins to use SSL to send passwords
force_local_logins_ssl=YES
# Select the SSL ciphers VSFTPD will permit for encrypted SSL connections with the ssl_ciphers option.
ssl_ciphers=HIGH
# turn off SSL reuse
require_ssl_reuse=NO
The last two options above concern the security of the TLS sessions themselves. Setting ssl_ciphers to HIGH restricts VSFTPD to the strong OpenSSL cipher suites, which greatly limits an attacker’s ability to force the negotiation of a particular cipher in which they have found weaknesses. Setting require_ssl_reuse to NO relaxes the default requirement that every SSL data connection reuse the control channel’s SSL session, which is the mechanism by which a data connection proves it knows the same master secret as the control channel; that default is the more secure setting, but many FTP clients do not support session reuse, which is why it is commonly disabled.
Enabling Passive Mode
The last thing we need to do is to set the port range (min and max port) of passive ports:
pasv_min_port=40001
pasv_max_port=40100
Remember to also open them within the firewall, as explained in this post.
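The directives set in this and the previous sections can be audited mechanically before VSFTPD is restarted. The script below is an added example (not part of the original post or of vsftpd) that parses the option=value format of vsftpd.conf, reports weak or missing TLS settings among the ones discussed above, and derives the firewall ports the configuration actually needs, including the passive range, in the firewall-cmd style used earlier on this page. The embedded configuration is a constructed sample reproducing the post’s directives; the defaults table is taken from the vsftpd.conf(5) man page as I recall it (in particular ssl_tlsv1=YES, which is why the sample is flagged as still permitting TLS 1.0), and the zone name "public" is the one the post uses.

```python
# Defaults vsftpd applies when a directive is absent, as documented in the
# vsftpd.conf(5) man page (assumption: your build follows those defaults).
DEFAULTS = {
    "ssl_enable": "NO", "ssl_sslv2": "NO", "ssl_sslv3": "NO", "ssl_tlsv1": "YES",
    "allow_anon_ssl": "NO", "force_local_data_ssl": "YES",
    "force_local_logins_ssl": "YES", "require_ssl_reuse": "YES",
    "ssl_ciphers": "DES-CBC3-SHA", "implicit_ssl": "NO", "listen_port": "21",
}
# OpenSSL cipher-list words that should never appear un-negated in ssl_ciphers.
WEAK_CIPHER_WORDS = ("NULL", "EXPORT", "LOW", "MEDIUM", "DES", "RC4", "MD5")

# Constructed sample reproducing the directives shown in the post.
SAMPLE_CONF = """\
# SSL configuration (TLS v1.2)
ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/private/vsftpd-selfsigned.pem
rsa_private_key_file=/etc/ssl/private/vsftpd-selfsigned.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_ciphers=HIGH
require_ssl_reuse=NO
pasv_min_port=40001
pasv_max_port=40100
"""


def parse_vsftpd_conf(text):
    """vsftpd.conf is one 'option=value' per line; lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def effective(conf, key):
    """Value in effect: what the file says, else the documented default."""
    return conf.get(key, DEFAULTS.get(key))


def audit(conf):
    """Return (severity, directive, message) tuples for settings worth a look."""
    findings = []
    if effective(conf, "ssl_enable") != "YES":
        return [("error", "ssl_enable", "TLS is not enabled; everything travels in cleartext")]
    for proto in ("ssl_sslv2", "ssl_sslv3"):
        if effective(conf, proto) != "NO":
            findings.append(("error", proto, "legacy SSL protocol still permitted (POODLE-class issues)"))
    if effective(conf, "ssl_tlsv1") != "NO":
        findings.append(("warn", "ssl_tlsv1", "TLS 1.0 remains permitted; set ssl_tlsv1=NO to allow only newer versions"))
    for directive in ("force_local_data_ssl", "force_local_logins_ssl"):
        if effective(conf, directive) != "YES":
            findings.append(("error", directive, "local users may fall back to cleartext"))
    if effective(conf, "allow_anon_ssl") == "YES":
        findings.append(("warn", "allow_anon_ssl", "anonymous sessions may negotiate TLS"))
    if "ssl_ciphers" not in conf:
        findings.append(("warn", "ssl_ciphers", "not set; the documented default is the 3DES suite"))
    else:
        # Split the OpenSSL cipher list; negated selectors such as !aNULL are fine.
        tokens = [t for t in conf["ssl_ciphers"].upper().split(":") if t and not t.startswith("!")]
        weak = [t for t in tokens if any(w in t for w in WEAK_CIPHER_WORDS)]
        if weak:
            findings.append(("error", "ssl_ciphers", "weak selectors: " + ", ".join(weak)))
    if effective(conf, "require_ssl_reuse") == "NO":
        findings.append(("info", "require_ssl_reuse", "data connections need not reuse the control TLS session (client-compatibility trade-off)"))
    if effective(conf, "implicit_ssl") == "YES" and "listen_port" not in conf:
        findings.append(("warn", "listen_port", "implicit FTPS is conventionally served on 990; set listen_port explicitly"))
    lo, hi = conf.get("pasv_min_port"), conf.get("pasv_max_port")
    if lo is None or hi is None:
        findings.append(("warn", "pasv_min_port", "passive range not pinned, so the firewall cannot be scoped to it"))
    elif int(lo) > int(hi):
        findings.append(("error", "pasv_min_port", "pasv_min_port is greater than pasv_max_port"))
    return findings


def firewall_ports(conf):
    """TCP ports/ranges a firewall must admit for this configuration."""
    ports = [effective(conf, "listen_port") + "/tcp"]  # control channel (21 explicit, 990 implicit)
    lo, hi = conf.get("pasv_min_port"), conf.get("pasv_max_port")
    if lo and hi:
        ports.append(f"{lo}-{hi}/tcp")  # passive data channels
    return ports


def firewall_commands(conf, zone="public"):
    """firewalld commands in the same style as the post's firewall-cmd lines."""
    cmds = [f"firewall-cmd --zone={zone} --add-port={p} --permanent" for p in firewall_ports(conf)]
    return cmds + ["firewall-cmd --reload"]


if __name__ == "__main__":
    conf = parse_vsftpd_conf(SAMPLE_CONF)
    for severity, directive, message in audit(conf):
        print(f"[{severity}] {directive}: {message}")
    print("\n".join(firewall_commands(conf)))
```

Feed it the real file with parse_vsftpd_conf(open("/etc/vsftpd/vsftpd.conf").read()) and treat any "error" finding as a blocker before restarting the service; the firewall_commands output is what the "open them within the firewall" step amounts to for the passive range.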
Setting up SSL debug
If needed, SSL debugging can be enabled, so that all OpenSSL connection diagnostic information is recorded in the VSFTPD log file:
debug_ssl=YES
Once done, save the changes and close the file, then restart the VSFTPD service:
systemctl restart vsftpd
That’s about it. We can now test our new FTPS server from a remote client by typing the following line in its command-line terminal:
ftp <VSFTPD_ip_address>