FTP communication is not secure, all communication is plain text and can be easily captured. Despite this serious weakness, few do anything to secure it. There are simple ways to correct this with VSFTPD.
Lesson 7 / Lesson 9
SSL/TLS With FTP FTPS is also known as FTPS Secure or FTP-SSL. What FTPS does is add the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) to the normal FTP on the same port 21. It is easy to confuse FTPS on port 21 with SFTP which is actually SSH on port 22.
Add these settings to your /etc/vsftpd.conf file and you will have an anonymous ftp server that will allow anyone to download files from /var/ftp but they cannot upload. It will also protect all of your users as they must ftp into their home accounts using ssl.
anonymous_enable=YES local_enable=YES
rsa_cert_file=/ etc/vsftpd/vsftpd.pem ssl_enable=YES force_local_logins_ssl=YES force_local_data_ssl=YES ssl_tlsv1=YES ssl_sslv2=YES ssl_sslv3=YES
You do not need to create the self-signed certificate as they are already created by the vsftpd server as you can see listed. Notice that ssl is enabled only for local logins, users who have accounts on the machine. The connection will still be on port 21. Once you have the server set up you will need a client that is ftps compatible. Create Self-Signed Certificate You can create a self-signed certificate with this command which will create a certificate for 1 year and the pem file is then saved in the /etc/directory. Note that you will need to change the /etc/vsftpd.conf file to enter the path of this file. You will be asked several questions which will identify your organization. # openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd.pem -out /etc/vsftpd.pem Generating a 1024 bit RSA private key ......++++++ ..++++++ writing new private key to '/etc/vsftpd.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:MT Locality Name (eg, city) []:Trout Creek Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example LTD Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:example.com Email Address []:
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
Be sure to add the settings fro your site, not this example.
Using a FTP Client that is SSL/TLS Compatible
The popular Linux ftp client gFTP will not connect using SSL when you are using self-signed certificates, you would have to purchase a real certificate for your business. Another Linux alternative is to use ftp-ssl. This is a command line version of ftp and actually will replace ftp with this client. It functions that same as ftp. It will attempt to connect using ssl, if it is not enabled it will drop back to regular ftp. The Filezilla version for Linux continued to crash when the connection was made, so it is not a reliable option. When you connect you will be asked to accept the self-signed certificate, either which you made or the default for vsftp.
lftp works well from the command line.
Accept the certificate and you have encrypted FTP on port 21. If you have users connecting with FileZilla for Windows, which is reliable, you will need to make these changes so they can log in with SSL. Note the port is still 21 but the Servertype is now FTP over SSL.
|