Secure FTP Site with FileZilla
Server - Ubuntu

There are three elements you will need to deal with when setting up SSL with VSFTPD. First, you will need to create a self-signed certificate for VSFTPD and configure VSFTPD to use that certificate. Second, you will need to set up FileZilla to connect on port 21 but use SSL for the connection, so that all data and passwords are transferred encrypted. Third, you will need to configure the UFW firewall to allow those connections.

Set Up VSFTPD

Create the self-signed certificate. (The command below is the one used in this guide; 1024-bit RSA keys are now considered too weak, and current clients may refuse them, so a larger key size is advisable.)

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem

Enter the information that reflects your site:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MT
Locality Name (eg, city) []:TC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Fred Smith
Email Address []:

This will then be reflected in the certificate when you see it.

Copy the resulting vsftpd.pem to /etc/ssl/certs:

cp vsftpd.pem /etc/ssl/certs/

Edit /etc/vsftpd.conf to allow SSL:

listen=YES
#### No Anonymous Connections Allowed #####
anonymous_enable=NO
##### Customer Connections #####
local_enable=YES
write_enable=YES
chroot_local_user=YES
use_localtime=YES
dirmessage_enable=YES
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
xferlog_std_format=YES
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
pasv_min_port=30000
pasv_max_port=40000

Several items in this configuration deserve attention. Newer versions of FileZilla require stronger encryption from VSFTPD, so this line must be added to the VSFTPD configuration file:

ssl_ciphers=HIGH

The passive ports that will carry the data must also be specified:

pasv_min_port=30000
pasv_max_port=40000

You can use any port range above 1024. It has to be a range rather than a single port because each passive FTP data connection uses its own port from that range.

FileZilla v.3.5.3

This example uses the popular FileZilla client, which has both a Windows and a Linux version, to connect to an FTP server.

With this setup all data and user authentication is forced to be encrypted.

Go to this URL to download the FileZilla program (the example installs it on Windows):

http://filezilla-project.org/download.php

Scan the file for viruses (just a normal Windows precaution) and then install it. Open FileZilla, and you will find a link in the menu.

When FileZilla opens, click the Site Manager (highlighted in the example).

The Site Manager will allow you to set up the FTP site for your backups. Enter the information exactly as it is highlighted in the example.

The next step is to enter the username and password you were given when your account for remote backups was created. Do not copy the values in this example, as your username and password will be different.

When this is complete click “OK” to save your settings.

Next, navigate to the location on your local machine where the backups you want to copy to the backup server are stored. Note that your location may be different.

Next, connect to the server by clicking the Site Manager and then “FTP”, which will connect you to your remote backup server and your home location.

When you connect to the server for the first time you will see a certificate, which indicates that the server is using encryption so your data is protected while it transfers. Because the certificate is self-signed, FileZilla cannot check it against a certificate authority, so compare the fingerprint it displays with the certificate you generated on the server; then check the box on the certificate dialog so you do not have to view the certificate each time.

Now to transfer files, just drag them from your local machine to the remote machine. Drag the files you want to back up to the highlighted directory.

You will be able to see the files being transferred.

You can also copy files from the backup server to your local machine by dragging them to the local directory.

Firewall

You must add several rules to allow the passive connections to your FTP server. The remote machines will connect on port 21 and then transfer data on ports 30000:40000 (your port choice may be different).

ufw allow proto tcp from any to any port 21
ufw allow proto tcp from any to any port 30000:40000

ufw status

Status: active

To                         Action      From
--                         ------      ----
20/tcp                     ALLOW       192.168.2.1
30000:40000/tcp            ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
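As an added check that is not part of this guide, the following POSIX shell script lints a vsftpd.conf for the encryption settings and passive port range described in the VSFTPD section and prints the matching ufw rules from this section; the function names (vsftpd_tls_check, ufw_rules_for, conf_value, sample_conf) are mine, and the sample configuration is constructed from the guide's own settings.

```shell
# Added example (not the guide's own code): lint a vsftpd.conf for the TLS and
# passive-mode settings this guide relies on, then print the matching ufw rules.
REQUIRED="ssl_enable=YES force_local_data_ssl=YES force_local_logins_ssl=YES
ssl_sslv2=NO ssl_sslv3=NO anonymous_enable=NO chroot_local_user=YES"

# Value of key $2 in file $1; last occurrence wins, as vsftpd reads it.
conf_value() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }

# Returns 0 when every check passes; each failure is reported on stdout.
vsftpd_tls_check() {
    conf="$1"; fail=0
    for line in $REQUIRED; do   # settings that must appear exactly as written
        grep -qxF "$line" "$conf" || { echo "missing or wrong: $line"; fail=1; }
    done
    [ -n "$(conf_value "$conf" ssl_ciphers)" ] || { echo "ssl_ciphers not set (guide uses HIGH)"; fail=1; }
    [ -n "$(conf_value "$conf" rsa_cert_file)" ] || { echo "rsa_cert_file not set"; fail=1; }
    min=$(conf_value "$conf" pasv_min_port); max=$(conf_value "$conf" pasv_max_port)
    case "$min:$max" in   # both numeric, above 1024, min <= max
        :*|*:|*[!0-9:]*) echo "pasv_min_port and pasv_max_port must both be numeric"; fail=1 ;;
        *) [ "$min" -gt 1024 ] && [ "$min" -le "$max" ] ||
               { echo "passive range $min:$max must lie above 1024 with min <= max"; fail=1; } ;;
    esac
    return $fail
}

# The two ufw commands from the Firewall section, using the configured passive range.
ufw_rules_for() {
    echo "ufw allow proto tcp from any to any port 21"
    echo "ufw allow proto tcp from any to any port $(conf_value "$1" pasv_min_port):$(conf_value "$1" pasv_max_port)"
}

# Constructed sample: the TLS-related lines of the guide's /etc/vsftpd.conf.
sample_conf() {
    printf '%s\n' anonymous_enable=NO chroot_local_user=YES rsa_cert_file=/etc/ssl/certs/vsftpd.pem \
        ssl_enable=YES force_local_data_ssl=YES force_local_logins_ssl=YES ssl_tlsv1=YES \
        ssl_sslv2=NO ssl_sslv3=NO ssl_ciphers=HIGH pasv_min_port=30000 pasv_max_port=40000
}

# Demo: the guide's config passes; a copy that re-enables SSLv3 and drops ssl_ciphers fails.
GOOD=$(mktemp); WEAK=$(mktemp)
sample_conf >"$GOOD"
sed -e 's/^ssl_sslv3=NO/ssl_sslv3=YES/' -e '/^ssl_ciphers=/d' "$GOOD" >"$WEAK"
if vsftpd_tls_check "$GOOD"; then ufw_rules_for "$GOOD"; fi
if vsftpd_tls_check "$WEAK"; then echo "unexpected pass"; else echo "weak config rejected"; fi
rm -f "$GOOD" "$WEAK"
```

Run it against the real file with `vsftpd_tls_check /etc/vsftpd.conf` after sourcing the script; a non-zero exit status lists exactly which of the settings above is missing.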


That should do it. Make sure you check /var/log/messages for errors or dropped connections.