Secure Linux FTP Server (VSFTPD Server) Using SSL Encryption/TLS Encryption

In this article, we are going to discuss how to secure a Linux FTP server (vsftpd) using SSL/TLS encryption. In one of my previous articles I already explained how to configure a Linux FTP server (vsftpd). The port number used by the Secure FTP Server is 22.

Follow the below steps to Secure Linux FTP Server (Vsftpd Server) using SSL Encryption / TLS Encryption :

Step: 1 Install Required Packages

We need to install two Packages to configure Linux FTP Server (Vsftpd Server) using SSL Encryption / TLS Encryption. The Packages are :

  • vsftpd
  • mod_ssl

So let’s install the packages one by one.

  • Installing vsftpd Package
[root@localhost ~]# yum -y install vsftpd   # Installing vsftpd Package
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: centos-hcm.viettelidc.com.vn
 * extras: centos-hcm.viettelidc.com.vn
 * updates: centos.excellmedia.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package vsftpd.x86_64 0:2.2.2-24.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================
 Package                       Arch                          Version                             Repository                   Size
===================================================================================================================================
Installing:
 vsftpd                        x86_64                        2.2.2-24.el6                        base                        156 k

Transaction Summary
===================================================================================================================================
Install       1 Package(s)

Total download size: 156 k
Installed size: 340 k
Downloading Packages:
vsftpd-2.2.2-24.el6.x86_64.rpm                                                                              | 156 kB     00:01     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : vsftpd-2.2.2-24.el6.x86_64                                                                                      1/1 
  Verifying  : vsftpd-2.2.2-24.el6.x86_64                                                                                      1/1 

Installed:
  vsftpd.x86_64 0:2.2.2-24.el6                                                                                                     

Complete!
  • Installing the mod_ssl Package.
[root@localhost ~]# yum -y install mod_ssl   # Installing mod_ssl Package
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
 * base: centos-hcm.viettelidc.com.vn
 * extras: centos-hcm.viettelidc.com.vn
 * updates: centos.excellmedia.net
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.2.15-59.el6.centos will be installed
--> Processing Dependency: httpd = 2.2.15-59.el6.centos for package: 1:mod_ssl-2.2.15-59.el6.centos.x86_64
--> Running transaction check
---> Package httpd.x86_64 0:2.2.15-29.el6.centos will be updated
---> Package httpd.x86_64 0:2.2.15-59.el6.centos will be an update
--> Processing Dependency: httpd-tools = 2.2.15-59.el6.centos for package: httpd-2.2.15-59.el6.centos.x86_64
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.2.15-29.el6.centos will be updated
---> Package httpd-tools.x86_64 0:2.2.15-59.el6.centos will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=========================================================================================================
 Package                 Arch               Version                               Repository        Size
=========================================================================================================
Installing:
 mod_ssl                 x86_64             1:2.2.15-59.el6.centos                base              97 k
Updating for dependencies:
 httpd                   x86_64             2.2.15-59.el6.centos                  base             834 k
 httpd-tools             x86_64             2.2.15-59.el6.centos                  base              79 k

Transaction Summary
=========================================================================================================
Install       1 Package(s)
Upgrade       2 Package(s)

Total download size: 1.0 M
Downloading Packages:
(1/3): httpd-2.2.15-59.el6.centos.x86_64.rpm                                      | 834 kB     00:02     
(2/3): httpd-tools-2.2.15-59.el6.centos.x86_64.rpm                                |  79 kB     00:00     
(3/3): mod_ssl-2.2.15-59.el6.centos.x86_64.rpm                                    |  97 kB     00:00     
---------------------------------------------------------------------------------------------------------
Total                                                                    291 kB/s | 1.0 MB     00:03     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : httpd-tools-2.2.15-59.el6.centos.x86_64                                               1/5 
  Updating   : httpd-2.2.15-59.el6.centos.x86_64                                                     2/5 
  Installing : 1:mod_ssl-2.2.15-59.el6.centos.x86_64                                                 3/5 
  Cleanup    : httpd-2.2.15-29.el6.centos.x86_64                                                     4/5 
  Cleanup    : httpd-tools-2.2.15-29.el6.centos.x86_64                                               5/5 
  Verifying  : httpd-tools-2.2.15-59.el6.centos.x86_64                                               1/5 
  Verifying  : httpd-2.2.15-59.el6.centos.x86_64                                                     2/5 
  Verifying  : 1:mod_ssl-2.2.15-59.el6.centos.x86_64                                                 3/5 
  Verifying  : httpd-2.2.15-29.el6.centos.x86_64                                                     4/5 
  Verifying  : httpd-tools-2.2.15-29.el6.centos.x86_64                                               5/5 

Installed:
  mod_ssl.x86_64 1:2.2.15-59.el6.centos                                                                  

Dependency Updated:
  httpd.x86_64 0:2.2.15-59.el6.centos              httpd-tools.x86_64 0:2.2.15-59.el6.centos             

Complete!

You can confirm the installed packages by using rpm -qa command. Refer to the sample output below.

[root@localhost ~]# rpm -qa | grep vsftpd   # Confirm the Vsftpd Package Installation
vsftpd-2.2.2-24.el6.x86_64

[root@localhost ~]# rpm -qa | grep mod_ssl  # Confirm the mod_ssl Package Installation
mod_ssl-2.2.15-59.el6.centos.x86_64

To check the configuration files and directories path of mod_ssl we can use rpm -ql mod_ssl.

Sample Output : 

[root@localhost ~]# rpm -ql mod_ssl  # Checking Configuration Files and Directories Path
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem

Start the Vsftpd Service using the below command.

[root@localhost ~]# /etc/init.d/vsftpd start   # Start the Vsftpd Server Service
Starting vsftpd for vsftpd:                                [  OK  ]

Start the vsftpd service at startup using the below command.

[root@localhost ~]# chkconfig --level 35 vsftpd on   # Start the Vsftpd Linux FTP Service at Startup
[root@localhost ~]# chkconfig --list vsftpd
vsftpd          0:off   1:off   2:off   3:on      4:off   5:on      6:off

Step: 2 Generate Certificates for Linux FTP Server (Vsftpd Server)

We have to generate a .pem certificate to secure the Vsftpd Linux FTP Server. .pem stands for Privacy Enhanced Mail; it is a public certificate container that can hold multiple certificates in one file (e.g. public key and private key certificates). To generate the .pem file we can use the openssl command. Refer to the command below to generate the .pem certificate. Here I am generating a certificate named itsmarttricks.pem.

During certificate creation it will ask for the details below:

  • Country Name
  • State Name
  • City
  • Organization Name
  • Email Address, etc.

So enter the valid details to generate a .pem certificate.

[root@localhost ~]# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout itsmarttricks.pem -out itsmarttricks.pem
Generating a 1024 bit RSA private key
...++++++
...++++++
writing new private key to 'itsmarttricks.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:itsmarttricks
Organizational Unit Name (eg, section) []:Internet Marketing
Common Name (eg, your name or your server's hostname) []:itsmarttricks
Email Address []:[email protected]

The generated certificate file is created and stored in the current directory, i.e. the directory where you ran the openssl command. As you can see below, I created the certificate in the home directory of root. Refer to the sample output below.

[root@localhost ~]# ls
anaconda-ks.cfg  Documents  itsmarttricks.pem  install.log.syslog  Pictures  Templates
Desktop          Downloads  install.log     Music               Public    Videos

Once the certificate is generated, copy the certificate file to the /etc/vsftpd directory. Refer to the command below.

[root@localhost ~]# cp itsmarttricks.pem /etc/vsftpd/   # Copy the Certificate File

Step: 3 Configure Main configuration file of Vsftpd Server (/etc/vsftpd/vsftpd.conf)

Before enabling the SSL configuration for Vsftpd Linux FTP Server let’s do some basic settings. Refer to the sample output below.

[root@localhost ~]# nano /etc/vsftpd/vsftpd.conf

# vsftpd does not accept spaces or a comment after a value,
# so every comment is kept on its own line.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
# Disable Anonymous Login
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
# Enable Local User Login
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
# Write enable for any form of FTP
write_enable=YES

Save the configuration file after all the above changes and restart the Vsftpd Linux FTP server.

[root@localhost ~]# /etc/init.d/vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]

Step: 4 Enable SSL Encryption Support for Vsftpd Linux FTP Server

To enable SSL encryption support for the Vsftpd Linux FTP Server, edit the main configuration file, i.e. /etc/vsftpd/vsftpd.conf, go to the end of the file, and enter the lines below.

[root@localhost ~]# nano /etc/vsftpd/vsftpd.conf

###SSL Support for Vsftpd###

# Enable SSL Encryption for VSftpd Linux FTP Server
ssl_enable=YES
# Enable SSL & TLS Version 1
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Path for Certificate File
rsa_cert_file=/etc/vsftpd/itsmarttricks.pem
# Path for Private Key File
rsa_private_key_file=/etc/vsftpd/itsmarttricks.pem
# Force local users to log in using SSL Encryption / TLS Encryption
force_local_logins_ssl=YES
# Force SSL Encryption / TLS Encryption during data upload in FTP
force_local_data_ssl=YES

After all the above changes restart the Vsftpd Linux FTP Service using the below command.

[root@localhost ~]# /etc/init.d/vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
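
As an added example (not part of the original article), the shell function below audits a vsftpd.conf for the settings from Step 3 and Step 4 and flags any value followed by spaces or an inline comment, which vsftpd does not accept. The function names and the sample configuration are constructed for illustration, and the audit assumes every option is set explicitly, as the article does.

```shell
#!/bin/sh
# Added example (not from the article): audit vsftpd.conf TLS settings.

# Print option $2 from file $1 exactly as written: everything after the "=",
# including trailing spaces or "# text". The last occurrence is used here.
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one finding per line for file $1; print nothing when it is clean.
# Assumption: every option must be set explicitly, as Steps 3 and 4 do.
audit_vsftpd_tls() {
    for want in anonymous_enable=NO ssl_enable=YES ssl_tlsv1=YES \
                ssl_sslv2=NO ssl_sslv3=NO \
                force_local_logins_ssl=YES force_local_data_ssl=YES; do
        opt=${want%%=*}
        expected=${want#*=}
        if ! grep -q "^$opt=" "$1"; then
            echo "NOT SET   $opt (expected $expected)"
            continue
        fi
        actual=$(conf_value "$1" "$opt")
        case $actual in
            "$expected") ;;   # exact match, nothing to report
            "$expected"?*) echo "MALFORMED $opt: text after the value" ;;
            *) echo "WEAK      $opt=$actual (expected $expected)" ;;
        esac
    done
    return 0
}

# Constructed sample: one inline comment, SSLv3 on, data channel not forced.
sample_conf() {
    cat <<'EOF'
anonymous_enable=NO
ssl_enable=YES  # Enable SSL
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=YES
force_local_logins_ssl=YES
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
audit_vsftpd_tls "$tmp"
rm -f "$tmp"
```

Run it against the real file with `audit_vsftpd_tls /etc/vsftpd/vsftpd.conf`; an empty result means all seven options are set to the values used in this article.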

Now stop the iptables service using the below command.

[root@localhost ~]# /etc/init.d/iptables stop
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Unloading modules:                               [  OK  ]

We are done with all the required configurations. Now it’s time for testing. As we enabled SSL Encryption / TLS Encryption for the Vsftpd Linux FTP Server, we cannot access the FTP Server without SSL, i.e. with normal FTP access. I tried to do so and got the error below.

[root@localhost ~]# ftp localhost
Trying ::1...
ftp: connect to address ::1Connection refused
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): helpdesk
530 Non-anonymous sessions must use encryption.
Login failed.

To access the secured Vsftpd Server we have a tool in Linux, i.e. sftp. So let’s access the Vsftpd Server using the sftp command.

[root@localhost ~]# sftp helpdesk@localhost
Connecting to localhost...
helpdesk@localhost's password: 
sftp> 

As you can see in the output above, we are successfully able to log in to the Vsftpd Linux FTP Server using the SSL Encryption Certificate.
There is also a third-party tool available with which we can access the Vsftpd Server, i.e. FileZilla. Access the FTP Server without SSL Encryption using FileZilla.

Now try to log in to the vsftpd server using an SSL certificate.

Access Vsftpd Linux Ftp Server Using SSL Encryption

Accept the SSL Certificate by pressing OK.

Accept The SSL Encryption Certificate

Now you have successfully connected to Vsftpd Linux FTP Server.

That’s all. In this article, we have explained how to secure a Linux FTP server (vsftpd) using SSL/TLS encryption. I hope you enjoy this article. If you like this article, then just share it. If you have any questions about this article, please comment.