Do you know what is a File Transfer Protocol (FTP)? FTP (RFC959) is a network protocol used to transfer data files from one computer to another through a network. The risk of using FTP is notable by using plaintext username and password. This is very insecure. Your login and password can be easily sniffed.
This post describes how to install and setup a secured FTP server using vsftpd 2.0.5 with TLS in CentOS 5.5 the easy way.
Pre-requisite Check
Run the command below to query for vsftpd rpm: -
rpm -qa vsftpd
If vsftpd is not installed, you can use yum to install it using the command below:
yum install vsftpd
Initial Configuration
The configuration directory of vsftpd is located in /etc/vsftpd path. It is advisable to backup the good known configuration files for easier quick restoration. Run the command below: -
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.original
Control User Access
Change the following parameter below in your /etc/vsftpd/vsftpd.conf file to disable anonymous users access: -
anonymous_enable=NO
Change the following parameter below in your /etc/vsftpd/vsftpd.conf file to lock users in their home directory: -
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
chroot_local_user=YES
Run the following command below to create /etc/vsftpd/chroot_list file: -
touch /etc/vsftpd/chroot_list
chmod 600 /etc/vsftpd/chroot_list
Enable TLS Encryption
Run the following command below to check an installation of vsftpd for SSL support: -
ldd /usr/sbin/vsftpd | grep ssl
You will get the following result below if your vsftpd is SSL supported: -
libssl.so.6 => /lib/libssl.so.6 (0x001e3000)
To use TLS you will need to generate a key by using the openssl command below: -
openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
The above command prompts you for series of questions for creating your certificate with a life of 10 years (-days 3650): -
Country Name (2 letter code) [GB]:MY
State or Province Name (full name) [Berkshire]:WP
Locality Name (eg, city) [Newbury]:KL
Organization Name (eg, company) [My Company Ltd]:Company
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server’s hostname) []:localhost
Email Address []:ftpmaster@localhost
Run the following command below to change the permission of the /etc/vsftpd/vsftpd.pem file: -
chmod 600 /etc/vsftpd/vsftpd.pem
Add this to your /etc/vsftpd/vsftpd.conf file: -
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
You need to restart vsftpd to take effect using the command below: -
service vsftpd restart
You may use FileZilla as the FTP client that supports TLS encryption connection. Be sure to select FTPES – FTP over explicit TLS/SSL under the Servertype in the FileZilla Site Manager.
0 comments:
Post a Comment