Thursday, December 1, 2011

Vsftpd SSL / TLS FTP Server Configuration


Vsftpd FTP server supports secure connections via SSL / TLS, same encryption used with online banking and shopping. This applies to the control connection (including login) and also data connections. You will need a ftp client with SSL support too.

Create SSL Certificate

Type the following command to create self-signed certificate (you can also use certificate issued by 3rd party CA):
# cd /etc/vsftpd/
# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem
Sample output:
Generating a 1024 bit RSA private key
.......++++++
........................................++++++
writing new private key to '/etc/vsftpd/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:IN
State or Province Name (full name) [Berkshire]:Maharashtra 
Locality Name (eg, city) [Newbury]:Pune
Organization Name (eg, company) [My Company Ltd]:nixCraft Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ftp.nixcraft.net.in
Email Address []:vivek@nixcraft.net.in
Edit the vsftpd configuration file, enter:
# vi vsftpd.conf
Add or correct the following configuration option:
# Turn on SSL
ssl_enable=YES
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=YES
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=NO
# permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=NO
# Specifies the location of the RSA certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/vsftpd.pem
 

Restart the ftp server:
# service vsftpd restart
# netstat -tulpn | grep :21

Test SSL Aware FTP Server With ftp-ssl

ftp-ssl is the FTP client with SSL or TLS encryption support. Install ftp-ssl under Debian / Ubuntu desktop, enter:
$ sudo apt-get update
$ sudo apt-get install ftp-ssl
Sample ssl aware ftp session:
$ ftp-ssl ftp.nixcraft.net.in
Sample output:
Connected to ftp.nixcraft.net.in.
220-NOTICE TO USERS
220-
220-Use of this system constitutes consent to security monitoring and testing.
220-All activity is logged with your host name and IP address.
220
Name (ftp.nixcraft.net.in:sayali): vivek
234 Proceed with negotiation.
[SSL Cipher DES-CBC3-SHA]
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
lftp is a file transfer program that allows sophisticated ftp, ftp-ssl, http and other connections to other hosts. Use lftp as follows (it is available under all UNIX / BSD / Linux distributions)
$ lftp -u vivek -e 'set ftp:ssl-force true' ftp.nixcraft.net.in
Posted by at No comments:
Subscribe to: Comments (Atom)