Setting up FTP on linux with SSL

in #technology · 7 years ago (edited)


So you need to get files from your computer to your server, securely and easily. FTP is the solution in this case, but it's really important to set up SSL on it too! FTP without SSL is a bad setup, since passwords and files are sent in cleartext.

What we'll need

First of all we need OpenSSL and an FTP server. I like vsftpd because it's lightweight and easy to use.
To install vsftpd type:
apt-get install vsftpd, this should start installing the vsftpd package. If it asks whether you want to install it, type y and press enter.

Initial FTP Setup

Now that vsftpd is installed, we can configure it. The configuration file is /etc/vsftpd.conf.
Add/Change these lines in your configuration:

  • anonymous_enable=NO disables anonymous access; in FTP, anonymous is a user that logs in without a password, so definitely disable that
  • local_enable=YES this will allow local users to log in to the FTP server.
  • write_enable=YES this will allow users to modify/upload files on the server; without this the server is basically read-only
  • chroot_local_user=YES this will restrict all users to their home directory. This is a good option, since even if our password gets stolen an attacker can't access the whole filesystem

Now save & close this file.

Creating a new user

This is good practice, since if the FTP user's password gets compromised, our main account stays untouched. It's also worth putting a different password on your FTP user, to prevent attackers from logging in with the same password to every service.
So to create a new user type:
adduser secureftp, where secureftp is the name of our new user.
You'll be presented with prompts like name, address and country code. You can fill them out, or just press enter to skip each one; this is up to you.

Directory restriction

This is good, since we can restrict the FTP user to only one directory.
Let root take over the new ftp account's home:
chown root:root /home/secureftp, this will prevent secureftp from reading/writing its own home directory. This step is required, not just good hygiene: vsftpd refuses to run a session whose chroot directory is writable by the user.
Next create a new directory in the ftp user's home folder:
mkdir /home/secureftp/ftp, this will create a new directory.
Give the ftp user full access to the ftp directory:
chown secureftp:secureftp /home/secureftp/ftp
So now the ftp client will only see the ftp directory!


Adding the SSL

Now that's all good and secure so far, but what about SSL?
First we need to generate the SSL keys for our FTP Server:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
This will ask similar questions to the ones the adduser command did.
Important: you need to leave the password field empty. This is a self-signed key and it doesn't need a password (the -nodes option already stores the private key unencrypted); your key is still secure without a password as long as you make sure you don't give your vsftpd.pem file to anyone.

Back to the config file

Now we need to tell vsftpd to use our new keys.
Open /etc/vsftpd.conf and add/change the following lines:

  • ssl_enable=YES this will tell the server that it can use SSL
  • rsa_private_key_file=/etc/ssl/private/vsftpd.pem this will tell the server where to locate the private key
  • rsa_cert_file=/etc/ssl/private/vsftpd.pem this will tell the server where to locate the certificate (the public key). Both live in the same .pem file, because the openssl command above wrote them there.

Now SSL is added, but:

  1. Clients can still use insecure, cleartext FTP
  2. SSL connections are still able to negotiate weak ciphers and protocols

Force SSL connections:

  • allow_anon_ssl=NO, prevent anonymous users from connecting via SSL
  • force_local_data_ssl=YES, force authenticated users to send and receive data via SSL
  • force_local_logins_ssl=YES, force clients to send passwords via SSL
  • require_ssl_reuse=NO, setting this to YES can break some FTP clients according to the vsftpd man page
  • ssl_ciphers=HIGH, this prevents the use of weak or vulnerable ciphers

Set up TLSv1:

  • ssl_tlsv1=YES, enable the TLSv1 protocol
  • ssl_sslv3=NO, disable the SSLv3 protocol
  • ssl_sslv2=NO, disable the SSLv2 protocol

Now we have a fully configured FTP server with SSL enabled; we need to restart it for the changes to take effect:
service vsftpd restart
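The whole server-side procedure above (the access-control settings, the SSL settings and the "keep vsftpd.pem private" rule) as one shell script, added here as an example; it is not part of the original post and not vsftpd's own tooling. It assumes a POSIX shell with awk, sed and mktemp, takes the config and PEM paths as arguments so it can be tried on a scratch copy first (the demo at the bottom does exactly that, with constructed placeholder contents instead of a real key), and adds an audit function that reports every security-relevant setting still at its insecure value. It uses the option name chroot_local_user (singular), which is the spelling vsftpd accepts.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post's vsftpd settings
# idempotently and audit the result. Paths are arguments so you can test on a copy.

# vsftpd_set CONF KEY VALUE: replace an existing "KEY=" (or commented "#KEY=")
# line with KEY=VALUE, otherwise append it. Never creates duplicate keys.
vsftpd_set() {
  conf=$1; key=$2; value=$3
  awk -v k="$key" -v v="$value" '
    ($0 ~ ("^#?" k "=")) { if (!done) { print k "=" v; done = 1 }; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# vsftpd_get CONF KEY: print the effective value (last active KEY= line), or nothing.
vsftpd_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# vsftpd_harden CONF PEM: every setting the post asks for, in one place.
vsftpd_harden() {
  conf=$1; pem=$2
  vsftpd_set "$conf" anonymous_enable NO        # no password-less logins
  vsftpd_set "$conf" local_enable YES
  vsftpd_set "$conf" write_enable YES
  vsftpd_set "$conf" chroot_local_user YES      # confine users to their home
  vsftpd_set "$conf" ssl_enable YES
  vsftpd_set "$conf" rsa_private_key_file "$pem"  # key and cert share one PEM
  vsftpd_set "$conf" rsa_cert_file "$pem"
  vsftpd_set "$conf" allow_anon_ssl NO
  vsftpd_set "$conf" force_local_data_ssl YES   # no cleartext data channel
  vsftpd_set "$conf" force_local_logins_ssl YES # no cleartext passwords
  vsftpd_set "$conf" require_ssl_reuse NO
  vsftpd_set "$conf" ssl_ciphers HIGH
  vsftpd_set "$conf" ssl_tlsv1 YES
  vsftpd_set "$conf" ssl_sslv3 NO
  vsftpd_set "$conf" ssl_sslv2 NO
}

# vsftpd_check CONF: audit a config. Returns 0 only if every security-relevant
# key has the expected value and the PEM file exists, is mode 0600 and holds
# both a private key block and a certificate block.
vsftpd_check() {
  conf=$1; rc=0
  for want in anonymous_enable=NO chroot_local_user=YES ssl_enable=YES \
              force_local_logins_ssl=YES force_local_data_ssl=YES \
              ssl_sslv2=NO ssl_sslv3=NO; do
    key=${want%%=*}; expect=${want#*=}
    got=$(vsftpd_get "$conf" "$key")
    if [ "$got" != "$expect" ]; then
      echo "FAIL: $key=${got:-<unset>} (want $expect)"; rc=1
    fi
  done
  pem=$(vsftpd_get "$conf" rsa_private_key_file)
  if [ ! -f "$pem" ]; then
    echo "FAIL: rsa_private_key_file '$pem' does not exist"; rc=1
  else
    mode=$(ls -l "$pem" | cut -c1-10)   # permission string only, owner is not checked
    [ "$mode" = "-rw-------" ] || { echo "FAIL: $pem is $mode, want -rw------- (chmod 600)"; rc=1; }
    grep -q 'PRIVATE KEY-----' "$pem" || { echo "FAIL: $pem has no private key block"; rc=1; }
    grep -q 'BEGIN CERTIFICATE-----' "$pem" || { echo "FAIL: $pem has no certificate block"; rc=1; }
  fi
  [ "$rc" -eq 0 ] && echo "OK: $conf passes all checks"
  return "$rc"
}

# Demo on a scratch copy. The config lines and the PEM contents below are
# constructed placeholders (not a real key) so the script runs offline.
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/vsftpd.conf"
demo_pem="$demo_dir/vsftpd.pem"
printf 'listen=YES\nanonymous_enable=YES\n#write_enable=YES\n' > "$demo_conf"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' \
              '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$demo_pem"
chmod 600 "$demo_pem"
vsftpd_check "$demo_conf" || echo "(expected: the defaults fail the audit)"
vsftpd_harden "$demo_conf" "$demo_pem"
vsftpd_check "$demo_conf"
cat "$demo_conf"
rm -rf "$demo_dir"
```

To apply it for real, call vsftpd_harden /etc/vsftpd.conf /etc/ssl/private/vsftpd.pem as root (the audit only looks at the permission bits, so also make sure the PEM is owned by root), then run vsftpd_check before restarting the service; a FAIL line means the server would still accept something the post set out to forbid.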


Configuring FileZilla

We have a server, but we also need a client that can upload and download files from it.
Open FileZilla and follow these steps:

  1. Click on File > Site Manager... or press CTRL + S
  2. In the bottom left corner click New site
  3. A new site will appear on the left side, enter the name of your site and press enter
  4. On the right panel, enter your IP address or domain name in the Host field
  5. Enter your port (21 by default) in the Port field
  6. For the protocol select FTP - File Transfer Protocol
  7. For encryption select Require explicit FTP over TLS
  8. For the logon type select Ask for password
  9. For the user field type secureftp (this is our ftp user on the server)
  10. Click OK

Now our client is ready to go.
If you want to connect to your server, open Site Manager again, select the site you've just added and press Connect. You'll be prompted for the user's password; just type it in and click OK.


Summary

Ok, so now we have a fully working file transfer solution that is secure and easy to use. The only negative is that only clients capable of SSL and TLS can connect to our server now. So a .bat file calling the plain ftp command can't, because it only supports regular FTP connections.
Now go and upload some files to your server.


Sources

vsftpd's Man Page