Never Ending Security


How To vsftpd with SSL/TLS on Linux


FTP, or file transfer protocol, was a popular way to transfer files between local and remote computers in the past. The protocol is inherently insecure, so its usage has fallen out of favor. If you still want to use FTP instead of a more secure alternative like SFTP, which uses the SSH protocol to implement file transfers, you can secure it somewhat by configuring FTP to use SSL.

In this guide, we will configure vsftpd to use SSL certificates on Ubuntu.

Install vsftpd

The vsftpd server is available in Ubuntu’s default repositories. You can install it by typing:

sudo apt-get install vsftpd

We now have vsftpd on our server, but we still must configure it.

Configure Basic vsftpd Functionality

The default configuration file is at /etc/vsftpd.conf. Open it with root privileges:

sudo nano /etc/vsftpd.conf

Disable the ability for users to log in anonymously by finding the anonymous_enable parameter and changing it to read “NO”:

anonymous_enable=NO

Next, we need to enable user logins that use the local authentication files, since we disabled anonymous access. Uncomment this line:

local_enable=YES

To enable users to make modifications to the filesystem, we will uncomment the write_enable parameter as well:

write_enable=YES

Additionally, uncomment the chroot_local_user option to restrict users to their own home directories:

chroot_local_user=YES

Save and close the file.

Create FTP User

Because of the way vsftpd secures its chroot jails, the chroot must not be owned by the user and must not be writeable. Because of this, it is best to implement a user specifically for use with FTP.

Create the user like this:

sudo adduser ftpuser

Assign a password and feel free to press “ENTER” through the other prompts. Now, give root ownership of the ftpuser’s home directory:

sudo chown root:root /home/ftpuser

We need to create a separate directory within this home directory where files can be uploaded. Then, we need to give this directory over to our FTP user:

sudo mkdir /home/ftpuser/files
sudo chown ftpuser:ftpuser /home/ftpuser/files

Now, we should be able to log in (insecurely) as the ftpuser and upload files to the files directory.

Configure SSL with vsftpd

We need to create some SSL certificates to use with vsftpd. We can do this with the following command:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

This will create a certificate that will last a year. It will be placed in the /etc/ssl/private/ directory, which we can reference in our configuration file.

Add the SSL Details to the vsftpd Configuration

Open the vsftpd configuration file again with root privileges:

sudo nano /etc/vsftpd.conf

Towards the bottom of the file, you should find a line that matches the SSL certificate we just created:

rsa_cert_file=/etc/ssl/private/vsftpd.pem

We will add the additional SSL info below this.

When we created the certificate, we included both the key file and the certificate in one file, so we can also point our private key line to that:

rsa_private_key_file=/etc/ssl/private/vsftpd.pem

After that, we will add the following lines to force SSL. This will reject clients that cannot use TLS, but that is what we want.

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

Next, we configure the server to use TLS, the successor to SSL, and disable the older SSL protocol versions:

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

Finally, we will add some additional options to flesh out our configuration file:

require_ssl_reuse=NO
ssl_ciphers=HIGH

Save and close the file.

Now, we need to restart our server for our changes to take effect:

sudo service vsftpd restart

This setup improves the security of FTP, but it still suffers from insecurity when establishing a connection. If at all possible, it is better to switch to SFTP for these kinds of operations. However, if you do decide to go with FTP, you should make sure to use TLS/SSL whenever possible.
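As an added check (example code, not part of the original guide), the following shell function reads a vsftpd.conf and reports any of the TLS directives set above that are missing or set to a different value; the sample config it writes is constructed, with SSLv3 deliberately left enabled so that one finding appears. It inspects directives only, not the certificate or key produced by the openssl command.

```shell
# Added example, not from the original post: check a vsftpd.conf for the TLS
# hardening directives set above; the exit status is the number of findings.

# Directive/value pairs the walkthrough sets, one per line.
EXPECTED='anonymous_enable=NO
chroot_local_user=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO'

# audit_vsftpd_conf CONFIG_FILE -> prints one line per directive, returns misses.
audit_vsftpd_conf() {
    conf="$1"
    misses=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # vsftpd reads the file top to bottom, so the last assignment wins.
        got=$(grep -E "^[[:space:]]*${key}=" "$conf" | tail -n 1 \
              | cut -d= -f2- | tr -d '[:space:]')
        if [ "$got" = "$want" ]; then
            echo "OK       ${key}=${want}"
        else
            echo "MISSING  ${key}=${want} (found: ${got:-unset})"
            misses=$((misses + 1))
        fi
    done
    return "$misses"
}

# write_sample_conf FILE: constructed config mirroring the walkthrough,
# except that SSLv3 is left enabled, so the audit should report one finding.
write_sample_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=NO
chroot_local_user=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=YES
EOF
}
```

Run it against the real file with `audit_vsftpd_conf /etc/vsftpd.conf` after editing; a non-zero exit status means at least one directive still needs attention.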

Installing and Configuring VSFTPD FTP Server For RedHat Enterprise Linux, CentOS and Fedora


vsftpd is a popular FTP server for Unix/Linux systems. For those unaware of the vsftpd FTP server, note that this is not just another FTP server, but a mature product that has been around for over 12 years in the Unix world. While vsftpd is found as an installation option on many Linux distributions, it is not often that Linux system administrators go looking for installation and configuration instructions for it, which is why we decided to cover it on Firewall.cx.

This article focuses on the installation and setup of the vsftpd service on Red Hat Enterprise Linux, Fedora and CentOS; however, it is applicable to almost all other Linux distributions. We’ll also take a look at a number of useful tips, which include setting quotas, restricting access to anonymous users, disabling uploads, setting up a dedicated partition for the FTP service, configuring the system’s iptables firewall and much more.

VSFTPD FEATURES

Following is a list of vsftpd’s features which confirms this small FTP package is capable of delivering a lot more than most FTP servers out there:

  • Virtual IP configurations
  • Virtual users
  • Standalone or inetd operation
  • Powerful per-user configurability
  • Bandwidth throttling
  • Per-source-IP configurability
  • Per-source-IP limits
  • IPv6
  • Encryption support through SSL integration
  • and much more!

INSTALLING THE VSFTPD LINUX SERVER

To initiate the installation of the vsftpd package, simply open your CLI prompt and use the yum command (you need root privileges) as shown below:

# yum install vsftpd

Yum will automatically locate, download and install the latest vsftpd version.

CONFIGURE VSFTPD SERVER

To open the configuration file, type:

# vi /etc/vsftpd/vsftpd.conf

Turn off the standard ftpd xferlog log format and turn on the verbose vsftpd log format by making the following changes in vsftpd.conf:

xferlog_std_format=NO
log_ftp_protocol=YES

Note: the default vsftpd log file is /var/log/vsftpd.log.

The two directives above enable logging of all FTP transactions.

To lock down users to their home directories:

chroot_local_user=YES

You can create warning banners for all FTP users, by defining the path:

banner_file=/etc/vsftpd/issue

Now you can create the /etc/vsftpd/issue file with a message compliant with the local site policy or a legal disclaimer:

“NOTICE TO USERS – Use of this system constitutes consent to security monitoring and testing. All activity is logged with your host name and IP address”.

TURN ON VFSTPD SERVICE

Turn on vsftpd on boot:

# systemctl enable vsftpd@vsftpd.service

Start the service:

# systemctl start vsftpd@vsftpd.service

You can verify the service is running and listening on the correct port using the following command:

# netstat -tulpn | grep :21

Here’s the expected output:

tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      9734/vsftpd

CONFIGURE IPTABLES TO PROTECT THE FTP SERVER

If iptables is configured on the system, you will need to edit the iptables file and open the port used by FTP to ensure the service operates.

To open file /etc/sysconfig/iptables, enter:

# vi /etc/sysconfig/iptables

Add the following line, ensuring that it appears before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

Next, open file /etc/sysconfig/iptables-config, and enter:

# vi /etc/sysconfig/iptables-config

Ensure that the space-separated list of modules contains the FTP connection-tracking module:

IPTABLES_MODULES="ip_conntrack_ftp"

Save and close the file and finally restart the firewall using the following commands:

# systemctl restart iptables.service
# systemctl restart ip6tables.service

 

TIP: VIEW FTP LOG FILE

Type the following command:

# tail -f /var/log/vsftpd.log
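Beyond tailing the log, the following added example (not from the Firewall.cx article) reads the lines produced with log_ftp_protocol=YES and reports clients with repeated failed logins; the log lines it writes are constructed in vsftpd's log format.

```shell
# Added example, not from the original article: report clients with repeated
# failed logins from a vsftpd.log written with log_ftp_protocol=YES.

# write_sample_log FILE: constructed lines in vsftpd's log format, covering a
# client that fails three times, a normal session and a single root attempt.
write_sample_log() {
    cat > "$1" <<'EOF'
Mon Jan 11 10:00:01 2016 [pid 2] CONNECT: Client "192.0.2.10"
Mon Jan 11 10:00:02 2016 [pid 1] [bob] FAIL LOGIN: Client "192.0.2.10"
Mon Jan 11 10:00:02 2016 [pid 1] [bob] FTP response: Client "192.0.2.10", "530 Login incorrect."
Mon Jan 11 10:00:03 2016 [pid 1] [bob] FAIL LOGIN: Client "192.0.2.10"
Mon Jan 11 10:00:04 2016 [pid 1] [bob] FAIL LOGIN: Client "192.0.2.10"
Mon Jan 11 10:00:05 2016 [pid 1] [alice] OK LOGIN: Client "198.51.100.7"
Mon Jan 11 10:00:09 2016 [pid 3] [alice] OK UPLOAD: Client "198.51.100.7", "/files/report.pdf", 1024 bytes, 12.00Kbyte/sec
Mon Jan 11 10:00:10 2016 [pid 1] [root] FAIL LOGIN: Client "203.0.113.5"
EOF
}

# failed_logins_by_client LOGFILE [THRESHOLD]
# Prints "<failures> <client> <users tried>" for every client with at least
# THRESHOLD (default 3) failed logins, most failures first.
failed_logins_by_client() {
    awk -v min="${2:-3}" '
        /\] FAIL LOGIN: Client "/ {
            # The client address is the first quoted field; the user name is
            # the bracketed field immediately before "FAIL LOGIN".
            split($0, q, "\"")
            ip = q[2]
            match($0, /\[[^]]*\] FAIL LOGIN/)
            user = substr($0, RSTART + 1, RLENGTH - 13)
            fails[ip]++
            if (!seen[ip, user]++) users[ip] = users[ip] user ","
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min)
                    print fails[ip], ip, substr(users[ip], 1, length(users[ip]) - 1)
        }' "$1" | sort -rn
}
```

On a live server, `failed_logins_by_client /var/log/vsftpd.log 10` gives a quick view of addresses worth blocking at the iptables layer described above.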

TIP: RESTRICTING ACCESS TO ANONYMOUS USER ONLY

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

local_enable=NO

TIP: TO DISABLE FTP UPLOADS

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

write_enable=NO

TIP: TO ENABLE DISK QUOTA

Disk quota must be enabled to prevent users from filling a disk used by FTP upload services. Edit the vsftpd configuration file and add or correct the following option, which sets the directory vsftpd will try to change into after an anonymous login:

anon_root=/ftp/ftp/pub

The ftp users are the same users as those on the hosting machine.

You could have a separate group for FTP users, to help keep their privileges down (for example 'anonftpusers'). Knowing that, your script should do:

useradd -d /www/htdocs/hosted/bob -g anonftpusers -s /sbin/nologin bob

echo bobspassword | passwd --stdin bob
echo bob >> /etc/vsftpd/user_list

Be extremely careful with your scripts, as they will have to be run as root.

However, for this to work you will have to have the following options enabled in /etc/vsftpd/vsftpd.conf:

userlist_enable=YES
userlist_deny=NO

SECURITY TIP: PLACE THE FTP DIRECTORY ON ITS OWN PARTITION

Separating the operating system files from FTP users' files results in a more robust and secure system. Restricting the growth of certain file systems is possible using various techniques. For example, use a /ftp partition to store all FTP home directories and mount it with the nosuid, nodev and noexec options. A sample /etc/fstab entry:

/dev/sda5  /ftp          ext3    defaults,nosuid,nodev,noexec,usrquota 1 2

 

EXAMPLE FILE FOR VSFTPD.CONF

Following is an example vsftpd.conf. It allows only the users listed in the user_list file to log in, no anonymous users, and places quite tight restrictions on what users can do:

# Allow anonymous FTP?
anonymous_enable=NO
#
# Allow local users to log in?
local_enable=YES
#
# Allow any form of FTP write command.
write_enable=YES
#
# To make files uploaded by your users writable by only
# themselves, but readable by everyone and if, through some
# misconfiguration, an anonymous user manages to upload a file,
# the file will have no read, write or execute permission. Just to be
# safe.
local_umask=0000
file_open_mode=0644
anon_umask=0777
#
# Allow the anonymous FTP user to upload files?
anon_upload_enable=NO
#
# Activate directory messages – messages given to remote users when they
# go into a certain directory.
dirmessage_enable=NO
#
# Activate logging of uploads/downloads?
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data)?
connect_from_port_20=YES
#
# Log file in standard ftpd xferlog format?
xferlog_std_format=NO
#
# User for vsftpd to run as?
nopriv_user=vsftpd
#
# Login banner string:
ftpd_banner=NOTICE TO USERS - Use of this system constitutes consent to security monitoring and testing. All activity is logged with your host name and IP address.
#
# chroot local users (only allow users to see their directory)?
chroot_local_user=YES
#
# PAM service name?
pam_service_name=vsftpd
#
# Enable user_list (see next option)?
userlist_enable=YES
#
# Should the user_list file specify users to deny(=YES) or to allow(=NO)
userlist_deny=NO
#
# Standalone (not run through xinetd) listen mode?
listen=YES
#
# Check connections against tcp_wrappers (hosts.allow/hosts.deny)?
tcp_wrappers=NO
#
# Log all ftp actions (not just transfers)?
log_ftp_protocol=YES
# Initially YES for troubleshooting, later change to NO
#
# Show file ownership as ftp:ftp instead of real users?
hide_ids=YES
#
# Allow ftp users to change permissions of files?
chmod_enable=NO
#
# Use local time?
use_localtime=YES
#
# List of raw FTP commands, which are allowed (some commands may be a security hazard):
cmds_allowed=ABOR,QUIT,LIST,PASV,RETR,CWD,STOR,TYPE,PWD,SIZE,NLST,PORT,SYST,PRET,MDTM,DEL,MKD,RMD

With this config, uploaded files are not readable or executable by anyone, so the server is acting as a 'dropbox'. Change the file_open_mode option to change that.

Lastly, it is also advised to have a look at 'man vsftpd.conf' for a full list and description of all options.