How can I configure VSFTPD to support SSL encrypted connections?
In this article we will be discussing how to configure vsftpd to work with SSL encryption. If you do not have vsftpd installed yet you may wish to visit one of these articles before proceeding.
Ready? Awesome, let’s get started.
- Prepare a place for the SSL key to live:
- For this example we’ll use a self-signed SSL:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.key -out /etc/ssl/certs/vsftpd.crtNote:If you have purchased an SSL you can put the key in /etc/ssl/private/vsftpd.key and the certificate in /etc/ssl/certs/vsftpd.crt.
- Next, configure vsftpd to make use of that certificate.
- Add the below configurations at the bottom of /etc/vsftpd/vstpd.conf.
- To exit type “:wq” and that will save the file and quit the program.
Now let’s go through those settings and see what they do.
- This option enables our SSL support for vsftpd.
- Prevent anonymous SSL/TLS encrypted login, in essence, the guest user.
- We’re going to force SSL/TLS encryption of both your username/password and your data to keep it safe.
Use the stronger, better, encryption offered by TLS 1.1 and 1.2.
- TLS 1.0 is getting a little more insecure than we would like, so we are going to disable it. Please note that some older FTP clients are not compatible with newer TLS versions and may require this option to be set to “YES”.
- To keep the FTP connections safe against the BEAST and POODLE vulnerabilities we are going to disable SSLv2 and SSLv3.
- Continuing our security improvements we are going to add some additional protection against Man In The Middle (MITM) attacks by enabling the following. This may not be compatible with some older FTP clients. If you experience connection loss try setting this option to “NO”.
- This will require the server to use stronger cipher suites.
- Lastly, our crt and key file.
The Final Step
- Now that we have all of that added to the configuration file we should be able to restart vsftpd and start uploading.
systemctl restart vsftpd
- If you are working with CentOS 6 or a system that doesn’t support systemd you should be able to restart vsftpd with the below.
service restart vsftpd
If you have errors similar to one of the below two errors check out this article.
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
GnuTLS error -15: An unexpected TLS packet was received.
SSL encryption is one of the leading forms of protecting your data in transit to your server. Now you can rest easy that you have taken yet another step in providing a secure resource to yourself and your users.