How To Configure VSFTPD With SSL? Linux

This document discusses on how to configure vsftpd to work with SSL encryption.

Requirement:

  1. SSL certificate
  2. VSFTPD Server

If you do not know how to install a VSFTPD server, please click on the link How to Install VSFTPD

Please follow the below steps

  1. Prepare a place for the SSL key to live:

mkdir /etc/ssl/private

  1. For this example, we are using a configure vsftpd self-signed SSL

openssl req –x509 –nodes –days 365 –newkey rsa:2048 –keyout
/etc/ssl/private/vsftpd.key –out /etc/ssl/certs/vsftpd.crt

Note: if you have purchased a SSL, you can put the key in the /etc/ssl/private/vsftpd.key and the certificate in /etc/ssl/certs/vsftpd.crt

  1. Configure vsftpd server to use this certificate

vim /etc/vsftpd/vsftpd.conf
You can use any editor you prefer instead of vim

  1. Add the below configurations at the bottom of the config file available at /etc/vsftpd/vsftpd.conf

ssl_enable=YES
(This option enables SSL support for vsftpd)

allow_anon_ssl=NO
(Prevent anonymous SSL/TLS encrypted login)

force_local_data_ssl=YES
force_local_logins_ssl=YES

(To force SSL/TLS encryption of both your username/password and your data to keep it safe.)

ssl_tlsv1_1=YES
ssl_tlsv1_2=YES

(Use the stronger, better, encryption offered by TLS 1.1 and 1.2.)

ssl_tlsv1=NO
(TLS 1.0 is getting a little more insecure than we would like, so we are going to disable it. Some of the older ftp clients may not be compatible with newer version of TLS and may require this option to be set as “YES”)

ssl_sslv2=NO
ssl_sslv3=NO

(SSLv2 and SSLv3 is set as disable to protect for BEAST and POODLE vulnerabilities)

(Continuing our security improvements we are going to add some additional protection against Man In The Middle (MITM) attacks by enabling the following. Older FTP client may be incompatible. If you see a connection loss set this option to “NO”)

require_ssl_reuse=YES
(This will require the server to use stronger cipher suites.)

ssl_ciphers=HIGH
(Lastly, our crt and key file.)

rsa_cert_file=/etc/ssl/certs/vsftpd.crt
rsa_private_key_file=/etc/ssl/private/vsftpd.key

  1. Save and exit from the editor
  2. Now that we have added to the configuration file, we should restart the vsftpd server

Systemctl restart vsftpd
or
service restart vsftpd
SSL encryption is one of the leading forms of protecting data in transit to your server.

At Velan, our server support engineers can help you setup your SSL based ftp server using vsftpd. For details, please visit https://www.velaninfo.com/mservices/managed-it-services

Credentials

Quick Connect With Us