How to secure your FTP server using FTPS and VSFTPD on Linux Cli

This is a detailed guide on how to secure your FTP server using FTPS and VSFTPD on Linux Based Operating Systems.

1. Generate your certificate

1.1 Generate private RSA key

The -aes256 option encrypts the key file with a passphrase that OpenSSL prompts you for. You can change the cipher by replacing -aes256 with, for example, -aes128. The private key is used to generate the certificate.

openssl genrsa -aes256 -out SSL.key

1.2 Generate Certificate Signing Request or CSR

openssl req -new -key SSL.key -out certificate.csr

IMPORTANT: At this point you may want to send the CSR to a Certificate Authority who will create a certificate for you. If this is the case you can skip the rest of step 1 and move to step 2.

1.3 Remove the passphrase from the private key

cp SSL.key SSL.key.orig
openssl rsa -in SSL.key.orig -out ssl.key

Note the difference between the two files below, and that they have different names: SSL.key is the original, passphrase-protected key and ssl.key is the passphrase-free copy, which is the one used in the final step to create the certificate. VSFTPD cannot supply a passphrase when it loads the key, so the passphrase has to be removed.

root@GNS3-Server:~# cat SSL.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,E35C0C8969A325B4AF35E737933BD2B6

root@GNS3-Server:~# cat ssl.key
-----BEGIN RSA PRIVATE KEY-----

1.4 Generate Certificate

openssl x509 -req -days 365 -in certificate.csr -signkey ssl.key -out mycertificate.crt

1.5 Copy the private key file and certificate to /etc/pki/tls/certs/

You may need to create the /etc/pki/tls/certs directory first if it does not exist.

cp ssl.key /etc/pki/tls/certs/
cp mycertificate.crt /etc/pki/tls/certs/
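The whole of step 1 as one script, added here as an example and not taken from the post. It runs the same four openssl commands non-interactively (the CN ftp.example.com and the placeholder passphrase are constructed for the example, and 2048 is the key size spelled out rather than left to the OpenSSL default), then checks what vsftpd will depend on: that ssl.key really has no passphrase, that mycertificate.crt was issued for that key, and that the now unprotected key is readable by its owner only. If a certificate authority signs your CSR instead of step 1.4, the same two certificate checks apply to the file it returns, and the key still has to go through step 1.3. The install function reproduces step 1.5 and takes the target directory as an argument so it can be tried outside /etc first.

```shell
#!/bin/sh
# Added example: scripted version of step 1 plus the checks a practitioner
# wants before handing the files to vsftpd. Not from the original post.
# Assumed values: the CN "ftp.example.com" and the placeholder passphrase
# below are constructed for the example.
set -eu

# Generate the key, CSR and self-signed certificate into directory $1.
# The passphrase is only needed for the first two openssl steps; it is
# stripped in the third, exactly as in step 1.3.
gen_ftps_cert() {
    dir=$1
    pass="placeholder-passphrase"   # constructed for the example
    # 1.1 passphrase-protected private key (2048-bit RSA)
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/SSL.key" 2048 2>/dev/null
    # 1.2 CSR; -subj and -batch replace the interactive prompts
    openssl req -new -batch -key "$dir/SSL.key" -passin "pass:$pass" \
        -subj "/CN=ftp.example.com" -out "$dir/certificate.csr"
    # 1.3 strip the passphrase so vsftpd can load the key unattended
    openssl rsa -in "$dir/SSL.key" -passin "pass:$pass" -out "$dir/ssl.key" 2>/dev/null
    # 1.4 self-signed certificate, one year validity as in the post
    openssl x509 -req -days 365 -in "$dir/certificate.csr" \
        -signkey "$dir/ssl.key" -out "$dir/mycertificate.crt" 2>/dev/null
    # Nothing protects the stripped key any more except file permissions.
    chmod 600 "$dir/ssl.key"
}

# Returns 0 if the key file is unencrypted (no ENCRYPTED marker in its PEM
# header; this covers both the old "Proc-Type: 4,ENCRYPTED" and the newer
# "BEGIN ENCRYPTED PRIVATE KEY" forms).
key_has_no_passphrase() {
    ! grep -q ENCRYPTED "$1"
}

# Returns 0 if the certificate's public key is the one derived from the
# private key, i.e. rsa_cert_file and rsa_private_key_file belong together.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$crt_pub" = "$key_pub" ]
}

# Returns 0 if the key is readable and writable by its owner only (mode 600).
key_is_owner_only() {
    [ -n "$(find "$1" -perm 600)" ]
}

# Step 1.5: copy the pair from $1 into the directory $2 that vsftpd will
# read, creating it if it is missing.
install_ftps_cert() {
    src=$1; dest=$2
    mkdir -p "$dest"
    cp "$src/ssl.key" "$src/mycertificate.crt" "$dest/"
    chmod 600 "$dest/ssl.key"
}

# Usage on the server (uncomment to run end to end):
# gen_ftps_cert /root/ftps-cert && install_ftps_cert /root/ftps-cert /etc/pki/tls/certs
```

The three check functions are the ones worth keeping in your own notes: a wrong or passphrase-protected key shows up in vsftpd only as a failed start, and a certificate that does not match the key only as a failed TLS handshake, both of which are harder to read than these three yes/no answers.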

2. Configure VSFTPD to use your certificate

2.1 Edit /etc/vsftpd.conf

nano /etc/vsftpd.conf

I have added the full file as an example.

root@GNS3-Server:~# cat /etc/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
nopriv_user=vsftpd
virtual_use_local_privs=YES
guest_enable=YES
user_sub_token=$USER
local_root=/var/www/$USER
chroot_local_user=YES
hide_ids=YES
guest_username=vsftpd
ssl_enable=YES
allow_anon_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/mycertificate.crt
rsa_private_key_file=/etc/pki/tls/certs/ssl.key
ssl_ciphers=HIGH
require_ssl_reuse=NO

2.2 Restart VSFTPD

service vsftpd restart

3. Test

When you connect with an FTP client, expect a certificate warning if the certificate is self-signed rather than issued by a certificate authority your client trusts.
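Two checks for the configuration in step 2.1 and the test in step 3, added here as an example and not part of the original post. The audit function reads the TLS-relevant directives from a vsftpd.conf and reports the ones that weaken what FTPS is meant to provide: the obsolete ssl_sslv2/ssl_sslv3, ssl_tlsv1=YES (which permits TLS 1.0), force_local_logins_ssl or force_local_data_ssl set to NO (vsftpd defaults both to YES once ssl_enable=YES), require_ssl_reuse=NO (which the post needs for client compatibility, but which also drops vsftpd's proof that a data connection belongs to the same session as the control connection), and a missing certificate or key path. The directive names are vsftpd's own; ssl_tlsv1_2 in the hardened sample is assumed to be available in vsftpd 3.0 and later. Both sample configurations are constructed for the example. The handshake function is the client side of step 3 done with openssl instead of an FTP client: explicit FTPS starts in cleartext on port 21 and upgrades with AUTH TLS, which is what -starttls ftp does, and a self-signed certificate shows as verify return code 18.

```shell
#!/bin/sh
# Added example, not part of the original post: a small audit of the
# TLS-relevant lines in a vsftpd.conf, plus the step 3 handshake test done
# with openssl. Sample configs are constructed for the example; ssl_tlsv1_2
# is an assumed directive (vsftpd 3.0 and later).
set -u

# Print the value of directive $2 in file $1 (empty if unset). Comment lines
# are ignored; the last assignment wins, as it does for vsftpd itself.
conf_get() {
    grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-
}

# Audit file $1: prints one line per finding, returns the number of findings.
audit_vsftpd_conf() {
    f=$1; n=0
    [ "$(conf_get "$f" ssl_enable)" = YES ] || { echo "ssl_enable is not YES: FTPS is off"; n=$((n+1)); }
    for old in ssl_sslv2 ssl_sslv3; do
        [ "$(conf_get "$f" $old)" = YES ] && { echo "$old=YES: obsolete protocol enabled"; n=$((n+1)); }
    done
    [ "$(conf_get "$f" ssl_tlsv1)" = YES ] && { echo "ssl_tlsv1=YES: TLS 1.0 accepted; set NO once every client speaks TLS 1.2"; n=$((n+1)); }
    # Both default to YES with ssl_enable=YES; an explicit NO allows cleartext.
    for forced in force_local_logins_ssl force_local_data_ssl; do
        [ "$(conf_get "$f" $forced)" = NO ] && { echo "$forced=NO: cleartext allowed"; n=$((n+1)); }
    done
    [ "$(conf_get "$f" require_ssl_reuse)" = NO ] && { echo "require_ssl_reuse=NO: data connections need not reuse the control session"; n=$((n+1)); }
    [ "$(conf_get "$f" anonymous_enable)" = YES ] && { echo "anonymous_enable=YES"; n=$((n+1)); }
    for fileopt in rsa_cert_file rsa_private_key_file; do
        [ -n "$(conf_get "$f" $fileopt)" ] || { echo "$fileopt is not set"; n=$((n+1)); }
    done
    return $n
}

# Constructed samples in directory $1: weak.conf mirrors the post's TLS section
# with a few settings loosened; hardened.conf is the same file tightened.
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=YES
ssl_tlsv1=YES
force_local_data_ssl=NO
require_ssl_reuse=NO
rsa_cert_file=/etc/pki/tls/certs/mycertificate.crt
EOF
    cat > "$1/hardened.conf" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
# assumed directive, vsftpd 3.0 and later
ssl_tlsv1_2=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/pki/tls/certs/mycertificate.crt
rsa_private_key_file=/etc/pki/tls/certs/ssl.key
ssl_ciphers=HIGH
EOF
}

# Step 3 from a client: AUTH TLS upgrade against host $1, port $2 (default 21).
# Prints the verification result; 18 means the certificate is self-signed.
check_ftps_handshake() {
    openssl s_client -starttls ftp -connect "$1:${2:-21}" -servername "$1" \
        </dev/null 2>/dev/null | grep 'Verify return code'
}

# Usage on the server (uncomment): audit_vsftpd_conf /etc/vsftpd.conf
# Usage from a client (uncomment): check_ftps_handshake ftp.example.com 21
```

Run the audit before `service vsftpd restart` and the handshake check after it; a mismatch between the two (the file says ssl_enable=YES but the handshake fails) usually means vsftpd could not read the certificate or key from step 1.5.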

If you are new to the world of Linux, an avid Linux enthusiast or a student why not try our 0.99p per month Linux VPS.

Simply click on the screen shot below to find out more or navigate to https://piggybank.cloud

Thank you for reading and please feel free to leave any feedback.
