configure ftp server with encryption

Here is how to configure ftp server and force all connections to use encryption.

The FTP server software used here is vsftpd.

Steps

  1. install vsftpd
    sudo apt-get install vsftpd
  2. generate an SSL certificate (self-signed; the private key and the certificate are written to the same file, which is the file the vsftpd configuration below points at)
    sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
  3. configure vsftpd to use the SSL certificate.
    Here we have several choices: FTP over SSH (SFTP), explicit FTP over SSL (FTPES), or implicit FTP over SSL (FTPS).
    The preferred configuration in our case is FTPES because it uses the normal FTP port. We will also make sure that both the login and the password are sent encrypted.
    Edit the vsftpd configuration as follows (sudo vi /etc/vsftpd.conf):

    listen=YES
    anonymous_enable=NO
    write_enable=YES
    ssl_enable=YES
    rsa_cert_file=/etc/ssl/private/vsftpd.pem
    rsa_private_key_file=/etc/ssl/private/vsftpd.pem
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    allow_anon_ssl=NO
  4. restart the daemon
    sudo /etc/init.d/vsftpd restart

That’s it!

With a regular FTP client like FileZilla, logging in without specifying any encryption fails with a message asking for encryption.

In that case, change the encryption setting to “Require explicit FTP over TLS”.
When trying to connect with FileZilla, I got the following error message:

Command:    AUTH TLS
Response:    234 Proceed with negotiation.
Status:    Initializing TLS…
Error:    GnuTLS error -12: A TLS fatal alert has been received.
Error:    Could not connect to server

The solution is to add the following entry to vsftpd.conf and restart the daemon:

ssl_ciphers=HIGH
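The following script is an added example, not part of the original post and not part of vsftpd. It covers two things from above: it checks that a vsftpd.conf really carries the directives from step 3 that force TLS for local logins and data (plus the ssl_ciphers=HIGH entry that fixed the GnuTLS alert), and it probes a running server's AUTH TLS handshake with openssl s_client, which is the same explicit-TLS exchange FileZilla performs. The function names, the sample configuration it writes to a temporary file, and the default host/port of the probe are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: sanity checks for a vsftpd explicit-TLS (FTPES) setup.
# Helper names (vsftpd_get, vsftpd_check_tls, vsftpd_check_cert, ftpes_probe)
# are hypothetical; vsftpd itself ships no such tool.

# Print the value of one directive from a vsftpd.conf file.
# vsftpd only accepts "name=value" at the start of a line, so a leading '#'
# (a comment) never matches. Last occurrence wins; prints nothing if unset.
vsftpd_get() {
    # $1 = config file, $2 = directive name
    grep -E "^$2=" "$1" 2>/dev/null | tail -n 1 | sed 's/^[^=]*=//'
}

# Return 0 when every directive needed to force encryption has the expected
# value, otherwise print each mismatch and return 1.
vsftpd_check_tls() {
    conf=$1
    rc=0
    # Values from the post's step 3, plus ssl_ciphers=HIGH from the fix for
    # "GnuTLS error -12".
    for pair in ssl_enable=YES force_local_data_ssl=YES force_local_logins_ssl=YES \
                allow_anon_ssl=NO anonymous_enable=NO ssl_ciphers=HIGH; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(vsftpd_get "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-<unset>}'"
            rc=1
        fi
    done
    # Legacy protocol versions must never be explicitly enabled.
    for key in ssl_sslv2 ssl_sslv3; do
        if [ "$(vsftpd_get "$conf" "$key")" = YES ]; then
            echo "$key: must not be YES"
            rc=1
        fi
    done
    return $rc
}

# Check that the certificate file named in the config exists, is readable and
# has not expired (the post's certificate is only valid for 365 days).
vsftpd_check_cert() {
    conf=$1
    cert=$(vsftpd_get "$conf" rsa_cert_file)
    if [ -z "$cert" ]; then
        echo "rsa_cert_file: unset"; return 1
    fi
    if [ ! -r "$cert" ]; then
        echo "rsa_cert_file: $cert is not readable"; return 1
    fi
    # -checkend 0 fails if the certificate is already past its notAfter date
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "rsa_cert_file: $cert is not a valid or unexpired certificate"; return 1
    fi
    return 0
}

# Probe a server the way FileZilla does: plain connection on the FTP port,
# AUTH TLS, then the TLS handshake. Prints the negotiated protocol and cipher
# and returns non-zero if no cipher was negotiated (e.g. the -12 alert case).
# Host and port default to localhost:21 (assumption).
ftpes_probe() {
    host=${1:-localhost}
    port=${2:-21}
    out=$(printf 'QUIT\r\n' | openssl s_client -starttls ftp -connect "$host:$port" 2>/dev/null)
    echo "$out" | grep -E '^ *(Protocol|Cipher) *:'
    echo "$out" | grep -qE '^ *Cipher *: *[A-Z0-9]'
}

# Demonstration on a constructed config (not a real /etc/vsftpd.conf).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
listen=YES
anonymous_enable=NO
write_enable=YES
ssl_enable=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
force_local_data_ssl=YES
force_local_logins_ssl=NO
allow_anon_ssl=NO
EOF
echo "Checking constructed config $demo_conf:"
vsftpd_check_tls "$demo_conf" || echo "-> encryption is NOT fully forced"
rm -f "$demo_conf"
```

Run it against the real file with `vsftpd_check_tls /etc/vsftpd.conf && vsftpd_check_cert /etc/vsftpd.conf`, then `ftpes_probe` against the server; the demo section deliberately leaves out ssl_ciphers and sets force_local_logins_ssl=NO so both findings are shown. The probe's output will report a self-signed verify error for the certificate generated in step 2, which is expected; the point is whether a cipher line appears at all.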

Note

To configure vsftpd for SFTP connections, set the following entries in vsftpd.conf:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
