This is a detailed guide on how to secure your FTP server using FTPS and VSFTPD on Linux-based operating systems.
1. Generate your certificate
1.1 Generate private RSA key
You can change the cipher that protects the key by replacing -aes256 with, for example, -aes128. The private key is used to generate the certificate.
openssl genrsa -aes256 -out SSL.key
1.2 Generate a Certificate Signing Request (CSR)
openssl req -new -key SSL.key -out certificate.csr
IMPORTANT: At this point you may want to send the CSR to a Certificate Authority who will create a certificate for you. If this is the case you can skip the rest of step 1 and move to step 2.
1.3 Remove the private key password from the private key
cp SSL.key SSL.key.orig
openssl rsa -in SSL.key.orig -out ssl.key
Compare the two files below. Note that they have different names: SSL.key is the passphrase-protected original and ssl.key is the unprotected copy, which we use in the final step to create the certificate. VSFTPD cannot enter a passphrase when it loads the key, so the passphrase has to be removed.
root@GNS3-Server:~# cat SSL.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,E35C0C8969A325B4AF35E737933BD2B6
root@GNS3-Server:~# cat ssl.key
-----BEGIN RSA PRIVATE KEY-----
1.4 Generate Certificate
openssl x509 -req -days 365 -in certificate.csr -signkey ssl.key -out mycertificate.crt
1.5 Copy the private key file and certificate to /etc/pki/tls/certs/
You may need to create the /etc/pki/tls/certs directory first.
cp ssl.key /etc/pki/tls/certs/
cp mycertificate.crt /etc/pki/tls/certs
2. Configure VSFTPD to use your certificate
2.1 Edit /etc/vsftpd.conf
I have added the full file as an example.
root@GNS3-Server:~# cat /etc/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
nopriv_user=vsftpd
virtual_use_local_privs=YES
guest_enable=YES
user_sub_token=$USER
local_root=/var/www/$USER
chroot_local_user=YES
hide_ids=YES
guest_username=vsftpd
ssl_enable=YES
allow_anon_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/mycertificate.crt
rsa_private_key_file=/etc/pki/tls/certs/ssl.key
ssl_ciphers=HIGH
require_ssl_reuse=NO
2.2 Restart VSFTPD
service vsftpd restart
When you connect, your FTP client will warn about an untrusted certificate if the certificate is self-signed rather than signed by a certificate authority; this is expected with the self-signed certificate from step 1.4.
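As an added check (example code written for this guide, not part of the original post or of VSFTPD), the script below parses a vsftpd.conf and reports settings that would undo the hardening from step 2.1, and tests a PEM key for the encryption header that step 1.3 strips. The sample configuration is constructed from the TLS lines shown above; the vsftpd defaults it assumes (ssl_sslv2/ssl_sslv3 default NO, force_local_* default YES once ssl_enable=YES) are from the vsftpd.conf manual page.

```python
# Constructed sample: the TLS-relevant lines of the vsftpd.conf shown in step 2.1.
SAMPLE_CONF = """\
ssl_enable=YES
allow_anon_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/mycertificate.crt
rsa_private_key_file=/etc/pki/tls/certs/ssl.key
ssl_ciphers=HIGH
require_ssl_reuse=NO
"""

def parse_vsftpd_conf(text):
    """Return {option: value}; blank lines and '#' comments are skipped, the last value wins."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return opts

def audit_ftps(opts):
    """Return a list of findings; an empty list means the guide's TLS hardening is intact."""
    if opts.get("ssl_enable", "NO").upper() != "YES":
        return ["ssl_enable is not YES: every login and transfer is plaintext"]
    findings = []
    for legacy in ("ssl_sslv2", "ssl_sslv3"):  # vsftpd defaults both to NO
        if opts.get(legacy, "NO").upper() == "YES":
            findings.append(f"{legacy}=YES: obsolete protocol re-enabled")
    for path_opt in ("rsa_cert_file", "rsa_private_key_file"):
        if path_opt not in opts:
            findings.append(f"{path_opt} not set: vsftpd falls back to its built-in default")
    # With ssl_enable=YES vsftpd defaults both force_local_* options to YES;
    # only an explicit NO lets local users drop back to cleartext.
    for force in ("force_local_logins_ssl", "force_local_data_ssl"):
        if opts.get(force, "YES").upper() == "NO":
            findings.append(f"{force}=NO: local users may log in or transfer in cleartext")
    return findings

def key_is_passphrase_protected(pem_text):
    """True if a PEM key still carries the encryption header that step 1.3 removes;
    vsftpd cannot prompt for a passphrase, so such a key will not load."""
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "BEGIN ENCRYPTED PRIVATE KEY" in pem_text)
```

Run it against the real file with parse_vsftpd_conf(open("/etc/vsftpd.conf").read()) and against the key with key_is_passphrase_protected(open("/etc/pki/tls/certs/ssl.key").read()) before restarting the service.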
If you are new to the world of Linux, an avid Linux enthusiast or a student why not try our 0.99p per month Linux VPS.
Simply click on the screenshot below to find out more or navigate to https://piggybank.cloud
Thank you for reading and please feel free to leave any feedback.