A typical FTP session sends login information unencrypted. It is a fairly simple matter to configure vsftpd to use SSL/TLS and encrypt connections. You can either create a self-signed certificate for this purpose, or use an existing certificate issued by a third party.
Generate a self-signed certificate
First, we generate the private key (in this case, 2048 bits):
openssl genrsa -out /etc/pki/tls/private/www.domain.com.key 2048
Make a directory for the CSRs:
mkdir /etc/pki/tls/csrs
Next, we use the private key to generate a certificate signing request (CSR):
openssl req -new -key /etc/pki/tls/private/www.domain.com.key -out /etc/pki/tls/csrs/www.domain.com.csr -sha1
You will be asked to provide information about your organization (e.g. Country, State, Name, etc.). Keep in mind that the location information should pertain to your organization, not your server.
Finally, we can generate a self-signed X.509 certificate, valid for 1 year:
openssl x509 -req -days 365 -in /etc/pki/tls/csrs/www.domain.com.csr -signkey /etc/pki/tls/private/www.domain.com.key -out /etc/pki/tls/certs/www.domain.com.pem
Alternatively, this can be done in one step:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/www.domain.com.key -out /etc/pki/tls/certs/www.domain.com.pem
Once you have created your private key and certificate, don't forget to set the correct permissions on both files (see below).
Prepare a certificate from a third-party
For vsftpd to be able to use your certificate, you must combine the private key and certificate into files it can read. You may also append other relevant certificates to build a chain.
If your certificate is stored in /etc/pki/tls/certs/www.domain.com.crt, and the intermediate certificate to chain is at /etc/pki/tls/certs/sub.class1.server.startcom.pem, chain them together as follows:
cat /etc/pki/tls/certs/www.domain.com.crt > /etc/pki/tls/certs/www.domain.com.pem
cat /etc/pki/tls/certs/sub.class1.server.startcom.pem >> /etc/pki/tls/certs/www.domain.com.pem
You can add further certificates to the chain by repeating the previous line with the appropriate certificate. For example, to include the StartCom root certificate:
cat /etc/pki/tls/certs/startcom.pem >> /etc/pki/tls/certs/www.domain.com.pem
Note that we are appending (>>) the certificates, not overwriting the contents of the file. Typically, you will need to include the certificate bundle that you receive from your CA.
Setting Permissions
Once you have your certificate (and its private key), set the file ownership to root and make the files readable only by root:
chown root:root /etc/pki/tls/certs/www.domain.com.pem /etc/pki/tls/private/www.domain.com.key
chmod 600 /etc/pki/tls/certs/www.domain.com.pem /etc/pki/tls/private/www.domain.com.key
This is especially important if the private key is stored unencrypted (without a passphrase): only root should have access to the file!
vsFTPd configuration
Open the vsftpd configuration file (/etc/vsftpd/vsftpd.conf) in your preferred editor and add or modify the following settings:
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/pki/tls/certs/www.domain.com.pem
rsa_private_key_file=/etc/pki/tls/private/www.domain.com.key
This points vsftpd to your certificate and private key, restricts the protocol to TLSv1 (SSLv2 and SSLv3 are disabled), and still allows unencrypted logins if the client does not support (or chooses not to use) encryption.
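To check an existing vsftpd.conf against these settings (and against the file permissions from the previous section), here is an added shell script; it is not part of the original article or of vsftpd, and it assumes a Linux host with GNU stat.

```shell
#!/bin/sh
# Audit a vsftpd.conf against the TLS settings above: ssl_enable=YES,
# ssl_tlsv1=YES, ssl_sslv2=NO, ssl_sslv3=NO, cert/key paths set, and, where
# those files exist, mode 600 as in "Setting Permissions". Exit status 0 means
# every check passed; each problem found is printed on its own line.

# Print the effective value of key $2 in config $1 (last "key=value" wins,
# commented-out lines ignored); prints nothing if the key is absent.
vsftpd_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//' | tr -d '[:space:]'
}

check_vsftpd_tls() {
    conf=$1
    rc=0
    for pair in ssl_enable=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(vsftpd_get "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected $want, got '${got:-unset}'"
            rc=1
        fi
    done
    # Certificate and private key must be configured; if the files exist they
    # must be readable by their owner only (stat -c is GNU stat; Linux assumed).
    for key in rsa_cert_file rsa_private_key_file; do
        f=$(vsftpd_get "$conf" "$key")
        if [ -z "$f" ]; then
            echo "$key: not set"
            rc=1
        elif [ -e "$f" ]; then
            mode=$(stat -c '%a' "$f")
            case "$mode" in
                600|400) ;;
                *) echo "$key: $f has mode $mode, expected 600"; rc=1 ;;
            esac
        fi
    done
    # force_local_*_ssl=NO (as set above) still permits plaintext logins; report
    # it as a note rather than a failure, since that is the article's choice.
    for key in force_local_logins_ssl force_local_data_ssl; do
        [ "$(vsftpd_get "$conf" "$key")" = "YES" ] ||
            echo "note: $key is not YES, so clients may still log in unencrypted"
    done
    return "$rc"
}
```

Run it as `check_vsftpd_tls /etc/vsftpd/vsftpd.conf` after sourcing the script; a non-zero exit status means at least one setting or permission differs from the configuration above.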
Setting up FileZilla to use FTP over SSL/TLS
FTPS, that is FTP over SSL/TLS (not the same as SFTP), can be configured either implicitly (FTPS) or explicitly (FTPES). For both, you must prepend the protocol to the hostname. The explicit version switches to an encrypted mode only once the client issues the correct command (AUTH TLS), while the implicit mode uses an encrypted connection from the start. Implicit SSL usually uses a port other than 21 (typically 990).
To use explicit FTP, you would provide the hostname as follows: FTPES://domain.com
On the first connection, FileZilla will inform you that the certificate is unknown and ask whether you wish to trust the certificate and proceed. You can set FileZilla to remember the trusted certificate for future sessions.
One final note: an SSL certificate is issued for a specific 'common name' (i.e. a fully qualified domain name); however, in terms of its ability to encrypt data, it will work on any domain (as long as the matching private key is provided). On a server hosting multiple domains, it may be permissible to use a single certificate to encrypt FTP traffic for all domains; at the very least, it does work. (FileZilla will show that the certificate was issued for a specific domain, but it does not appear to raise any additional warnings if the domains do not match, and it certainly allows the connection if you decide to trust the certificate.)