Setup vsftpd 2.0.5 with TLS in CentOS 5.1


Do you know what the File Transfer Protocol (FTP) is? FTP (RFC 959) is a network protocol for transferring files from one computer to another over a network. The notable risk of plain FTP is that the username and password are sent in cleartext, so anyone able to sniff the network path can capture them (along with the files themselves). This is very insecure.

This post describes how to install and set up a secured FTP server using vsftpd 2.0.5 with TLS in CentOS 5.1 the easy way.

Pre-requisite Check
Run the command below to check whether the vsftpd rpm is already installed: -

rpm -qa vsftpd

If vsftpd is not installed, you can use yum to install it using the command below: -

yum install vsftpd

Initial Configuration
The vsftpd configuration files live in /etc/vsftpd. It is advisable to back up the known-good configuration file before editing it, so you can restore it quickly if something breaks. Run the command below: -

cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.original

Control User Access
Change the following parameter in your /etc/vsftpd/vsftpd.conf file to disable anonymous access: -

anonymous_enable=NO

Change the following parameters in your /etc/vsftpd/vsftpd.conf file to lock local users in their home directory. With chroot_local_user=YES every local user is chrooted on login; and because chroot_list_enable=YES is also set, the file named by chroot_list_file becomes the list of users who are exempt from the chroot (one username per line), not the list of users to confine: -

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
chroot_local_user=YES

Run the following commands to create an empty /etc/vsftpd/chroot_list file. An empty list means every local user is chrooted, and making the file readable by root only keeps the exemption list private: -

touch /etc/vsftpd/chroot_list
chmod 600 /etc/vsftpd/chroot_list

Enable TLS Encryption
Run the following command to check whether your vsftpd binary was built with SSL support: -

ldd /usr/sbin/vsftpd | grep ssl

You will get output like the line below if vsftpd is linked against OpenSSL (the library version and load address will vary): -

libssl.so.6 => /lib64/libssl.so.6 (0x00002aaaaacc6000)

To use TLS you need a private key and a server certificate. The openssl command below generates an RSA key and a self-signed certificate in one step and writes both into /etc/vsftpd/vsftpd.pem; -nodes leaves the private key unencrypted so vsftpd can start without prompting for a passphrase: -

openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

The above command prompts you for the certificate subject fields and produces a certificate with a life of 10 years (-days 3650). Two caveats: 1024-bit RSA keys are no longer considered adequate, so use rsa:2048 or larger in place of rsa:1024; and set the Common Name to the hostname your users will type into their client rather than localhost, otherwise clients will warn that the certificate does not match the server. Because the certificate is self-signed, clients cannot validate it against a CA and will ask you to trust it on first connection; compare its fingerprint with the one on the server before accepting it: -

Country Name (2 letter code) [GB]:MY
State or Province Name (full name) [Berkshire]:WP
Locality Name (eg, city) [Newbury]:KL
Organization Name (eg, company) [My Company Ltd]:Company
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:ftpmaster@localhost

Because the file also holds the private key, make it readable by root only: -

chmod 600 /etc/vsftpd/vsftpd.pem

Add this to your /etc/vsftpd/vsftpd.conf file. Note that force_local_logins_ssl=YES only forces TLS for the login, i.e. the control channel; with force_local_data_ssl=NO, directory listings and file contents are still transferred in cleartext by any client that does not request PROT P, so set force_local_data_ssl=YES if the data needs protecting too. Disabling SSLv2 and SSLv3 leaves TLSv1 as the only protocol offered: -

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem

Restart vsftpd for the changes to take effect using the command below: -

service vsftpd restart

You may use FileZilla as an FTP client that supports TLS. Be sure to select “FTPES – FTP over explicit TLS/SSL” under “Servertype” in the FileZilla Site Manager. One more caveat: once the control channel is encrypted, a stateful firewall or NAT device between client and server can no longer read the PASV reply and open the data port on the fly, so a session that logs in but stalls on the first directory listing usually means the data connection is being blocked. Fix it by setting pasv_min_port and pasv_max_port to a fixed range in vsftpd.conf and opening that range, along with port 21, on the firewall. A session that stalls during the TLS handshake itself points instead at an FTP-aware firewall or proxy interfering with port 21; disable its FTP inspection for this server.
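As an added example (not part of the original post, and not a vsftpd tool), the POSIX shell script below audits a vsftpd.conf for the settings this how-to touches, reports the ones that still leave traffic in cleartext (the post's own force_local_data_ssl=NO and the absent passive port range among them), and rewrites them. It works on a temporary copy built from the post's configuration, so it runs offline and never touches /etc/vsftpd. Assumptions: defaults for absent keys are those documented in vsftpd.conf(5), the last line wins when a key is repeated, and the 40000-40100 passive range is arbitrary. The check_ftps_tls function at the end needs a reachable server and is not run by the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit and harden a vsftpd.conf
# for the settings covered in this how-to. Pure text processing; it never
# touches /etc/vsftpd or starts vsftpd.
# Assumptions: defaults for absent keys are those in vsftpd.conf(5); when a
# key appears twice the last line wins; the passive range 40000-40100 is
# arbitrary and must be opened on the firewall along with port 21.

# Print the value of KEY in FILE, or DEFAULT when the key is absent.
vsftpd_get() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Set KEY=VALUE in FILE, replacing an existing line or appending one.
vsftpd_set() {
    if grep -q "^$2=" "$1"; then
        sed "s|^$2=.*|$2=$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# One WARN line per setting that weakens the TLS setup; nothing when clean.
audit_vsftpd_conf() {
    c=$1
    [ "$(vsftpd_get "$c" anonymous_enable YES)" = NO ] ||
        echo "WARN anonymous_enable: anonymous logins are allowed"
    [ "$(vsftpd_get "$c" ssl_enable NO)" = YES ] ||
        echo "WARN ssl_enable: TLS is off, everything goes in cleartext"
    [ "$(vsftpd_get "$c" force_local_logins_ssl YES)" = YES ] ||
        echo "WARN force_local_logins_ssl: passwords may be sent in cleartext"
    [ "$(vsftpd_get "$c" force_local_data_ssl YES)" = YES ] ||
        echo "WARN force_local_data_ssl: listings and file contents may be sent in cleartext"
    [ "$(vsftpd_get "$c" ssl_sslv2 NO)" = NO ] ||
        echo "WARN ssl_sslv2: SSLv2 is enabled"
    [ "$(vsftpd_get "$c" ssl_sslv3 NO)" = NO ] ||
        echo "WARN ssl_sslv3: SSLv3 is enabled"
    [ "$(vsftpd_get "$c" chroot_local_user NO)" = YES ] ||
        echo "WARN chroot_local_user: users can browse outside their home directory"
    [ "$(vsftpd_get "$c" pasv_min_port 0)" != 0 ] ||
        echo "WARN pasv_min_port: no fixed passive range; a firewall cannot follow PASV inside TLS"
    # With chroot_local_user=YES, chroot_list names the users NOT chrooted.
    if [ "$(vsftpd_get "$c" chroot_list_enable NO)" = YES ] &&
       [ "$(vsftpd_get "$c" chroot_local_user NO)" = YES ]; then
        lst=$(vsftpd_get "$c" chroot_list_file /etc/vsftpd/chroot_list)
        if [ -s "$lst" ]; then
            echo "INFO users exempt from chroot: $(tr '\n' ' ' < "$lst")"
        fi
    fi
}

# Number of WARN lines for FILE (0 means clean).
count_findings() {
    audit_vsftpd_conf "$1" | grep -c '^WARN' || true
}

# Apply the fix for each finding above.
harden_vsftpd_conf() {
    for kv in anonymous_enable=NO ssl_enable=YES force_local_logins_ssl=YES \
              force_local_data_ssl=YES ssl_sslv2=NO ssl_sslv3=NO ssl_tlsv1=YES \
              chroot_local_user=YES pasv_min_port=40000 pasv_max_port=40100; do
        vsftpd_set "$1" "${kv%%=*}" "${kv#*=}"
    done
}

# Client-side check (needs network, not run by the demo): does the server
# accept AUTH TLS, and which certificate does it present?
check_ftps_tls() {
    openssl s_client -connect "$1:21" -starttls ftp </dev/null 2>/dev/null |
        openssl x509 -noout -subject -dates -fingerprint
}

# Constructed sample: the post's configuration, force_local_data_ssl=NO included.
write_sample_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
chroot_local_user=YES
listen=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
EOF
}

# Demo on a temporary copy.
demo=$(mktemp)
write_sample_conf "$demo"
echo "== before =="; audit_vsftpd_conf "$demo"
harden_vsftpd_conf "$demo"
echo "== after ==";  audit_vsftpd_conf "$demo"
rm -f "$demo"
```

Run it as-is to see the two findings on the post's configuration disappear after hardening, or call audit_vsftpd_conf on a copy of your own /etc/vsftpd/vsftpd.conf. Before trusting the certificate in FileZilla, compare the fingerprint check_ftps_tls prints with the one on the server (openssl x509 -in /etc/vsftpd/vsftpd.pem -noout -fingerprint).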


Source: vsftpd

13 Comments

  1. danny
    Feb 19, 2008 @ 23:59:27

    Useful howto bro. Thanks

  2. simon
    Feb 20, 2008 @ 22:08:12

    Great how to and info on the FTP. Will try it out soon.

  3. Jax
    Feb 21, 2008 @ 12:14:20

    great!,

    Will try this setup on one of the junk PCs, see if it works :D

  4. Jax
    Feb 22, 2008 @ 13:10:49

    Hi WL,

    If you could share something on a network file server with permissions, that will be good.

  5. wingloon
    Feb 26, 2008 @ 00:01:57

    Jax, I will share one soon…

  6. plink0o
    May 07, 2009 @ 17:13:24

    ok, good post.
    could someone post a full vsftpd.conf file?
    I need to configure virtual users + chroot + TLS (on both login and data transfer).

    I read the man page and some docs but I'm not able to get it working..

    cya!

  7. Asim
    Feb 18, 2010 @ 20:54:01

    Not working, the error comes:
    Waiting to retry…
    Status: Connecting to my.domain.ip.adress:21…
    Status: Connection established, initializing TLS…
    Error: Connection timed out
    Error: Could not connect to server

  8. George
    May 21, 2010 @ 03:27:28

    I get the same connection timeout as Asim…

  9. wingloon
    May 26, 2010 @ 12:48:42

    plink0o, below is the full vsftpd.conf file content: -

    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    chroot_list_enable=YES
    chroot_list_file=/etc/vsftpd/chroot_list
    chroot_local_user=YES
    listen=YES
    pam_service_name=vsftpd
    userlist_enable=YES
    tcp_wrappers=YES
    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=NO
    force_local_logins_ssl=YES
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    rsa_cert_file=/etc/vsftpd/vsftpd.pem

    Asim & George, did you set up the FileZilla FTP client correctly using the Site Manager? Thanks.

  10. Stan
    Nov 05, 2010 @ 23:29:48

    I already selected “FTPES – FTP over explicit TLS/SSL”, but what are the user and password to use to log on?

    thank you

  11. wingloon
    Nov 06, 2010 @ 05:30:07

    Stan, you need to add a user in CentOS, which I didn't cover in this post.

  12. apit
    Nov 08, 2010 @ 15:31:59

    bro wingloon,

    nice tutorial…

    By default, FTP users use accounts in the /home directory, is it? Because after completing my vsftpd configuration, all users in the /home directory can use ftp...

    One more thing: how to force all FTP users to transfer all data to one folder only? By default all users can access their /home/user folder, is it?

    tq

  13. wingloon
    Nov 12, 2010 @ 15:18:51

    apit, hopefully this new post will help you –> http://goo.gl/10Xw4
