How To Install and Configure vsftpd 2.2.2 with TLS on CentOS 6.6

The risk of plain FTP is that the username and password travel over the network in plaintext, so a login can easily be sniffed. This post describes how to install and configure a secured FTP server using vsftpd 2.2.2 with TLS on CentOS 6.6 the easy way.

Pre-requisite Check
Run the command below to check whether the vsftpd RPM is already installed: –

rpm -qa vsftpd

If vsftpd is not installed, you can install it with yum using the command below: –

yum install vsftpd

Initial Configuration
The configuration directory of vsftpd is /etc/vsftpd. It is advisable to back up the known-good configuration file so it can be restored quickly. Run the command below: –

cp -a /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.original

Control User Access
Change the following parameter in your /etc/vsftpd/vsftpd.conf file to disable anonymous access: –

anonymous_enable=NO

Change the following parameters in your /etc/vsftpd/vsftpd.conf file to lock local users into their home directory. Note that with chroot_local_user=YES and chroot_list_enable=YES, any user named in /etc/vsftpd/chroot_list is the exception that is not chrooted: –

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
chroot_local_user=YES

Run the following commands to create the /etc/vsftpd/chroot_list file and restrict its permissions: –

touch /etc/vsftpd/chroot_list
chmod 600 /etc/vsftpd/chroot_list

Enable TLS Encryption
Run the following command to check whether your vsftpd binary was built with SSL support: –

ldd /usr/sbin/vsftpd | grep ssl

You will get a result like the one below if your vsftpd build supports SSL: –

libssl.so.10 => /usr/lib/libssl.so.10 (0x00456000)

To use TLS you will need to generate a private key and a self-signed certificate (both written to the same PEM file) using the openssl command below: –

openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

The above command prompts you with a series of questions that fill in the certificate subject; the certificate is valid for 5 years (-days 1825): –

Country Name (2 letter code) [XX]:MY
State or Province Name (full name) []:WP
Locality Name (eg, city) [Default City]:KL
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:ftpmaster@localhost

Since the PEM file contains the private key, run the following command to restrict its permissions to root: –

chmod 600 /etc/vsftpd/vsftpd.pem

Add the lines below to your /etc/vsftpd/vsftpd.conf file: –

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
require_ssl_reuse=NO
ssl_ciphers=HIGH

If your FTP server is behind NAT, add the lines below to your /etc/vsftpd/vsftpd.conf file, replacing the pasv_address value with the address your clients connect to: –

pasv_enable=YES
pasv_min_port=14100
pasv_max_port=14150
port_enable=YES
pasv_address=10.108.49.84
pasv_addr_resolve=NO

Restart vsftpd for the changes to take effect using the command below: –

service vsftpd restart
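As an added sanity check that is not part of the original post, the POSIX shell script below audits a vsftpd.conf for the directives set above (anonymous access off, chroot on, TLS forced, SSLv2/SSLv3 off) and verifies that the key file is mode 600. The two sample configurations it creates are constructed for the demonstration; point check_vsftpd_conf at /etc/vsftpd/vsftpd.conf to audit a real server.

```shell
#!/bin/sh
# Added audit helper, not from the original post: checks a vsftpd.conf for the
# hardening directives this guide sets. Prints each mismatch, exit 0 only if all pass.
# get_directive FILE KEY: effective value of KEY (last uncommented line wins,
# as vsftpd reads it); prints nothing when the key is unset.
get_directive() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}
# check_vsftpd_conf FILE: returns 0 when every required directive matches.
check_vsftpd_conf() {
    rc=0
    for pair in anonymous_enable=NO chroot_local_user=YES ssl_enable=YES \
                allow_anon_ssl=NO force_local_data_ssl=YES \
                force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(get_directive "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key=${got:-<unset>} (expected $want)"
            rc=1
        fi
    done
    # The PEM holds the private key, so it must be mode 600 (the chmod above).
    cert=$(get_directive "$1" rsa_private_key_file)
    if [ -e "$cert" ] && [ -z "$(find "$cert" -perm 600 -print)" ]; then
        echo "FAIL: $cert is not mode 600"; rc=1
    fi
    return $rc
}

# Constructed sample: stock-style config that still allows anonymous, cleartext FTP.
WEAK_CONF=$(mktemp)
printf 'anonymous_enable=YES\nlocal_enable=YES\n#ssl_enable=YES\n' > "$WEAK_CONF"

# Constructed sample: the directives this guide adds.
HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
anonymous_enable=NO
chroot_local_user=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
EOF
check_vsftpd_conf "$WEAK_CONF" || echo "weak config rejected"
check_vsftpd_conf "$HARD_CONF" && echo "hardened config accepted"
```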

You may use the FileZilla FTP client and select Use explicit FTP over TLS if available or Require explicit FTP over TLS under Encryption in the FileZilla Site Manager so that both the FTP login and the data transfer are encrypted. Thank you and have fun.