How to secure FTP Server with SSL/TLS in Rocky Linux

John Gomez
8 min read · Dec 30, 2021

In this article, we will demonstrate how to configure a Secure FTP server (vsftpd) using SSL/TLS encryption. Traditional FTP is not secure, because credentials and data are transmitted in clear text, where anyone on the network path can capture them, and the service is exposed to attacks such as brute force. Most modern FTP software includes a security feature that can be used to set up a secure FTP server. Consider encrypting data between the server and client with FTPS (FTP Secure), which runs FTP over SSL/TLS. SFTP (SSH File Transfer Protocol) is another way of securing data transmission. SFTP was developed as an extension of SSH, and it can also be used with other security protocols.

This tutorial will teach you how to set up an encrypted FTP server using SSL/TLS on Rocky Linux 8.5. You can use the same guide on RHEL, CentOS, Fedora, Ubuntu, and Debian with a few minor modifications.

Prerequisites:

Operating System : Rocky Linux / RHEL / CentOS / Fedora
Package : vsftpd.x86_64
User account : root user or a user account with sudo privileges
It is recommended to run all administrative commands with sudo rather than as root.

Difficulties in setting up sudo users? Click here to find the steps.

My Lab Setup:

My lab setup consists of two machines. The server runs on Rocky Linux 8.4, while the client runs on Ubuntu 18.04 LTS.

FTP Server:
Operating System : Rocky Linux release 8.4 (Green Obsidian)
Hostname : ftp01.linuxteck
IP Address : 192.168.1.100

FTP Client:
Operating System : Ubuntu 18.04.5 LTS
Hostname : john-H81M-WW
IP Address : 192.168.1.200
FTP client : an active FTP client such as the terminal for Linux/Mac or FileZilla for a GUI

In order to set up an FTP server, you need a command-line/terminal console. You will need SSH access to the remote server where the FTP server will be installed in order to follow this tutorial. In case you are having trouble connecting to a remote server over SSH, here is a guide on connecting to a remote server using “10 basic and useful ssh client commands in Linux.”

Note:

FTP servers typically offer two types of access: authenticated and anonymous. Authenticated access requires a username and password to access files and directories. With anonymous access (the second method), files can be downloaded without restrictions, directly using the default user “FTP” or “Anonymous”.

My previous articles explain step by step how to configure an anonymous and an authenticated FTP server (vsftpd) using the default port number. In case you need a refresher on how to configure the system based on your needs, please refer to the following links.

How to set up Anonymous FTP in Rocky Linux

How to set up FTP server in Rocky Linux

The objective of this lab exercise is to learn how to configure a Secure FTP server that works with SSL/TLS.

This tutorial assumes that you already have a running FTP server on Rocky Linux. If not, follow the instructions in our previous article on the subject “How to set up FTP server in Rocky Linux 8.4”.

To do so, you can follow steps 1, 2, 3, and 4 from the above link.

Once you have completed the steps in the above link to configure the FTP server, here are the remaining steps for activating SSL/TLS:

Step 1: Generate the SSL/TLS Certificate

Note:

To encrypt the FTP transmission, an SSL certificate is needed and must be enabled on the FTP server. This can be either a self-signed certificate or one issued by a certificate authority. In our case, we’ll use a self-signed certificate. In addition, we need to ensure that openssl is installed on the server where the certificate will be created. Use the following command to install openssl:

$ sudo dnf install openssl

First, it is necessary to create a directory for storing the SSL/TLS certificate and the private key under “/etc/ssl/vsftpd”.

$ sudo mkdir /etc/ssl/vsftpd

We can then generate the VSFTPD certificate and its key using the following command.

$ sudo openssl req -x509 -nodes -keyout /etc/ssl/vsftpd/vsftpd-selfsigned.pem -out /etc/ssl/vsftpd/vsftpd-selfsigned.pem -days 365 -newkey rsa:2048

Note:

The following are descriptions of each parameter used in the above command:

req : create a certificate request (combined with -x509, a self-signed certificate instead of a request)
-x509 : output a self-signed certificate rather than a certificate signing request
-nodes : do not encrypt the private key with a passphrase, so vsftpd can read it at startup without prompting
-keyout : path where the private key is written
-out : path where the certificate is written; using the same path as -keyout stores both in one PEM file
-days 365 : validity period of the certificate, in days
-newkey rsa:2048 : generate a new 2048-bit RSA key together with the certificate

Note:

The certificate and the private key are stored together in the same file under “/etc/ssl/vsftpd”.

As soon as you execute the above command, it will prompt you to answer these questions:

Country Name (2 letter code) [XX]: IN
State or Province Name (full name) []: Kerala
Locality Name (eg, city) [Default City]: Trivandrum
Organization Name (eg, company) [Default Company Ltd]: LinuxTeck.com
Organizational Unit Name (eg, section) []: Linux
Common Name (eg, your name or your server’s hostname) []: linuxteck
Email Address []: admin@linuxteck.com

Note:

Answer the prompts correctly. When asked for the Common Name, enter the domain name (or the public IP address) that clients will use to reach your server.

Step 2: Configuring VSFTPD To Use SSL/TLS

Note:

In my previous article I mentioned that the vsftpd.conf configuration file contains a variety of directives and parameters. To enable SSL, the following SSL entries must be added to the configuration file. Open the configuration file in your favorite editor; I’m using the “vi” editor here. The entries can be added at the end of the file.

Step 2.1

$ sudo vi /etc/vsftpd/vsftpd.conf

# SSL configuration (TLS v1.2)
ssl_enable=YES
ssl_tlsv1_2=YES
ssl_sslv2=NO
ssl_sslv3=NO

Note:

As these parameters indicate, SSL has been enabled, but we’re also restricting vsftpd to TLS by enabling ssl_tlsv1_2 (TLS 1.2) and explicitly disabling SSLv2 and SSLv3, since TLS is much more secure than SSL. Moreover, Wikipedia also mentions that SSL is now deprecated and TLS is the replacement.

Step 2.2

Note:

As a next step, we need to specify where the SSL Certificate and Private Key are located.

rsa_cert_file=/etc/ssl/vsftpd/vsftpd-selfsigned.pem
rsa_private_key_file=/etc/ssl/vsftpd/vsftpd-selfsigned.pem

Step 2.3

Note:

Once SSL has been configured, it is highly recommended to disable anonymous access over SSL, to force all non-anonymous users to use SSL for both logins and data transfers, and to set the ssl_ciphers value to HIGH for encrypted connections, as this secures the FTP server more effectively. We also stop requiring SSL session reuse on data connections, which many clients (FileZilla included) need in order to connect. Add the following entries to force all non-anonymous users over SSL. You can modify these or add further directives to the file to meet your requirements.

# Prevent anonymous users from using SSL
allow_anon_ssl=NO

# Force all non-anonymous logins to use SSL for data transfer
force_local_data_ssl=YES

# Force all non-anonymous logins to use SSL to send passwords
force_local_logins_ssl=YES

# Select the SSL ciphers VSFTPD will permit for encrypted SSL connections with the ssl_ciphers option.
ssl_ciphers=HIGH

# Do not require the data connection to reuse the control connection's SSL session.
# Requiring reuse protects against data-connection hijacking, but many clients do not support it.
require_ssl_reuse=NO

Step 2.4

Note:

As a next step, we must enable passive mode. If you followed my previous article, you have probably already set the passive port range in the configuration file; if not, add the following entries to set the minimum and maximum port range. You can also enable SSL debugging, which records all OpenSSL connection diagnostics to the vsftpd log file.

# Passive FTP data connections are allocated ports from this minimum/maximum range.
pasv_min_port=40000
pasv_max_port=40001
# Enable SSL debugging
debug_ssl=YES

That’s it. You can now save and restart the vsftpd service.

$ sudo systemctl restart vsftpd
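Before restarting, it is worth checking that all the directives from Steps 2.1 to 2.4 actually landed in the file. The following POSIX shell script is an added example, not part of the original article: it reads a vsftpd.conf (the path is assumed to be passed as the first argument), verifies each SSL/TLS setting this tutorial adds, and confirms that the certificate and key paths point at a readable file.

```shell
#!/bin/sh
# Added example (not from the original article): audit a vsftpd.conf for the
# SSL/TLS settings added in Step 2. Prints one line per finding and returns 0
# only if every required setting is present with the expected value.

# get_opt FILE KEY -> prints the value of the last uncommented KEY=VALUE line
get_opt() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# audit_vsftpd_conf FILE -> 0 when all required settings pass, 1 otherwise
audit_vsftpd_conf() {
    conf=$1
    rc=0
    for want in ssl_enable=YES ssl_tlsv1_2=YES ssl_sslv2=NO ssl_sslv3=NO \
                allow_anon_ssl=NO force_local_data_ssl=YES \
                force_local_logins_ssl=YES ssl_ciphers=HIGH; do
        key=${want%%=*}
        expect=${want#*=}
        got=$(get_opt "$conf" "$key")
        if [ "$got" = "$expect" ]; then
            echo "ok      $key=$got"
        else
            echo "FAIL    $key (want $expect, found '${got:-unset}')"
            rc=1
        fi
    done
    # The certificate and key must point at an existing, readable file.
    for key in rsa_cert_file rsa_private_key_file; do
        path=$(get_opt "$conf" "$key")
        if [ -n "$path" ] && [ -r "$path" ]; then
            echo "ok      $key=$path"
        else
            echo "FAIL    $key (file '${path:-unset}' not readable)"
            rc=1
        fi
    done
    # Informational only: reuse is a compatibility trade-off, not a hard failure.
    if [ "$(get_opt "$conf" require_ssl_reuse)" = "NO" ]; then
        echo "note    require_ssl_reuse=NO (needed by FileZilla; weakens data-channel binding)"
    fi
    return $rc
}

if [ $# -gt 0 ]; then
    audit_vsftpd_conf "$1"
fi
```

Run it as `sh audit.sh /etc/vsftpd/vsftpd.conf`; after the restart, `openssl s_client -connect 192.168.1.100:21 -starttls ftp` should show a TLS 1.2 handshake against the self-signed certificate.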

Step 3: Enable Firewall Services

Note:

The last step is to add a firewall rule to allow TLS connections via port 990, and to open the passive ports 40000-40001. Note that port 990 is used by implicit FTPS; the explicit TLS connection that FileZilla negotiates in Step 4 runs over port 21, which the steps in my previous article already opened. I believe that you have already enabled the passive port range in your firewall based on those steps, but in case you have not, add the following entries.

If you have difficulties configuring firewalls, click here to learn the steps for how to configure firewall-cmd commands in Linux.

$ sudo firewall-cmd --permanent --add-port=990/tcp

$ sudo firewall-cmd --permanent --add-port=40000-40001/tcp

$ sudo firewall-cmd --reload

Step 4: Use FileZilla to test the FTP connection with SSL/TLS

Note:

In order to use SSL/TLS connections, we need an FTP client that supports them. FileZilla is a widely used client application for FTP, SFTP, and FTPS. If FileZilla isn’t already installed on your system, install it with the appropriate command for your distribution. For my testing environment, I prefer Ubuntu.

$ sudo apt-get install filezilla

Note:

After installing FileZilla, open it, enter the IP address of your FTP server, enter ‘linuxteck’ as the username and password, and then click the Quickconnect button. The first time you connect to an FTP server that supports SSL/TLS, you’ll be prompted to accept the unknown, self-signed certificate. Check that the certificate details match the ones you entered in Step 1, then trust the certificate and click OK.

In the following screenshot, you can see that the server is connected successfully after verifying that all configuration elements are fine.

Note:

Additionally, you can use the Site Manager to store server login information directly in FileZilla. For an SSL/TLS connection, use the following settings, substituting the values relevant to your server.

Host: 192.168.1.100
Protocol: FTP - File Transfer Protocol
Encryption: Use explicit FTP over TLS if available
Logon Type: Ask for password #recommended
User: username

Note:

That’s it! We have successfully configured a Secure FTP server using SSL/TLS on Rocky Linux 8.4.

Conclusion:

Thank you for taking the time to read! We’ve successfully configured a Secure FTP server using SSL/TLS on Rocky Linux 8.4. We hope this article has helped you understand how it works. Drop me your feedback/comments. Feel free to share this article with others if you like it.

Thank you!

For more articles click here : https://www.linuxteck.com/


John Gomez

John Gomez is a Professional Blogger and Linux consultant. You can find his work at https://www.linuxteck.com