This article pertains specifically to vsftpd on CentOS. Except for the installation instructions it should be adaptable to other distributions as well.
Traditional FTP is rather insecure. When you login, your username and password are transmitted in clear text, raising the possibility of your credentials beeing 'sniffed' by a malicious person. Fortunately there's an easy answer to this. You can quite easily configure your vsftpd server to use OpenSSL encryption, so that usernames & password, and even data files, are encrypted during transfer. It takes just a few simple steps:
Contents |
Install vsftpd
vsftpd is the default FTP server supplied with CentOS. It should be installed by default (?) If it isn't you may install it by one of these methods:
Using yum (if you've installed yum):
[root@vps] yum install vsftpd
Using rpm:
[root@vps] rpm -Uvh http://centos.mirror.vpslink.com/centos-4/4.3/os/i386/CentOS/RPMS/vsftpd-2.0.1-5.EL4.3.i386.rpm
If you install via rpm there may be dependencies to satisfy (other packages to install). (?)
Generate a Certificate
You use OpenSSL to generate a certificate for vsftpd. The certificate is store on your server, in a location of your choice. Here I choose to put it in the /etc/vsftpd directory. As well, you specify a 'lifetime' for the certificate; here's it set for a year ("-days 365").
Note that the backslashes only signify line breaks. You should be able to copy/paste & run it as it is, or remove the backslashes and the line breaks.
[root@vps] openssl req -x509 -nodes -days 365 -newkey rsa:1024 \ -keyout /etc/vsftpd/vsftpd.pem \ -out /etc/vsftpd/vsftpd.pem
You will be prompted with a series of question, which you answer as they appear. When done the certificate will be installed in the /etc/vsftpd directory.
Configure vsftpd
To configure vsftpd you edit the file /etc/vsftpd/vsftpd.conf and add the following lines:
ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=NO force_local_logins_ssl=NO ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO rsa_cert_file=/etc/vsftpd/vsftpd.pem
Restart vsftpd for these settings to take effect:
[root@vps] /etc/rc.d/init.d/vsftpd restart
If you set "force_local_logins_ssl=YES" then your clients will be required to use an FTP client that supports AUTH TLS/SSL in order to connect. If you leave it at "NO" then people can connect securely or insecurely.
Connect with a Secure Client
There are several FTP programs available that support AUTH TLS / SSL / SFTP. I use CoreFTP (http://www.coreftp.com). There's an unrestricted free version available, as well as a paid 'pro' version with some extra features. With CoreFTP you can select to use AUTH TLS, AUTH SSL, or FTP over SSH. You can choose to encrypt just your login, or directory and file transfers as well. In my experience all these options work fine when connecting to a VPSLink server running vsftpd & SSH.
Another free client is WinSCP. It is also available as a plug-in for FAR Manager, as well as a stand-alone client.
Excuse, but in my humble opinion, WinSCP does not work with ssl, and vsftpd does not work with sftp.
Other Distributions
If you're using a Linux distribution other than CentOS you can still use vsftpd. How you install it will depend on your distro -- for package installers, check for a vsftpd package. If there isn't a package available you can always install from source. Check the vsftpd website at http://vsftpd.beasts.org/.
You must ensure that your vsftp is compiled with support for libssl. To check an installation of vsftpd for SSL support do:
[root@vps] ldd /usr/sbin/vsftpd | grep libssl libssl.so.4 => /lib/libssl.so.4 (0x4001e000)
If you don't see output similar to this from the 'ldd' command then your vsftpd doesn't support SSL. You'll need to recompile it -- again, check the vsftpd website for documentation.
