How to install vsftpd FTP server with SSL / TLS on CentOS 8

FTP is a widely used protocol for transferring files between servers and clients. There are many open source FTP servers, including FTPD, VSFTPD, PROFTPD and pureftpd. Among them, VSFTPD is secure, fast, and the most widely used. Its name stands for “very secure file transfer protocol daemon”. It supports SSL, IPv6, and explicit and implicit FTPS.

In this tutorial, we will show you how to install VSFTPD on a CentOS 8 server and secure it with SSL / TLS.

Prerequisites

  • A server running CentOS 8.
  • A root password is configured on your server.

Install VSFTPD

By default, VSFTPD is available in the CentOS 8 default repository. You can install it by running:

dnf install vsftpd -y

After the installation is complete, start the VSFTPD service and enable it to start automatically after a system reboot using the following commands:

systemctl start vsftpd
systemctl enable vsftpd

At this point, your VSFTPD server is installed and running. You can now proceed to the next step.

Create VSFTPD user

Next, you will need to create a new user for VSFTPD. You will use this user to access the FTP server.

Run the following command to create a new user named vyom as shown below:

adduser vyom

Next, set a password for the user vyom using the following command:

passwd vyom

When you are done, you can proceed to the next step.

Configure VSFTPD

Next, open the VSFTPD default configuration file located in the /etc/vsftpd directory as shown below:

nano /etc/vsftpd/vsftpd.conf

Change the following lines:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=NO

Save and close the file when you are finished. Then, restart the VSFTPD service and verify the status of the service using the following commands:

systemctl restart vsftpd
systemctl status vsftpd

You should see the following output:

● vsftpd.service - Vsftpd ftp daemon
   Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-02-21 00:43:57 EST; 6s ago
  Process: 2698 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
 Main PID: 2699 (vsftpd)
    Tasks: 1 (limit: 6102)
   Memory: 1020.0K
   CGroup: /system.slice/vsftpd.service
           └─2699 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

Feb 21 00:43:57 centos8 systemd[1]: Stopped Vsftpd ftp daemon.
Feb 21 00:43:57 centos8 systemd[1]: Starting Vsftpd ftp daemon...
Feb 21 00:43:57 centos8 systemd[1]: Started Vsftpd ftp daemon.

At this point, your VSFTPD server is configured. Next, allow VSFTPD through SELinux and the firewall.

Configure firewall and SELinux

SELinux is enabled by default in CentOS 8. Therefore, you need to configure SELinux for VSFTPD.

You can configure SELinux to allow FTP access using the following command:

setsebool -P allow_ftpd_full_access=1

Next, you will need to allow the FTPd service through firewalld. You can allow it using:

firewall-cmd --zone=public --permanent --add-service=ftp

Next, reload the firewalld service to apply firewall configuration changes:

firewall-cmd --reload

At this point, your firewall and SELinux are configured to allow incoming FTP connections from remote systems. You can now proceed to test the FTP connection.

Connect to VSFTPD server

The VSFTPD server is now installed and configured. Now it’s time to connect to the FTP server from the client system.

To do this, go to the client system and run the following command to connect to the FTP server:

ftp 172.20.10.3

You will be asked for your FTP user and password, as shown below:

Connected to 172.20.10.3.
220 (vsFTPd 3.0.3)
Name (172.20.10.3:root): vyom
331 Please specify the password.
Password:
230 Login successful.

After the connection is successfully established, you will see the following output:

Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

Now, type exit and press Enter to exit the FTP session.

Configure VSFTPD with TLS support

For security reasons, it is best to use SSL / TLS to encrypt FTP transfers. To do this, you will need to generate an SSL certificate and configure the VSFTPD server to use it.

First, you need to install the OpenSSL package on your system. You can use the following command to install:

dnf install openssl -y

After installation, create a new directory to store the SSL certificate:

mkdir /etc/ssl/private

Next, use the following command to generate a self-signed certificate:

openssl req -newkey rsa:2048 -nodes -keyout /etc/ssl/private/vsftpd.key -x509 -days 365 -out /etc/ssl/private/vsftpd.crt

Provide all required information as follows:

Generating a RSA private key
...+++++
...........+++++
writing new private key to '/etc/ssl/private/vsftpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:GUJ
Locality Name (eg, city) [Default City]:JUN
Organization Name (eg, company) [Default Company Ltd]:IT
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ftpserver
Email Address []:[email protected]

After generating the SSL certificate, you will need to configure VSFTPD to use this certificate.

Open the VSFTPD default configuration file as follows:

nano /etc/vsftpd/vsftpd.conf

Add the following lines at the end of the file:

#Path of the SSL certificate
rsa_cert_file=/etc/ssl/private/vsftpd.crt
rsa_private_key_file=/etc/ssl/private/vsftpd.key
#Enable the SSL
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
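#TLS is more secure than SSL, so enable ssl_tlsv1_2 and disable the older protocols.
#ssl_tlsv1_2 is assumed to be available in the CentOS 8 vsftpd package.
ssl_tlsv1_2=YES
ssl_tlsv1=NO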
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
#Enable SSL debugging to write SSL connection diagnostics to the VSFTPD log.
debug_ssl=YES

Save and close the file when you are finished. Then, restart the VSFTPD service to apply the changes:

systemctl restart vsftpd

At this point, your VSFTPD server is configured to use an SSL certificate. You can now proceed to the next step.
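
A quick way to confirm that the TLS directives above are really set in the file, as an added example that is not part of the original tutorial. The helper names conf_get and audit_vsftpd_tls are hypothetical, the sample configuration is constructed, and the extra check on the private key's file mode assumes GNU stat:

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial. Function names and the
# sample config below are hypothetical/constructed.

# Print the value of directive $2 in file $1 (last uncommented assignment).
conf_get() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        $1 == k { val = substr($0, length(k) + 2) }
        END { print val }' "$1"
}

# Report each directive that differs from the value the tutorial's TLS section
# sets. Strict: a directive that is not set explicitly is reported too.
# Exit status is the number of findings (0 = clean).
audit_vsftpd_tls() {
    local conf=$1 findings=0 rule key want got keyfile mode
    for rule in ssl_enable=YES force_local_logins_ssl=YES \
                force_local_data_ssl=YES allow_anon_ssl=NO \
                anonymous_enable=NO ssl_sslv2=NO ssl_sslv3=NO; do
        key=${rule%%=*}; want=${rule#*=}
        got=$(conf_get "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key=${got:-<unset>} (expected $want)"
            findings=$((findings + 1))
        fi
    done
    # The private key must not be readable by group or others (GNU stat).
    keyfile=$(conf_get "$conf" rsa_private_key_file)
    if [ -f "$keyfile" ]; then
        mode=$(stat -c %a "$keyfile")
        case $mode in
            ?00) ;;
            *) echo "FAIL $keyfile has mode $mode (expected 600 or 400)"
               findings=$((findings + 1)) ;;
        esac
    fi
    return "$findings"
}

# Constructed sample: plaintext logins allowed, SSLv3 on, key world-readable.
demo_dir=$(mktemp -d)
: > "$demo_dir/vsftpd.key"; chmod 644 "$demo_dir/vsftpd.key"
printf '%s\n' anonymous_enable=NO ssl_enable=YES allow_anon_ssl=NO \
    force_local_data_ssl=YES force_local_logins_ssl=NO ssl_sslv2=NO \
    '#ssl_sslv3=NO' ssl_sslv3=YES \
    "rsa_private_key_file=$demo_dir/vsftpd.key" > "$demo_dir/vsftpd.conf"
audit_vsftpd_tls "$demo_dir/vsftpd.conf" || echo "findings: $?"
```

On the server, run `audit_vsftpd_tls /etc/vsftpd/vsftpd.conf` as root; no output and exit status 0 mean every checked directive matches.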

Verify VSFTPD TLS connection

The VSFTPD server is now protected with SSL / TLS support. Next, try to connect to the FTP server from the command line as follows:

ftp 172.20.10.3

You should see errors in the following output:

Connected to 172.20.10.3.
220 (vsFTPd 3.0.2)
Name (172.20.10.3:root): vyom
530 Non-anonymous sessions must use encryption.
Login failed.
421 Service not available, remote server has closed connection
ftp> 

You cannot connect to the VSFTPD server from this command-line client because it does not support SSL / TLS.

So you will need to test the VSFTPD connection using an FTP client that supports TLS connections.

To do this, go to the client system and install the FileZilla client package.

After installing FileZilla, open it.

Next, open Site Manager as follows:

[Screenshot: Site Manager]

Click the New Site button to add a new FTP connection as shown below:

[Screenshot: Add FTP server details]

Provide your FTP server IP, select the FTP protocol, select “Use explicit FTP over TLS”, select Ask for password, provide your FTP server username, and click the Connect button. You will be asked to provide the password of the FTP user as follows:

[Screenshot: Enter password]

Provide your FTP password and click the OK button. You will be asked to verify the certificate used for the SSL / TLS connection as follows:

[Screenshot: Accept SSL certificate]

Click the OK button to accept the certificate. After the connection is successfully established, you will see the following screen:

[Screenshot: Successfully connected to the FTP server]

Conclusion

In the above guide, we have installed the VSFTPD server on CentOS 8. We also configured the VSFTPD server to use SSL / TLS certificates. Your FTP server is now secure. If you have any questions, feel free to ask me.
