How to install vsftpd FTP server with SSL / TLS on CentOS 8
FTP is a widely used protocol for transferring files between servers and clients. There are many open source FTP servers, including FTPD, VSFTPD, PROFTPD and pureftpd. Among them, VSFTPD is secure, fast, and one of the most widely used. Its name stands for “very secure file transfer protocol daemon”. It supports SSL, IPv6, and both explicit and implicit FTPS.
In this tutorial, we will show you how to install VSFTPD on a CentOS 8 server and secure it with SSL / TLS.
- A server running CentOS 8.
- A root password is configured on your server.
By default, VSFTPD is available in the CentOS 8 default repository. You can install it by running:
dnf install vsftpd -y
After the installation is complete, start the VSFTPD service and enable it to start after the system reboots using the following commands:
systemctl start vsftpd
systemctl enable vsftpd
At this point, your VSFTPD server is installed and running. You can now proceed to the next step.
Create VSFTPD user
Next, you will need to create a new user for VSFTPD. You will use this user to access the FTP server.
Run the following command to create a new user named vyom as shown below:
Next, set a password for the new user using the following command:
When you are done, you can proceed to the next step.
Next, open the VSFTPD default configuration file located in the /etc/vsftpd directory as shown below:
Change the following lines:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=NO
Save and close the file when you are finished. Then, restart the VSFTPD service and verify the status of the service using the following commands:
systemctl restart vsftpd
systemctl status vsftpd
You should see the following output:
● vsftpd.service - Vsftpd ftp daemon
   Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2020-02-21 00:43:57 EST; 6s ago
  Process: 2698 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
 Main PID: 2699 (vsftpd)
    Tasks: 1 (limit: 6102)
   Memory: 1020.0K
   CGroup: /system.slice/vsftpd.service
           └─2699 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

Feb 21 00:43:57 centos8 systemd: Stopped Vsftpd ftp daemon.
Feb 21 00:43:57 centos8 systemd: Starting Vsftpd ftp daemon...
Feb 21 00:43:57 centos8 systemd: Started Vsftpd ftp daemon.
At this point, your VSFTPD server is configured. Next, you need to allow VSFTPD through SELinux and the firewall.
Configure firewall and SELinux
SELinux is enabled by default in CentOS 8. Therefore, you need to configure SELinux for VSFTPD.
You can configure SELinux to allow FTP access using the following command:
setsebool -P allow_ftpd_full_access=1
Next, you will need to allow the FTP service through firewalld. You can allow it using:
firewall-cmd --zone=public --permanent --add-service=ftp
Next, reload the firewalld service to apply firewall configuration changes:
At this point, your firewall and SELinux are configured to allow incoming FTP connections from remote systems. You can now proceed to test the FTP connection.
Connect to VSFTPD server
The VSFTPD server is now installed and configured. Now it’s time to connect to the FTP server from the client system.
To do this, go to the client system and run the following command to connect to the FTP server:
You will be asked for your FTP user and password, as shown below:
Connected to 172.20.10.3.
220 (vsFTPd 3.0.3)
Name (172.20.10.3:root): vyom
331 Please specify the password.
Password:
230 Login successful.
After the connection is successfully established, you will see the following output:
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Now, type exit and press Enter to exit the FTP session.
Configure VSFTPD with TLS support
For security reasons, it is best to use SSL / TLS to encrypt FTP transfers. To do this, you will need to generate an SSL certificate and configure the VSFTPD server to use it.
First, you need to install the OpenSSL package on your system. You can use the following command to install:
dnf install openssl -y
After installation, create a new directory to store the SSL certificate:
Next, use the following command to generate a self-signed certificate:
openssl req -newkey rsa:2048 -nodes -keyout /etc/ssl/private/vsftpd.key -x509 -days 365 -out /etc/ssl/private/vsftpd.crt
Provide all required information as follows:
Generating a RSA private key
...+++++
...........+++++
writing new private key to '/etc/ssl/private/vsftpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) :GUJ
Locality Name (eg, city) [Default City]:JUN
Organization Name (eg, company) [Default Company Ltd]:IT
Organizational Unit Name (eg, section) :IT
Common Name (eg, your name or your server's hostname) :ftpserver
Email Address :[email protected]
After generating the SSL certificate, you will need to configure VSFTPD to use this certificate.
Open the VSFTPD default configuration file as follows:
Add the following lines at the end of the file:
#Path of the SSL certificate
rsa_cert_file=/etc/ssl/private/vsftpd.crt
rsa_private_key_file=/etc/ssl/private/vsftpd.key
#Enable SSL
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
#TLS is more secure than SSL, so enable TLS and disable SSLv2 and SSLv3.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
#Enable SSL debugging to log SSL connection diagnostics.
debug_ssl=YES
Save and close the file when you are finished. Then, restart the VSFTPD service to apply the changes:
systemctl restart vsftpd
At this point, your VSFTPD server is configured to use an SSL certificate. You can now proceed to the next step.
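The settings above can be checked mechanically before relying on them. The following script is an added example, not part of the original guide: the function names are made up for illustration, it requires each directive to be set explicitly to the value this guide uses, and the sample configuration at the end is constructed.

```shell
# Added example: audit the TLS-related directives this guide places in
# /etc/vsftpd/vsftpd.conf, and the mode of the private key file.

# Print the effective value of directive $2 in file $1. Commented lines are
# skipped; vsftpd reads the file top to bottom, so the last setting wins.
conf_get() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key { sub(/^[^=]*=/, ""); sub(/[ \t\r]+$/, ""); val = $0 }
        END { print val }' "$1"
}

# Compare each directive with the value the guide sets and report it.
# Returns the number of directives that are missing or different.
audit_vsftpd_tls() {
    failures=0
    for want in anonymous_enable=NO ssl_enable=YES allow_anon_ssl=NO \
                force_local_logins_ssl=YES force_local_data_ssl=YES \
                ssl_sslv2=NO ssl_sslv3=NO; do
        key=${want%%=*} expected=${want#*=}
        actual=$(conf_get "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "PASS $key=$actual"
        else
            echo "FAIL $key=${actual:-unset} (expected $expected)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# True when the key file exists and grants nothing to group or others.
key_is_private() {
    [ -f "$1" ] && ls -ld "$1" | grep -q '^-...------'
}

# Constructed sample: SSLv3 left on and force_local_data_ssl commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=NO
ssl_enable=YES
allow_anon_ssl=NO
#force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=YES
EOF
audit_vsftpd_tls "$sample" || echo "$? directive(s) differ from the guide"
rm -f "$sample"
```

On the server, call audit_vsftpd_tls with /etc/vsftpd/vsftpd.conf and key_is_private with /etc/ssl/private/vsftpd.key.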
Verify VSFTPD TLS connection
The VSFTPD server is now protected with SSL / TLS support. Next, try to connect to the FTP server from the command line as follows:
You should see errors in the following output:
Connected to 172.20.10.3.
220 (vsFTPd 3.0.2)
Name (172.20.10.3:root): vyom
530 Non-anonymous sessions must use encryption.
Login failed.
421 Service not available, remote server has closed connection
ftp>
You cannot connect to the VSFTPD server from the command line client because it does not support SSL / TLS.
So you will need to test the VSFTPD connection using an FTP client that supports TLS connections.
To do this, go to the client system and install the FileZilla client package.
After installing FileZilla, open the FileZilla software as follows:
Next, open Site Manager as follows:
Click the New Site button to add a new FTP connection as shown below:
Provide your FTP server IP, select the FTP protocol, select “Use explicit FTP over TLS”, select Ask for password, provide your FTP server username, and click the Connect button. You will be asked to provide the password of the FTP user as follows:
Provide your FTP password and click the OK button. You will be asked to verify the certificate used for the SSL / TLS connection as follows:
Click the OK button to accept the certificate. After the connection is successfully established, you will see the following screen:
In the above guide, we have installed the VSFTPD server on CentOS 8. We also configured the VSFTPD server to use SSL / TLS certificates. Your FTP server is now secure. If you have any questions, feel free to ask me.