This article will guide you through the installation and configuration of FTPS (vsftpd with TLS/SSL) on CentOS, RHEL, Fedora or Amazon Linux.
The procedure mentioned in this tutorial is tested on:
What is FTPS?
FTPS is also known as FTP Secure or FTP-SSL. FTPS adds Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) to normal FTP, on the same port 21. It is easy to confuse FTPS on port 21 with SFTP, which is a different protocol: file transfer over SSH on port 22.
Traditional FTP is rather insecure. When you log in, your username and password are transmitted in clear text, raising the possibility of your credentials being ‘sniffed’ by a malicious person. You can quite easily configure your vsftpd server to use OpenSSL encryption, so that usernames and passwords, and even the data files themselves, are encrypted during transfer.
TLS/SSL provide end-to-end authentication and communications privacy over the Internet using cryptographic protocols, so that the communication cannot be read by a third party on the path.
(a) First of all, check that vsftpd is compiled against the SSL library; this is required for the TLS/SSL options used below.
# ldd /usr/sbin/vsftpd | grep ssl

Sample Output:
libssl.so.6 => /lib/libssl.so.6 (0x001bf000)
(b) Install the openssl package using the “yum” command.
# yum install openssl
(II) Installing VsFTPD
(a) Install the vsftpd package using the “yum” command.
# yum install vsftpd
(III) Configuring VsFTPD
(a) First of all, create an SSL certificate. This tutorial uses an X.509 certificate, the certificate format defined by the Public Key Infrastructure (PKI) standard.
Type the following “openssl” command to create a self-signed certificate (you can also use a certificate issued by a third-party CA):
# cd /etc/vsftpd/
# /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem

Sample Output:
Generating a 1024 bit RSA private key
.......++++++
........................................++++++
writing new private key to '/etc/vsftpd/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: US
State or Province Name (full name) [Berkshire]: Texas
Locality Name (eg, city) [Newbury]: Dallas
Organization Name (eg, company) [My Company Ltd]: Example LTD.
Organizational Unit Name (eg, section) : IT
Common Name (eg, your name or your server's hostname) : ftp.example.com
Email Address : email@example.com
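Before pointing vsftpd at the certificate it is worth checking what was actually generated: the key size (the command above produces a 1024-bit RSA key, which current guidance considers too short; 2048 bits is the usual minimum), the common name, and the validity window. The script below is an added example and is not part of the original article. It assumes the openssl command-line tool is installed; the certificate it generates in a temporary directory is constructed for the demonstration only, and cert_check, cert_key_bits and cert_common_name are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original article): inspect an FTPS certificate
# before deploying it. Assumes the openssl CLI; all paths are constructed here.

command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; skipping demo"; exit 0; }

# Print the size in bits of the certificate's RSA public key.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the subject CN, so it can be compared with the FTP server's hostname.
cert_common_name() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Return 0 if the certificate is acceptable for a new deployment:
# an RSA key of at least 2048 bits that stays valid for at least $2 seconds
# (default: one day). Prints the reason when it is not.
cert_check() {
    pem="$1"; min_secs="${2:-86400}"
    bits=$(cert_key_bits "$pem")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ] \
        || { echo "weak or unreadable key: ${bits:-?} bits"; return 1; }
    openssl x509 -in "$pem" -noout -checkend "$min_secs" >/dev/null 2>&1 \
        || { echo "certificate expires within ${min_secs}s"; return 1; }
    echo "ok: ${bits}-bit key, CN=$(cert_common_name "$pem")"
}

# Demonstration with a constructed self-signed certificate written to a
# temporary directory (not /etc/vsftpd). Key and certificate are kept in
# separate files; vsftpd can load them via rsa_private_key_file/rsa_cert_file.
demo_dir=$(mktemp -d)
DEMO_PEM="$demo_dir/vsftpd.crt"
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=ftp.example.com" \
    -keyout "$demo_dir/vsftpd.key" -out "$DEMO_PEM" >/dev/null 2>&1
cert_check "$DEMO_PEM"
```

Run it as an ordinary user; the only difference from the article's command is rsa:2048 and the separate key file, and the same cert_check can be pointed at /etc/vsftpd/vsftpd.pem on a real host.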
(b) Edit the vsftpd configuration file and enter the following vsftpd SSL config options:
# vi vsftpd.conf

# Turn on SSL
ssl_enable=YES
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to send and
# receive data on data connections.
force_local_data_ssl=YES
# All non-anonymous logins are forced to use a SSL connection in order to send the password.
force_local_logins_ssl=YES
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=YES
# permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=YES
# This option specifies the location of the RSA certificate to use for SSL encrypted connections.
rsa_cert_file=/etc/vsftpd/vsftpd.pem
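The options above enable SSLv2 and SSLv3 alongside TLSv1. Both SSL versions are obsolete and are NO by default in vsftpd, so on any current system they should be left off; the force_local_* options are what prevent a client from falling back to a plaintext login. The script below is an added example and not the article's or the vsftpd project's code: it reads a vsftpd.conf, reports these weak settings, and compares the article's configuration with a hardened variant. The two config files are constructed in a temporary directory; ssl_ciphers is a real vsftpd option, but the HIGH value used here and the helper names vsftpd_opt and audit_vsftpd_ssl are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): audit the TLS-related options
# in a vsftpd.conf. Read-only; nothing on the system is modified.

# Print the effective value of a vsftpd option (last uncommented "key=value"
# wins, matching vsftpd's top-to-bottom parsing), or nothing if it is unset.
vsftpd_opt() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# Report weak settings, one line each, and return the number of findings
# (0 means the file passed). Unset options are treated as vsftpd's defaults:
# ssl_enable, force_local_*_ssl, ssl_sslv2 and ssl_sslv3 all default to NO.
audit_vsftpd_ssl() {
    conf="$1"; n=0
    [ "$(vsftpd_opt "$conf" ssl_enable)" = "YES" ] \
        || { echo "ssl_enable is not YES: server speaks plaintext FTP only"; n=$((n+1)); }
    for opt in force_local_logins_ssl force_local_data_ssl; do
        [ "$(vsftpd_opt "$conf" "$opt")" = "YES" ] \
            || { echo "$opt is not YES: local users may log in or transfer in plaintext"; n=$((n+1)); }
    done
    for opt in ssl_sslv2 ssl_sslv3; do
        [ "$(vsftpd_opt "$conf" "$opt")" = "YES" ] \
            && { echo "$opt=YES: obsolete protocol enabled"; n=$((n+1)); }
    done
    return "$n"
}

# Constructed inputs: the article's configuration and a hardened variant.
demo_dir=$(mktemp -d)
ARTICLE_CONF="$demo_dir/article.conf"
HARDENED_CONF="$demo_dir/hardened.conf"
cat > "$ARTICLE_CONF" <<'EOF'
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
EOF
cat > "$HARDENED_CONF" <<'EOF'
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# ssl_ciphers is a real vsftpd option; HIGH is this example's choice
ssl_ciphers=HIGH
rsa_cert_file=/etc/vsftpd/vsftpd.pem
EOF

for f in "$ARTICLE_CONF" "$HARDENED_CONF"; do
    echo "== $f"
    audit_vsftpd_ssl "$f" && echo "passed" || echo "findings: $?"
done
```

Running it prints two findings for the article's file (ssl_sslv2 and ssl_sslv3) and "passed" for the hardened one; on a live host, call audit_vsftpd_ssl /etc/vsftpd/vsftpd.conf after editing and before restarting the service.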
(IV) Enabling VsFTPD
(a) Enable the vsftpd service at boot
# chkconfig vsftpd on
(b) Start the service
# service vsftpd start
(V) Verifying VsFTPD
(a) Check that the vsftpd process is running using the process status “ps” command:
# ps -ef | grep -v grep | grep -i vsftpd

Sample Output:
root 9892 1 0 Mar08 ? 00:00:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
(b) Check the port the vsftpd process is listening on using the “netstat” or “lsof” command:
# netstat -planet | grep -i ':21'

Sample Output:
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 0 22027 9892/vsftpd