Linux Tutorials - Herong's Tutorial Examples - v5.45, by Herong Yang
Support FTP Over TLS on CentOS
This section provides a tutorial example on how to turn on SSL/TLS support in the vsftpd server on CentOS systems. A private-public key pair and a self-signed certificate are generated with the OpenSSL tool.
If you allow users to upload and download files remotely over public networks, you need to enable SSL (Secure Sockets Layer) on vsftpd to support FTP over TLS (Transport Layer Security). This encrypts the information exchanged between FTP client programs and the vsftpd server, including the user's password and the uploaded/downloaded files.
Here is what I did to enable SSL support for vsftpd on my CentOS computer.
1. Make sure "openssl" is available:
herong$ sudo dnf info openssl
Available Packages
Name         : openssl
Epoch        : 1
Version      : 1.1.1c
Release      : 15.el8
Architecture : x86_64
Size         : 697 k
Source       : openssl-1.1.1c-15.el8.src.rpm
Repository   : BaseOS
Summary      : Utilities from the general purpose cryptography library with TLS
             : implementation
URL          : http://www.openssl.org/
License      : OpenSSL
Description  : The OpenSSL toolkit provides support for secure communications between
             : machines. OpenSSL includes a certificate management tool and shared
             : libraries which provide various cryptographic algorithms and
             : protocols.

herong$ sudo dnf install openssl
Upgraded:
  openssl-1:1.1.1c-15.el8.x86_64
  openssl-libs-1:1.1.1c-15.el8.x86_64
2. Generate a private-public key pair and a self-signed certificate for the vsftpd server:
herong$ cd /etc/vsftpd
herong$ sudo mkdir ssl
herong$ cd ssl
herong$ sudo openssl req -x509 -nodes -newkey rsa:2048 \
  -keyout vsftpd-private.pem -out vsftpd-cert.pem
Generating a RSA private key
............+++++
..+++++
writing new private key to 'vsftpd-private.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NY
Locality Name (eg, city) [Default City]:NY
Organization Name (eg, company) [Default Company Ltd]:HY
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:hy.centos
Email Address []:

herong$ sudo ls -l
total 8
-rw-r--r-- 1 root root 1294 Jul 11 13:50 vsftpd-cert.pem
-rw------- 1 root root 1704 Jul 11 13:49 vsftpd-private.pem
3. Update vsftpd configuration to turn on SSL:
herong$ cd /etc/vsftpd
herong$ sudo vi vsftpd.conf
...
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd-cert.pem
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd-private.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
4. Restart the vsftpd server:
herong$ sudo systemctl restart vsftpd
5. Test FTP over TLS with FileZilla client:
Define a new site with the following:

Protocol: FTP - File Transfer Protocol
Host: 192.168.1.3
Port:
Encryption: Require explicit FTP over TLS
...

Click "Connect" and enter the user name and password.

Click OK when you see a warning about the server's certificate, because it is self-signed, not signed by a certificate authority.

You see a successful connection in the log:

Status: Connecting to 192.168.1.10:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Status: Directory listing of "/" successful
Nice! My FTP connections are secured now.
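As an added check (not part of the original tutorial), the following Python script parses a vsftpd.conf and reports any of the TLS settings from step 3 that are missing or set to a weaker value than the tutorial uses. The two configurations embedded in it are constructed samples, not files from the tutorial's system.

```python
# Keys the tutorial sets and the value each must have; a key that is absent is
# reported too, because vsftpd then falls back silently to its built-in default.
EXPECTED = {"ssl_enable": "YES", "allow_anon_ssl": "NO",
            "force_local_data_ssl": "YES", "force_local_logins_ssl": "YES",
            "ssl_sslv2": "NO", "ssl_sslv3": "NO", "ssl_tlsv1": "NO",
            "ssl_tlsv1_1": "NO", "ssl_tlsv1_2": "YES"}

def parse_vsftpd_conf(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit_vsftpd_tls(text):
    """Return findings as strings; an empty list means the TLS settings match."""
    s = parse_vsftpd_conf(text)
    findings = []
    for key, want in EXPECTED.items():
        got = s.get(key)
        if got is None:
            findings.append(f"{key} not set (vsftpd default applies)")
        elif got.upper() != want:
            findings.append(f"{key}={got}, expected {want}")
    for key in ("rsa_cert_file", "rsa_private_key_file"):
        if not s.get(key):
            findings.append(f"{key} missing: vsftpd needs the certificate and key paths")
    return findings

# Constructed samples: the tutorial's settings, and a weak variant that still
# accepts plaintext logins and TLS 1.0 and names no private key file.
HARDENED_CONF = """ssl_enable=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd-cert.pem
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd-private.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES
"""
WEAK_CONF = HARDENED_CONF.replace("force_local_logins_ssl=YES", "force_local_logins_ssl=NO") \
    .replace("ssl_tlsv1=NO", "ssl_tlsv1=YES").replace("rsa_private_key_file=", "# rsa_private_key_file=")
```

Run `audit_vsftpd_tls()` on the contents of /etc/vsftpd/vsftpd.conf; the hardened sample yields no findings, while the weak one flags the plaintext login, the TLS 1.0 setting and the missing key path.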