FTP is a standardized network protocol and probably the quickest as well as easiest option available when a large chunk of data is to be transferred, from one host to another, over a TCP-based network. FTP defines a client-server architecture which uses two separate ‘well-known’ ports, for data (port no. 20, used for data transfer) and control (port no. 21, used for authentication) connections, in order to establish connectivity between the server and the client.
When it comes to Linux operating system, the most popular package used to setup a FTP server is ‘VSFTPD’ i.e. ‘Very Secure FTP Daemon’. It offers very basic features such as ‘Anonymous enable/disable’, ‘Local enable/disable’ and ‘Chroot jail for the users’. But, when looked from the security perspective, ‘vsftpd’ has very less features to offer. Whenever the file transfer is initiated, all the data - including user credentials and passwords, gets transferred in an unencrypted format, as a plain text, which is considered to be very risky and undesirable on any public network.
As a security measure, we have two options, that offer secure file transfer capabilities, which are - SFTP and FTPS. SFTP uses SSH connection to run file transfers over a secure channel, while FTPS uses cryptographic protocols such as SSL (Secure Socket Layer) and TLS (Transport Layer Security). This article elaborates on the SFTP part in order to setup a secure FTP server using SSL certificates.
Installation of required packages
On Red hat Linux- based systems, you can run:
sudo apt-get install vsftpd sudo apt-get install openssl
yum install vsftpd yum install openssl
Generating the SSL certificate and RSA key file
In this step, we will create a SSL Certificate file (rsa_cert_file) and RSA key file (rsa_private_key_file), that will be used by vsftpd for the data encryption purpose. It is very important to set the paths of both these files, as those must be mentioned in the vsftpd configuration file (Red Hat -/etc/vsftpd/vsftpd.conf and Debian - /etc/vsftpd.conf) in ‘rsa_cert_file’ and ‘rsa_private_key_file’ variables. By default (in RHEL), ‘rsa_cert_file’ will point to ‘/usr/share/ssl/certs/vsftpd.pem’.
For our convenience, we will put the certificate and the key in the same file, and store that file as ‘/etc/vsftpd/vsftpd.pem’.
Once above command is executed, you will be asked to provide some basic information. The output would be very much similar to:
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Generating a 1024 bit RSA private key ............................................................................++++++ ........++++++ writing new private key to '/etc/vsftpd/vsftpd.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:IN State or Province Name (full name) :Maharashtra Locality Name (eg, city) [Default City]:Pune Organization Name (eg, company) [Default Company Ltd]:MyTestOrganizationLtd Organizational Unit Name (eg, section) :Information Technology Common Name (eg, your name or your server's hostname) :My Test FTP Server Email Address :firstname.lastname@example.org
The vsftpd configuration part
After generating the SSL certificate, we need to instruct vsftpd to use that SSL certificate to carry out encryption process. Just like many services, vsftpd has it’s own configuration file – vsftpd.conf, which is located as ‘/etc/vsftpd/vsftpd.conf’ for Red Hat based systems and ‘/etc/vsftpd.conf’ in Debian based systems.
Now, let us edit the configuration file as per our requirement. You might need to find out the lines, or add them if they do not pre-exist.
Step 1 : Turn on SSL
Step 2 : Mention the Certificate and key file location
ssl_enable=YES # Turn ON SSL allow_anon_ssl=NO force_local_data_ssl=YES # Use encryption for data force_local_logins_ssl=YES # Use encryption for authentication
Step 3 : Enable TLS
TLS is considered to be more secure than SSL and we would definitely like to use TLS whenever required.
Step 4 : Other basic configurations
ssl_tlsv1=YES ssl_sslv2=YES ssl_sslv3=YES
To allow all the local users added to the system to use FTP service, edit following line:
To prevent anonymous logins, edit the following line:
To accept FTP write commands, edit the following line:
With this setting, only a local user can access the FTP server and can issue write commands. But, if you want to preserve the individuality between the users and their contents you can setup a ‘chroot jail’ for the users, so that users are bound to work in their home directories and are not permitted to access any files outside them.
To enable logging of the transfers carried out, edit the following lines:
xferlog_enable=YES xferlog_std_format=YES xferlog_file=/var/log/xferlog
Add vsftpd service to startupWith all the configurations done, you will have to restart the service so that the changes incorporated can take effect.
service vsftpd restart
By default, after a fresh installation of any package, the service associated with that package is disabled on every runlevel. This indicates that, you will have to manually restart the service after the operating system switches from one runlevel to another. In simple words, after every reboot/system startup, you will have to start the service manually.
You can verify this by issuing the ‘chkconfig’ command as follows:
chkconfig --list vsftpd
To overcome this and to configure the service to start automatically, you can use:
$ chkconfig --list vsftpd vsftpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
chkconfig vsftpd on
$ chkconfig --list vsftpd vsftpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Adding FTP usersNow, your FTP server is ready to use and you can add users who can access it. Adding the FTP users is very similar to adding users in the operating system, using ‘useradd’ command. With this, every user will get a separate home directory and with the ‘chroot jail’ activated, users will be forced to work within their home directories.
To add a user ‘mandar’, simply run:
To set the password for ‘mandar’, use ‘passwd’ command as follows:
You will have to mention the new password and confirm it once.
Now the user ‘mandar’ will be able to use the FTPS Services using any FTP Client that support SSL/TLS, such as FileZilla. In order to access FTPS server through browsers, you may require to install some addons like ‘fireFTP’.
Changing password for user mandar. New password: Retype new password: passwd: all authentication tokens updated successfully.
With these configurations, any user, being a local user, will also have access to the FTPS server, where it can access other users’ files/directories, change configurations, add/remove files and so on, which is highly undesirable.
As a remedy, you can limit access to any user to the FTPS server, but allow him to use FTPS services at the same time, by changing his shell to ‘/sbin/nologin’. Further, you can set a password policy for the users (/etc/pam.d/system-auth) to make them select a strong password and change regularly (chage command).
Publisher : Open Source for You (Linux For You) Magazine - An Electronics For You Group Publication, February 2015.