Thursday, 11 June 2015

How To : Set up an FTPS (FTP over SSL) Server on Linux

    FTP is a standardized network protocol and probably the quickest and easiest option available when a large amount of data has to be transferred from one host to another over a TCP-based network. FTP defines a client-server architecture that uses two separate ‘well-known’ ports, one for the data connection (port 20, used for data transfer) and one for the control connection (port 21, used for authentication and other commands), to establish connectivity between the server and the client.

    On Linux, the most popular package used to set up an FTP server is ‘VSFTPD’, i.e. ‘Very Secure FTP Daemon’. It offers basic features such as ‘Anonymous enable/disable’, ‘Local enable/disable’ and ‘Chroot jail for the users’. But from a security perspective, ‘vsftpd’ in its default configuration has little to offer: whenever a file transfer is initiated, all the data, including user credentials and passwords, crosses the network unencrypted, as plain text, which is very risky and undesirable on any public network.

    As a security measure, we have two options that offer secure file transfer: SFTP and FTPS. SFTP runs file transfers over an SSH connection, while FTPS protects FTP with cryptographic protocols such as SSL (Secure Sockets Layer) and TLS (Transport Layer Security). This article covers the FTPS option, setting up a secure FTP server using SSL certificates.

Installation of required packages

  • openssl
  • vsftpd
To install the above packages on Debian-based systems, you can run:

sudo apt-get install vsftpd
sudo apt-get install openssl
On Red Hat-based systems, you can run:

yum install vsftpd
yum install openssl

Generating the SSL certificate and RSA key file

    In this step, we will create an SSL certificate file (rsa_cert_file) and an RSA key file (rsa_private_key_file), which vsftpd will use for data encryption. Note the paths of both files, because they must be set in the vsftpd configuration file (Red Hat: /etc/vsftpd/vsftpd.conf; Debian: /etc/vsftpd.conf) through the ‘rsa_cert_file’ and ‘rsa_private_key_file’ variables. By default (in RHEL), ‘rsa_cert_file’ points to ‘/usr/share/ssl/certs/vsftpd.pem’.

    For our convenience, we will put the certificate and the key in the same file, and store that file as ‘/etc/vsftpd/vsftpd.pem’.

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Once the above command is executed, you will be asked to provide some basic information. The output will look very much like this:

Generating a 1024 bit RSA private key
writing new private key to '/etc/vsftpd/vsftpd.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) [Default City]:Pune
Organization Name (eg, company) [Default Company Ltd]:MyTestOrganizationLtd
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:My Test FTP Server
Email Address []
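
As an added example that is not part of the original article, the script below does the same key and certificate generation the way a practitioner would do it today: a 2048-bit key (the article's command uses 1024 bits, which is below current recommendations), key and certificate in separate files with the key readable only by its owner, a non-interactive subject so the command can be scripted, and checks on the result. The file names, the subject values and the `verify_ftps_listener` helper, which points `openssl s_client -starttls ftp` at an already running server to see the certificate it presents, are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the article): generate the vsftpd private key and
# self-signed certificate into separate files, lock down the key, and verify.
# Paths, subject values and the 2048-bit key size are this example's choices;
# the article itself uses one combined 1024-bit file, /etc/vsftpd/vsftpd.pem.

# gen_vsftpd_cert KEYFILE CERTFILE DAYS CN
# Creates the key and certificate without interactive prompts (-subj).
gen_vsftpd_cert() {
    key="$1"; cert="$2"; days="$3"; cn="$4"
    # umask 077 in a subshell so the key is never created group/world readable
    ( umask 077 && openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$key" -out "$cert" \
        -subj "/C=XX/O=Example Org/CN=$cn" >/dev/null 2>&1 ) || return 1
    chmod 600 "$key"
    chmod 644 "$cert"
}

# cert_subject_cn CERTFILE -> prints the CN from the certificate subject
# (handles both the "CN = x" and the older "/CN=x" output styles of openssl)
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_is_private KEYFILE -> succeeds only if the key is mode 600 and is a
# consistent RSA key that openssl can load
key_is_private() {
    perm=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$perm" = "600" ] || return 1
    openssl rsa -in "$1" -check -noout >/dev/null 2>&1
}

# verify_ftps_listener HOST: open the control connection, send AUTH TLS, and
# show the certificate chain the server presents. With the self-signed
# certificate from this article the output ends with
# "Verify return code: 18 (self signed certificate)", which is exactly why
# FTP clients prompt the user to trust it on first connection.
verify_ftps_listener() {
    openssl s_client -connect "$1:21" -starttls ftp -showcerts </dev/null
}

# Usage: sh this_script.sh KEYFILE CERTFILE CN   (generates and prints the CN)
if [ "$#" -eq 3 ]; then
    gen_vsftpd_cert "$1" "$2" 365 "$3" && echo "CN: $(cert_subject_cn "$2")"
fi
```

Keeping the key in its own file lets you point `rsa_cert_file` at the certificate and `rsa_private_key_file` at the key, and hand the certificate out (or replace it with a CA-issued one later) without ever exposing the key.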

The vsftpd configuration part

    After generating the SSL certificate, we need to instruct vsftpd to use it for encryption. Like many services, vsftpd has its own configuration file, vsftpd.conf, located at ‘/etc/vsftpd/vsftpd.conf’ on Red Hat-based systems and ‘/etc/vsftpd.conf’ on Debian-based systems.

    Now let us edit the configuration file as per our requirements. Locate the following lines, or add them if they are not already present.

Step 1 : Turn on SSL

# Turn ON SSL
ssl_enable=YES
# Use encryption for data
force_local_data_ssl=YES
# Use encryption for authentication
force_local_logins_ssl=YES
Keep the comments on their own lines: vsftpd treats everything after ‘=’ as the value, so a comment at the end of a line such as ‘ssl_enable=YES # comment’ makes it refuse to start with a “bad bool value” error.
Step 2 : Mention the Certificate and key file location

Step 3 : Enable TLS

TLS is considered more secure than SSL, and we definitely want to use TLS wherever possible.

Step 4 : Other basic configurations

To allow all local users added to the system to use the FTP service, edit the following line:

To prevent anonymous logins, edit the following line:

To accept FTP write commands, edit the following line:

With these settings, only a local user can access the FTP server and issue write commands. But if you want to keep users separated from each other's content, you can set up a ‘chroot jail’ for the users, so that they are confined to their home directories and cannot access any files outside them.

To enable logging of the transfers carried out, edit the following lines:
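
The four steps above are one procedure, so here is a complete configuration that covers all of them, together with a checker for the settings this article depends on. This is an added example, not the article's own configuration: the destination path, the certificate and key paths, the log path and the `ssl_ciphers=HIGH` line are this example's choices (on a Debian system the file is /etc/vsftpd.conf and the paths differ). The checker also catches the inline-comment mistake that vsftpd rejects.

```shell
#!/bin/sh
# Added example (not from the article): write a vsftpd.conf covering Steps 1-4
# and check it for the settings the article relies on. Destination, certificate,
# key and log paths are passed in, so nothing here is hard-wired to a distro.

# write_vsftpd_conf DEST CERTFILE KEYFILE LOGFILE
write_vsftpd_conf() {
    cat > "$1" <<EOF
# --- Step 1: turn SSL on and require it for both logins and data ---
# Comments must sit on their own line; vsftpd rejects "key=YES # comment".
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
# --- Step 2: certificate and private key (the article uses one file for both) ---
rsa_cert_file=$2
rsa_private_key_file=$3
# --- Step 3: TLS only, legacy SSL versions off, strong cipher suites ---
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
# --- Step 4: local users only, no anonymous access, uploads allowed, chroot jail ---
local_enable=YES
anonymous_enable=NO
write_enable=YES
chroot_local_user=YES
# Log every transfer in vsftpd's own (more detailed) log format
xferlog_enable=YES
xferlog_std_format=NO
vsftpd_log_file=$4
EOF
}

# conf_value FILE KEY -> prints KEY's value (last occurrence wins, as in vsftpd)
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_vsftpd_conf FILE -> prints one line per problem, fails if any was found
check_vsftpd_conf() {
    f="$1"; rc=0
    # settings that must hold for an FTPS-only, non-anonymous, jailed server
    for kv in ssl_enable=YES force_local_logins_ssl=YES force_local_data_ssl=YES \
              anonymous_enable=NO ssl_sslv2=NO ssl_sslv3=NO chroot_local_user=YES; do
        k=${kv%%=*}; want=${kv#*=}
        got=$(conf_value "$f" "$k")
        [ "$got" = "$want" ] || { echo "$k is '$got', expected $want"; rc=1; }
    done
    # a '#' after a value is not a comment to vsftpd; it becomes part of the value
    if grep -q '^[a-z_]*=.*#' "$f"; then
        echo "inline comment found; vsftpd only accepts comments on their own line"; rc=1
    fi
    for k in rsa_cert_file rsa_private_key_file; do
        [ -n "$(conf_value "$f" "$k")" ] || { echo "$k is not set"; rc=1; }
    done
    return $rc
}
```

Run `check_vsftpd_conf /etc/vsftpd/vsftpd.conf` before restarting the service; it is much faster than reading the daemon's startup error out of the log.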


Add vsftpd service to startup

With all the configurations done, you will have to restart the service so that the changes incorporated can take effect.

service vsftpd restart
By default, after a fresh installation of any package, the service associated with that package is disabled in every runlevel. This means that you will have to start the service manually after the operating system switches from one runlevel to another; in simple words, after every reboot or system startup, you will have to start the service by hand.

You can verify this by issuing the ‘chkconfig’ command as follows:

chkconfig --list vsftpd

$ chkconfig --list vsftpd
vsftpd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
To overcome this and to configure the service to start automatically, you can use:

chkconfig vsftpd on


$ chkconfig --list vsftpd
vsftpd          0:off   1:off   2:on    3:on    4:on    5:on    6:off

Adding FTP users

Now your FTP server is ready to use, and you can add users who can access it. Adding FTP users is very similar to adding users to the operating system, with the ‘useradd’ command. Every user gets a separate home directory and, with the ‘chroot jail’ activated, users are forced to work within their home directories.

To add a user ‘mandar’, simply run:

useradd mandar
To set the password for ‘mandar’, use ‘passwd’ command as follows:

passwd mandar
You will have to mention the new password and confirm it once.

Changing password for user mandar.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
    Now the user ‘mandar’ will be able to use the FTPS service from any FTP client that supports SSL/TLS, such as FileZilla. To access the FTPS server from a browser, you may need to install an add-on such as ‘FireFTP’.


    With these configurations, every FTP user, being a local user, also has ordinary login access to the system, where they can reach other users’ files and directories, change configurations, add or remove files and so on, which is highly undesirable.

    As a remedy, you can restrict a user to the FTPS service alone, while still allowing them to use it, by changing their shell to ‘/sbin/nologin’. Further, you can set a password policy for the users (/etc/pam.d/system-auth) to make them choose a strong password and change it regularly (chage command).
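
As an added example that is not part of the original article, the script below provisions such an FTP-only user and checks the two things that most often stop these accounts from logging in: vsftpd's PAM stack (pam_shells.so on both Red Hat and Debian) rejects any user whose shell is not listed in /etc/shells, and vsftpd 2.3.5 and later refuses a chroot whose root directory is writable by the user. The user name, the home layout with a separate upload directory and the 90-day maximum password age are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the article): an FTP-only local account plus checks
# for the usual "login refused" causes. Name, paths and the 90-day password
# age are this example's choices.

# add_ftp_only_user NAME: no interactive shell, home directory acceptable as a
# chroot root (not writable by the user) with a writable upload subdirectory,
# and a password that must be changed every 90 days. Needs root.
add_ftp_only_user() {
    useradd -m -s /sbin/nologin "$1" || return 1
    chmod 555 "/home/$1"                                 # chroot root: read-only
    install -d -o "$1" -g "$1" -m 750 "/home/$1/upload"  # uploads go here instead
    passwd "$1"
    chage -M 90 "$1"
}

# shell_allowed SHELL SHELLSFILE: succeeds if SHELL is listed in SHELLSFILE.
# pam_shells.so consults /etc/shells, so /sbin/nologin must appear there
# (it does on Red Hat by default; on Debian you usually have to add it).
shell_allowed() {
    grep -qx "$1" "$2"
}

# chroot_home_ok DIR: fails if DIR has any write bit set. vsftpd answers
# "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" for a
# user-writable chroot root; the alternative is allow_writeable_chroot=YES,
# which this example deliberately avoids.
chroot_home_ok() {
    perm=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    perm=${perm#"${perm%???}"}   # keep the last three digits (drop suid/sgid/sticky)
    case "$perm" in
        *[2367]*) return 1 ;;    # 2, 3, 6 or 7 in any position means a write bit
        *) return 0 ;;
    esac
}

# Usage (as root): sh this_script.sh NAME
if [ "$#" -eq 1 ]; then
    shell_allowed /sbin/nologin /etc/shells || echo "warning: add /sbin/nologin to /etc/shells"
    add_ftp_only_user "$1" && chroot_home_ok "/home/$1" && echo "$1 ready for FTPS"
fi
```

After adding the user, `chage -l NAME` shows the password-aging policy that is now in force, and a failed login with an unlisted shell appears in /var/log/secure (or auth.log) as a pam_shells denial rather than as a vsftpd error, which is the first place to look when an FTP-only account cannot authenticate.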

Publisher : Open Source for You (Linux For You) Magazine - An Electronics For You Group Publication, February 2015.


  1. Please clarify why one should use this approach if one could also use SFTP with much less configuration effort.

    1. Because it's hard to get any features into an SFTP server. Many feature-rich FTP servers support FTPS, but you need a completely different program for SFTP, and it would lack features like virtual users and chroot.

    2. Because SFTP is a completely different protocol. Most feature-rich FTP servers support FTPS, but NONE support SFTP. For SFTP, you need a completely different server, which usually lacks support for virtual users, chroot and similar things because it's supposed to be used for trusted users.

    3. On some old systems, such as mainframes, only an FTPS service can be implemented, not an SFTP service.