Before you proceed with the steps to configure VSFTPD for SSL/TLS-encrypted connections, ensure that VSFTPD is already installed on your Linux machine.
For your reference, you can follow these articles –
1. We will generate a self-signed certificate using OpenSSL.
First, create a directory to store the public key and private key.
mkdir -p /etc/vsftpd/ssl
2. Run the command given below to generate the certificate.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/ssl/vsftpd.pem -out /etc/vsftpd/ssl/vsftpd.pem
Once you execute this command, it will ask for the country name, state name, city name, organization, unit name, and the Common Name, which must match your server's IP address.
You can also use a domain name that points to your server's IP address. The certificate is issued for a 2048-bit RSA key pair and is valid for 365 days. Note that -nodes writes the private key unencrypted into the same PEM file as the certificate, so that file should be readable by root only.
3. Let us open the configuration file of VSFTPD for the certificate installation.
4. Add the line given below to the VSFTPD config file to set the certificate and key file path.
5. Add this line to enable SSL.
6. Block the anonymous user from accessing the FTP service over SSL/TLS.
7. Specify when SSL/TLS must be used. This covers both data transfers and logging in with credentials.
8. Block the anonymous user from accessing the FTP service over SSL/TLS.
9. Let us specify the protocol version to use for the encryption.
TLS is more secure than SSL, so we block the older SSL versions.
10. Add the required SSL session reuse and SSL cipher settings to improve security; they give additional protection against Man-in-the-Middle (MITM) attacks.
However, these settings may not be compatible with older FTP clients.
11. Finally, restart the VSFTPD.
systemctl restart vsftpd
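As an added example (not part of the original article), the POSIX shell script below prints the directive block that steps 3 to 10 describe and audits an existing vsftpd.conf for directives that still allow unencrypted logins, anonymous TLS use, or SSLv2/SSLv3. It assumes the certificate and key both live in /etc/vsftpd/ssl/vsftpd.pem as generated above, and that when a directive appears more than once vsftpd uses the last assignment.

```shell
#!/bin/sh
# Added example, not from the original article. Emits the vsftpd TLS directives
# from the steps above and audits a vsftpd.conf for weak or missing settings.
CERT=/etc/vsftpd/ssl/vsftpd.pem   # cert + key in one PEM, as generated above

# Print the directive block to append to vsftpd.conf
# (/etc/vsftpd/vsftpd.conf on RHEL-style systems, /etc/vsftpd.conf on Debian).
vsftpd_tls_conf() {
    cat <<EOF
rsa_cert_file=$CERT
rsa_private_key_file=$CERT
ssl_enable=YES
allow_anon_ssl=NO
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
ssl_ciphers=HIGH
EOF
}
# require_ssl_reuse=YES is the vsftpd default (data connection must resume the
# control session); ssl_ciphers=HIGH rejects weak suites and some old clients.

# Audit: report every directive that is missing or set to an insecure value.
# Returns 1 if anything is wrong. Assumes the last assignment in the file wins.
vsftpd_tls_audit() {
    conf="$1"; bad=0
    for want in ssl_enable=YES force_local_logins_ssl=YES force_local_data_ssl=YES \
                allow_anon_ssl=NO ssl_sslv2=NO ssl_sslv3=NO; do
        key=${want%%=*}
        # commented lines start with '#', so they never match this pattern
        have=$(grep -E "^[[:space:]]*$key=" "$conf" | tail -n 1 | tr -d '[:space:]')
        if [ "$have" != "$want" ]; then
            echo "WEAK: expected $want, found ${have:-nothing}"
            bad=1
        fi
    done
    return $bad
}
```

Run `vsftpd_tls_audit /etc/vsftpd/vsftpd.conf` after editing and again after any package upgrade to catch a config file that was reverted.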
12. After the SSL/TLS connection is established, your FTP client will show messages like these:
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.