How to Configure VSFTPD with an SSL/TLS Encrypted Connection?

Before you proceed with the steps to configure VSFTPD with an SSL/TLS encrypted connection, ensure that vsftpd is already installed on your Linux machine. Plain FTP sends usernames, passwords and file contents in clear text; the steps below make vsftpd require TLS for every local-user login and data transfer.

For your reference, you can follow these articles – 

1. We will generate a self-signed certificate using OpenSSL. A self-signed certificate is not trusted by any client automatically, so users will have to accept (or pin) it on first connection; for a public server, a CA-issued certificate for the hostname is preferable. The configuration steps are the same either way.
First, create a directory to store the certificate and the private key.

mkdir -p /etc/vsftpd/ssl

2. Run the command given below to generate the certificate. 

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/ssl/vsftpd.pem -out /etc/vsftpd/ssl/vsftpd.pem

Once you execute this command, it will ask for the country name, state, city, organization, organizational unit, and the common name. The common name must match what clients type to connect: use the DNS name that points to your server, or its IP address if clients will connect by IP. Because of -nodes the private key is written unencrypted (vsftpd cannot prompt for a passphrase at startup), and -x509 with -keyout and -out pointing at the same file writes the key and the certificate into a single PEM file. The key is a 2048-bit RSA key (RSA is the key type, not a key-agreement protocol), and the certificate is valid for 365 days, after which clients will start rejecting it. Since the file contains an unencrypted private key, make it readable by root only (mode 0600).

3. Let us open the configuration file of VSFTPD to install the certificate. On Debian and Ubuntu the file is /etc/vsftpd.conf; on RHEL, CentOS and Fedora it is /etc/vsftpd/vsftpd.conf.

vim /etc/vsftpd.conf

4. Add the lines given below to the VSFTPD config file to set the certificate and key file paths. Both point at the same PEM file because the certificate and the key were written into one file in step 2.

rsa_cert_file=/etc/vsftpd/ssl/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.pem

5. Add this line to enable SSL/TLS support. On its own it only allows TLS; the options in the following steps make it mandatory.

ssl_enable=YES

6. Do not let anonymous users negotiate SSL/TLS. This does not disable anonymous access itself (that is controlled by anonymous_enable); it only prevents anonymous sessions from consuming TLS resources on a server meant for authenticated users.

allow_anon_ssl=NO

7. Require SSL/TLS for logins. With this option a local user who sends USER/PASS before AUTH TLS is refused, so credentials can never cross the wire in clear text.

force_local_logins_ssl=YES

8. Require SSL/TLS for data transfers as well, so directory listings and file contents are encrypted too, not just the control channel.

force_local_data_ssl=YES

9. Let us specify which protocol versions may be used for the encryption.
SSLv2 and SSLv3 are broken and must stay disabled (they are already off by default in current vsftpd releases, and most OpenSSL builds no longer ship them, but it does no harm to state it explicitly). ssl_tlsv1=YES enables the TLS family. Newer vsftpd releases add per-version options for TLS 1.1 and later; check vsftpd.conf(5) on your system if you need to disable TLS 1.0 as well.

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

10. Add the SSL session-reuse requirement and a stronger cipher list. require_ssl_reuse forces every data connection to resume the TLS session of the control connection, which proves the data connection comes from the same client and blocks an attacker from hijacking the data port. ssl_ciphers replaces vsftpd's weak default cipher list (DES-CBC3-SHA, i.e. 3DES) with OpenSSL's HIGH set.
Some older FTP clients cannot resume the session on the data connection; they will be rejected with "522 SSL connection failed; session reuse required", and the only fix on the server side is to relax require_ssl_reuse.

require_ssl_reuse=YES
ssl_ciphers=HIGH

11. Finally, restart VSFTPD so it reloads the configuration and the certificate.

systemctl restart vsftpd

12. After establishing the SSL/TLS connection, you will see messages like these in your FTP client (the example below is FileZilla's log; with a self-signed certificate the client will first ask you to accept the unknown certificate). You can also confirm the TLS handshake from a shell with openssl s_client -connect <host>:21 -starttls ftp, which prints the negotiated protocol version, cipher and certificate.

Status: Connection established, waiting for welcome message...

Status: Initializing TLS...

Status: Verifying certificate...

Status: TLS connection established.
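The settings from steps 4 to 10 are easy to get subtly wrong (a duplicated key later in the file silently overrides an earlier one, and an omitted ssl_ciphers leaves vsftpd on 3DES). The following script is an added example, not part of the original article: it audits a vsftpd.conf for the TLS options this guide sets, using vsftpd's documented defaults for anything left unset, and runs itself against two constructed sample configs (a "weak" one that only turns TLS on, and the hardened one built above). The sample configs, the temporary directory and the function names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): audit a vsftpd.conf for the
# TLS settings this guide sets. Sample configs are constructed inline.

# Effective value of a key: the last uncommented "key=value" line wins, because
# vsftpd applies settings in file order. Falls back to the supplied default.
vsftpd_get() {
    # $1 = config file, $2 = key, $3 = default when the key is absent
    v=$(sed -n "s/^[[:space:]]*$2=[[:space:]]*\(.*\)$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# Return 0 when the file enforces TLS the way this guide intends, 1 otherwise.
# Each finding is printed so the output reads as a checklist.
vsftpd_tls_check() {
    cfg=$1
    rc=0
    # key=expected:default  (defaults as documented in vsftpd.conf(5))
    for spec in ssl_enable=YES:NO \
                force_local_logins_ssl=YES:YES \
                force_local_data_ssl=YES:YES \
                allow_anon_ssl=NO:NO \
                ssl_sslv2=NO:NO \
                ssl_sslv3=NO:NO \
                require_ssl_reuse=YES:YES; do
        key=${spec%%=*}
        rest=${spec#*=}
        want=${rest%%:*}
        def=${rest#*:}
        got=$(vsftpd_get "$cfg" "$key" "$def")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key=$got (want $want)"
            rc=1
        fi
    done
    # vsftpd's default cipher list is DES-CBC3-SHA (3DES); refuse it and any
    # list that explicitly admits weak suites.
    ciphers=$(vsftpd_get "$cfg" ssl_ciphers DES-CBC3-SHA)
    case $ciphers in
        DES-CBC3-SHA|*LOW*|*NULL*|*EXPORT*)
            echo "FAIL ssl_ciphers=$ciphers (weak cipher list)"
            rc=1 ;;
    esac
    # The PEM file holds an unencrypted key (-nodes); it must not be readable
    # by group or other. Only checked when the file exists on this host.
    key_file=$(vsftpd_get "$cfg" rsa_private_key_file "")
    if [ -n "$key_file" ] && [ -e "$key_file" ] \
       && [ -n "$(find "$key_file" -perm /077 2>/dev/null)" ]; then
        echo "FAIL $key_file is readable by group/other"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (assumption: a temporary directory for the demo).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# "weak": TLS switched on, but session reuse disabled and ciphers left at default.
cat > "$demo_dir/weak.conf" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
require_ssl_reuse=NO
EOF

# "hardened": the configuration this guide builds, in one place.
cat > "$demo_dir/hardened.conf" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
ssl_ciphers=HIGH
EOF

for name in weak hardened; do
    if vsftpd_tls_check "$demo_dir/$name.conf"; then
        echo "$name.conf: OK"
    else
        echo "$name.conf: needs attention"
    fi
done
```

To audit a live server, point vsftpd_tls_check at /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf) instead of the sample files; on a real host the private-key permission check then runs as well. Because the script mirrors what vsftpd does with duplicate keys (last one wins), it also catches the common mistake of appending ssl options to a file that already sets them differently further down.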
