Monday, 9 September 2013

Centos 6/RHEL install and configure VSFTPD with SSL/TLS using OpenSSL

Where security is concerned, the Very Secure FTP Daemon is a pretty tight application but there may come a time when you need more security for your data transfers. 

You may have considered the need for SFTP, being concerned about the risk of packet sniffing, malicious activity or the use of clear text credentials, so we take a look at encrypting all traffic in a secure connection to VSFTP with SSL/TLS.

You should be using a static IP address and have VSFTP and OpenSSL installed. Clients attempting to use the FTP service will connect via SFTP and accept the server certificate.

VSFTP will use OpenSSL encryption so that user credentials and data files remain encrypted during transfer.
First, log in as root and move to the VSFTPD install directory.

# cd /etc/vsftpd/

Create a server certificate that will last for 365 days by typing the following:

# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

A series of questions will follow, to which you should respond with the values needed for your setup.

When the certificate has been created, change the file permissions so that it remains accessible to the root user only (the file holds the private key as well as the certificate).

# chmod 600 vsftpd.pem

Now make reference to the certificate in the VSFTP configuration.
 
# vi /etc/vsftpd/vsftpd.conf

We are going to enable SSL, reference the certificate and activate TLS, which is preferred over SSLv2 and SSLv3 because of its improved security.

Scroll down to the bottom of this file and add the following:

ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem

Save and close the file and restart the VSFTP service.

# service vsftpd restart
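
The steps above can be checked rather than trusted. The script below is an added example, not part of the original post: it audits a vsftpd.conf for the settings the post appends (taking the last assignment of each key, which is how vsftpd reads its configuration), confirms that rsa_cert_file points at an existing file with the 0600 mode the chmod step leaves, and wraps the post's openssl command so it runs without prompts. One caveat worth knowing: what this configures is FTP over TLS (FTPS), which is a different protocol from SFTP (file transfer over SSH), so clients must be told to use explicit TLS on the FTP port. The temporary directory, the sample configs, the subject name ftp.example.com and the 2048-bit default key size are this example's own choices; the post used 1024 bits.

```shell
#!/bin/sh
# Added example, not from the original post: audit the vsftpd TLS settings
# the post adds, and run the post's certificate step unattended.
# Paths, sample configs and the subject name are assumptions.

# The settings the post appends to /etc/vsftpd/vsftpd.conf, with the values
# a secured server must have. Split on newlines below (no spaces inside).
REQUIRED_TLS_SETTINGS='ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO'

# vsftpd_value FILE KEY: print the value of the last KEY= line in FILE
# (vsftpd applies assignments in order, so the last one wins), or nothing
# if KEY is never set.
vsftpd_value() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# check_vsftpd_tls FILE: return 0 when every required setting matches and
# rsa_cert_file names an existing file with mode 0600 (what the post's
# chmod leaves); otherwise print each problem and return 1.
check_vsftpd_tls() {
    conf=$1
    problems=0
    for pair in $REQUIRED_TLS_SETTINGS; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(vsftpd_value "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "$conf: $key=${got:-<unset>} (expected $want)"
            problems=$((problems + 1))
        fi
    done
    cert=$(vsftpd_value "$conf" rsa_cert_file)
    if [ -z "$cert" ]; then
        echo "$conf: rsa_cert_file is not set"
        problems=$((problems + 1))
    elif [ ! -f "$cert" ]; then
        echo "$conf: rsa_cert_file $cert does not exist"
        problems=$((problems + 1))
    elif [ -z "$(find "$cert" -prune -perm 0600)" ]; then
        echo "$conf: $cert must be mode 0600 (it contains the private key)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# make_vsftpd_cert OUTFILE [DAYS] [BITS]: the post's openssl command with the
# subject given on the command line (no questions asked) and umask 077, so the
# key+certificate file is owner-readable from the moment it is created rather
# than after a later chmod. 2048 bits is this example's default; the post
# used 1024. Not run below because it needs openssl on the host.
make_vsftpd_cert() {
    out=$1; days=${2:-365}; bits=${3:-2048}
    ( umask 077 && openssl req -x509 -nodes -days "$days" -newkey "rsa:$bits" \
        -subj "/CN=ftp.example.com" -keyout "$out" -out "$out" )
}

# --- constructed demonstration inputs (temporary files, not /etc/vsftpd) ---
DEMO_DIR=$(mktemp -d)
DEMO_CERT="$DEMO_DIR/vsftpd.pem"
: > "$DEMO_CERT" && chmod 600 "$DEMO_CERT"   # stands in for the generated PEM

# A stock-looking config: plain text logins and data, no TLS at all.
WEAK_CONF="$DEMO_DIR/vsftpd-weak.conf"
cat > "$WEAK_CONF" <<EOF
anonymous_enable=YES
local_enable=YES
ssl_enable=NO
ssl_sslv3=YES
EOF

# The same file after the post's block is appended to its end: the later
# ssl_enable and ssl_sslv3 lines override the earlier ones.
HARDENED_CONF="$DEMO_DIR/vsftpd-hardened.conf"
cat > "$HARDENED_CONF" <<EOF
anonymous_enable=YES
local_enable=YES
ssl_enable=NO
ssl_sslv3=YES
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=$DEMO_CERT
EOF

check_vsftpd_tls "$WEAK_CONF" || echo "weak config rejected, as expected"
check_vsftpd_tls "$HARDENED_CONF" && echo "hardened config passes"
```

To audit the real server, run `check_vsftpd_tls /etc/vsftpd/vsftpd.conf` as root after the restart; a non-zero exit with a printed reason means one of the post's settings did not take effect or the certificate file is readable by users other than root.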

The standard FTP service is inherently insecure as it uses plain text usernames, passwords, and unencrypted data transfer. Using OpenSSL encryption provides a secure connection to VSFTP.

In the above example we requested a 1024-bit RSA private key and a certificate that remains valid for a period of 365 days.

So a year's worth of encryption in a few simple steps.