VSFTPD over SSL/TLS configuration

Install vsftpd and replace the packaged configuration file. The original /etc/vsftpd/vsftpd.conf is kept as a reference copy.

     # yum install vsftpd

     # mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.original

     # vi /etc/vsftpd/vsftpd.conf

Copy and paste these lines into the new /etc/vsftpd/vsftpd.conf:

anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
chmod_enable=NO
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
allow_writeable_chroot=YES

What these settings do: anonymous_enable=NO allows only real local accounts, and userlist_enable=YES (with the default userlist_deny=YES) additionally rejects every account named in /etc/vsftpd/user_list, which ships with root and the system accounts. chroot_local_user=YES confines each account to its home directory; vsftpd refuses a login whose chroot root is writable ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()") unless allow_writeable_chroot=YES, which is needed here because clients upload straight into their own directory. Keep chmod_enable=NO so they cannot loosen permissions inside it. listen=NO together with listen_ipv6=YES is the CentOS default and accepts both IPv4 and IPv6 connections on one socket. connect_from_port_20=YES only affects active-mode transfers; passive mode is configured further down.

Start the service, enable it at boot and check the status

  # systemctl restart vsftpd

  # systemctl enable vsftpd

  # systemctl status vsftpd

You should see something like this

vsftpd.service - Vsftpd ftp daemon
   Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2018-12-17 21:38:39 EST; 14h ago
  Process: 46223 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
 Main PID: 46224 (vsftpd)
   CGroup: /system.slice/vsftpd.service
           └─46224 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

Dec 17 21:38:39 server-test systemd[1]: Starting Vsftpd ftp daemon...
Dec 17 21:38:39 server-test systemd[1]: Started Vsftpd ftp daemon.

Add a user for the domain in question. The example below uses hostway as the client name.

Create the group ftpusers (the name is unrelated to /etc/vsftpd/ftpusers, which is the PAM deny list and stays as shipped)

    # groupadd ftpusers

Create the user for the domain account. The home directory is the document root the client will upload into; useradd -d does not create it, so it must already exist (or add -m). The shell is /sbin/nologin because the account is for FTP only; /etc/pam.d/vsftpd checks the login shell against /etc/shells (pam_shells), and /sbin/nologin is listed there on CentOS 7, so the FTP login still works.

    # useradd -d "/var/www/domains/{client}" -s /sbin/nologin -g ftpusers {client}

Example:

    # useradd -d "/var/www/domains/hostway" -s /sbin/nologin -g ftpusers hostway

Set a password

    # passwd hostway

Let's configure SSL/TLS in vsftpd

Create the following directory and generate a self-signed certificate. The command writes the private key and the certificate into the same PEM file, so restrict that file to root (mode 0600). It prompts for the certificate subject; the Common Name should be the host name clients will connect to. Clients will still warn about a self-signed certificate unless they pin it or you later replace it with one issued by a CA.

# mkdir -p /etc/ssl/private/

# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Edit the file /etc/vsftpd/vsftpd.conf and append the following lines

####### SSL/TLS
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH:!aNULL:!MD5

force_local_logins_ssl=YES and force_local_data_ssl=YES make vsftpd reject any plaintext login or data transfer, so credentials and file contents never cross the wire unencrypted. SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are all disabled; TLS 1.1 is deprecated and no current client needs it, so only re-enable it (ssl_tlsv1_1=YES) for a client you cannot replace. ssl_ciphers=HIGH on its own still admits anonymous (aNULL) suites, which provide no server authentication; the !aNULL:!MD5 exclusions remove them. require_ssl_reuse=NO is a concession to clients that cannot resume the control connection's TLS session on the data connection; the default (YES) ties each data connection to the authenticated control session and is the safer choice if all your clients support it.

Restart the service and check the status

  # systemctl restart vsftpd

  # systemctl status vsftpd
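To confirm from a client that the policy above is really what the server enforces, probe the control port with openssl s_client, which sends AUTH TLS when given -starttls ftp. The script below is an added example, not part of the original article; the host name ftp.example.com in its usage line is an assumption, and tls_summary only parses the session summary s_client prints, so it can be exercised on captured transcripts without a server.

```sh
#!/bin/sh
# Added example (not from the original article): probe a vsftpd server's TLS
# policy from a client with openssl s_client. Host/port are arguments; the
# host name ftp.example.com used in the usage text is an assumption.

# Reduce one s_client transcript to "PROTOCOL CIPHER | verify: <code>".
# s_client prints "Cipher    : 0000" when the handshake was refused, which is
# exactly what we want to see for TLS 1.0 and TLS 1.1 against this server.
tls_summary() {
    transcript=$1
    proto=$(printf '%s\n' "$transcript" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$transcript" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    verify=$(printf '%s\n' "$transcript" | sed -n 's/^ *Verify return code: *//p' | head -n 1)
    if [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo "HANDSHAKE-FAILED"
        return 1
    fi
    echo "$proto $cipher | verify: ${verify:-unknown}"
}

# One handshake attempt. $1 host, $2 port, $3 extra openssl flag
# (-tls1, -tls1_1, -tls1_2, or empty for whatever the client prefers).
probe() {
    printf 'QUIT\r\n' | openssl s_client -connect "$1:$2" -starttls ftp $3 2>&1
}

# Check the policy this page configures: TLS 1.0 and 1.1 refused, TLS 1.2 accepted.
# Returns 0 when all three expectations hold.
check_ftp_tls() {
    host=$1; port=${2:-21}; bad=0
    for v in -tls1 -tls1_1; do
        if tls_summary "$(probe "$host" "$port" "$v")" >/dev/null; then
            echo "FAIL $v accepted"; bad=1
        else
            echo "ok   $v refused"
        fi
    done
    if s=$(tls_summary "$(probe "$host" "$port" -tls1_2)"); then
        echo "ok   -tls1_2 $s"
    else
        echo "FAIL -tls1_2 refused"; bad=1
    fi
    return $bad
}

# Usage: sh check_ftp_tls.sh ftp.example.com [21]
if [ "$#" -ge 1 ]; then
    check_ftp_tls "$1" "$2"
fi
```

The verify code in the TLS 1.2 line will read 18 (self signed certificate) with the certificate generated above; that is expected and is the warning your clients will show. A refusal of -tls1 or -tls1_1 can also come from a client whose own OpenSSL no longer offers those versions, so run the probe from a machine that still does if you need proof that the server is the one refusing.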

Let's enable passive mode in vsftpd

With the control channel encrypted, the firewall and any NAT device in front of the server can no longer read PASV replies and open data ports on demand (the FTP connection-tracking helper is useless here), so vsftpd must be pinned to a fixed port range that is opened statically. If the server sits behind NAT, also set pasv_address to the public address clients connect to; otherwise PASV replies carry the private IP and data connections fail.

Edit the file /etc/vsftpd/vsftpd.conf and append the following lines

##### passive mode
pasv_enable=YES
pasv_min_port=35400
pasv_max_port=39900

Restart the service

  # systemctl restart vsftpd

Open the ports in firewalld and on your Cisco firewall. The range must be exactly the one configured above (35400-39900/tcp), and 21/tcp for the control connection must be open as well.

Firewalld

# firewall-cmd --zone=public --add-port=21/tcp --permanent

# firewall-cmd --zone=public --add-port=35400-39900/tcp --permanent

# firewall-cmd --reload

Check that the ports were added to firewalld

# firewall-cmd --list-all

You should see something like this

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 161/tcp 161/udp 1167/udp 1167/tcp 21/tcp 22/tcp 80/tcp 443/tcp 3306/tcp 2812/tcp 35400-39900/tcp

NOTE: If you have a firewall in front of your server, do not forget to allow 21/tcp and the range 35400-39900/tcp there as well.
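The passive range in vsftpd.conf and the range opened in firewalld have to agree, and the TLS settings are easy to get subtly wrong when the file is edited by hand over several steps. The following is an added example script, not part of the original article: it audits a vsftpd.conf against the settings this page prescribes (it also flags TLS 1.1, which is deprecated), derives the firewalld port spec from pasv_min_port/pasv_max_port, and checks that spec against the output of firewall-cmd --list-ports. The config it runs on here is constructed inline (the page's values, with pasv_enable=Yes and TLS 1.1 left on); on the server, point the functions at /etc/vsftpd/vsftpd.conf.

```sh
#!/bin/sh
# Added example (not from the original article): audit /etc/vsftpd/vsftpd.conf
# against the policy described on this page and derive the firewalld port spec
# from the configured passive range so the two cannot drift apart.

# Value of a key (last occurrence wins, as vsftpd reads the file), or empty.
conf_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# Normalise the boolean spellings vsftpd accepts (YES/NO, TRUE/FALSE, 1/0),
# tolerating any case; anything else (including an unset key) is UNSET.
conf_bool() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|1) echo YES ;;
        NO|FALSE|0) echo NO ;;
        *) echo UNSET ;;
    esac
}

# Print one FAIL line per policy violation; return the number of violations.
audit_vsftpd_conf() {
    conf=$1; fails=0
    for kv in anonymous_enable=NO ssl_enable=YES allow_anon_ssl=NO \
              force_local_logins_ssl=YES force_local_data_ssl=YES \
              ssl_sslv2=NO ssl_sslv3=NO ssl_tlsv1=NO ssl_tlsv1_1=NO \
              ssl_tlsv1_2=YES pasv_enable=YES; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(conf_bool "$(conf_get "$conf" "$key")")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key=$got (want $want)"
            fails=$((fails + 1))
        fi
    done
    # A missing or inverted passive range makes every client hang after PASV.
    lo=$(conf_get "$conf" pasv_min_port); hi=$(conf_get "$conf" pasv_max_port)
    case "$lo$hi" in
        ''|*[!0-9]*) range_ok=0 ;;
        *) range_ok=1 ;;
    esac
    if [ "$range_ok" -eq 0 ] || [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ]; then
        echo "FAIL pasv_min_port/pasv_max_port is not a valid range ('$lo'-'$hi')"
        fails=$((fails + 1))
    fi
    return $fails
}

# The firewalld --add-port argument implied by the config, e.g. 35400-39900/tcp.
pasv_firewall_spec() {
    echo "$(conf_get "$1" pasv_min_port)-$(conf_get "$1" pasv_max_port)/tcp"
}

# Exact-match check of a port spec against `firewall-cmd --list-ports` output.
# A wider range that happens to contain it is reported as missing on purpose:
# the rule should document the passive range, not hide inside another one.
firewall_has_port_spec() {
    for p in $2; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Constructed sample: the page's settings, including pasv_enable=Yes and TLS 1.1
# left on ($2 overrides ssl_tlsv1_1). Not a real server's file.
write_sample_conf() {
    cat > "$1" <<EOF
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=NO
ssl_tlsv1_2=YES
ssl_tlsv1_1=${2:-YES}
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_enable=Yes
pasv_min_port=35400
pasv_max_port=39900
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_vsftpd_conf "$sample" || echo "$? policy finding(s)"
spec=$(pasv_firewall_spec "$sample")
echo "firewalld needs: --add-port=$spec"
# A firewall opened for 40500-50500/tcp does not cover the configured range:
firewall_has_port_spec "$spec" "21/tcp 40500-50500/tcp" || echo "firewall does not open $spec"
rm -f "$sample"
```

On a real server, feed pasv_firewall_spec the live config and pass the result to firewall-cmd --add-port, then re-run firewall_has_port_spec against firewall-cmd --list-ports after the reload; a FAIL line from audit_vsftpd_conf after any later hand edit is a cheap regression check to keep in a cron job or a configuration-management test.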

Permissions

Give the client account ownership of its document root, otherwise uploads inside the chroot fail with a permission error

# chown -R {client}:ftpusers /var/www/domains/{client}

Example:

# chown -R hostway:ftpusers /var/www/domains/hostway