VSFTP over SSL configuration
Install vsftp and modify the configuration file
# yum install vsftpd
# mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.original
# vi /etc/vsftpd/vsftpd.conf
Copy and paste these lines inside the configuration file /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
chmod_enable=NO
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
allow_writeable_chroot=YES
Restart the service and check the status
# systemctl restart vsftpd
# systemctl enable vsftpd
# systemctl status vsftpd
You should see something like this
● vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2018-12-17 21:38:39 EST; 14h ago
Process: 46223 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
Main PID: 46224 (vsftpd)
CGroup: /system.slice/vsftpd.service
└─46224 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
Dec 17 21:38:39 server-test systemd[1]: Starting Vsftpd ftp daemon...
Dec 17 21:38:39 server-test systemd[1]: Started Vsftpd ftp daemon.
Add a user for the domain in question.
Example: hostway
Create the group ftpusers
# groupadd ftpusers
Create the user for the domain account (no shell, home directory set to the domain's web root)
# useradd -d "/var/www/domains/{client}" -s /sbin/nologin -g ftpusers {client}
Example:
# useradd -d "/var/www/domains/hostway" -s /sbin/nologin -g ftpusers hostway
Set a password
# passwd hostway
Let’s configure SSL/TLS for vsftpd
Create the following directory
# mkdir -p /etc/ssl/private/
# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
Edit the file /etc/vsftpd/vsftpd.conf and append the following lines
####### SSL/TLS
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=NO
ssl_tlsv1_2=YES
ssl_tlsv1_1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
Restart the service and check the status
# systemctl restart vsftpd
# systemctl status vsftpd
Let’s enable VsFTPD in passive mode
Edit the file /etc/vsftpd/vsftpd.conf and append the following lines
##### passive mode
pasv_enable=YES
# this range must match the range opened in the firewall below
pasv_min_port=40500
pasv_max_port=50500
Restart the service
# systemctl restart vsftpd
Open the passive port range in firewalld and on your Cisco firewall (the range must match pasv_min_port/pasv_max_port)
Firewalld
# firewall-cmd --zone=public --add-port=40500-50500/tcp --permanent
# systemctl restart firewalld
Check that the ports were added to firewalld
# firewall-cmd --list-all
You should see something like this
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 161/tcp 161/udp 1167/udp 1167/tcp 21/tcp 22/tcp 80/tcp 443/tcp 3306/tcp 2812/tcp 40500-50500/tcp
NOTE: If you have a firewall in front of your server, do not forget the range 40500-50500/tcp as well
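An added check that is not part of this guide: it parses a vsftpd.conf, verifies the SSL/TLS and passive-mode settings from the sections above, and confirms that the passive port range lies inside the range opened in firewalld (passed in as a tuple). The function names and the SAMPLE_CONF string are constructed here; the check also flags ssl_tlsv1_1=YES, which this guide leaves enabled.

```python
# Settings this guide sets and the value each must carry.
REQUIRED = {
    "anonymous_enable": "NO", "chroot_local_user": "YES",
    "ssl_enable": "YES", "allow_anon_ssl": "NO",
    "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES",
    "ssl_sslv2": "NO", "ssl_sslv3": "NO",
    "ssl_tlsv1": "NO", "ssl_tlsv1_2": "YES",
}

def parse_vsftpd_conf(text):
    """Return {key: value}; vsftpd skips blank lines and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def lint(conf_text, firewall_range):
    """Return a list of findings; an empty list means the config passes."""
    conf = parse_vsftpd_conf(conf_text)
    findings = []
    for key, want in REQUIRED.items():
        got = conf.get(key, "<unset>").upper()
        if got != want:
            findings.append(f"{key}={got}, expected {want}")
    # The guide leaves TLS 1.1 enabled; RFC 8996 deprecates it.
    if conf.get("ssl_tlsv1_1", "NO").upper() == "YES":
        findings.append("ssl_tlsv1_1=YES, TLS 1.1 is deprecated (RFC 8996)")
    # Passive data connections use random ports in this range, so the
    # firewall must open all of it or transfers hang after login.
    if conf.get("pasv_enable", "NO").upper() == "YES":
        lo = int(conf.get("pasv_min_port", 0))
        hi = int(conf.get("pasv_max_port", 0))
        fw_lo, fw_hi = firewall_range
        if not (0 < lo and fw_lo <= lo and hi <= fw_hi):
            findings.append(f"pasv {lo}-{hi} not covered by firewall {fw_lo}-{fw_hi}")
    return findings

# Constructed sample: this guide's settings merged into one file.
SAMPLE_CONF = "\n".join([
    "anonymous_enable=NO", "chroot_local_user=YES", "ssl_enable=YES",
    "allow_anon_ssl=NO", "force_local_data_ssl=YES",
    "force_local_logins_ssl=YES", "ssl_tlsv1=NO", "ssl_tlsv1_1=YES",
    "ssl_tlsv1_2=YES", "ssl_sslv2=NO", "ssl_sslv3=NO", "# passive mode",
    "pasv_enable=YES", "pasv_min_port=40500", "pasv_max_port=50500",
])
```

Run `lint(open("/etc/vsftpd/vsftpd.conf").read(), (40500, 50500))` on the server to check the live file against the range you opened.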
Permissions
# chown -R {client}:ftpusers /var/www/domains/{client}
Example:
# chown -R hostway:ftpusers /var/www/domains/hostway