Configuring VSFTP with TLS Security

Sarath Pillai's picture

Before configuring ftp with tls encrytption lets understand some basics about how ftp works.

FTP- File Transffer Protocol.

Its a protocol used to transffer files from one machine to another over TCP. this protocol normally works on a client server model, where a client connects to the ftp server with a user name and password, and fetches the data required.

ftp server can also be configured in such a way that anonymous user can also login and fetch data from the server.

Note: FTP runs only on TCP not on UDP.

there are two ports that ftp uses they are port no 21, and port no 20.

PORT 21: this port is used for the commands that ftp uses.

PORT 20: this port is used for the data transffer.

Now there are two modes in which ftp can work. they are active mode and passive mode.

ACTIVE MODE FTP: In Active FTP the client connects to the servers command port 21 from any random port selected which is normally greater than 1023. And then the client opens one more port Which is normally N+1(where N is the first port selected by the client while connecting to the server.) and informs the server about this port through the command PORT N+1.

Now the server will make a connection to the port specified by the client from port 20(which is data port of the server).



PASSIVE MODE FTP: In passive kind of communication,the client connects to the remote ftp server to the port 21, and whenever it requires the data transffer, the source port for the data transffer is always a randomly selected high port on the client, with a similar high port on the server.

here in passive mode the attempt to data transffer is initiated by the client. this is much better for clients behind the firewall.

By default most of the ftp connection are made in passive mode today.

There is one critical issue with ftp is that it does not have any encryption mechanism on its own. so all the data,and commands passed over the connection is clear text. which is a major security flaw in ftp.there are two workarounds for this problem one is using SFTP(FTP over ssh) another is the very famous TLS enccryption used in http. (FTPS) ftp protocol with tls.

Read: SSL(Secure Socket Layer)/TLS(Transport Layer Security)

Now lets go through this step by step guide towards configuring VSFTPD(The linux package for ftp server), with tls encrytpion.

STEP1: Check whether ftp is installed on the machine, if not then install vsftpd package by the following method.

STEP 2:Generating a certificate and self signing it

let me explain the options used in the above method.

Openssl:  openssl is a open source way of implimenting ssl/tls cryptography in linux. this tool can be used to generate,private,public keys, certificates, sign certificates etc.

X509 is a standard used for signing certificate.

Nodes option will not encrypt the private key generated.

Days optionn will specify the no of days that this certificate is valid

newkey, asks to generate a new key with rsa algorithm, and must be 1024 bit long.

key out will specify the filename of the private key

and finally we need the output certificate in /etc/vsftpd/vsftpd.pem

Note: Am not going in detail with encryption,certificates,ssl,tls etc in this post, as they are large topic in themself, will cover those in another dedicated post for them.

Now lets understand some of the options required for vsftpd to work with tls.

STEP 3: Configuring vsftpd.conf for tls enabling.

go to the file /etc/vsftpd/vsftpd.conf and add the following options inside that file.

Now lets restart the vsftpd service, and thats have enabled TLS with ftp.

To test connect to the server using, winscp of some other client.

as shown in the above figure,select ftp with tls explicit encryption for this to work in winscp.


Rate this article: 
Average: 3.8 (20 votes)

Add new comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.