How To Configure VSFTPD With TLS/SSL On RHEL/CentOS 6.x and How To Connect to Secure VSFTPD (TLS/SSL) in Heterogeneous Environments Using Client Programs (Part A)

Traditional FTP is rather insecure. When you log in, your username and password are transmitted in clear text, raising the possibility of your credentials being 'sniffed' by a malicious person. Fortunately there's an easy answer to this. You can quite easily configure your vsftpd server to use OpenSSL encryption, so that usernames and passwords, and even data files, are encrypted during transfer. It takes just a few simple steps:
Vsftpd is available in the default CentOS/RHEL repositories. We assume that CentOS/RHEL users have the default repositories enabled on their systems. Now execute the following command.
Note:- This post works with Security-Enhanced Linux (SELinux) enabled.
Installing and Configuring the Vsftpd in RHEL/CentOS 6.x 
Step1:-  Install VsFTPd 
# yum install vsftpd 
Step2:-  Configure Basic VsFTPd Settings 
Now edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf in CentOS/RHEL and apply some basic settings as shown below. If you are configuring FTP for private users, we strongly advise disabling anonymous login.
Before editing any configuration file, please make a backup. It's good practice.
cp -a /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_bkp
1. Allow anonymous FTP? Set this value to NO to disable anonymous login. The default value is YES.
  • anonymous_enable=NO
2. Uncomment the line below to allow local system users to log in via FTP.
  • local_enable=YES
3. Uncomment the line below to enable any form of FTP write command, such as creating or uploading files and directories.
  • write_enable=YES
4. Uncomment the line below to restrict local system users to their home directory only.
  • chroot_local_user=YES
Note:- When using chroot_local_user=YES you must set the user's default shell to /sbin/nologin, otherwise FTP users can gain access to SSH login.
Now start the vsftpd service
service vsftpd start
To check whether the vsftpd service is running
service vsftpd status
To check the port the vsftpd service is listening on
netstat -nptelu | grep vsftpd
Step3:-  First load the following module to make sure passive FTP connections are not rejected, and also allow the port
Open the file /etc/sysconfig/iptables-config and change IPTABLES_MODULES=" " to IPTABLES_MODULES="ip_conntrack_ftp"
Make sure the FTP port is allowed in iptables.
iptables -L --line-number -n
Now restart the iptables and vsftpd services
service iptables restart && service vsftpd restart
Step4:- Create user and check the login 
useradd -s /sbin/nologin test 
passwd test 
Now use the FileZilla client software to check, because it will show the exact issue if there is any problem.
I think SELinux will prevent switching to the home directory, with an error like the one below.
[Image: error message in the FileZilla client]

Now you have to allow the policies in SELinux.
setsebool -P ftp_home_dir 1 
setsebool -P allow_ftpd_full_access 1 
So far we have completed the basic vsftpd installation and configuration. Now we are going to configure TLS/SSL.
Configuring the TLS/SSL  
Step5:-  Make sure the openssl package is installed on the machine. Here we are securing vsftpd with a self-signed certificate.
Follow the steps below to generate the self-signed certificate.
# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpdkey.pem -out /etc/vsftpd/vsftpd.pem
At the "Common Name (eg, your name or your server's hostname)" prompt, give the proper domain name; otherwise use wildcards, e.g. *.google.com, *.xyz.com
Then change the permissions of these certificate files
chmod 400 /etc/vsftpd/vsftpd.pem 
chmod 400 /etc/vsftpd/vsftpdkey.pem 
Step6:- Securing FTP can be done in two ways.
1) Implicit SSL of vsftp (Port 990) 
2) Explicit TLS of vsftp (Port 21) 
1) Implicit SSL of vsftp (Port 990) 
In this method the client must use SSL and connect on port 990.
Follow the configuration details below.

Open the vsftpd file /etc/vsftpd/vsftpd.conf and add the lines below at the end of the file.

# SSL/TLS enable
rsa_cert_file=/etc/vsftpd/vsftpd.pem 
rsa_private_key_file=/etc/vsftpd/vsftpdkey.pem 
ssl_enable=YES 
allow_anon_ssl=NO 
force_local_data_ssl=YES 
force_local_logins_ssl=YES 
ssl_tlsv1=YES 
ssl_sslv2=NO 
ssl_sslv3=NO 
require_ssl_reuse=NO 
ssl_ciphers=HIGH 
# Implicit SSL configuration
implicit_ssl=YES 
listen_port=990 

# Passive FTP enable (these ports are up to you)
pasv_min_port=2100 
pasv_max_port=2200 

# FTP logging
xferlog_file=/var/log/vsftpd.log 
xferlog_enable=YES 
dirmessage_enable=YES 
xferlog_std_format=NO 
data_connection_timeout=600 
dual_log_enable=YES 
log_ftp_protocol=YES 
debug_ssl=YES 
Save and exit the file.
# service vsftpd restart
To check the port the vsftpd service is listening on
netstat -nptelu | grep vsftpd 

Note:- Allow the ports 2100 to 2200 in iptables (these ports are up to you).

2) Explicit TLS of vsftp (Port 21)
In this method the client connects using the default port only (port 21).
Follow the configuration details below.
Open the vsftpd file /etc/vsftpd/vsftpd.conf and add the lines below at the end of the file.
# SSL/TLS enable
rsa_cert_file=/etc/vsftpd/vsftpd.pem 
rsa_private_key_file=/etc/vsftpd/vsftpdkey.pem 
ssl_enable=YES 
allow_anon_ssl=NO 
force_local_data_ssl=YES 
force_local_logins_ssl=YES 
ssl_tlsv1=YES 
ssl_sslv2=NO 
ssl_sslv3=NO 
require_ssl_reuse=NO 
ssl_ciphers=HIGH 

#Explicit TLS Configuration 
#implicit_ssl=YES 
#listen_port=990 

# Passive FTP enable (these ports are up to you)
pasv_min_port=2100 
pasv_max_port=2200 

# FTP logging
xferlog_file=/var/log/vsftpd.log 
xferlog_enable=YES 
dirmessage_enable=YES 
xferlog_std_format=NO 
data_connection_timeout=600 
dual_log_enable=YES 
log_ftp_protocol=YES 
debug_ssl=YES 
Save and exit the file.
# service vsftpd restart
To check the port the vsftpd service is listening on
netstat -nptelu | grep vsftpd 
Note:- Allow the ports 2100 to 2200 in iptables (these ports are up to you).
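The implicit and explicit configurations above differ only in implicit_ssl and listen_port, so one check covers both. The following is an added example, not part of the original post: it audits a vsftpd.conf against the TLS settings used in this guide and derives the iptables rules for the control port and the passive range. The function names, the constructed sample file and the rule layout (the /etc/sysconfig/iptables style) are assumptions.

```shell
# Added example: audit a vsftpd.conf against the TLS settings used in this guide.

# Print the last uncommented value of KEY ($2) in FILE ($1); empty if unset.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one FAIL line per deviation; exit status is the number of deviations.
audit_tls() {
    fails=0
    for want in anonymous_enable=NO ssl_enable=YES allow_anon_ssl=NO \
                force_local_logins_ssl=YES force_local_data_ssl=YES \
                ssl_sslv2=NO ssl_sslv3=NO ssl_tlsv1=YES; do
        key=${want%%=*}
        got=$(conf_get "$1" "$key")
        if [ "$got" != "${want#*=}" ]; then
            echo "FAIL $key: want ${want#*=}, got ${got:-unset}"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# "implicit" = TLS from the first byte (port 990 here); "explicit" = TLS negotiated on port 21.
tls_mode() {
    [ "$(conf_get "$1" implicit_ssl)" = YES ] && echo implicit || echo explicit
}

# Emit rules in /etc/sysconfig/iptables style (assumed layout). The encrypted control
# channel hides PASV replies from the FTP conntrack helper, so the range is opened outright.
firewall_rules() {
    port=$(conf_get "$1" listen_port); port=${port:-21}
    min=$(conf_get "$1" pasv_min_port); max=$(conf_get "$1" pasv_max_port)
    echo "-A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    if [ -n "$min" ] && [ -n "$max" ]; then
        echo "-A INPUT -m state --state NEW -m tcp -p tcp --dport $min:$max -j ACCEPT"
    else
        echo "# WARN: pasv_min_port/pasv_max_port unset, passive ports are not pinned"
    fi
}

# Constructed sample: the guide's implicit-mode settings with SSLv3 left on by mistake.
sample=$(mktemp)
printf '%s\n' anonymous_enable=NO ssl_enable=YES allow_anon_ssl=NO ssl_tlsv1=YES \
    force_local_logins_ssl=YES force_local_data_ssl=YES ssl_sslv2=NO ssl_sslv3=YES \
    '#implicit_ssl=NO' implicit_ssl=YES listen_port=990 pasv_min_port=2100 pasv_max_port=2200 > "$sample"
audit_tls "$sample" || echo "deviations: $?"
echo "mode: $(tls_mode "$sample")"; firewall_rules "$sample"
rm -f "$sample"
```

Run the functions against /etc/vsftpd/vsftpd.conf after each edit and before restarting the service; a non-zero status from audit_tls means at least one TLS setting differs from the guide.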
