Configure VSFTPD with SSL/TLS

How can I configure VSFTPD to support SSL encrypted connections?

In this article we will be discussing how to configure vsftpd to work with SSL/TLS encryption. If you do not have vsftpd installed yet you may wish to visit one of these articles before proceeding.

How to install VSFTPD on CentOS 7

How to install VSFTPD on CentOS 6

How to install VSFTPD on Fedora 23

How to install VSFTPD on Ubuntu 15.04

Ready? Awesome, let’s get started.

  1. Prepare a place for the private key to live. The directory may already exist, which is why -p is used; it should be owned by root and not readable by other users:
    mkdir -p /etc/ssl/private
  2. For this example we’ll use a self-signed certificate. Clients will warn that it is untrusted, which is expected; -nodes leaves the key unencrypted so vsftpd can load it unattended when it starts:
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.key -out /etc/ssl/certs/vsftpd.crt

    Note:
    If you have purchased a certificate from a CA, put the key in /etc/ssl/private/vsftpd.key and the certificate in /etc/ssl/certs/vsftpd.crt. If the CA also issued intermediate certificates, append them to vsftpd.crt after the server certificate so clients can build the chain. In either case make sure the key file is readable only by root.
  3. Next, configure vsftpd to make use of that certificate.
    vim /etc/vsftpd/vsftpd.conf
  4. Add the below configurations at the bottom of /etc/vsftpd/vsftpd.conf (on Debian and Ubuntu the file is /etc/vsftpd.conf). If any of these keys already appear earlier in the file, change the existing line rather than adding a second copy.
    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_tlsv1_1=YES
    ssl_tlsv1_2=YES
    ssl_tlsv1=NO
    ssl_sslv2=NO
    ssl_sslv3=NO
    require_ssl_reuse=YES
    ssl_ciphers=HIGH
    rsa_cert_file=/etc/ssl/certs/vsftpd.crt
    rsa_private_key_file=/etc/ssl/private/vsftpd.key
  5. To exit type “:wq” and that will save the file and quit the program.

SSL Settings

Now let’s go through those settings and see what they do.

  • This option enables SSL/TLS support in vsftpd; none of the settings below have any effect without it.
    ssl_enable=YES
  • Refuse SSL/TLS for anonymous (guest) logins, so only real local users negotiate encryption.
    allow_anon_ssl=NO
  • We’re going to force SSL/TLS encryption of both your username/password and your data to keep them safe. With these two set, a client that tries to log in over plain FTP is refused before it can send a password.
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
  • Use the stronger encryption offered by TLS 1.1 and 1.2. (TLS 1.1 has since been deprecated alongside TLS 1.0 by RFC 8996; if all of your clients speak TLS 1.2, set ssl_tlsv1_1=NO as well.)
    ssl_tlsv1_1=YES
    ssl_tlsv1_2=YES
  • TLS 1.0 has known weaknesses (the CBC-based BEAST attack among them) and is deprecated, so we disable it. Please note that some older FTP clients are not compatible with newer TLS versions and may require this option to be set to “YES”.
    ssl_tlsv1=NO
  • SSLv2 has been broken for years and SSLv3 is vulnerable to POODLE, so both are disabled. Together with turning off TLS 1.0 above (the version BEAST actually targets) this keeps the legacy protocols out of the picture entirely.
    ssl_sslv2=NO
    ssl_sslv3=NO
  • Continuing our security improvements, require every data connection to reuse the TLS session of the control connection that requested it. This ties the data channel to the authenticated user, so a man-in-the-middle or port-stealing attacker cannot grab a passive data port and inject or read a transfer. It may not be compatible with some older FTP clients; if transfers fail right after login with a TLS error on the data connection, try setting this option to “NO”, understanding that you give up that protection.
    require_ssl_reuse=YES
  • This restricts the server to OpenSSL’s HIGH cipher group (suites with at least 128-bit keys). Note that HIGH on its own still includes anonymous Diffie-Hellman suites, which provide no server authentication; a value such as HIGH:!aNULL excludes them.
    ssl_ciphers=HIGH
  • Lastly, our crt and key file.
    rsa_cert_file=/etc/ssl/certs/vsftpd.crt
    rsa_private_key_file=/etc/ssl/private/vsftpd.key

The Final Step

  1. Now that we have all of that added to the configuration file we should be able to restart vsftpd and start uploading. A plain (unencrypted) FTP client should now be refused at login with “530 Non-anonymous sessions must use encryption.”, which is the quickest confirmation that the settings took effect.
    systemctl restart vsftpd
  2. If you are working with CentOS 6 or another system that doesn’t use systemd, restart vsftpd with the below (service name first, then the action).
    service vsftpd restart

Troubleshooting:

If you see an error similar to one of the two below, check out this article.
500 OOPS: vsftpd: refusing to run with writable root inside chroot()

GnuTLS error -15: An unexpected TLS packet was received.

One more thing to check if logins succeed but directory listings hang: now that the control channel is encrypted, a NAT or firewall FTP helper can no longer read the PASV replies to open data ports on the fly. Define a fixed passive range with pasv_min_port and pasv_max_port in vsftpd.conf and open that range in the firewall.

Transport encryption with SSL/TLS is one of the principal protections for credentials and data in transit to your server. You can now rest a little easier knowing that you have taken another step toward providing a secure resource for yourself and your users.
