This post shows students and new users how to configure VSFTPD to use SSL/TLS certificates on Ubuntu 17.04 | 17.10. We recently showed you how to install and use VSFTPD, however, the connection to the server wasn’t secure.
Someone with the right tool could intercept data between the server and client read it. With SSL/TLS, even if the data is intercepted, it may they may still be unable to read the content, and that’s because of the extra security.
If you read our tutorial last week on installing VSFTPD on Ubuntu and you want to enable SSL/TLS, continue with the steps below. It should be quick and easy, however, you must already have a working VSFTPD server running on Ubuntu before continuing below.
Before continuing below, please make sure you’ve read our previous tutorial and have installed and configured VSFTPD to function on Ubuntu. The tutorial below should be the first thing you read before going any further.
After applying the above post, continue below to add SSL/TLS to the server.
Step 1: Create a Self-signed SSL/TLS certificate
To protect the VSFTPD server and transfer data over SSL/TLS, you must obtain a SSL/TLS certificate. You can get a trusted certificate from a certificate authority or create a self-signed one.
The self-signed certificate may only be used internally. You can use it externally, but your customers won’t feel safe when connecting to your servers using self-signed certificates.
To create a self-signed certificate valid for one year, run the commands below.
sudo bash cd /etc/ssl/private openssl req -x509 -nodes -newkey rsa:2048 -keyout vsftpdServerkey.pem -out vsftpdCertificate.pem -days 365
After running the commands above, you should be prompted to incorporate other details into the certificate. Use the Guide below to answer the questions.
writing new private key to 'vsftpdServerkey.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:New York Locality Name (eg, city) []:Brooklyn Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Lab Organizational Unit Name (eg, section) []:Lab Common Name (e.g. server FQDN or YOUR name) []:vsftpdserver.com Email Address []:
After that, a new server private key (vsftpdServer.key) and server certificates (vsftpdCertificate) should be created and stored in the /etc/ssl/private directory.
Step 2: Configuring VSFTPD to use SSL/TLS
Now that you’ve generated the server private key and certificate, go and configure VSFTPD to use the SSL/TLS certificate you generated. To do that, run the commands below to open VSFTPD default configuration page.
sudo nano /etc/vsftpd.conf
Then make the highlighted changes below so that the server can could communicate over SSL/TLS.
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/private/vsftpdCertificate.pem
rsa_private_key_file=/etc/ssl/private/vsftpdServerkey.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
Save your changes and restart the server.
Step 3: Restart VSFTPD Server
After adding the highlighted lines to the file, save it. Then run the commands below to restart VSFTPD server.
sudo systemctl restart vsftpd
Now grab your favorite FTP client (FileZilla) and connect using the settings below.
Accept the certificate as trusted and you should able to logon.
You should now be transferring files securely via SSL/TLS.
Enjoy!
You may also like the post below: