How to build a secure FTP service on Linux using vsftpd?
FTP (File Transfer Protocol) is one of the most widely used services on the Internet. It is mainly used to transfer files from one host to another. FTP itself was not designed with security in mind; because of this, a typical FTP service is vulnerable to common attacks such as man-in-the-middle and brute-force attacks.
Several secure alternatives can be used to build a secure FTP service. For example, FTPS uses SSL/TLS certificates to encrypt data end to end; depending on client requirements, FTPS can be configured to accept encrypted and/or unencrypted connections. SFTP (SSH File Transfer Protocol) is another way to protect data in transit. SFTP is an extension of SSH and can be combined with other security mechanisms.
This tutorial focuses on building and protecting an FTP service with vsftpd with SSL/TLS enabled.
First, some background: a typical FTP server uses TCP port 20 for data and TCP port 21 for commands (the control port). Connection establishment and command/parameter exchange take place over port 21. FTP supports two connection modes, active and passive. In active mode, the server opens a connection from port 20 (data) to the client. In passive mode, the server picks a random data port for each client session and tells the client which port it is; the client then opens a connection to that random port on the server.
According to RFC 1635, FTP supports public access through the special user anonymous without any password, or through the user ftp with the password ftp. Besides this kind of public access, vsftpd also supports logins by local Linux users. A Linux user can connect with an FTP client and provide their login credentials to access their home directory, i.e. /home/user.
Install vsftpd on Linux
To install vsftpd on Ubuntu, Debian, or Linux Mint, use apt-get. The vsftpd service starts automatically and is started at boot.
$ sudo apt-get install vsftpd
To install vsftpd on CentOS, Fedora, or RHEL, use yum. After installation, start the service and add it to the system startup items.
# yum install vsftpd
# service vsftpd start
# chkconfig vsftpd on
The most basic FTP service using vsftpd is now ready for use. Simply point a browser at ftp://[ServerName/IP], or use an FTP client such as FileZilla, with the username anonymous and no password, or with the username ftp and the password ftp.
After vsftpd is installed, the system user ftp, together with its home directory /var/ftp, has been added to the system. Whenever an anonymous FTP connection is established, /var/ftp is used as the session's directory by default. Therefore, this directory serves as the home directory for public FTP users, and any file or directory under /var/ftp can be accessed through ftp://[ServerName/IP].
The location of the vsftpd configuration file appears in the following two places:
• Ubuntu, Debian, or Linux Mint: /etc/vsftpd.conf
• CentOS, Fedora, or RHEL: /etc/vsftpd/vsftpd.conf
In the rest of this tutorial, use the vsftpd.conf file at the corresponding location on your Linux system.
Adjust FTP users
To disable public access, you must explicitly disable anonymous logins in vsftpd.conf. Set the option explicitly rather than commenting it out, because a commented-out option makes vsftpd fall back to its built-in default. You also need to restart vsftpd.
anonymous_enable=NO
# service vsftpd restart
Authentication is now mandatory: only existing Linux users can connect with their login credentials.
To enable or disable local users, modify vsftpd.conf as follows. If you disable local users, make sure that the user anonymous has been granted access, otherwise nobody can log in.
local_enable=YES/NO
# service vsftpd restart
To connect as a specific user, just change the URL to ftp://username@[ServerName/IP]. This gives you access to that user's home directory through FTP.
Restrict users to their respective home directories
When you use FTP to access a remote server, you can browse the entire system as long as the files and directories are readable. This is not recommended, because any user could read and download system files in /etc, /var, /usr and other locations through an FTP session.
To restrict local users to their home directories during FTP sessions, modify the following parameter.
chroot_local_user=YES
# service vsftpd restart
Now a local user can only access their home directory and cannot reach any other file or directory on the system.
Enable SSL/TLS Encryption
FTP was originally a plaintext protocol, which means that anyone on the path can easily eavesdrop on the files transmitted between the client and the remote FTP server. To encrypt FTP traffic, enable SSL/TLS in vsftpd.
The first step is to create an SSL/TLS certificate and private key, as shown below. The commands store the certificate and private key together in the target .pem file.
On Debian/Ubuntu:
$ sudo openssl req -x509 -days 365 -newkey rsa:2048 -nodes -keyout /etc/vsftpd.pem -out /etc/vsftpd.pem
On CentOS/Fedora/RHEL:
$ sudo openssl req -x509 -days 365 -newkey rsa:2048 -nodes -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Then, add the following parameters to the vsftpd.conf configuration file. Note that vsftpd expects option=value with no spaces around the equals sign.
# Enable TLS/SSL
ssl_enable=YES
# Force local logins and data transfers to use SSL/TLS
# (the two directive names were garbled in this copy of the article; these are the standard vsftpd options)
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Disable SSL session reuse (directive name garbled in this copy; restored as the standard vsftpd option)
require_ssl_reuse=NO
ssl_ciphers=HIGH
# Specify the SSL certificate/private key (Debian/Ubuntu);
# on CentOS/Fedora/RHEL replace the path with /etc/vsftpd/vsftpd.pem
rsa_cert_file=/etc/vsftpd.pem
rsa_private_key_file=/etc/vsftpd.pem
# Define the port range for connections in passive mode
pasv_max_port=65535
pasv_min_port=64000
Restart vsftpd.
# service vsftpd restart
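The settings above (anonymous access, chroot, SSL/TLS, passive port range) are easy to get subtly wrong, so here is an added example, not from the original article, of a small POSIX sh script that audits a vsftpd.conf against them, using vsftpd's own built-in defaults for options that are not set. The sample config it writes is constructed for the demonstration; the file path and the script name vsftpd_audit.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: audit a vsftpd.conf against the
# hardening settings above. vsftpd reads "option=value" lines with no spaces;
# lines starting with "#" are comments. Usage: sh vsftpd_audit.sh /etc/vsftpd.conf

# Effective value of an option: last assignment wins, else vsftpd's built-in default.
conf_get() {  # conf_get <file> <option> <default>
    v=$(grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-)
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# Prints one ok/FAIL line per check; returns the number of failed checks.
vsftpd_audit() {  # vsftpd_audit <file>
    f=$1; fails=0
    check() {  # check <option> <wanted> <built-in default> <risk when wrong>
        actual=$(conf_get "$f" "$1" "$3")
        if [ "$actual" = "$2" ]; then echo "ok    $1=$actual"; else
            echo "FAIL  $1=$actual (want $2): $4"; fails=$((fails + 1)); fi
    }
    check anonymous_enable NO YES "anonymous logins allowed"
    check chroot_local_user YES NO "local users can browse the whole filesystem"
    check ssl_enable YES NO "logins and transfers are plaintext"
    check force_local_logins_ssl YES YES "passwords may be sent unencrypted"
    check force_local_data_ssl YES YES "file data may be sent unencrypted"
    check ssl_sslv2 NO NO "obsolete SSLv2 accepted"
    check ssl_sslv3 NO NO "obsolete SSLv3 accepted"
    check ssl_ciphers HIGH DES-CBC3-SHA "weak default cipher (FileZilla rejects it)"
    # The passive range must be pinned so the firewall can open exactly that range.
    lo=$(conf_get "$f" pasv_min_port 0); hi=$(conf_get "$f" pasv_max_port 0)
    if [ "$lo" -gt 0 ] && [ "$hi" -ge "$lo" ]; then
        echo "ok    passive ports $lo:$hi (allow this TCP range inbound)"
    else
        echo "FAIL  pasv_min_port/pasv_max_port unset: passive mode may use any port"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample config for the demonstration (anonymous still on, no cipher list).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
anonymous_enable=YES
local_enable=YES
chroot_local_user=YES
ssl_enable=YES
pasv_min_port=64000
pasv_max_port=65535
EOF
vsftpd_audit "${1:-$SAMPLE}" || echo "$? check(s) failed"
```

Run it against the real file after every change and again after restarting vsftpd; the exit status is the number of failed checks, so it drops straight into a deployment pipeline.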
Control connections and bandwidth
vsftpd provides several ways to control connections and per-user bandwidth. We will use a few of them to tune our FTP server.
# Limit each anonymous session to roughly 30 KB/s
anon_max_rate=30000
# Limit each local user to roughly 30 KB/s
local_max_rate=30000
# Terminate a client session after 300 seconds of idle time
idle_session_timeout=300
# Maximum number of connections per source IP address; this helps mitigate denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
max_per_ip=50
Modify Firewall
Finally, if you run the iptables firewall on the system (as CentOS does by default), make sure to adjust the firewall rules to allow FTP traffic through. The following rules should get you started.
# iptables -I INPUT -p tcp --dport 20 -j ACCEPT
# iptables -I INPUT -p tcp --dport 21 -j ACCEPT
# iptables -I INPUT -p tcp --dport 64000:65535 -j ACCEPT
The first two rules allow traffic on the FTP data and control ports. The last rule allows passive-mode connections; its port range must match the one defined in vsftpd.conf.
Enable Logging
If you run into problems while setting up the FTP service in this tutorial, enable logging by adding the following parameters to vsftpd.conf:
xferlog_enable=YES
xferlog_std_format=NO
xferlog_file=/var/log/vsftpd.log
log_ftp_protocol=YES
debug_ssl=YES
# service vsftpd restart
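Besides debugging, the log enabled above is where brute-force attempts against local accounts (mentioned at the start of this article) show up. As an added example that is not part of the original article, the following POSIX sh script summarises FAIL LOGIN entries per client address from a vsftpd.log written with xferlog_std_format=NO; the log lines it uses are constructed, and the script name and threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: report clients with repeated
# failed FTP logins in vsftpd.log (xferlog_std_format=NO, log_ftp_protocol=YES).
# The sample lines below are constructed but follow vsftpd's own line format:
#   <date> [pid N] [user] FAIL LOGIN: Client "a.b.c.d"
# Usage: sh vsftpd_failed_logins.sh /var/log/vsftpd.log 3

# Print "count ip" for every client with at least <threshold> FAIL LOGIN lines,
# most frequent first. OK LOGIN lines and other protocol chatter are ignored.
failed_logins() {  # failed_logins <logfile> <threshold>
    grep 'FAIL LOGIN: Client' "$1" \
        | sed -n 's/.*Client "\([^"]*\)".*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk -v t="$2" '$1 >= t { print $1, $2 }'
}

# Constructed sample log: one address cycling through usernames, one user with a typo.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Tue Jun 10 09:00:01 2014 [pid 2231] [alice] FAIL LOGIN: Client "203.0.113.5"
Tue Jun 10 09:00:02 2014 [pid 2232] [alice] FAIL LOGIN: Client "203.0.113.5"
Tue Jun 10 09:00:03 2014 [pid 2233] [root] FAIL LOGIN: Client "203.0.113.5"
Tue Jun 10 09:00:04 2014 [pid 2234] [admin] FAIL LOGIN: Client "203.0.113.5"
Tue Jun 10 09:01:10 2014 [pid 2240] [bob] OK LOGIN: Client "198.51.100.7"
Tue Jun 10 09:02:15 2014 [pid 2241] [bob] FAIL LOGIN: Client "198.51.100.7"
Tue Jun 10 09:02:20 2014 [pid 2242] [bob] OK LOGIN: Client "198.51.100.7"
EOF
failed_logins "${1:-$LOG}" "${2:-3}"
```

Pair the output with max_per_ip from the previous section: a client that appears here with many distinct usernames is a candidate for a firewall block, while a single user with one or two failures is usually just a typo.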
Connect to the FTP server with FileZilla
Several FTP clients support SSL/TLS, FileZilla in particular. To connect to a site that supports SSL/TLS through FileZilla, use the following settings for the FTP host.
When you connect to an SSL/TLS-enabled FTP server for the first time, you will be shown the server's certificate. Simply trust the certificate and log in.
Troubleshoot vsftpd
1. If you encounter the following error when connecting to the FTP server, your firewall is probably blocking FTP traffic. In that case, make sure that you have opened the necessary FTP ports on the firewall, as described above.
ftp: connect: No route to host
2. If you encounter the following error when connecting to an FTP server running on CentOS/RHEL with chroot enabled, SELinux is blocking access to the home directory.
500 OOPS: cannot change directory:/home/dev
Login failed.
Although disabling SELinux is a quick fix, it is not appropriate for a production environment. Instead, enabling the following SELinux boolean solves the problem.
$ sudo setsebool -P ftp_home_dir on
3. If you encounter the following error when accessing an SSL/TLS-enabled FTP server through FileZilla, make sure that "ssl_ciphers=HIGH" is set in vsftpd.conf. FileZilla does not support vsftpd's default cipher (DES-CBC3-SHA).
Trace: GnuTLS alert 40: Handshake failed
Error: GnuTLS error -12: A TLS fatal alert has been received.
"SSL_accept failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher"
All in all, building an FTP server with vsftpd is not difficult. The default installation with the user anonymous should be enough for a small public FTP service. vsftpd also has many tunable parameters (see http://linux.die.net/man/5/vsftpd.conf) that let it be adapted to a wide range of uses.
I hope this article is helpful.
Address: http://xmodulo.com/2014/06/secure-ftp-service-vsftpd-linux.html