Secure use of FTP services in Linux: FTPS (vsftpd over TLS)

Source: Internet
Author: User
Tags: anonymous, install, openssl

FTP is still the most widely used protocol for uploading and downloading files. Because its traffic (including credentials) is not encrypted, SCP and SFTP were created to address its security. Another option is FTPS (FTP over SSL/TLS), which keeps the FTP protocol but wraps the control and data connections in TLS. This article describes how to set up an FTPS service based on vsftpd.

1) Configure FTPS

Install OpenSSL

# yum install openssl

Use OpenSSL to generate a self-signed server certificate (the private key and the certificate are written into the same PEM file):

# openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/certs/vsftpd.pem -out /etc/pki/tls/certs/vsftpd.pem

Install vsftpd

# yum install vsftpd -y
# vi /etc/vsftpd/vsftpd.conf

The vsftpd.conf content is as follows (vsftpd option names are case-sensitive and must be lowercase; boolean values are written YES/NO):

#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=002

#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# The target log file can be vsftpd_log_file or xferlog_file.
# This depends on setting xferlog_std_format parameter
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# The name of log file when xferlog_enable=YES and xferlog_std_format=YES
# WARNING - changing this filename affects /etc/logrotate.d/vsftpd.log
xferlog_file=/var/log/xferlog
#
# Switches between logging into vsftpd_log_file and xferlog_file files.
#xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=1200
#
# You may change the default value for timing out a data connection.
data_connection_timeout=600
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=Welcome to blah FTP service.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=NO
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure that only one of the listen options is enabled!
listen_ipv6=YES

# Enable SSL
ssl_enable=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES

# Enable passive mode behind NAT
pasv_promiscuous=YES
pasv_min_port=65000
pasv_max_port=65001
pasv_addr_resolve=YES

pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
use_localtime=YES
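
As an added example (not part of the original article and not vsftpd's own code), here is a small Python audit that reads a vsftpd.conf the way vsftpd does (one key=value per line, '#' comments, later lines override earlier ones) and flags the TLS and passive-mode settings above that leave an FTPS deployment weaker than it looks: with force_local_logins_ssl=NO and force_local_data_ssl=NO, TLS is merely offered, so a client that never sends AUTH TLS still logs in and transfers files in plaintext, and pasv_promiscuous=YES disables the check that a passive data connection comes from the same client as the control connection. WEAK_CONF is a constructed excerpt mirroring the article's values; HARDENED_CONF is the same set of keys with corrected values, and the separate rsa_private_key_file path and ssl_ciphers=HIGH in it are assumptions chosen for this example, not settings from the article.

```python
"""Offline audit of a vsftpd.conf for weak FTPS settings (added example)."""

# Constructed excerpt mirroring the article's TLS and passive-mode settings.
WEAK_CONF = """\
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
pasv_promiscuous=YES
pasv_min_port=65000
pasv_max_port=65001
"""

# Same keys with hardened values; key path and cipher list are assumptions.
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
rsa_private_key_file=/etc/pki/tls/private/vsftpd.key
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
ssl_ciphers=HIGH
pasv_promiscuous=NO
pasv_min_port=65000
pasv_max_port=65010
"""


def parse_vsftpd_conf(text):
    """Return {key: value}. Like vsftpd: keys are case-sensitive, there is no
    whitespace around '=', and a non-comment line without '=' is an error."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key or " " in key:
            raise ValueError("line %d: bad config line %r" % (lineno, raw))
        conf[key] = value  # a repeated key takes the last value
    return conf


def is_yes(conf, key, default="NO"):
    """Boolean options are YES/NO (vsftpd also accepts TRUE/FALSE and 1/0)."""
    return conf.get(key, default).upper() in ("YES", "TRUE", "1")


def audit_ftps(conf):
    """Return a list of (key, finding); an empty list means nothing weak was found."""
    findings = []
    if not is_yes(conf, "ssl_enable"):
        findings.append(("ssl_enable", "TLS is off; every login and transfer is plaintext"))
        return findings  # the remaining checks only matter with TLS on
    if "rsa_cert_file" not in conf:
        findings.append(("rsa_cert_file", "no server certificate configured"))
    if not is_yes(conf, "force_local_logins_ssl"):
        findings.append(("force_local_logins_ssl",
                         "NO lets local users send passwords without TLS (AUTH TLS stays optional)"))
    if not is_yes(conf, "force_local_data_ssl"):
        findings.append(("force_local_data_ssl",
                         "NO lets file contents and directory listings travel unencrypted"))
    for legacy in ("ssl_sslv2", "ssl_sslv3"):
        if is_yes(conf, legacy):
            findings.append((legacy, "obsolete protocol version enabled"))
    if "ssl_ciphers" not in conf:
        findings.append(("ssl_ciphers", "cipher list not pinned; set e.g. ssl_ciphers=HIGH"))
    if is_yes(conf, "pasv_promiscuous"):
        findings.append(("pasv_promiscuous",
                         "YES disables the check that a PASV data connection comes from the control-connection client"))
    lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
    if lo and hi and hi - lo + 1 < 5:  # threshold chosen for this example
        findings.append(("pasv_min_port/pasv_max_port",
                         "only %d passive port(s); that caps concurrent data connections" % (hi - lo + 1)))
    return findings


if __name__ == "__main__":
    for name, text in (("article config", WEAK_CONF), ("hardened config", HARDENED_CONF)):
        print(name)
        for key, msg in audit_ftps(parse_vsftpd_conf(text)) or [("-", "no weak settings found")]:
            print("  %-28s %s" % (key, msg))
```

Run it with python3 and the first block lists five findings for the article's values while the hardened block is clean. Two further caveats on the article's configuration: pasv_addr_resolve only has an effect together with pasv_address, which is not set here, so the server will still advertise the address of its own interface in PASV replies; and because the openssl command above writes key and certificate into one file under /etc/pki/tls/certs, that file must not be world-readable.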

Start vsftpd and enable it at boot

# service vsftpd start
# chkconfig vsftpd on
