Very Secure FTP (vsftpd) Configuration

 

It is now well understood that FTP as we used to know it is a long-gone dinosaur and should not be used. Its one big fault is that it is inherently insecure: the client sends usernames and passwords in plain text, and the file transfers themselves are unencrypted, so anyone with a network sniffer on the path can capture them. There are alternatives for when the FTP protocol has to be used, and vsftpd, the catchily named "Very Secure FTP Daemon", is a commonly used one; with SSL/TLS enabled (FTPS) it protects both the control and the data connection.

Software installation

Two pieces of software are required: vsftpd and OpenSSL. Install each according to its own instructions. vsftpd must have been built with SSL support (it links against OpenSSL) or the ssl_enable option used below will be rejected.

OpenSSL configuration

In order for vsftpd to operate securely, a certificate needs to be generated and signed by a Certificate Authority (CA). There are several possible formats for this certificate, but vsftpd requires the Base64 text format known as "PEM". The process for creating a certificate is described below. First create an RSA private key in PEM format with no passphrase; the -des3 option, which would encrypt the key under Triple-DES and make vsftpd prompt for a passphrase at every start, is deliberately left out. 1024-bit RSA keys are no longer considered adequate, so use at least 2048 bits:

# openssl genrsa -out server.key 2048

View the details of the key with:

# openssl rsa -in server.key -noout -text

If the key was instead generated with encryption (for example with -des3 or -aes256), remove the passphrase from it like so, entering the existing passphrase when prompted:

# cp server.key server.key.orig
# openssl rsa -in server.key.orig -out server.key

Create a Certificate Signing Request (CSR) with the server's RSA private key. When prompted for the "Common Name", enter the FQDN of the server where the certificate will reside, exactly as clients will address it. Leave the optional challenge password blank, and do not put a passphrase on the key: the FTP server will need to start automatically under inetd, which cannot type one in.

# openssl req -new -key server.key -out server.csr

The CSR output file is also PEM formatted. Check the details of the CSR with:

# openssl req -noout -text -in server.csr

Send the CSR to a Certificate Authority (CA) for signing. When the signed certificate (server.crt) comes back, view and check its details, in particular that the Subject CN is the server's FQDN and that the issuer and validity period are as expected:

# openssl x509 -noout -text -in server.crt

Once received, the signed certificate, its private key, and any intermediate CA certificates are concatenated, in that order, into the PEM bundle that vsftpd reads (the path below is the one used on this page; vsftpd's rsa_cert_file option must point at whichever file you use). Use a single > rather than >> so that re-running the command replaces the bundle instead of appending a second copy of an old certificate, and because the file contains the private key it must be owned by root and readable by nobody else (mode 0600):

# cat server.crt server.key intermediate.cer > /usr/share/local/ssl/certs/vsftpd.pem
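A check worth running on the bundle before vsftpd is pointed at it, as an added example that is not part of the original post: the first PEM block must be the server certificate, there must be exactly one private key, it must not be passphrase-protected, and the file must not be readable by group or others. The two bundles the script writes are constructed with placeholder bodies (only their layout matters to the text checks); a real 2048-bit key and self-signed certificate for ftp.example.com are generated only if openssl is installed, so that the key/certificate match can also be verified. The temporary directory and the file names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): check a vsftpd.pem bundle built
# as above before pointing rsa_cert_file at it. The two bundles written below
# are constructed with placeholder bodies; only the layout matters to the
# text checks. A real key/certificate pair is generated only if openssl is
# installed, so that the key/certificate match can also be verified.

# check_pem_bundle FILE: 0 if the bundle is laid out as vsftpd expects:
# server certificate first, exactly one private key, key not encrypted,
# file not readable by group/others (it holds the private key).
check_pem_bundle() {
    f="$1"
    [ -r "$f" ] || { echo "FAIL: $f not readable"; return 1; }
    first=$(grep '^-----BEGIN ' "$f" | head -n 1)
    case "$first" in
        '-----BEGIN CERTIFICATE-----') ;;
        *) echo "FAIL: first PEM block must be the server certificate, got '$first'"; return 1 ;;
    esac
    nkeys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    [ "$nkeys" -eq 1 ] || { echo "FAIL: expected exactly one private key, found $nkeys"; return 1; }
    # Either header means the key is passphrase-protected: vsftpd would stop
    # and prompt at start-up, which inetd cannot answer.
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "FAIL: private key is passphrase-protected; strip it with 'openssl rsa'"
        return 1
    fi
    if [ -n "$(find "$f" \( -perm -004 -o -perm -040 \) -print)" ]; then
        echo "FAIL: $f is readable by group or others; chmod 600 it"
        return 1
    fi
    ncerts=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    echo "OK: $f has $ncerts certificate(s) and one unencrypted key, certificate first"
}

# key_matches_cert FILE: 0 if the private key belongs to the first
# certificate (same RSA modulus); 2 if openssl is not available.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" ]
}

DEMO=$(mktemp -d)

# Constructed: the layout the text describes (cert, key, intermediate CA).
cat > "$DEMO/good.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBplaceholderServerCert
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholderUnencryptedKey
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderIntermediateCA
-----END CERTIFICATE-----
EOF
chmod 600 "$DEMO/good.pem"

# Constructed: same layout but the key was made with -des3, the case the
# Testing section's passphrase prompt comes from.
cat > "$DEMO/bad.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBplaceholderServerCert
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

MIIEplaceholderEncryptedKey
-----END RSA PRIVATE KEY-----
EOF
chmod 600 "$DEMO/bad.pem"

check_pem_bundle "$DEMO/good.pem"
check_pem_bundle "$DEMO/bad.pem" || echo "(expected: the encrypted key is rejected)"

# Real pair, when openssl exists: a self-signed stand-in for the CA-issued
# server.crt with a 2048-bit key and no passphrase (-nodes).
if command -v openssl >/dev/null 2>&1; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=ftp.example.com \
        -keyout "$DEMO/server.key" -out "$DEMO/server.crt" 2>/dev/null
    cat "$DEMO/server.crt" "$DEMO/server.key" > "$DEMO/real.pem"
    chmod 600 "$DEMO/real.pem"
    check_pem_bundle "$DEMO/real.pem" && key_matches_cert "$DEMO/real.pem" \
        && echo "OK: private key matches the certificate"
fi
```

The modulus comparison works on the bundle itself because the OpenSSL PEM reader skips blocks whose type does not match, so `openssl x509` picks up the first certificate and `openssl rsa` the private key from the same file.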

vsFTPd configuration

The vsftpd configuration file is generally located at /etc/vsftpd.conf. To test its execution and configuration first, it is simplest to run it in standalone mode, meaning that it is started manually and listens on its own rather than being spawned by inetd. Edit /etc/vsftpd.conf and ensure the following parameters are set. The public IP address is the internet address through which external clients reach the VOCA firewall, which forwards them to this server; it goes in pasv_address so that the address vsftpd advertises in PASV replies is reachable from outside (it is left blank below and must be filled in). Two further points: rsa_cert_file must point at the vsftpd.pem bundle built above unless it sits at the build's default location, and with listen_port=990 clients will expect implicit TLS, which on vsftpd versions that have the implicit_ssl option also requires implicit_ssl=YES (without it vsftpd only offers explicit TLS via AUTH TLS on that port). Add to /etc/vsftpd.conf:

# standalone for now (inetd comes later); detach after start-up
listen=YES
background=YES
# SSL/TLS on the control and data connections
ssl_enable=YES
log_ftp_protocol=YES
# implicit FTPS port (explicit AUTH TLS clients would normally use 21)
listen_port=990
# passive data connections, confined to a small range the firewall can open
pasv_enable=YES
pasv_min_port=15000
pasv_max_port=15005
# public address advertised in PASV replies: fill in
pasv_address=
write_enable=YES
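A pre-flight lint for this fragment, as an added example that is not part of the original post: it reads key=value lines from a vsftpd.conf and flags the settings a reviewer would question, using two configs constructed inline. The "weak" one is the fragment exactly as given above (pasv_address still blank); the "hardened" one is the same fragment with the options the lint looks for, using 203.0.113.10 (a documentation address) as a stand-in for the firewall's public IP and the page's vsftpd.pem path. The defaults quoted in the messages are the ones documented in vsftpd.conf(5): anonymous_enable defaults to YES, local_enable to NO, and the force_local_*_ssl options to YES. The temporary directory and file names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-flight lint for the
# /etc/vsftpd.conf fragment above. Both configs are constructed here: "weak"
# is the fragment as given (pasv_address still blank), "hardened" is the same
# fragment with the settings this check looks for. Defaults named in the
# messages are the ones documented in vsftpd.conf(5); values are compared
# in upper case as the page writes them.

# conf_get FILE KEY: print KEY's value (last definition wins), empty if unset.
conf_get() {
    awk -F= -v k="$2" '$0 !~ /^[ \t]*#/ && $1 == k { v = $2 } END { print v }' "$1"
}

LINT_N=0
warn() { echo "  - $1"; LINT_N=$((LINT_N + 1)); }

# lint_vsftpd_conf FILE: print findings and return their count (0 = clean).
lint_vsftpd_conf() {
    f="$1"; LINT_N=0
    echo "$f:"
    if [ "$(conf_get "$f" ssl_enable)" != "YES" ]; then
        warn "ssl_enable is not YES: logins and data cross the wire in clear text"
    fi
    if [ -z "$(conf_get "$f" rsa_cert_file)" ]; then
        warn "rsa_cert_file unset: vsftpd will look for vsftpd.pem at its compiled-in default path"
    fi
    if [ "$(conf_get "$f" listen_port)" = "990" ] && [ "$(conf_get "$f" implicit_ssl)" != "YES" ]; then
        warn "listen_port=990 without implicit_ssl=YES: clients expecting implicit TLS on 990 fail the handshake"
    fi
    for k in ssl_sslv2 ssl_sslv3; do
        if [ "$(conf_get "$f" "$k")" = "YES" ]; then warn "$k=YES enables a broken protocol version"; fi
    done
    for k in force_local_logins_ssl force_local_data_ssl; do
        if [ "$(conf_get "$f" "$k")" = "NO" ]; then warn "$k=NO permits plaintext fallback (default YES)"; fi
    done
    if [ "$(conf_get "$f" anonymous_enable)" != "NO" ]; then
        warn "anonymous_enable is not NO: vsftpd's default is YES, so anonymous logins are on"
    fi
    if [ "$(conf_get "$f" write_enable)" = "YES" ] && [ "$(conf_get "$f" local_enable)" != "YES" ]; then
        warn "write_enable=YES but local_enable is not YES (default NO): no local user can log in"
    fi
    if [ "$(conf_get "$f" pasv_enable)" = "YES" ] && [ -z "$(conf_get "$f" pasv_address)" ]; then
        warn "pasv_address empty: PASV replies advertise the server's own address, not the firewall's public one"
    fi
    if [ "$LINT_N" -eq 0 ]; then echo "  clean"; fi
    return "$LINT_N"
}

DEMO=$(mktemp -d)

# Constructed: the fragment from the page, public address not yet filled in.
cat > "$DEMO/weak.conf" <<'EOF'
listen=YES
background=YES
ssl_enable=YES
log_ftp_protocol=YES
listen_port=990
pasv_enable=YES
pasv_min_port=15000
pasv_max_port=15005
pasv_address=
write_enable=YES
EOF

# Constructed: same fragment hardened. 203.0.113.10 is a documentation
# address standing in for the firewall's public IP; the rsa_cert_file path
# is the one the page uses.
cat > "$DEMO/hardened.conf" <<'EOF'
listen=YES
background=YES
ssl_enable=YES
implicit_ssl=YES
rsa_cert_file=/usr/share/local/ssl/certs/vsftpd.pem
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
log_ftp_protocol=YES
listen_port=990
anonymous_enable=NO
local_enable=YES
pasv_enable=YES
pasv_min_port=15000
pasv_max_port=15005
pasv_address=203.0.113.10
write_enable=YES
EOF

lint_vsftpd_conf "$DEMO/weak.conf" || echo "  ($? finding(s))"
lint_vsftpd_conf "$DEMO/hardened.conf"
```

Run against the fragment as written, the lint reports five findings: no rsa_cert_file, port 990 without implicit_ssl, anonymous logins left at their default, write_enable without local_enable, and the blank pasv_address; the hardened config comes back clean.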

Firewall Configuration

The firewall must allow the client host to reach the vsftpd server on the following ports:

990/tcp: control connection (ftps)
15000-15005/tcp: passive-mode data connections, inbound from the client
989/tcp (ftps-data): only needed if active-mode transfers are allowed, in which case the server opens the data connection outbound from port 989 to the client

With pasv_enable=YES, clients use the passive range; each transfer in progress occupies one port in it, so a range of six ports limits the server to six simultaneous transfers. Widen the range and the matching firewall rule if more are needed.

Testing

Execute the binary:

# /usr/sbin/vsftpd

(The "background" parameter in the configuration file makes the daemon detach and run in the background.) No passphrase prompt should appear. If vsftpd does prompt for one, the private key inside vsftpd.pem is still encrypted; strip the passphrase from the key as follows.

# cp server.key server.key.orig
# openssl rsa -in server.key.orig -out server.key

Enter the old passphrase when prompted. Then rebuild the certificate file by concatenating the issued certificate, the now unencrypted server key and the intermediate certificate, in that order, and start vsftpd again. Finally, ensure a user can connect with an FTP client that supports SSL/TLS and that the session is reported as encrypted.

Setup

Once testing is complete, vsftpd should be run from inetd rather than as a standalone daemon. Kill the running process, then edit /etc/vsftpd.conf to turn off standalone listening and backgrounding (when spawned by inetd the listening port comes from /etc/services, so listen_port no longer applies):

listen=NO
background=NO

Under Solaris 10, where inetd services are managed by SMF, complete the following steps to have inetd run vsftpd:

  • Add the following entry to /etc/services:
    vsftpd 990/tcp
  • Create a temporary file, /tmp/inetd.vsftpd, containing a valid inetd.conf entry:
    vsftpd stream tcp nowait root /usr/sbin/vsftpd vsftpd
  • Convert that entry into an SMF manifest and enable the resulting service:
    # inetconv -i /tmp/inetd.vsftpd
    # inetadm -e svc:/network/vsftpd/tcp:default
  • Confirm the configuration:
    # inetadm -l svc:/network/vsftpd/tcp:default
