vsftpd is regarded as one of the most secure FTP servers available. In this article we configure it to use TLS (the configuration options still call it SSL), since the FTP protocol offers no encryption of its own: user names, passwords and file contents all travel in clear text.
As usual, we start by installing the necessary software:
We configure vsftpd in /etc/vsftpd/vsftpd.conf as follows:
vsftpd_log_file=/var/log/vsftpd.log
local_enable=YES
use_localtime=YES
anonymous_enable=NO
async_abor_enable=YES
chmod_enable=NO
ftpd_banner=Alfaexploit File Transfer Protocol
connect_from_port_20=YES
virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd/users
download_enable=NO
dirlist_enable=NO
write_enable=NO
listen_port=21
max_clients=25
max_login_fails=2
chroot_local_user=YES
guest_enable=YES
pam_service_name=vsftpd
guest_username=nobody
hide_ids=YES
listen=YES
pasv_enable=YES
#userlist_enable=NO
#userlist_deny=NO
dirmessage_enable=YES
xferlog_enable=YES
# ssl
ssl_enable=YES
allow_anon_ssl=NO
# Do not demand that data connections reuse the control channel's TLS session;
# it is a useful check, but several clients cannot do it.
require_ssl_reuse=NO
# Refuse logins and data transfers that have not negotiated TLS. With both
# set to NO a client that never sends AUTH TLS is served in clear text,
# which defeats the purpose of this setup.
force_local_logins_ssl=YES
force_local_data_ssl=YES
# SSLv2 and SSLv3 are broken; offer TLS only.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
# passive port range
pasv_min_port=60000
pasv_max_port=60500
Even though the user database is an external file, each virtual user needs a home directory on disk, and the account named in guest_username for that user (user001 below) has to exist as a local system user, because virtual_use_local_privs=YES makes the virtual user act with that local user's privileges:
mkdir /home/user001
chown -R user001:user001 /home/user001
We configure the parameters of the user in question in /etc/vsftpd/users/user001 (the directory named by user_config_dir; the file must carry the login name). Settings here override the global ones once user001 has logged in:
dirlist_enable=YES
download_enable=YES
local_root=/home/user001
write_enable=YES
anon_world_readable_only=NO
# 027 gives 640 for files and 750 for directories
local_umask=027
#file_open_mode=0640
guest_username=user001
allow_writeable_chroot=YES
allow_writeable_chroot=YES disables vsftpd's refusal to run with a writable chroot root ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"). That check exists because a user who can write to the root of the jail can create files there (an etc/ directory, for instance) that the confined process or its libraries may pick up. The safer layout keeps /home/user001 owned by root and non-writable and gives the user a writable subdirectory below it, which makes the option unnecessary.
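To see what user001 actually ends up with once the per-user file is overlaid on the main configuration, and to catch the settings that undermine the encryption, here is an added example that is not part of the original article: a small parser that follows vsftpd's config syntax, merges the two files the way vsftpd does after login, and audits the result. The two config strings are constructed reproductions of the files above; the default values and the handful of startup-only settings (examples from the vsftpd man page, not the full list) are assumptions stated in the code.

```python
"""Parse a vsftpd main config plus a user_config_dir override, compute the
settings a given login ends up with, and flag the risky ones."""

# Constructed reproductions of the two files from this article (not copied
# from a live system). Comments stay on their own lines because vsftpd only
# treats a line as a comment when it *starts* with '#'.
MAIN_CONF = """\
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
guest_enable=YES
guest_username=nobody
virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd/users
write_enable=NO
download_enable=NO
listen=YES
listen_port=21
max_clients=25
# ssl
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
"""

USER001_CONF = """\
download_enable=YES
local_root=/home/user001
write_enable=YES
local_umask=027
guest_username=user001
allow_writeable_chroot=YES
"""

# vsftpd's defaults for the audited settings (used when a key is absent).
DEFAULTS = {
    "anonymous_enable": "YES", "ssl_enable": "NO",
    "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES",
    "ssl_sslv2": "NO", "ssl_sslv3": "NO", "chroot_local_user": "NO",
    "allow_writeable_chroot": "NO", "write_enable": "NO",
}

# Settings that only matter at startup; a per-user file cannot change them.
# (Examples taken from the man page's list, assumed here as representative.)
STARTUP_ONLY = {"listen", "listen_address", "listen_port", "max_clients", "max_per_ip"}


def parse_vsftpd_conf(text):
    """One key=value per line, '#' lines are comments, no inline comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed vsftpd line: {raw!r}")
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def as_bool(value):
    """vsftpd's boolean syntax: YES/TRUE/1 or NO/FALSE/0, case-insensitive."""
    v = value.upper()
    if v in ("YES", "TRUE", "1"):
        return True
    if v in ("NO", "FALSE", "0"):
        return False
    raise ValueError(f"bad boolean value: {value!r}")


def effective_config(main, per_user):
    """Overlay the per-user file on the main one the way vsftpd does after
    login, leaving startup-only settings as the main file had them."""
    merged = dict(main)
    merged.update({k: v for k, v in per_user.items() if k not in STARTUP_ONLY})
    return merged


def audit(cfg):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    def on(key):
        return as_bool(cfg.get(key, DEFAULTS.get(key, "NO")))

    findings = []
    if not on("ssl_enable"):
        findings.append("ssl_enable=NO: credentials and data travel in clear text")
    else:
        if on("ssl_sslv2") or on("ssl_sslv3"):
            findings.append("ssl_sslv2/ssl_sslv3=YES: broken protocol versions offered")
        if not on("force_local_logins_ssl"):
            findings.append("force_local_logins_ssl=NO: plaintext logins still accepted")
        if not on("force_local_data_ssl"):
            findings.append("force_local_data_ssl=NO: plaintext data channels still accepted")
    if on("anonymous_enable"):
        findings.append("anonymous_enable=YES: anonymous logins allowed")
    if not on("chroot_local_user"):
        findings.append("chroot_local_user=NO: users can leave their home directory")
    if on("allow_writeable_chroot") and on("write_enable"):
        findings.append("allow_writeable_chroot=YES with write_enable=YES: chroot root is writable")
    return findings


def audit_user(main_text, user_text):
    """Findings for one login: parse both files, merge, audit."""
    cfg = effective_config(parse_vsftpd_conf(main_text), parse_vsftpd_conf(user_text))
    return audit(cfg)


if __name__ == "__main__":
    for finding in audit_user(MAIN_CONF, USER001_CONF):
        print("-", finding)
```

Run against the two files as written above it reports four findings: SSLv2/SSLv3 offered, plaintext logins and plaintext data channels still accepted, and a writable chroot root. Setting ssl_sslv2 and ssl_sslv3 to NO and the two force_local_* options to YES leaves only the chroot finding.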
We tell vsftpd how to authenticate users. Since pam_service_name=vsftpd, the PAM stack lives in /etc/pam.d/vsftpd and looks the user up in a Berkeley DB file (pam_userdb appends .db to the path given, so the file is /etc/vsftpd/vsftpd_users.db):
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vsftpd_users
Note that without the crypt=crypt option pam_userdb compares against passwords stored in clear text, so the .db file (and the text file it is built from) must be readable only by root; with crypt=crypt the database has to hold crypt(3) hashes instead.
We add the user and the user's password to a text file, user name on one line and password on the next:
user001
PASS
We generate the file in Berkeley DB format with Berkeley DB's db_load utility (the result is the vsftpd_users.db file named in the PAM configuration):
We generate a self-signed certificate (the openssl req step asks for the subject interactively; the Common Name should be the host name clients connect to), concatenate key and certificate into the single PEM file the configuration points at, and make sure nobody but root can read it:
openssl genrsa -out ftpserver.key 2048
openssl req -new -key ftpserver.key -out ftpserver.csr
openssl x509 -req -sha256 -days 3650 -in ftpserver.csr -signkey ftpserver.key -out ftpserver.crt
cat ftpserver.key >> ftpserver.pem
cat ftpserver.crt >> ftpserver.pem
chmod 400 ftpserver.*
mv ftpserver.pem /etc/vsftpd/vsftpd.pem
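The openssl steps above done in one go, as an added example that is not from the original article: the script generates the key and self-signed certificate non-interactively, writes the combined PEM with mode 0400 from the start, and then verifies that both halves are present and that the key really belongs to the certificate by loading the file with Python's ssl module, which is the same OpenSSL check vsftpd runs at startup. It assumes the openssl binary is on PATH; the host name ftp.example.org and the target directory are placeholders.

```python
"""Generate the vsftpd.pem this article's configuration expects (private key and
self-signed certificate in one file), verify the pair and lock it down."""
import os
import ssl
import stat
import subprocess
import sys
import tempfile


def make_vsftpd_pem(out_dir, cn="ftp.example.org", days=3650, bits=2048):
    """One openssl call replaces genrsa/req/x509: it creates an unencrypted
    key (vsftpd cannot ask for a passphrase) and a SHA-256 self-signed cert.
    The host name (cn) is an assumption; use the name clients connect to."""
    key = os.path.join(out_dir, "ftpserver.key")
    crt = os.path.join(out_dir, "ftpserver.crt")
    pem = os.path.join(out_dir, "vsftpd.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", f"rsa:{bits}", "-nodes", "-sha256",
         "-days", str(days), "-subj", f"/CN={cn}", "-keyout", key, "-out", crt],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    # Create the combined file as 0400 from the start instead of chmod'ing it
    # afterwards, so the key is never readable by others, not even briefly.
    fd = os.open(pem, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as out:
        for part in (crt, key):          # certificate first, then the key
            with open(part) as src:
                out.write(src.read())
    os.chmod(key, 0o400)
    verify_vsftpd_pem(pem)
    return pem


def verify_vsftpd_pem(pem):
    """Checks worth running before pointing rsa_cert_file/rsa_private_key_file
    at the file: both halves present, key matches certificate, mode 0400."""
    with open(pem) as f:
        data = f.read()
    if "BEGIN CERTIFICATE" not in data or "PRIVATE KEY-----" not in data:
        raise ValueError(f"{pem} must contain both the certificate and the key")
    # load_cert_chain() reads cert and key from a single file and raises
    # ssl.SSLError when the private key does not belong to the certificate.
    ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(pem)
    mode = stat.S_IMODE(os.stat(pem).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{pem} is mode {mode:04o}, expected 0400")
    return True


def build_in_tempdir():
    """Self-test helper: build and verify in a scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        return verify_vsftpd_pem(make_vsftpd_pem(scratch))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/vsftpd"
    print(make_vsftpd_pem(target))
```

Run as root with /etc/vsftpd as the target (or no argument) it drops vsftpd.pem where rsa_cert_file and rsa_private_key_file expect it; the verify function can also be pointed at a PEM assembled by hand with the cat commands above.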
We restart the service:
Listing a directory may then fail with the following error. It is caused by a bug in vsftpd's seccomp sandbox, which shows up when the remote directory has more than 32 files and vsftpd runs on a 64-bit 3.5.0 kernel:
500 OOPS: priv_sock_get_cmd
The workaround is to disable the sandbox in /etc/vsftpd/vsftpd.conf:
seccomp_sandbox=NO
Bear in mind that this removes the syscall filter that confines the vsftpd processes; where possible, prefer a newer vsftpd that does not trip the bug over running without the sandbox.
If we want to check that TLS is really in use, we can install lftp built with OpenSSL support (USE flags in /etc/portage/package.use):
net-ftp/lftp -gnutls ssl openssl
and then, inside lftp:
set ftp:ssl-force true
set ssl:verify-certificate false
debug 9
user USER PASS
ftp:ssl-force makes lftp refuse to log in unless the control connection is encrypted, so a server that still accepts plaintext logins is never used in the clear by mistake. ssl:verify-certificate false accepts our self-signed certificate; that is fine for a test, but it also accepts any certificate an attacker in the path might present, so for real use trust the server certificate explicitly instead of disabling verification. debug 9 prints the whole dialogue, so the AUTH TLS and PROT P exchanges can be seen.
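The same check done from Python's standard library instead of lftp, as an added example that is not part of the original article: it first tries a login in the clear, which a server with force_local_logins_ssl=YES must answer with "530 Non-anonymous sessions must use encryption." before it ever sees the password, and then logs in over explicit TLS (AUTH TLS) with PROT P so the directory listing travels encrypted too. Host, user and password are supplied on the command line; verify=False corresponds to lftp's ssl:verify-certificate false and is an assumption for the self-signed setup above.

```python
"""Probe an FTPS server the way the lftp session above does, using ftplib:
confirm that a plaintext login is refused and that an explicit-TLS login
(AUTH TLS, then PROT P for the data channel) works with a modern TLS version."""
import ftplib
import ssl

# Reply vsftpd gives to USER on an unencrypted control connection when
# force_local_logins_ssl=YES.
TLS_REQUIRED = "530 Non-anonymous sessions must use encryption."


def plaintext_login_refused(reply):
    """True when a 530 reply is the 'encryption required' one rather than a
    plain 'login incorrect' (which would mean the server took the password)."""
    return reply.startswith("530") and "encryption" in reply.lower()


def tls_version_ok(version):
    """Only TLS 1.2 and 1.3 are acceptable; SSLv3 and TLS 1.0/1.1 are not."""
    return version in ("TLSv1.2", "TLSv1.3")


def probe_plaintext(host, user, passwd, port=21):
    """Try USER/PASS in the clear; a correctly configured server answers USER
    with a 530 before the password is sent."""
    with ftplib.FTP() as ftp:
        ftp.connect(host, port, timeout=10)
        try:
            ftp.login(user, passwd)
        except ftplib.error_perm as err:
            return plaintext_login_refused(str(err))
    return False          # login worked in clear text: the server is misconfigured


def probe_tls(host, user, passwd, port=21, verify=True):
    """Explicit FTPS: AUTH TLS on the control channel, PROT P for data.
    verify=False mirrors lftp's ssl:verify-certificate false for a
    self-signed certificate; keep it True once the certificate is trusted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse anything older
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with ftplib.FTP_TLS(context=ctx) as ftps:
        ftps.connect(host, port, timeout=10)
        ftps.auth()              # AUTH TLS
        ftps.login(user, passwd)
        ftps.prot_p()            # PROT P: encrypt the data connection too
        version = ftps.sock.version()
        listing = ftps.nlst()    # NLST now goes over an encrypted data channel
    return tls_version_ok(version), version, listing


if __name__ == "__main__":
    import sys
    host, user, passwd = sys.argv[1:4]
    print("plaintext login refused:", probe_plaintext(host, user, passwd))
    print("tls login:", probe_tls(host, user, passwd, verify=False))
```

Both probes returning good results (True for the plaintext one, True plus TLSv1.2 or TLSv1.3 for the TLS one) confirms that force_local_logins_ssl and force_local_data_ssl are doing their job and that SSLv2/SSLv3 are not being negotiated.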