While FTP is still popular for sharing data or transferring files over the network, you must be aware that it is a very insecure protocol with no protection built in out of the box: during transfer, your data, including login credentials, travels in plain text and is fully exposed to anyone who can observe the network. This is not what you want for sensitive data at all. To avoid these risks, this recipe shows you how to set up two alternatives for securing FTP: FTPS (FTP over SSL/TLS, also written FTP/SSL) or SFTP (file transfer over SSH).
To complete this recipe, you will require a minimal installation of the CentOS 7 operating system with root privileges and a console-based text editor of your choice. You should already have installed and configured a basic vsftpd server (see Chapter 12, Providing Web Services, for how to do it). Also, for setting up FTPS, we will need to create a self-signed certificate; if you want to know the details behind it, please read the Generating self-signed certificates recipe in this chapter.
You have to choose beforehand whether you want to use SFTP or FTPS. These two methods cannot be applied together, so decide which option you want first. If you later switch between them, restore the default state of vsftpd.conf or sshd_config first.
To secure your vsftpd server with FTPS (FTP over SSL/TLS), perform the following steps:
1. Log in as root and go to the standard certificate location:
   cd /etc/pki/tls/certs
2. Create a self-signed certificate called ftp-server for your FTP server configuration (remember that the Common name value should reflect the domain name of your FTP server):
   make ftp-server.pem
3. Make sure that only root can read the resulting file, since it also contains the private key:
   chmod 400 /etc/pki/tls/certs/ftp-server.pem
4. Make a backup of the vsftpd.conf file:
   cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.BAK
5. Append the following lines to your vsftpd configuration (vsftpd expects exactly one key=value pair per line, so the settings must not be written onto a single line):
   cat >> /etc/vsftpd/vsftpd.conf <<'EOF'
   rsa_cert_file=/etc/pki/tls/certs/ftp-server.pem
   ssl_enable=YES
   force_local_data_ssl=YES
   force_local_logins_ssl=YES
   pasv_min_port=40000
   pasv_max_port=40100
   EOF
6. Create a new firewalld service definition that opens the FTP control port and the passive port range:
   vi /etc/firewalld/services/ftps.xml
   <?xml version="1.0" encoding="utf-8"?>
   <service>
     <description>enable FTPS ports</description>
     <port protocol="tcp" port="40000-40100"/>
     <port protocol="tcp" port="21"/>
     <module name="nf_conntrack_ftp"/>
   </service>
7. Reload the firewall so it picks up the new service definition, enable the ftps service permanently, reload again, and restart your vsftpd server:
   firewall-cmd --reload; firewall-cmd --permanent --add-service=ftps; firewall-cmd --reload; systemctl restart vsftpd
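The settings above only protect you if they actually reach vsftpd one per line and the certificate file is not world-readable. The following script is an added example, not part of the original recipe: it reads a vsftpd.conf, confirms that the three TLS enforcement keys are YES, that the passive range is present and ordered to match the firewall service, and that the file named by rsa_cert_file exists with mode 400 (or 600). The function names and the check logic are my own; the key names are vsftpd's.

```shell
#!/bin/sh
# Added example (not part of the original recipe): check that a vsftpd.conf
# really enforces TLS as the recipe intends, and that the certificate file
# holding the private key is readable by its owner only.
# Usage: check_vsftpd_tls /etc/vsftpd/vsftpd.conf   (exit 0 = all checks pass)

# Print the last value set for a vsftpd key. vsftpd reads exactly one
# key=value pair per line, so settings accidentally written onto a single
# line are not found by this lookup (and not by vsftpd either).
vsftpd_get() {
    grep -E "^${2}=" "$1" | tail -n 1 | cut -d= -f2-
}

check_vsftpd_tls() {
    conf="$1"
    rc=0
    # Every one of these must be YES, otherwise plain-text logins or data
    # transfers are still accepted.
    for key in ssl_enable force_local_data_ssl force_local_logins_ssl; do
        val=$(vsftpd_get "$conf" "$key")
        if [ "$val" != "YES" ]; then
            echo "FAIL: $key is '${val:-unset}', expected YES" >&2
            rc=1
        fi
    done
    # The passive range must be present and ordered; the firewalld service
    # opens exactly this range, so a mismatch means hanging data connections.
    pmin=$(vsftpd_get "$conf" pasv_min_port)
    pmax=$(vsftpd_get "$conf" pasv_max_port)
    if [ -z "$pmin" ] || [ -z "$pmax" ] || [ "$pmin" -gt "$pmax" ] 2>/dev/null; then
        echo "FAIL: pasv_min_port/pasv_max_port missing or inverted" >&2
        rc=1
    fi
    # The .pem contains the private key: it must exist and be mode 400 (or 600).
    cert=$(vsftpd_get "$conf" rsa_cert_file)
    if [ -z "$cert" ] || [ ! -f "$cert" ]; then
        echo "FAIL: rsa_cert_file '${cert:-unset}' does not exist" >&2
        rc=1
    else
        mode=$(stat -c '%a' "$cert")
        case "$mode" in
            400|600) ;;
            *) echo "FAIL: $cert has mode $mode, expected 400" >&2; rc=1 ;;
        esac
    fi
    return $rc
}

# Run against the file given on the command line, if any.
if [ -n "${1:-}" ]; then
    check_vsftpd_tls "$1"
fi
```

Run it as root after step 7 (it needs read access to the certificate file to stat it). A configuration where the six settings ended up on one line fails the first check immediately, because vsftpd, like this lookup, only recognises one key per line.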
To provide SFTP (file transfer over SSH) instead, perform the following steps:
1. Create a new group for the users who are allowed to use SFTP:
   groupadd sshftp
2. We will modify the sshd main config file, so please make a backup before making any changes:
   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.BAK
3. Open the sshd_config file, go to the line containing the Subsystem directive, disable it (put a # sign at the beginning of the line), and add the new subsystem line directly below it, so that the two lines read as shown:
   #Subsystem sftp /usr/libexec/openssh/sftp-server
   Subsystem sftp internal-sftp
4. Then add the following block at the end of the file (everything after a Match line belongs to that block until the next Match line, so it must come after the global settings):
   Match Group sshftp
       ChrootDirectory /home
       ForceCommand internal-sftp
5. Finally, restart the sshd daemon:
   systemctl restart sshd
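Two mistakes in this procedure are easy to make and only show up when sshd refuses to start or the SFTP users cannot log in: leaving the old Subsystem line active next to the new one (sshd rejects a duplicate subsystem definition), and using a chroot directory that does not meet sshd's ownership rules (the ChrootDirectory must be owned by root and must not be writable by group or others). The script below is an added example, not part of the original recipe; it parses an sshd_config for the Match Group block the recipe describes and checks the chroot directory's owner and permissions. The function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original recipe): verify the sshd side of
# the chrooted SFTP setup from the recipe.
# Usage: check_sshd_sftp_config /etc/ssh/sshd_config sshftp && check_chroot_dir /home

fail() { echo "FAIL: $*" >&2; rc=1; }

# Print the body of the "Match Group <name>" block. Everything after a Match
# line belongs to it until the next Match line, which is why the block has
# to sit after the global settings. Comment lines are ignored.
sshd_match_block() {
    awk -v grp="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { inblock = (tolower($2) == "group" && $3 == grp); next }
        inblock { print }
    ' "$1"
}

check_sshd_sftp_config() {
    conf="$1"; grp="$2"; rc=0
    # Exactly one active "Subsystem sftp" line, and it must be internal-sftp:
    # the external sftp-server binary does not exist inside the chroot.
    n=$(grep -Eic '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]' "$conf")
    [ "$n" -eq 1 ] || fail "expected exactly one active 'Subsystem sftp' line, found $n"
    grep -Eiq '^[[:space:]]*Subsystem[[:space:]]+sftp[[:space:]]+internal-sftp' "$conf" \
        || fail "Subsystem sftp is not internal-sftp"
    block=$(sshd_match_block "$conf" "$grp")
    [ -n "$block" ] || fail "no 'Match Group $grp' block found"
    printf '%s\n' "$block" | grep -Eiq '^[[:space:]]*ChrootDirectory[[:space:]]+[^[:space:]]' \
        || fail "Match block lacks ChrootDirectory"
    printf '%s\n' "$block" | grep -Eiq '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp' \
        || fail "Match block lacks 'ForceCommand internal-sftp'"
    return $rc
}

check_chroot_dir() {
    dir="$1"; rc=0
    [ -d "$dir" ] || { fail "$dir is not a directory"; return 1; }
    # sshd requires the chroot to be root-owned ...
    [ "$(stat -c '%u' "$dir")" = 0 ] || fail "$dir must be owned by root"
    # ... and not writable by group or others (a write bit is a 2, 3, 6 or 7
    # in either of the last two octal digits).
    case "$(stat -c '%a' "$dir")" in
        *[2367]|*[2367]?) fail "$dir must not be writable by group or others" ;;
    esac
    return $rc
}
```

Before restarting sshd you can also ask it to validate the file itself with sshd -t; the checks above add the parts sshd does not check at parse time, namely that the chroot directory will actually be accepted at login.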
In this recipe, you have learned how to make your file sharing more secure by switching from plain FTP to FTP over SSL/TLS (FTPS) or file transfer over SSH (SFTP). Whichever option you prefer, the traffic is encrypted in transit (by TLS for FTPS, by SSH for SFTP), which protects your credentials and data from eavesdropping. Which variant you choose is up to you, but remember that SFTP is a bit easier to set up, as you do not have to configure additional ports or certificates in your firewall: everything runs over SSH, which should be enabled by default on most systems.
So, what did we learn from this experience?
We began the recipe by configuring FTPS. We went into a special directory called /etc/pki/tls/certs, where CentOS stores its certificates. It contains a Makefile, which we used to create a .pem file holding the private key and a self-signed certificate that our FTP server needs. Afterwards, we used chmod to ensure that only the root user can read this file, since it contains the private key. Then, we appended six lines to our main vsftpd configuration file (after first making a backup of the original); they are pretty self-explanatory: enable SSL/TLS, use the self-signed certificate, refuse any non-SSL logins and data transfers, and use a static range of passive-mode ports. Because the control channel is now encrypted, the kernel's FTP connection-tracking helper can no longer read the PASV replies to open data ports on demand, which is why we created a new firewall service that opens this fixed passive range (together with port 21) explicitly.
Afterwards, we configured SFTP using a chroot jail. Without it, every user who logs in can browse the whole root filesystem, which is very insecure. Configuring SFTP is done completely in the main sshd config file. After making a backup of the original file, we changed the SFTP subsystem to internal-sftp, which is the newer SFTP server built into sshd itself: it performs better, runs inside the sshd process, and does not need the external sftp-server binary to be present inside the chroot. Next, we added three lines to the sshd configuration file: only users in the sshftp group are affected; they are put into a chroot jail under /home and cannot see anything above it; and ForceCommand ignores any command or shell the user would otherwise get and enforces the SFTP session instead. To add new chrooted SFTP users, all you have to do is create a standard Linux user account and add it to the sshftp user group.
If you want to test your FTPS server, you need an FTP client that supports "FTP over TLS"; find and enable this option in your client's settings. Under Linux, you can install the lftp client to test whether you can connect to the FTPS server. First, install the lftp package (for example, yum install lftp). Then, configure the client to use TLS. lftp reads one command per line from ~/.lftprc, so the settings must be written as separate lines:
cat > ~/.lftprc <<'EOF'
set ftp:ssl-auth TLS
set ftp:ssl-force true
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes
set ssl:verify-certificate no
EOF
The last line is needed only because this recipe uses a self-signed certificate; with a CA-issued certificate, leave verification enabled.
Now, you can connect and test your FTPS server using the following:
lftp -u username <server name>
If you want to test your SFTP server, you need the program called sftp. Note that the port is given with an uppercase -P; a lowercase -p tells sftp to preserve file timestamps instead:
sftp -P 22 john@<server name or ip address>