Install vsftpd

The vsftpd server is available in CentOS’s default repositories. We can install it by typing:

sudo yum install vsftpd

The vsftpd server is now installed on our VPS. We can configure some connections options in the next section.

Configure Basic Settings for vsftpd

The main configuration file for vsftpd on CentOS is kept in the /etc/vsftpd/ directory. It is calledvsftpd.conf.

Open this file in your editor with root privileges:

sudo nano /etc/vsftpd/vsftpd.conf

We need to adjust some basic parameters in this file to increase security and establish our connection options.

The first thing we will do is disable anonymous users. While this option may make sense for a large, public facing file dump (like public software repositories), for a personal FTP server, this is almost never a good idea.

anonymous_enable=NO

Since we are disabling anonymous users, we need to provide a way for our system to authenticate our users. We will allow local users, meaning that vsftpd will use our Linux system users and authentication to determine who can sign in.

To enable this, make sure that this option is set:

local_enable=YES

We will also allow them write access, so that they can upload material and modify content:

write_enable=YES

We also want to confine our users to their respective home directories. The option for that is:

chroot_local_user=YES

This is enough for a basic (non-SSL) FTP configuration. We will add the SSL functionality later.

Save and close the file.

Create an FTP User

We have selected to use local users and to confine them to their home directories with a chroot environment.

Create a new user with this command:

sudo adduser ftpuser

Assign a password to the new user by typing:

sudo passwd ftpuser

The version of vsftpd in CentOS 6.4 is older, so this portion of the setup is easier than some newer versions.

Configure SSL with vsftpd

The first step towards getting vsftpd to operate with SSL is to create our SSL certificate. We will actually be using TLS, which is a protocol that is a successor to SSL and more secure.

We will create a subdirectory within the SSL directory to store our files:

sudo mkdir /etc/ssl/private

To create the certificate and the key in a single file, we can use this command:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Fill out the questions that it asks. The most important being the “Common Name” of your server, which will be the IP address or domain name that you will use to connect.

Add the SSL Details to the vsftpd Configuration File

Now, we need to alter our configuration to point to the new keys and configure the secure connection.

Open the vsftpd configuration file as root again:

sudo nano /etc/vsftpd/vsftpd.conf

Scroll to the bottom of the file. We will add our SSL/TLS information here.

We need to specify the location of our certificate and key files. We actually combined both pieces of information into a single file, so we will point both options to the same file:

rsa_cert_file=/etc/ssl/private/vsftpd.pem

rsa_private_key_file=/etc/ssl/private/vsftpd.pem

Next, we need enable the use of these files and disable anonymous users. We should also force the use of SSL for both data transfer and login routines. This will make the security mandatory:

ssl_enable=YES

allow_anon_ssl=NO

force_local_data_ssl=YES

force_local_logins_ssl=YES

Next, we will restrict the type of connection to TLS, which is more secure than SSL. We will do this by explicitly allowing TLS and denying the use of SSL:

ssl_tlsv1=YES

ssl_sslv2=NO

ssl_sslv3=NO

We’ll add a few more configuration options before finishing:

require_ssl_reuse=NO

ssl_ciphers=HIGH

Save and close the file.

We need to restart vsftpd to enable our changes:

sudo /etc/init.d/vsftpd restart

We will also configure it to start automatically with every reboot:

sudo chkconfig vsftpd on

Leave a Reply

Your email address will not be published. Required fields are marked *