Thursday, December 18, 2014

How to Install and Configure (SFTP) vsftpd to Use SSL/TLS on an Ubuntu 14.04 VPS


FTP, or File Transfer Protocol, was a popular way to transfer files between local and remote computers in the past. SFTP, sometimes called "Secure FTP", generally refers to the SSH File Transfer Protocol. If you must use FTP instead of a more secure alternative like SFTP, which uses the SSH protocol to implement file transfers, you can secure it somewhat by configuring FTP to use SSL.


You must log in with root privileges or use "sudo" before typing the commands.

Setup VsFTP Server 

Step 1 » Update ubuntu repositories.

     root@digidom:~# apt-get update

Step 2 » Install VsFTPD package. The vsftpd server is available in Ubuntu's default repositories.

     root@digidom:~# apt-get install vsftpd

Step 3 » After installation, check the location where vsftpd files are listed.

     root@digidom:~# whereis vsftpd

Step 4 » Back up the original vsftpd.conf to vsftpd.conf.back.

     root@digidom:~# cp /etc/vsftpd.conf /etc/vsftpd.conf.back

Step 5 » Configure basic vsftpd functionality. The default configuration file is at /etc/vsftpd.conf.

     root@digidom:~# vi /etc/vsftpd.conf

Prevent users from logging in anonymously by finding the anonymous_enable parameter and changing it to read "NO":

     anonymous_enable=NO

Next, we need to enable user logins that use the local authentication files, since we disabled anonymous access.

     local_enable=YES

To enable users to make modifications to the filesystem, we will uncomment the write_enable parameter as well:

     write_enable=YES

Additionally, uncomment the chroot_local_user option to restrict users to their own home directories:

     chroot_local_user=YES

Save and close the file.

Step 6 » To see the enabled options in vsftpd.conf file, use this command

     root@digidom:~# egrep -v '^#|^$' /etc/vsftpd.conf
          listen=YES
          anonymous_enable=NO
          local_enable=YES
          write_enable=YES
          local_umask=022
          dirmessage_enable=YES
          use_localtime=YES
          xferlog_enable=YES
          connect_from_port_20=YES
          chroot_local_user=YES
          secure_chroot_dir=/var/run/vsftpd/empty
          pam_service_name=vsftpd
          rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
          rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Step 7 » Restart vsftpd service using the below command.

     root@digidom:~# service vsftpd restart


Create an FTP User

Because of the way vsftpd secures its chroot jails, the chroot must not be owned by the user and must not be writeable. Because of this, it is best to implement a user specifically for use with FTP. 

Note : SFTP doesn't support /usr/sbin/nologin shells.

Step 8 » Create a user account, specify its home directory location (I point it to "/var/www/html/"), and set the password.

     root@digidom:~# useradd -m -d /var/www/html/ -s /bin/bash mailftp
     root@digidom:~# passwd mailftp

Note : Do not delete this account using "userdel -rf mailftp". It will remove the html directory, because the home directory of this user (mailftp) is /var/www/html/.

Step 9 » Now give root ownership of the "mailftp" home directory (/var/www/html/):

     root@digidom:~# chown root:root /var/www/html/
     root@digidom:~# ll -d /var/www/html/
          drwxr-xr-x  5 root root 4096 Dec 16 22:55 html/

Step 10 » We need to create a separate directory within this home directory, where files can be uploaded. Then, we need to give this directory over to our FTP user:

     root@digidom:~# mkdir /var/www/html/mailbox
     root@digidom:~# chown mailftp:mailftp /var/www/html/mailbox

     root@digidom:~# ll -d /var/www/html/mailbox
          drwxr-xr-x 2 mailftp mailftp 4096 Dec 17 00:46 /var/www/html/mailbox/

Step 11 » Now, we should be able to log in (insecurely) as the "mailftp" user and upload files to the mailbox directory using the terminal or an FTP client (FileZilla). Here I used the terminal.

     root@digidom:~# ftp localhost
          Connected to localhost.
          220 (vsFTPd 3.0.2)
          Name (localhost:root): mailftp
          331 Please specify the password.
          Password: "Enter The Password Here"
          230 Login successful.
          Remote system type is UNIX.
          Using binary mode to transfer files.
          ftp> ls
          200 PORT command successful. Consider using PASV.
          150 Here comes the directory listing.
          drwxr-xr-x    2 1001     1001         4096 Dec 17 00:46 mailbox
          226 Directory send OK.
          ftp> mkdir test  => No permission here, because /html/ is owned by root.
          550 Create directory operation failed.
          ftp> cd mailbox
          250 Directory successfully changed.
          ftp> mkdir test  
          257 "/mailbox/test" created
          ftp>
          ftp> bye
          221 Goodbye.

Configure SSL with vsftpd (SFTP).

Step 12 » We need to create some SSL certificates to use with vsftpd. Check whether openssl is installed or not.

     root@digidom:~# openssl version
          OpenSSL 1.0.1f 6 Jan 2014


     root@digidom:~# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem



Step 13 » See the vsftpd.pem certificate in the openssl directory.

     root@digidom:~# cd /etc/ssl/
     root@digidom:/etc/ssl# ll
          drwxr-xr-x  2 root root       20480 Dec 12 10:28 certs/
          -rw-r--r--  1 root root        10835 Apr  7  2014   openssl.cnf
          drwx--x--- 2 root ssl-cert   4096   Dec 17 01:12 private/

     root@digidom:/etc/ssl# ll private/
          -rw-r----- 1 root ssl-cert 1704 Dec 12 10:28 ssl-cert-snakeoil.key
          -rw-r--r-- 1 root root      2019 Dec 17 02:21 vsftpd.pem


Step 14 » Add the SSL Details to the vsftpd Configuration with root privilege.

     root@digidom:~# vi /etc/vsftpd.conf

Note : When we created the certificate, we included both the key file and the certificate in one file, so we can also point our private key line to that.

    rsa_cert_file=/etc/ssl/private/vsftpd.pem
    rsa_private_key_file=/etc/ssl/private/vsftpd.pem

We need to add the following lines to force SSL. This will restrict clients that can't deal with TLS, but that is what we want.

     ssl_enable=YES
     allow_anon_ssl=NO
     force_local_data_ssl=YES
     force_local_logins_ssl=YES

After this we configure the server to use TLS, which is actually a successor to SSL, and preferred:

     ssl_tlsv1=YES
     ssl_sslv2=NO
     ssl_sslv3=NO

Finally, we will add some additional options to flesh out our configuration file:

     require_ssl_reuse=NO
     ssl_ciphers=HIGH

Save and close the file.

Step 14 » Now, we need to restart our server for our changes to take effect:

     root@digidom:/var/www/html# service vsftpd restart
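
One way to check the result of Step 14, as an added example that is not part of the original post: the script below compares a vsftpd.conf against the values this page sets and checks that the combined key and certificate file is not accessible to other users. The function names and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit a vsftpd.conf against
# the values this page sets. Unset options are reported, not defaulted.

# Print the effective value of option $2 in file $1. vsftpd expects
# "option=value" with no spaces; a later line overrides an earlier one.
get_opt() {
    awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                   END { print v }' "$1"
}

# Print one finding per mismatch; return 1 if anything was found.
audit_vsftpd_conf() {
    local conf="$1" rc=0 key want got keyfile
    while read -r key want; do
        got=$(get_opt "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key=${got:-<unset>} (expected $want)"
            rc=1
        fi
    done <<'EOF'
anonymous_enable NO
ssl_enable YES
allow_anon_ssl NO
force_local_logins_ssl YES
force_local_data_ssl YES
ssl_sslv2 NO
ssl_sslv3 NO
ssl_tlsv1 YES
EOF
    # The PEM from Step 12 also holds the private key, so "other" must
    # have no access to it (characters 8-10 of the ls mode string).
    keyfile=$(get_opt "$conf" rsa_private_key_file)
    if [ -f "$keyfile" ] && [ "$(ls -ld "$keyfile" | cut -c8-10)" != "---" ]; then
        echo "FAIL $keyfile is accessible to other users"
        rc=1
    fi
    return $rc
}

# Constructed sample: Step 5 settings only, TLS options not yet added.
sample=$(mktemp)
printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' '#ssl_enable=YES' > "$sample"
audit_vsftpd_conf "$sample" || echo "audit found problems in $sample"
rm -f "$sample"
```

Run against the real file with `audit_vsftpd_conf /etc/vsftpd.conf`; a non-zero return status means at least one line was reported.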




How To Connect to the Server with FileZilla

Most modern FTP clients can be configured to use SSL and TLS encryption. Here I used FileZilla.


Step 15 » Open the FileZilla FTP client and go to File => Site Manager.


Step 16 » A new window will open. Go to
(1) New Site => (2) Specify the name => (3) Go to the General tab => (4,5,6,7,8) Add the following FTP details => (9) OK => The site will be created in the left panel.


Step 17 » After that, open File => Site Manager => select the new site under My Sites => Connect.


Step 18 » When you connect for the first time, you will be asked to accept the TLS certificate:

Just select "Always trust this host..."  =>  OK


Step 19 » After you accept the certificate, the client connects and the document root appears in the right-side panel. We can now upload and download files.

I have uploaded index.php file for testing purpose.


Step 20 » Now check the uploaded file using a web browser, to find out whether there is any permission issue.


Step 21 » You can also get access through the terminal using the sftp command.

1st => Check that the SSH connection is working, using "ssh root@Server-IP-Address".


2nd => After a successful SSH connection, you can use SFTP with this command:
 "sftp mailftp@Server-IP-Address". It will then ask for the mailftp password.



You should now be connected to your server with TLS/SSL encryption.