FTP, or File Transfer Protocol, was a popular way to transfer files between local and remote computers in the past. SFTP is called "Secure FTP" and generally uses the SSH File Transfer Protocol. If you use FTP instead of a more secure alternative like SFTP, which uses the SSH protocol to implement file transfers, you can secure it somewhat by configuring FTP to use SSL.
You must log in with root privileges or use sudo before typing the commands.
Setup VsFTP Server
Step 1 » Update the Ubuntu repositories.
root@digidom:~# apt-get update
Step 2 » Install the VsFTPD package. The vsftpd server is available in Ubuntu's default repositories.
root@digidom:~# apt-get install vsftpd
Step 3 » After installation, check the locations where the vsftpd files are installed.
root@digidom:~# whereis vsftpd
Step 4 » Back up the original vsftpd.conf to vsftpd.conf.back.
root@digidom:~# cp /etc/vsftpd.conf /etc/vsftpd.conf.back
Step 5 » Configure basic vsftpd functionality. The default configuration file is at /etc/vsftpd.conf.
root@digidom:~# vi /etc/vsftpd.conf
Disable anonymous logins by finding the anonymous_enable parameter and changing it to read "NO":
anonymous_enable=NO
Next, we need to enable user logins that use the local authentication files, since we disabled anonymous access.
local_enable=YES
To enable users to make modifications to the filesystem, we will uncomment the write_enable parameter as well:
write_enable=YES
Additionally, uncomment the chroot_local_user option to restrict users to their own home directories:
chroot_local_user=YES
Save and close the file.
Step 6 » To see the enabled options in the vsftpd.conf file, use this command:
root@digidom:~# egrep -v '^#|^$' /etc/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
Step 7 » Restart the vsftpd service using the command below.
root@digidom:~# service vsftpd restart
Create an FTP User
Because of the way vsftpd secures its chroot jails, the chroot must not be owned by the user and must not be writeable. Because of this, it is best to implement a user specifically for use with FTP.
Note: SFTP does not support /usr/sbin/nologin shells.
Step 8 » Create a user account, specify the home directory location (I point it to /var/www/html/) and set the password.
root@digidom:~# useradd -m -d /var/www/html/ -s /bin/bash mailftp
root@digidom:~# passwd mailftp
Note: Do not delete this account using "userdel -rf mailftp". It will remove the html directory, because this user's (mailftp) home directory is /var/www/html/.
Step 9 » Now give root ownership of the "mailftp" home directory (/var/www/html/):
root@digidom:~# chown root:root /var/www/html/
root@digidom:~# ll -d /var/www/html/
drwxr-xr-x 5 root root 4096 Dec 16 22:55 html/
Step 10 » We need to create a separate directory within this home directory, where files can be uploaded. Then, we need to give this directory over to our FTP user:
root@digidom:~# mkdir /var/www/html/mailbox
root@digidom:~# chown mailftp:mailftp /var/www/html/mailbox
root@digidom:~# ll -d /var/www/html/mailbox
drwxr-xr-x 2 mailftp mailftp 4096 Dec 17 00:46 /var/www/html/mailbox/
Step 11 » Now, we should be able to log in (insecurely) as "mailftp" and upload files to the upload directory using a terminal or an FTP client (FileZilla). Here I used the terminal.
root@digidom:~# ftp localhost
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:root): mailftp
331 Please specify the password.
Password: "Enter The Password Here"
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 1001 1001 4096 Dec 17 00:46 mailbox
226 Directory send OK.
ftp> mkdir test => No permission here, because /var/www/html/ is owned by root.
550 Create directory operation failed.
ftp> cd mailbox
250 Directory successfully changed.
ftp> mkdir test
257 "/mailbox/test" created
ftp>
ftp> bye
221 Goodbye.
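The permission rules behind the 550 above, as an added check that is not part of the tutorial: vsftpd refuses to run a chroot that the logged-in user can write to, so the home directory stays root-owned and not group- or world-writable, while only the mailbox subdirectory belongs to the FTP user. The script below verifies that layout on any directory tree; the temporary demo tree, the parameterised owner names and the OK/FAIL output format are its own assumptions.

```shell
# Added example, not part of the tutorial: verify the chroot layout built in Steps 9 and 10.
# vsftpd refuses a chroot the logged-in user could write to, so the home directory must belong
# to root and must not be group- or world-writable, while the upload subdirectory belongs to the
# FTP user. Owner names are parameters so the check can run on a constructed tree as a normal user.

# dir_field DIR N: field N of "ls -ld DIR" (1 = mode string such as drwxr-xr-x, 3 = owner)
dir_field() { ls -ld "$1" | awk -v n="$2" '{ print $n }'; }

# check_chroot_layout CHROOT UPLOAD_DIR FTP_USER [CHROOT_OWNER]
# Prints "OK" when every rule holds, otherwise one "FAIL: ..." line per rule broken.
check_chroot_layout() {
  chroot="$1"; upload="$2"; ftp_user="$3"; chroot_owner="${4:-root}"; fails=0
  owner="$(dir_field "$chroot" 3)"
  if [ "$owner" != "$chroot_owner" ]; then
    echo "FAIL: $chroot is owned by $owner, expected $chroot_owner"; fails=$((fails + 1))
  fi
  # mode string: position 6 is the group write bit, position 9 the others write bit
  case "$(dir_field "$chroot" 1)" in
    ?????w*|????????w*)
      echo "FAIL: $chroot is writable by group or others; vsftpd will refuse the chroot"
      fails=$((fails + 1)) ;;
  esac
  if [ ! -d "$upload" ]; then
    echo "FAIL: upload directory $upload does not exist"; fails=$((fails + 1))
  elif [ "$(dir_field "$upload" 3)" != "$ftp_user" ]; then
    echo "FAIL: $upload is owned by $(dir_field "$upload" 3), expected $ftp_user"; fails=$((fails + 1))
  fi
  if [ "$fails" -eq 0 ]; then echo "OK"; fi
}

# Constructed demo tree standing in for /var/www/html (chroot) and /var/www/html/mailbox (upload dir).
DEMO="$(mktemp -d)"; mkdir "$DEMO/mailbox"; chmod 755 "$DEMO" "$DEMO/mailbox"; ME="$(id -un)"
check_chroot_layout "$DEMO" "$DEMO/mailbox" "$ME" "$ME"   # layout as the tutorial leaves it
chmod 775 "$DEMO"
check_chroot_layout "$DEMO" "$DEMO/mailbox" "$ME" "$ME"   # group-writable chroot: vsftpd would refuse
```

On the real server the call is `check_chroot_layout /var/www/html /var/www/html/mailbox mailftp`, with the chroot owner defaulting to root.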
Configure SSL with vsftpd (SFTP)
Step 12 » We need to create some SSL certificates to use with vsftpd. Check whether openssl is installed or not.
root@digidom:~# openssl version
OpenSSL 1.0.1f 6 Jan 2014
root@digidom:~# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
Step 13 » See the vsftpd.pem certificate in the openssl directory.
root@digidom:~# cd /etc/ssl/
root@digidom:/etc/ssl# ll
drwxr-xr-x 2 root root 20480 Dec 12 10:28 certs/
-rw-r--r-- 1 root root 10835 Apr 7 2014 openssl.cnf
drwx--x--- 2 root ssl-cert 4096 Dec 17 01:12 private/
root@digidom:/etc/ssl# ll private/
-rw-r----- 1 root ssl-cert 1704 Dec 12 10:28 ssl-cert-snakeoil.key
-rw-r--r-- 1 root root 2019 Dec 17 02:21 vsftpd.pem
Step 14 » Add the SSL details to the vsftpd configuration with root privilege.
root@digidom:~# vi /etc/vsftpd.conf
Note: When we created the certificate, we included both the key file and the certificate in one file, so we can also point our private key line to that.
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
We need to add the following lines to force SSL.
This will restrict clients that can't deal with TLS, but that is what we want.
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
After this we configure the server to use TLS, which is actually a successor to SSL, and preferred:
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
Finally, we will add some additional options to flesh out our configuration file:
require_ssl_reuse=NO
ssl_ciphers=HIGH
Save and close the file.
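An audit of the finished configuration against Steps 5, 6 and 14, as an added example rather than code from the tutorial. It reads any vsftpd.conf, reports every setting that differs from what the steps above require, and also checks the mode of the file named by rsa_private_key_file, since the listing in Step 13 shows vsftpd.pem, which holds the private key, as world-readable. The two sample configurations and the stand-in key file are constructed in temporary files; the WARN output format is the script's own.

```shell
# Added example, not part of the tutorial: audit a vsftpd.conf against the values the page
# asks for, and check the permissions of the file named by rsa_private_key_file.
# Constructed sample 1: the configuration as it looks after Step 6, before the SSL steps.
BEFORE_CONF="$(mktemp)"
cat >"$BEFORE_CONF" <<'EOF'
# constructed vsftpd.conf sample
anonymous_enable=NO
chroot_local_user=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
EOF
# Constructed sample 2: the same file after Step 14, pointing at a stand-in key file created
# here with mode 600 (the page's listing shows vsftpd.pem as -rw-r--r--, which the audit flags).
KEY_FILE="$(mktemp)"; chmod 600 "$KEY_FILE"; AFTER_CONF="$(mktemp)"
{ grep -v '^rsa_' "$BEFORE_CONF"
  printf 'rsa_cert_file=%s\nrsa_private_key_file=%s\n' "$KEY_FILE" "$KEY_FILE"
  printf '%s\n' ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES \
    force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO \
    require_ssl_reuse=NO ssl_ciphers=HIGH
} >"$AFTER_CONF"

# conf_get FILE KEY: value of the last uncommented KEY=value line, empty if the key is absent.
conf_get() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }

# audit_vsftpd_conf FILE: one "WARN: ..." line per deviation from the tutorial's final config.
# Each hardening key must be present explicitly, so the verdict needs no knowledge of defaults.
audit_vsftpd_conf() {
  f="$1"
  for kv in anonymous_enable=NO chroot_local_user=YES ssl_enable=YES force_local_logins_ssl=YES \
            force_local_data_ssl=YES ssl_sslv2=NO ssl_sslv3=NO; do
    k="${kv%%=*}"; want="${kv#*=}"
    [ "$(conf_get "$f" "$k")" = "$want" ] || echo "WARN: $k is not set to $want"
  done
  case "$(conf_get "$f" rsa_cert_file)" in
    *snakeoil*) echo "WARN: rsa_cert_file still points at the Ubuntu placeholder certificate" ;;
  esac
  key="$(conf_get "$f" rsa_private_key_file)"
  if [ ! -f "$key" ]; then
    echo "WARN: rsa_private_key_file $key does not exist or is not readable"
  else
    # ls -ld mode string: positions 5-10 are the group/others bits; any of them exposes the key
    case "$(ls -ld "$key" | awk '{ print $1 }')" in
      ????------*) ;;
      *) echo "WARN: $key is readable by group or others but holds the private key" ;;
    esac
  fi
}

# count_warnings FILE: number of findings (0 means the file matches the tutorial's end state).
count_warnings() { audit_vsftpd_conf "$1" | awk 'END { print NR }'; }
audit_vsftpd_conf "$BEFORE_CONF"
```

Run `audit_vsftpd_conf /etc/vsftpd.conf` as root on the server itself; after Step 14 the only expected finding is the permission warning on vsftpd.pem, which `chmod 600 /etc/ssl/private/vsftpd.pem` resolves.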
Step 15 » Now, we need to restart our server for our changes to take effect:
root@digidom:/var/www/html# service vsftpd restart
How To Connect to the Server with FileZilla
Most modern FTP clients can be configured to use SSL and TLS encryption. Here I used FileZilla.
Step 16 » Open the FileZilla FTP client and go to File => Site Manager.
Step 17 » In the window that opens, go to (1) New Site => (2) specify the name => (3) go to the General tab => (4,5,6,7,8) add the following FTP details => (9) OK. The site will be created in the left panel.
Step 18 » When you connect for the first time, you will be asked to accept the TLS certificate. Just select "Always trust this host..." => OK.
Step 19 » By accepting the certificate, the client connects and we can see the document root in the right-hand panel. We can upload and download files. I have uploaded an index.php file for testing purposes.
Step 20 » Now check the uploaded file using a web browser, to find out whether there is any permission issue.
Step 21 » You can also access the server through the terminal using the SFTP command. First, check that the SSH connection is working fine; then you can access SFTP using "ssh root@Server-IP-Address".
You should now be connected to your server with TLS/SSL encryption.