Ubuntu 12.04 - Setting up FTP over SSL

Introduction

Sometimes you want to allow a third party access to your server to upload files, such as a website, but you do not want to give them SSH access, which would let them run commands as a user on the box. However, plain old FTP transfers, although easy to set up, are not encrypted, which may be a worry for you. Here is how to set your Ubuntu 12.04 LTS server up to work with FTP over SSL, using FileZilla as the example client.

Steps

    1. Add a user to your Ubuntu system with a corresponding home directory. We will grant them access to their home directory over FTP. (If they need to reach /var/www/YOUR-SITE, just place a symlink to it in their home directory.)

        sudo useradd -d /home/$USERNAME -m $USERNAME
        sudo passwd $USERNAME

    2. Install vsftpd:

        sudo apt-get update && sudo apt-get install vsftpd -y

    3. Copy the following into your vsftpd config file at /etc/vsftpd.conf:

        listen=YES
        anonymous_enable=NO
        local_enable=YES
        write_enable=YES
        dirmessage_enable=YES
        use_localtime=YES
        xferlog_enable=YES
        connect_from_port_20=YES
        #chroot_local_user=YES
        secure_chroot_dir=/var/run/vsftpd/empty
        pam_service_name=vsftpd

        # If you want FTP over SSL (recommended) you will need the following lines.
        # You will probably want to use this location (vsftpd needs to be able to
        # read the file). Keep this comment on its own line: vsftpd treats everything
        # after the '=' as the value, so a trailing comment would become part of the path.
        rsa_cert_file=/etc/ssl/private/vsftpd.pem

        # This is required for FileZilla to work
        ssl_ciphers=HIGH

        ssl_tlsv1=YES
        #ssl_sslv2=YES
        #ssl_sslv3=YES

        # This is required for FileZilla to work
        require_ssl_reuse=NO
        ssl_enable=YES

        force_local_data_ssl=YES
        force_local_logins_ssl=YES

        # Make sure to run "ufw allow 60000/tcp" to open this port; all passive data
        # connections will go over it.
        pasv_min_port=60000
        pasv_max_port=60000

       • FileZilla requires ssl_ciphers=HIGH in vsftpd.conf.
       • Setting both the minimum and the maximum port to the same number is mandatory for those of us who have a firewall set up. This ensures that all FTP data connections use that one port instead of a range of ports, which would leave a huge gap in your firewall. Setting just one or the other will not work.

    4. Now set up a new RSA key and self-signed certificate, writing them to the path that rsa_cert_file points at:

        /usr/bin/openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

       Note that you can change the 2048 to 4096 for stronger encryption, although 2048 should be fine for quite a while. You can also add

        -days $YOUR-NUM-DAYS-HERE

       to have the certificate expire after that number of days (without -days, openssl req -x509 defaults to 30 days).

    5. Restart your vsftpd service:

        sudo service vsftpd restart

    6. Set up your firewall, allowing the following ports (I use ufw):

        21/tcp
        60000/tcp (or whatever port you specified in pasv_min_port/pasv_max_port of your vsftpd.conf file)

       Make sure you do not allow your SSH port, so that the same FTP username/password cannot be used to log in over SSH. If you still need SSH access yourself, you can add a rule for your own IP address (which will grant that IP access to everything).

    7. Connect to the server in FileZilla with the username and password you created, with the encryption setting "Require explicit FTP over TLS".
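To catch the slips the steps above are prone to (a plaintext fallback left open, a trailing comment on rsa_cert_file, a key file that everyone can read, a passive port the firewall does not cover), here is an added example script that is not part of the original post or of the vsftpd project. It reads a vsftpd.conf with the same rules vsftpd applies (the last line setting an option wins, and nothing after the '=' is treated as a comment), reports any setting that would weaken the setup, and prints the ufw rules the config implies. The function names conf_get, conf_is, check_ftps_conf, ufw_rules_for and write_sample_conf, the messages, and the built-in sample config are all this example's own; the only real names are the vsftpd options from the config above plus listen_port, vsftpd's option for the control port (default 21).

```shell
#!/bin/sh
# Added example, not code from the original post or from vsftpd: a checker for the
# vsftpd.conf settings the tutorial relies on. Names and messages are invented here.
#   Usage: sh check_ftps.sh /etc/vsftpd.conf   (no argument: check a built-in sample)

# conf_get FILE KEY: print KEY's effective value, i.e. everything after '=' on the
# last uncommented line that sets it (vsftpd lets later lines override earlier
# ones and does not strip trailing '# comments'); prints nothing if KEY is unset.
conf_get() {
    grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/[[:space:]]*$//'
}

# conf_is FILE KEY VALUE: true when KEY's value equals VALUE, ignoring case the
# way vsftpd does for YES/NO booleans.
conf_is() {
    have=$(conf_get "$1" "$2" | tr '[:lower:]' '[:upper:]')
    want=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# check_ftps_conf FILE: print one FAIL line per problem; status 0 only if all pass.
check_ftps_conf() {
    f=$1; fails=0
    if ! conf_is "$f" anonymous_enable NO; then
        echo "FAIL: anonymous_enable must be NO"; fails=$((fails + 1)); fi
    if ! conf_is "$f" ssl_enable YES; then
        echo "FAIL: ssl_enable must be YES"; fails=$((fails + 1)); fi
    # Without the two force_* settings a client may still log in and transfer
    # in the clear, which defeats the point of the whole setup.
    if ! conf_is "$f" force_local_logins_ssl YES; then
        echo "FAIL: force_local_logins_ssl must be YES (password would be sent in clear)"
        fails=$((fails + 1)); fi
    if ! conf_is "$f" force_local_data_ssl YES; then
        echo "FAIL: force_local_data_ssl must be YES (file contents would be sent in clear)"
        fails=$((fails + 1)); fi
    for proto in ssl_sslv2 ssl_sslv3; do
        if conf_is "$f" "$proto" YES; then
            echo "FAIL: $proto=YES enables an obsolete protocol"; fails=$((fails + 1)); fi
    done
    # Everything after '=' is the value, so 'rsa_cert_file=/x.pem # note' makes
    # vsftpd look for a file literally named '/x.pem # note'.
    for key in rsa_cert_file pasv_min_port pasv_max_port; do
        case "$(conf_get "$f" "$key")" in
            *'#'*) echo "FAIL: $key carries a trailing '#' comment that vsftpd reads as part of the value"
                   fails=$((fails + 1)) ;;
        esac
    done
    min=$(conf_get "$f" pasv_min_port); max=$(conf_get "$f" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "FAIL: pasv_min_port and pasv_max_port must both be set so the firewall can pin the data port"
        fails=$((fails + 1)); fi
    cert=$(conf_get "$f" rsa_cert_file)
    if [ -z "$cert" ]; then
        echo "FAIL: rsa_cert_file is not set"; fails=$((fails + 1))
    elif [ ! -f "$cert" ]; then
        echo "FAIL: rsa_cert_file $cert does not exist (generate it with openssl first)"
        fails=$((fails + 1))
    elif [ "$(ls -ld "$cert" | cut -c5-10)" != "------" ]; then
        # The .pem holds the private key as well as the certificate.
        echo "FAIL: $cert is group/world readable; chmod 600 it"; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# ufw_rules_for FILE: print the ufw commands the config implies (control port plus
# the passive data port, or the whole range if min and max differ).
ufw_rules_for() {
    f=$1
    port=$(conf_get "$f" listen_port); [ -n "$port" ] || port=21
    echo "ufw allow $port/tcp"
    min=$(conf_get "$f" pasv_min_port); max=$(conf_get "$f" pasv_max_port)
    if [ -n "$min" ] && [ "$min" = "$max" ]; then
        echo "ufw allow $min/tcp"
    elif [ -n "$min" ] && [ -n "$max" ]; then
        echo "ufw allow $min:$max/tcp"
    fi
}

# write_sample_conf DIR: write a constructed config with the tutorial's settings
# (and a dummy root-only .pem) into DIR and print its path, for a dry run.
write_sample_conf() {
    d=$1
    : > "$d/vsftpd.pem"; chmod 600 "$d/vsftpd.pem"
    cat > "$d/vsftpd.conf" <<EOF
listen=YES
anonymous_enable=NO
rsa_cert_file=$d/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
pasv_min_port=60000
pasv_max_port=60000
EOF
    echo "$d/vsftpd.conf"
}

target=${1:-$(write_sample_conf "$(mktemp -d)")}
if check_ftps_conf "$target"; then echo "OK: $target passes all checks"; fi
ufw_rules_for "$target"
```

Run it as root against /etc/vsftpd.conf after step 4 and before restarting vsftpd; with no argument it checks the constructed sample so you can see the output format. It only inspects the file and the permissions on the .pem; it does not prove the running service negotiates TLS, so still verify the connection from FileZilla afterwards.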

2 comments:

  1. Finally figured out I was missing the pasv port stuff... now my FTP is finally working with ufw. Thanks lots

    1. Glad I could be of some help :)
      By the way, if you are interested in more tutorials like this, be sure to keep an eye on http://blog.programster.org which all future updates are posted to.
