LinuxQuestions.org

Red Hat forum thread: https://www.linuxquestions.org/questions/red-hat-31/setting-up-a-secure-ftp-site-under-rhel-5-3-a-848154/

rabjac 12-03-2010 09:04 AM

Setting Up A Secure FTP Site Under RHEL 5.3
 
I have recently set up a RHEL 5.3 server primarily to be used as an Apache web server. I also now have a requirement to have this server also service SFTP requests for uploading/downloading files.

1. By default RHEL 5.3 allows SFTP (over TCP port 22). However, when searching for SFTP site setup I've come across the fact that Red Hat recommends using vsftpd. So if I configure vsftpd, what happens to the default SFTP and the ability to remotely use something like PuTTY to SSH into the server? Really looking to see if SFTP or vsftpd is best. Also, is vsftpd as or more secure than FTP over SSH?

2. I've set aside a separate disk partition (to keep it away from the system partition to help lock down security) for the SFTP site. So I want to use that as the default SFTP root directory structure. How can this be achieved?

3. My requirements dictate 3 separate directories need to be used, each with their own associated SFTP user. The user can only read/write its own directory structure and cannot navigate out of it. Also there will be an SFTP super user able to navigate through each of the 3 directory structures mentioned, but will not be able to navigate out of its home directory. Can this be done, if so how?

There will be no SSL certificates in play at the moment. I'm more concerned about getting things set up and working correctly first. However there may be a requirement to use them later.

The site will be accessed over the Internet initially, hence the reason I'm looking to make it as secure as possible while getting it up and running quickly.

TIA.

TB0ne 12-03-2010 11:38 AM

Quote:

Originally Posted by rabjac (Post 4179534)
I have recently set up a RHEL 5.3 server primarily to be used as an Apache web server. I also now have a requirement to have this server also service SFTP requests for uploading/downloading files.

1. By default RHEL 5.3 allows SFTP (over TCP port 22). However, when searching for SFTP site setup I've come across the fact that Red Hat recommends using vsftpd. So if I configure vsftpd, what happens to the default SFTP and the ability to remotely use something like PuTTY to SSH into the server? Really looking to see if SFTP or vsftpd is best. Also, is vsftpd as or more secure than FTP over SSH?

In my opinion, using just SSH/SFTP is more secure. Running two services on two different ports only opens up another possible attack point. If SSH is already running, you've then already got SFTP running over that same port. If I HAD to run a dedicated FTP server, I'd choose vsftpd. Since vsftpd and SSH run on different ports, one doesn't affect the other. Also, SSH is considered by lots of folks to be pretty much the most secure remote access protocol, but you'll get LOTS of opinions on that, too.
Quote:

2. I've set aside a separate disk partition (to keep it away from the system partition to help lock down security) for the SFTP site. So I want to use that as the default SFTP root directory structure. How can this be achieved?

3. My requirements dictate 3 separate directories need to be used, each with their own associated SFTP user. The user can only read/write its own directory structure and cannot navigate out of it. Also there will be an SFTP super user able to navigate through each of the 3 directory structures mentioned, but will not be able to navigate out of its home directory. Can this be done, if so how?
Read the man page for sshd_config, and pay attention to the ChrootDirectory flag. Set that flag accordingly, so when users log in, it puts them in a 'jail', where ALL they can see is their own home directory, or whatever you've specified here. Chroot'ing is also possible with vsftpd.
Quote:

There will be no SSL certificates in play at the moment. I'm more concerned about getting things setup and working correctly first. However there may be a requirement to use them later.
The site will be accessed over the Internet initially, hence the reason I'm looking to make it as secure as possible while getting it up and running quickly.
TIA.
Both SFTP/SSH and vsftpd support certificates.

rabjac 12-09-2010 11:44 AM

I have decided to go with vsftpd and have the FTP site running as I would like. I now do need to add SSL into the mix (customer's request). I already have a wildcard cert on the server and was hoping to use this by putting the following directives into the vsftpd.conf file:

dsa_cert_file=/usr/share/ssl/certs/<certificate_file>
dsa_private_key_file=/usr/share/ssl/certs/<certificate_key_file>

Is there anything else I'm missing regarding setup for SSL encryption? When running a FTPS connection using FileZilla I get the following:

Status: Connecting to <server_IP>:990...
Status: Connection attempt failed with "ECONNREFUSED - Connection refused by server".
Error: Could not connect to server
Status: Waiting to retry...

This test is being run with iptables off. Could it be that, because the server is not fully commissioned yet, the certificate is causing this error?

TB0ne 12-09-2010 12:16 PM

Quote:

Originally Posted by rabjac (Post 4186136)
I have decided to go with vsftpd and have the FTP site running as I would like. I now do need to add SSL into the mix (customer's request). I already have a wildcard cert on the server and was hoping to use this by putting the following directives into the vsftpd.conf file:

dsa_cert_file=/usr/share/ssl/certs/<certificate_file>
dsa_private_key_file=/usr/share/ssl/certs/<certificate_key_file>

Is there anything else I'm missing regarding setup for SSL encryption? When running a FTPS connection using FileZilla I get the following:

Status: Connecting to <server_IP>:990...
Status: Connection attempt failed with "ECONNREFUSED - Connection refused by server".
Error: Could not connect to server
Status: Waiting to retry...

This test is being run with iptables off. Could it be that, because the server is not fully commissioned yet, the certificate is causing this error?

Not sure, since most of what I do I use SSH for. However, this how-to:
http://www.cyberciti.biz/tips/config...a-ssl-tls.html

may help. Also, be aware that you need to have an FTP client that is certificate-aware.
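A small diagnostic for the FileZilla symptom quoted above, added here and not part of the thread. It assumes GNU sed and mktemp, and its facts about listen_port, implicit_ssl, the force_local_*_ssl defaults and the rsa_/dsa_ directives come from vsftpd.conf(5), not from anything posted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: reports which kind of TLS listener a
# vsftpd.conf actually configures, so "connection refused on 990" can be told
# apart from a certificate problem. Facts used are from vsftpd.conf(5): without
# implicit_ssl=YES vsftpd listens on listen_port (default 21) and upgrades to
# TLS only after AUTH TLS (explicit FTPS); a client dialing 990 expects implicit
# FTPS, which needs implicit_ssl=YES and listen_port=990. dsa_cert_file is used
# only for a DSA certificate; an RSA certificate (what a CA-issued wildcard
# cert normally is) belongs in rsa_cert_file and rsa_private_key_file.

# conf_get <file> <key> [default]: last uncommented key=value, or the default.
conf_get() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# ftps_mode <file>: prints the listener mode and port; returns 1 when the file
# does not enable TLS at all (ssl_enable defaults to NO).
ftps_mode() {
    if [ "$(conf_get "$1" ssl_enable NO)" != YES ]; then
        echo "ssl_enable is not YES: plain FTP only"; return 1
    fi
    port=$(conf_get "$1" listen_port 21)
    if [ "$(conf_get "$1" implicit_ssl NO)" = YES ]; then
        echo "implicit FTPS on port $port (TLS handshake first)"
    else
        echo "explicit FTPS on port $port (plain connect, then AUTH TLS)"
    fi
}

# cert_warnings <file>: one line per likely misconfiguration; silent if none.
cert_warnings() {
    if [ -n "$(conf_get "$1" dsa_cert_file)" ] && [ -z "$(conf_get "$1" rsa_cert_file)" ]; then
        echo "only dsa_cert_file set: an RSA certificate must go in rsa_cert_file"
    fi
    [ "$(conf_get "$1" force_local_logins_ssl YES)" = YES ] || echo "force_local_logins_ssl=NO: passwords may travel in clear"
    [ "$(conf_get "$1" force_local_data_ssl YES)" = YES ] || echo "force_local_data_ssl=NO: file data may travel in clear"
    [ "$(conf_get "$1" ssl_sslv2 NO)" = NO ] && [ "$(conf_get "$1" ssl_sslv3 NO)" = NO ] || echo "SSLv2/SSLv3 enabled: keep both at NO"
}

# Constructed sample: the thread's two directives plus ssl_enable, nothing else.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
listen=YES
ssl_enable=YES
dsa_cert_file=/usr/share/ssl/certs/<certificate_file>
dsa_private_key_file=/usr/share/ssl/certs/<certificate_key_file>
EOF
ftps_mode "$SAMPLE"; cert_warnings "$SAMPLE"; rm -f "$SAMPLE"
```

Run against the real /etc/vsftpd/vsftpd.conf, the output says whether the client should dial 21 with "explicit FTP over TLS" or 990 with "implicit FTP over TLS" in FileZilla's site settings.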
