I just installed VSFTPD with SSL and I was wondering how I can make this more secure. How do you set up VSFTPD FTPS as implicit or explicit? I also wanted to set up each account so that users are chrooted. From my assumption, "chroot" only allows the user to view their home directory. This is all very new to me, but very exciting.
I've also seen people set up FTP with SSL (FTPS) and SSH (SFTP). What are some of your recommendations on this?
As for chrooting users, if you check vsftpd's config file (usually /etc/vsftpd.conf) you will see an option to enable chrooting of users; vsftpd has this built in.
You might also want to read the man page for the conf file (command: man vsftpd.conf), as it has some very nice extra options that can add a fair amount of security, including the option to explicitly allow some users to log in, or implicitly allow all users to log in.
It's a fair amount to read, and sometimes seems a bit of a dark art, but it's very thorough and well worth the time.
One last question for you though. I created a self-signed certificate for vsftpd so that it could use SSL, and I'm using CORE FTP as my FTP client. It only works when I put it under the connection type "AUTH SSL" and won't work when I have it selected as "FTPS (SSL Direct)". Can anyone shed some light on the differences?
thanks
Although I have not used CORE FTP, it sounds as though it supports SSH file transfers as well as SSL FTP.
SSL FTP uses SSL to encrypt a normal FTP connection, which prevents anyone snooping on your connection, but you are still using the FTP protocol.
You can, however, transfer files directly over SSH itself. You may wish to read the man page ("man scp" from the shell should do the trick). scp allows you to copy files over an SSH connection (this does not use the FTP protocol; it is analogous to opening an SSH connection and cat-ing the file through. It's a little more complex, but you get the idea).
The difference being, SSL FTP is using FTP (port 21, and a few others); it is an FTP protocol connection with some encryption added on. SSH transfers use the SSH server (port 22), and use a completely different protocol.
You can probably use "FTPS (SSL Direct)" mode if you set the port to 22 and enter your SSH account details, instead of the FTP details.
It's quite a nifty system, very useful for copying files to and from a machine if you haven't set up an FTP server yet, and of course, it's SSH encrypted.
Apologies if I have rambled, I'm stuffed up with flu atm and floating on a pink fluffy cloud of medication...
I've also seen people setup FTP with ssl (FTPS) and ssh (SFTP). What are some of your recommendations on this?
Two different protocols / implementations. Both get you encryption on the wire -- assuming you're forcing users to use SSL, and not continuing to allow clear-text ftp sessions.
Also, since SSL was slapped on to ftp after the fact, you still have to live with the "cruft" associated with ftps. (Primarily firewall issues; iptables has a module to work around this.)
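The two points made so far (the chroot and explicit-allow-list options in vsftpd.conf, and the warning that FTPS only helps if clear-text sessions are no longer accepted) are easy to get wrong because vsftpd falls back to compiled-in defaults for every option the file leaves out. The following is an added example, not code from the thread or from vsftpd: a small parser for vsftpd.conf's option=value format plus an audit that judges the effective value of each setting, using the defaults documented in vsftpd.conf(5). Both conf files are constructed samples; the first is the common shape of "SSL enabled but fallback allowed", the second shows the corrected settings (chroot_local_user, userlist_enable with userlist_deny=NO as an explicit allow list, and the force_local_*_ssl options).

```python
"""Audit a vsftpd.conf for the hardening discussed in the thread: chroot, an explicit
user allow-list, forced TLS, and no SSLv2/SSLv3. Example code, not part of vsftpd."""
from typing import Dict, List

# Compiled-in defaults from vsftpd.conf(5). An option missing from the file takes the
# default, so an audit has to judge the *effective* value rather than just the lines present.
DEFAULTS = {
    "anonymous_enable": "YES",
    "chroot_local_user": "NO",
    "userlist_enable": "NO",
    "userlist_deny": "YES",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
}

# Constructed sample: SSL switched on, but clients may still fall back to clear text,
# nobody is chrooted, and anonymous_enable is left at its default of YES.
WEAK_CONF = """\
listen=YES
local_enable=YES
write_enable=YES
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
# let older clients keep working without SSL
force_local_logins_ssl=NO
force_local_data_ssl=NO
ssl_sslv3=YES
"""

# Constructed sample of the corrected settings.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.key
"""


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """vsftpd.conf is one option=value per line with '#' comments; the man page warns that
    any whitespace around '=' is an error, so no trimming around the separator is done here."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed vsftpd.conf line: {raw!r}")
        key, value = line.split("=", 1)
        settings[key] = value
    return settings


def effective(settings: Dict[str, str], key: str) -> str:
    """Value the running daemon would use: the file's line, or the compiled-in default."""
    return settings.get(key, DEFAULTS[key])


def audit(settings: Dict[str, str]) -> List[str]:
    """Return one finding per weak effective setting; an empty list means all checks pass."""
    findings: List[str] = []
    expected = [
        ("anonymous_enable", "NO", "anonymous logins are accepted"),
        ("chroot_local_user", "YES", "local users are not jailed to their home directory"),
        ("ssl_enable", "YES", "TLS is not enabled at all"),
        ("ssl_sslv2", "NO", "SSLv2 is allowed"),
        ("ssl_sslv3", "NO", "SSLv3 is allowed"),
    ]
    for key, good, why in expected:
        value = effective(settings, key)
        if value != good:
            findings.append(f"{key}={value}: {why}")
    if effective(settings, "ssl_enable") == "YES":
        # ssl_enable alone still lets a client choose plain FTP; these two close that door.
        for key in ("force_local_logins_ssl", "force_local_data_ssl"):
            if effective(settings, key) != "YES":
                findings.append(f"{key}={effective(settings, key)}: clear-text FTP is still accepted alongside FTPS")
    if effective(settings, "userlist_enable") != "YES":
        findings.append("userlist_enable=NO: any local account PAM accepts can log in")
    elif effective(settings, "userlist_deny") != "NO":
        findings.append("userlist_deny=YES: user_list is a deny list, not an explicit allow list")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(parse_vsftpd_conf(conf)) or ['no findings']}")
```

One caveat when turning on chroot_local_user: vsftpd 2.3.5 and later refuse the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" if the user's home directory is writable by the user. Give each user a non-writable home containing a writable subdirectory rather than reaching for allow_writeable_chroot=YES, which reintroduces the condition the check exists to prevent.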
Well, since I'm using FTPS in "explicit" mode the data connection stays on the same initial port, but the data is later on encrypted. With implicit mode you have to use port 990, but everything is encrypted from start to end. Both have the data and logins encrypted, so I'm not sure what the major differences are between them. From my point of view, if I can keep the ports the same it might save a headache for both our clients and us. Is there a security hole in doing this, though?
ftps / ftps-data are IANA-recognized service ports. So I'm not sure if you may be saving a headache or creating a headache by using (IMO) non-standard ports.
Thanks for that!! From what I've configured it only works using port 21 or "auth ssl". How would I configure VSFTPD to use port 990 for full (implicit) FTPS? What I did was configure a self-signed certificate for VSFTPD while adding the following lines to /etc/vsftpd/vsftpd.conf.
Explicit Security: In order to establish the SSL link, explicit security requires that the FTP client issue a specific command to the FTP server after establishing a connection. The default FTP server port is used. This formal method is documented in RFC 2228.
Implicit Security: Implicit security automatically begins with an SSL connection as soon as the FTP client connects to an FTP server. In implicit security, the FTP server defines a specific port for the client (990) to be used for secure connections.
Interesting... I just entered the directive implicit_ssl=YES and received this error when trying to restart the service. This might seem like a silly question, but does it matter where in the config I put the directive?
[root@localhost ~]# nano /etc/vsftpd/vsftpd.conf
[root@localhost ~]# service vsftpd restart
Shutting down vsftpd: [FAILED]
Starting vsftpd for vsftpd: 500 OOPS: unrecognised variable in config file: implicit_ssl
[FAILED]
Perhaps check the vsftpd.conf(5) manpages for the version you have installed. It may be that the directive is not present in all versions (or that it's present under a different name).
By comparison, the Linux man page for the same (http://linux.die.net/man/5/vsftpd.conf) does not have that option, although it does have several SSL-related options.
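To make the explicit/implicit definitions quoted above concrete from the client side, here is an added example in Python (not from the thread, and independent of which vsftpd version is installed). The standard library's ftplib.FTP_TLS implements only explicit mode: it connects in the clear on port 21, reads the plain 220 greeting, and sends AUTH TLS before USER/PASS, which is the behaviour of an "AUTH SSL"-style connection type. The ImplicitFTP_TLS subclass below moves the TLS wrap to the moment FTP.connect() creates the TCP socket, so the very first bytes on port 990 are the handshake, which is what an implicit ("direct") client expects and why such a client gets nowhere against a server that only listens for explicit FTPS on 21. The host name, credentials and cafile argument in list_directory() are placeholders; for the self-signed certificate from the thread, cafile should point at that certificate's PEM rather than verification being disabled.

```python
"""Explicit FTPS (AUTH TLS on port 21) versus implicit FTPS (TLS from the first byte on 990),
as clients, using only the Python standard library. Example code, not from the thread."""
import ssl
from ftplib import FTP_TLS

EXPLICIT_PORT = 21   # plain FTP connect, then AUTH TLS (RFC 4217, descended from RFC 2228)
IMPLICIT_PORT = 990  # IANA 'ftps': the TLS handshake precedes the 220 greeting


def tls_context(cafile=None) -> ssl.SSLContext:
    """Always verify the server certificate. For a self-signed cert, pass its PEM file as
    cafile instead of turning verification off; otherwise any middlebox can present any cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


class ImplicitFTP_TLS(FTP_TLS):
    """ftplib's FTP_TLS knows only explicit mode (login() issues AUTH TLS on a plain socket).
    Implicit mode is the same protocol with the TLS wrap moved to connection time, so we
    intercept the socket assignment FTP.connect() makes and wrap it before any byte is read."""

    port = IMPLICIT_PORT
    _sock = None

    @property
    def sock(self):
        return self._sock

    @sock.setter
    def sock(self, value):
        # connect() assigns the fresh plain socket here, then calls makefile() and reads
        # the greeting; wrapping at this point means even the 220 banner is encrypted.
        if value is not None and not isinstance(value, ssl.SSLSocket):
            value = self.context.wrap_socket(value, server_hostname=self.host)
        self._sock = value
    # FTP_TLS.login() sees an SSLSocket already and therefore never sends AUTH TLS.
    # prot_p() still matters: data connections are separate TCP sessions.


def list_directory(host: str, user: str, password: str, implicit: bool = False,
                   cafile=None, path: str = "."):
    """Connect in the chosen mode, encrypt the data channel, and return a name listing."""
    ctx = tls_context(cafile)
    if implicit:
        client = ImplicitFTP_TLS(context=ctx)
        client.connect(host, IMPLICIT_PORT, timeout=10)  # TLS handshake, then '220 ...'
    else:
        client = FTP_TLS(context=ctx)
        client.connect(host, EXPLICIT_PORT, timeout=10)  # plain '220 ...' first
    client.login(user, password)  # explicit mode: AUTH TLS is sent here, before USER/PASS
    client.prot_p()               # PROT P: without it only the control channel is encrypted
    try:
        return client.nlst(path)
    finally:
        client.quit()


if __name__ == "__main__":
    # Placeholder endpoint and credentials; replace with a real server to run this.
    print(list_directory("ftp.example.test", "user", "secret", implicit=False))
    print(list_directory("ftp.example.test", "user", "secret", implicit=True,
                         cafile="/etc/vsftpd/vsftpd.pem"))
```

Whichever mode is used, the data channel is a separate TCP connection and is only encrypted after PROT P; a server with force_local_data_ssl=YES refuses transfers without it, a server without that option would send file contents in the clear. On the server side, later vsftpd releases document an implicit_ssl option (normally paired with listen_port=990), but as the reply above says, it has to exist in the man page of the version actually installed.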