How To Configure vsftpd to Use SSL/TLS on an Ubuntu VPS

<strong class=“highlight”>Warning: FTP is inherently insecure! Consider <a href=“https://www.digitalocean.com/community/articles/how-to-use-sftp-to-securely-transfer-files-with-a-remote-server”>using SFTP instead of FTP</a>.</strong>

FTP, or file transfer protocol, was a popular way to transfer files between local and remote computers in the past. The protocol is inherently insecure, so its usage has fallen out of favor.

If you still want to use FTP instead of a more secure alternative like SFTP, which uses the SSH protocol to implement file transfers, you can secure it somewhat by configuring FTP to use SSL.

In this guide, we will configure vsftpd to use SSL certificates on an Ubuntu 12.04 VPS.

The vsftpd server is available in Ubuntu’s default repositories. You can install it by typing:

sudo apt-get install vsftpd

We now have vsftpd on our server, but we still must configure it.

The default configuration file is at /etc/vsftpd.conf. Open it with root privileges:

sudo nano /etc/vsftpd.conf

Disable the ability for users to log in anonymously by finding the anonymous_enable parameter and changing it to read “NO”:

<pre> anonymous_enable=<span class=“highlight”>NO</span> </pre>

Next, we need to enable user logins that use the local authentication files, since we disabled anonymous access. Uncomment this line:

local_enable=YES

To enable users to make modifications to the filesystem, we will uncomment the write_enable parameter as well:

write_enable=YES

Additionally, uncomment the chroot_local_user option to restrict users to their own home directories:

chroot_local_user=YES

Save and close the file.

Because of the way vsftpd secures its chroot jails, the chroot must not be owned by the user and must not be writeable. Because of this, it is best to implement a user specifically for use with FTP.

Create the user like this:

sudo adduser ftpuser

Assign a password and feel free to press “ENTER” through the other prompts. Now, give root ownership of the ftpuser’s home directory:

sudo chown root:root /home/ftpuser

We need to create a separate directory within this home directory where files can be uploaded. Then, we need to give this directory over to our FTP user:

sudo mkdir /home/ftpuser/files
sudo chown ftpuser:ftpuser /home/ftpuser/files

Now, we should be able to log in (insecurely) as the ftpuser and upload files to the files directory.

We need to create some SSL certificates to use with vsftpd. We can do this with the following command:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

This will create a certificate that will last a year. It will be placed in the /etc/ssl/private/ directory, which we can reference in our configuration file.

sudo nano /etc/vsftpd.conf

rsa_cert_file=/etc/ssl/private/vsftpd.pem

rsa_private_key_file=/etc/ssl/private/vsftpd.pem

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

require_ssl_reuse=NO
ssl_ciphers=HIGH

sudo service vsftpd restart

Most modern FTP clients can be configured to use SSL and TLS encryption. We will be demonstrating how to connect using FileZilla due to its cross platform support.

In the configuration panel, you should see a button on the far left to open “Site Manager”. Click this:

Click on “New Site” in the bottom right corner of the window interface that appears:

Name the new configuration. Fill out the IP address. Under the “Encryption” drop down menu, select “Require explicit FTP over TLS”.

For “Logon Type”, select “Ask for password”. Fill in the ftp user you created in the “User” field:

Click “Connect” at the bottom of the interface. You will be asked for your user’s password:

You will then be asked to accept the TLS certificate:

You should now be connected with your server with TLS/SSL encryption.

This setup improves the security of FTP, but it still suffers from insecurity when establishing a connection. If at all possible, it is better to switch to SFTP for these kinds of operations. However, if you do decide to go with FTP, you should make sure to use TLS/SSL whenever possible.

<div class=“author”>By Justin Ellingwood</div>