While FTP is still widely used to share data or transfer files over a network, you must be aware that it is an insecure protocol with no protection built in: everything, including the login credentials, crosses the network in cleartext and is fully exposed to anyone who can observe the traffic. This is not what you want for sensitive data. To avoid these risks, this process shows you how to set up two alternatives: FTPS (FTP over SSL/TLS, also written FTP/SSL), which keeps vsftpd but wraps the FTP connections in TLS, and SFTP (the SSH File Transfer Protocol), which is a different protocol carried inside an SSH session.
To Start With: What Do You Need?
To complete this process, you will require a minimal installation of the CentOS 7 operating system with root privileges and a console-based text editor of your choice. You should already have installed and configured a basic vsftpd server (for details, check Providing Web Services for how to do it). Also, for setting up FTPS, we will need to create a self-signed certificate; if you want to know the details behind it, please read the Generating self-signed certificates process. SFTP needs no certificate, only a working sshd.
The Process
Decide beforehand whether you want to use SFTP or FTPS. The two are independent of each other (FTPS is configured in vsftpd, SFTP in sshd), and this process treats them as alternatives, so pick one first. If you later switch from one to the other, restore the default state of vsftpd.conf or sshd_config from the backups made below before applying the other configuration.
Securing your vsftpd server with SSL–FTPS
To secure your vsftpd server with SSL/TLS (FTPS), perform the following steps:
- Log in as root and go to the standard certificate location:
cd /etc/pki/tls/certs
- Now, let's create the TLS key pair for our FTP server. The Makefile in this directory writes the private key and a self-signed certificate (which carries the public key) into a single file. You will be prompted for the certificate subject; the Common Name value should be the DNS name of your FTP server, because clients that verify certificates compare it with the name they connect to:
make ftp-server.pem
- Restrict access to the file, since it contains the private key and only root (and vsftpd, which reads it as root) needs it:
chmod 400 /etc/pki/tls/certs/ftp-server.pem
- Before editing it, make a backup of the vsftpd.conf file:
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.BAK
- Now, enable TLS, point vsftpd at the key/certificate file we just created, require TLS for both logins and data transfers, and pin the passive data port range to something the firewall can open:
echo "rsa_cert_file=/etc/pki/tls/certs/ftp-server.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
pasv_min_port=40000
pasv_max_port=40100" >> /etc/vsftpd/vsftpd.conf
- Next, we need to add a new firewalld service file, so open the following:
vi /etc/firewalld/services/ftps.xml
- Put in the following content:
<?xml version="1.0" encoding="utf-8"?>
<service>
<description>enable FTPS ports</description>
<port protocol="tcp" port="40000-40100"/>
<port protocol="tcp" port="21"/>
<module name="nf_conntrack_ftp"/>
</service>
- Finally, reload the firewall (so that it picks up the new service file), add the ftps service permanently, reload again, and restart your vsftpd server:
firewall-cmd --reload; firewall-cmd --permanent --add-service=ftps;
firewall-cmd --reload
systemctl restart vsftpd
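Before restarting vsftpd it is worth checking that the six settings above, the certificate file and the firewall definition agree with each other: a passive range that the firewall does not cover is the most common reason an FTPS server accepts logins but then hangs on every directory listing, and a cert file readable by everyone hands out the private key. The following script is an added example (not part of the original process, vsftpd or firewalld) that performs those checks offline against the two files. The function names are assumptions, the file paths are parameters, and stat -c assumes GNU coreutils as shipped with CentOS 7.

```bash
#!/bin/bash
# Added example: sanity-check an FTPS configuration before restarting vsftpd.
# Usage: check_ftps_config /etc/vsftpd/vsftpd.conf /etc/firewalld/services/ftps.xml

# vsftpd_get KEY FILE: value of the last uncommented "KEY=VALUE" line, or empty.
vsftpd_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# check_ftps_config VSFTPD_CONF FTPS_XML
# Prints each problem to stderr; returns 0 only when all checks pass.
check_ftps_config() {
    local conf="$1" xml="$2" rc=0 key val

    # 1. TLS must be enabled and mandatory for logins and data transfers,
    #    otherwise clients can silently fall back to cleartext FTP.
    for key in ssl_enable force_local_logins_ssl force_local_data_ssl; do
        val=$(vsftpd_get "$key" "$conf")
        if [ "$val" != "YES" ]; then
            echo "$conf: $key must be YES (currently '${val:-unset}')" >&2
            rc=1
        fi
    done

    # 2. vsftpd disables SSLv2/SSLv3 by default; flag a config that re-enables them.
    for key in ssl_sslv2 ssl_sslv3; do
        if [ "$(vsftpd_get "$key" "$conf")" = "YES" ]; then
            echo "$conf: $key=YES re-enables a broken protocol" >&2
            rc=1
        fi
    done

    # 3. The combined key/certificate PEM must exist and be unreadable by others.
    local cert mode
    cert=$(vsftpd_get rsa_cert_file "$conf")
    if [ -z "$cert" ] || [ ! -f "$cert" ]; then
        echo "$conf: rsa_cert_file is unset or '$cert' does not exist" >&2
        rc=1
    else
        mode=$(stat -c '%a' "$cert")
        case "$mode" in
            400|600) ;;
            *) echo "$cert: mode $mode, expected 400 (it holds the private key)" >&2; rc=1 ;;
        esac
    fi

    # 4. Passive data ports: TLS hides the PASV reply from nf_conntrack_ftp,
    #    so the static range must be opened explicitly in the firewall.
    local pmin pmax range lo hi covered=0
    pmin=$(vsftpd_get pasv_min_port "$conf")
    pmax=$(vsftpd_get pasv_max_port "$conf")
    if [ -z "$pmin" ] || [ -z "$pmax" ] || [ "$pmin" -gt "$pmax" ]; then
        echo "$conf: pasv_min_port/pasv_max_port missing or inverted" >&2
        rc=1
    else
        # every tcp port or port range declared in the firewalld service XML
        for range in $(grep -o 'protocol="tcp"[[:space:]]*port="[0-9-]*"' "$xml" \
                       | sed 's/.*port="\(.*\)"/\1/'); do
            lo=${range%-*}; hi=${range#*-}     # "21" yields lo=hi=21
            if [ "$lo" -le "$pmin" ] && [ "$hi" -ge "$pmax" ]; then
                covered=1
            fi
        done
        if [ "$covered" -eq 0 ]; then
            echo "$xml: no tcp range covers passive ports $pmin-$pmax" >&2
            rc=1
        fi
        if ! grep -q 'protocol="tcp"[[:space:]]*port="21"' "$xml"; then
            echo "$xml: control port 21/tcp is not opened" >&2
            rc=1
        fi
    fi
    return "$rc"
}
```

Run it before systemctl restart vsftpd. For a live check after the restart, openssl s_client -connect <server name>:21 -starttls ftp shows the certificate the server presents and confirms that it upgrades the control connection to TLS.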
Securing your vsftpd server using SSH – SFTP
To offer SFTP over SSH instead (this part does not involve vsftpd at all), perform the following steps:
- First, create a group for all valid SFTP users:
groupadd sshftp
- We will work on the sshd main config file, so please make a backup before making any changes:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.BAK
- Now, open the sshd_config file, go to the line containing the Subsystem directive, disable it by putting a # sign at the beginning of the line, and add a new line below it so that the two read as follows:
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
- Next, add the following lines to the end of the file to enable chrooted SFTP for the group:
Match Group sshftp
ChrootDirectory /home
ForceCommand internal-sftp
- Finally, restart the sshd daemon:
systemctl restart sshd
How Does It Work?
In this process, you have learned how to make file transfers more secure by replacing plain FTP with FTPS (FTP over SSL/TLS) or with SFTP over SSH. Both encrypt the session, so credentials and data are no longer readable on the wire, but they do it differently: FTPS keeps the FTP protocol and wraps its control and data connections in TLS, whereas SFTP is a separate file transfer protocol that runs inside an SSH session and uses no SSL/TLS at all. Which variant you choose is up to you, but SFTP is simpler to set up: it needs no certificate and no extra firewall ports, because everything runs over the SSH port, which is already open on most systems.
So, what did we learn from this experience?
We began the process by configuring FTPS. We went into the directory /etc/pki/tls/certs, where CentOS keeps its certificates. It contains a Makefile, which we used to create a .pem file holding the private key and a self-signed certificate (with the public key) that our FTP server needs. Afterwards, we used chmod to ensure that only the root user can read this file. Then, after backing up the original, we appended six lines to the main vsftpd configuration file; they are pretty self-explanatory: enable TLS, use the self-signed certificate, refuse any login or data transfer that is not protected by TLS, and use a static range of passive data ports. The static range matters because, once the control connection is encrypted, the firewall's FTP connection tracker (nf_conntrack_ftp) can no longer read the PASV replies and open data ports on demand. That is why we created a new firewalld service that opens port 21 and the passive port range explicitly.
Afterwards, we configured SFTP using a chroot jail. Without it, every SFTP user can browse the whole root filesystem, which is very insecure. Configuring SFTP is done completely in the main sshd config file. After making a backup of the original file, we changed the sftp subsystem to internal-sftp, the SFTP server built into sshd itself: it runs inside the sshd process, so no sftp-server binary (or the libraries it needs) has to exist inside the chroot, which is what makes a chroot jail practical. Next, we added three lines to the end of sshd_config: the Match Group block applies only to users in the sshftp group, ChrootDirectory confines them to /home (they see /home as their root, so they can still see the names of the other home directories, but CentOS creates home directories with mode 700, so not their contents), and ForceCommand internal-sftp ignores whatever command the client asks for and only ever runs the SFTP server, so these users get no shell. Note that sshd requires /home and every directory above it to be owned by root and not writable by group or others, or it will refuse the chroot. To add new chrooted SFTP users, all you have to do is create a standard Linux user account and add it to the sshftp group.
There's more…
If you want to test your enabled FTPS server, you need an FTP client that supports "FTP over TLS" (often labelled explicit FTPS or AUTH TLS). You have to find and enable this option in your FTP client's settings. Under Linux, you can install the lftp client to test if you can connect to our FTPS server. First, install the lftp package (for example, yum install lftp). Then, configure the client to use TLS:
echo "set ftp:ssl-auth TLS
set ftp:ssl-force true
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes
set ssl:verify-certificate no" >~/.lftprc
Be aware that ssl:verify-certificate no turns off certificate validation, which is only acceptable for a quick test against a self-signed certificate: a client that skips validation will just as happily talk to an impostor. For regular use, copy the server's certificate to the client and point lftp at it with the ssl:ca-file setting instead. Now, you can connect and test your FTPS server using the following:
lftp -u username <server name>
If you want to test your enabled SFTP server, you need the program called sftp. Note that the port option is an uppercase -P and goes before the destination (a lowercase -p means preserve file times):
sftp -P 22 john@<server name or ip address>
Note
Remember that SFTP is served by sshd, so every setting in sshd_config applies to it as well. If you disabled root login or run SSH on a port other than 22, you have to take that into consideration when you try to log in over SFTP.