Friday, 13 March 2015

Installation and Configuring FTPS - Redhat/CentOS

     
'vsftpd' is a very popular package for FTP, but poses a security threat because it transfers username,passwords etc in plain text, I would explain in this article as how FTP offers encryption with the help of SSL and TLS protocols.

FTP defines a client-server architecture that uses two ports in-order to establish connectivity between server and the client.
1. Port # 20 : data transfer
2. Port # 21 : autentication connnections.

as a security measure, we have two options that offer secure file transfer capabilities, which are SFTP and FTPS.
SFTP uses a SSH connection to run file transfers over a secure channel, while FTPS uses cryptographic protocols such as SSL( Secure Socket Layer) and TLS (Transport Layer Security).

I would elobrate SFTP protocol in order to setup a secure FTP server using SSL certificates.

Environment: CentOS 6.6/Redhat 6.6 (x86_64)
Packages : vsftpd-2.2.2-12.el6_5.1.i686 / openssl-1.0.1e-30.el6.i686

Install openssl and vsftpd based on your distros:

sudo apt-get install vsftpd openssl  -> Debian
yum install vsftpd openssl           -> Redhat
zypper install vsftpd openssl        -> SuSE

For, data encryption purpose we need to create a SSL certificate(rsa_cert_file)and RSA key file(rsa_private_key) which is used by 'vsftpd' in the configuration file (/etc/vsftpd/vsftpd.conf).

[root@centnode1]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Generating a 2048 bit RSA private key
.+++
.............+++
writing new private key to '/etc/vsftpd/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Karnataka
Locality Name (eg, city) [Default City]:Bangalore
Organization Name (eg, company) [Default Company Ltd]:testlabs
Organizational Unit Name (eg, section) []:OperatingSystems
Common Name (eg, your name or your server's hostname) []:centnode1
Email Address []:sunlnx@gmail.com
[root@centnode1]#

We need to instruct vsftpd to use that SSL certificate to carry encryption process for data and authentication:

[root@centnode1]# vi /etc/vsftpd/vsftpd.conf

#Turn on SSL
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

#Mention the certificate and key file location
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem

#Enable TLS as it is more secure than SSL
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES

#allow local users added to the system to use FTP
local_enable=YES

#Prevent anonymous logins
anonymous_anable=NO

#accept FTP write command
write_enable=YES

#chroot users
chroot_local_user=YES
[root@centnode1]#

start/restart your 'vsftpd' to take effect and make sure it start's during the boot time.

[root@centnode1]# service vsftpd start
[root@centnode1]# chkconfig vsftpd on

Now, your FTP server is ready and can add users who can access it. every user will get a separate home directory and with chroot jail activated users are forced to work within their home directories.

[root@centnode1 ~]# useradd ftpuser
[root@centnode1 ~]# passwd ftpuser

Test your SSL connection over 'vsftpd'

when you first try to connect using plain ftp, it must fail asking for encryption.

[root@centnode1 ~]# ftp 192.168.229.130
Connected to 192.168.229.130 (192.168.229.130).
220 (vsFTPd 2.2.2)
Name (192.168.229.130:root): ftpuser
530 Non-anonymous sessions must use encryption.  <<<=====================
Login failed.
ftp>

create few files in 'ftpuser' home directory and get them listed using 'curl' 

[root@centnode1 ~]# curl --ftp-ssl --insecure --user ftpuser:password ftp://ftpserver
-rw-rw-r--    1 500      500             0 Mar 13 06:15 ftptestfile
[root@centnode1 ~]#

ftp-ssl  : tells curl to use ftps
insecure : tells curl not to use any ssl certificate to authenticate and instead just connect.
user     : specifies the username and password

Now, the user 'ftpuser' will be able to use the FTPS services with any FTP clients that supports SSL/TLS such as filezilla. If you want to limit access to FTPS server, but allow people to use FTPS services at the same time, by changing their shell to /sbin/nologin.