How to make a secure FTP server with vsftpd

This tutorial will guide you through making a secure FTP server on the Raspberry Pi. The program we will be using is vsftpd (Very Secure File Transfer Protocol Daemon). Configured to run over TLS, as shown further down, it encrypts the connection so that, unlike plain FTP, usernames and passwords are not sent in clear text.

The first step is to make sure your system is fully updated and upgraded. Then install vsftpd by running:

sudo apt-get install vsftpd


As soon as you run this command you have an FTP server installed and running. To make sure everything so far has worked, try logging in. You will need an FTP client later on anyway, so download one now. The client I am going to use is FileZilla, a free, open-source program for managing FTP connections.

Download a copy for your operating system – https://filezilla-project.org/

To test the server, start FileZilla and try to log in with the username anonymous and a blank password.

Tip: where the IP address is shown as 192.168.0.2, enter the address of your Raspberry Pi.

Because plain FTP isn't secure, you should configure the server to run over TLS. This encrypts all traffic between your machine and the FTP server. First we need to edit the vsftpd config file; before editing any config file it is always recommended to make a backup, so back it up by running:

 sudo cp /etc/vsftpd.conf /etc/vsftpd.conf_bak


Once the file is backed up you can edit it:

sudo nano /etc/vsftpd.conf

Edit the config file so that it looks something like this:


listen=YES
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# This is the welcome message your server responds with.
ftpd_banner=Welcome to my FTP
#
# SSL
ssl_enable=YES
# This selects the cipher type.
ssl_ciphers=HIGH
#
# Choose according to your preference: YES forces data transfers over TLS.
force_local_data_ssl=YES
#
# Choose according to your preference: YES forces logins over TLS.
force_local_logins_ssl=YES
#
# Protocol versions. Only TLS is enabled; SSLv2 and SSLv3 are broken
# protocols and must stay disabled on a server that is meant to be secure.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
#
# Give the correct path to your generated *.pem file.
rsa_cert_file=/etc/vsftpd/vsftpd.pem
# The *.pem file contains both the key and the cert.
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
#
# Passive mode and the port range it uses (these ports must be forwarded on your router).
pasv_enable=YES
pasv_min_port=12000
pasv_max_port=12100
#
# Some mobile clients require this.
require_ssl_reuse=NO

Each line is commented, but if you need to understand a setting further, refer to the vsftpd man page by typing:

man vsftpd
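The config above only protects logins and data if every TLS-related line says what you think it says: a single ssl_sslv3=YES, anonymous_enable=YES or a missing force_local_logins_ssl line silently undoes the hardening. The following POSIX sh script is an added example, not part of the original tutorial or of vsftpd itself: it reads a vsftpd.conf, ignores commented-out lines, and reports any setting that weakens the TLS-only setup. The two sample config files it creates are constructed for the demonstration; on the Pi you would point it at /etc/vsftpd.conf.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for settings that undo TLS hardening.
# Not from the original tutorial; the sample configs below are constructed.

# vsftpd_setting FILE KEY -> prints the value of KEY (last uncommented match,
# empty if the key is absent). Lines starting with '#' are ignored.
vsftpd_setting() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# audit_vsftpd_conf FILE -> prints one "WEAK:" line per finding (nothing if clean)
audit_vsftpd_conf() {
    conf="$1"
    # settings that must be YES, otherwise logins or data may travel in clear text
    for key in ssl_enable force_local_logins_ssl force_local_data_ssl; do
        if [ "$(vsftpd_setting "$conf" "$key")" != "YES" ]; then
            echo "WEAK: $key is not YES (clear-text logins or data possible)"
        fi
    done
    # settings that must not be YES: broken protocol versions and anonymous access
    for key in ssl_sslv2 ssl_sslv3 anonymous_enable; do
        if [ "$(vsftpd_setting "$conf" "$key")" = "YES" ]; then
            echo "WEAK: $key=YES"
        fi
    done
}

# vsftpd_conf_ok FILE -> exit status 0 only when the audit reports nothing
vsftpd_conf_ok() {
    [ "$(audit_vsftpd_conf "$1" | wc -l | tr -d ' ')" = "0" ]
}

# Constructed sample 1: TLS enabled, but SSLv2/v3 left on, anonymous access on,
# and force_local_logins_ssl missing. A commented-out line is included to show
# that comments are ignored.
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak.conf" <<'EOF'
listen=YES
anonymous_enable=YES
local_enable=YES
ssl_enable=YES
#force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
EOF

# Constructed sample 2: the hardened equivalent.
cat > "$demo_dir/hardened.conf" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
EOF

echo "== weak.conf =="
audit_vsftpd_conf "$demo_dir/weak.conf"
echo "== hardened.conf =="
audit_vsftpd_conf "$demo_dir/hardened.conf"
vsftpd_conf_ok "$demo_dir/hardened.conf" && echo "hardened.conf: no findings"
```

Run it after every edit to /etc/vsftpd.conf and before restarting the service; the first sample produces four findings (the missing force_local_logins_ssl line, the two SSL versions and anonymous access), the second produces none.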

Before you can connect to your FTP server with TLS encryption you need to create a certificate and key for the server to use. First make sure OpenSSL is installed and updated (you should already have it if you followed my previous tutorials):

sudo apt-get update

sudo apt-get install openssl

sudo apt-get upgrade

After this, create the certificate and key for your server. The config above expects them in /etc/vsftpd, which the vsftpd package does not create on its own, so create that directory first if it does not exist. The command below writes the key and the self-signed certificate into one .pem file (a 2048-bit RSA key is used; 1024-bit keys are rejected by current clients):

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

Once you have run this command you should be able to connect to your server. Don't forget that each time you edit the config file you must restart the vsftpd service:

sudo service vsftpd restart

If this restarts with no errors you can now connect to your server, but beware that some routers must have ports forwarded to work correctly: the FTP control port 21 and the passive range set in the config above (12000-12100). These are the ports that I have forwarded on my router.

Make sure that you enter the IP address of your Raspberry Pi in the IP address section of the forwarding rule. After this you should be able to get your FTP server working.

FileZilla Setup

Open the FileZilla program, go to File, then Site Manager.

Then enter your Raspberry Pi's IP in the Host field.

In the Encryption box select "Require explicit FTP over TLS".

Change the Logon Type to Normal and then enter your username and password into the boxes provided.

The screenshot doesn't show anything in Host, but put your Raspberry Pi's IP there.

When you select Connect you should get a pop-up box asking whether you want to accept the unknown certificate. Check that the certificate's details match what you entered earlier when you created the OpenSSL certificate and key.
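The certificate creation step above and this "unknown certificate" prompt go together: the prompt is only worth anything if you know what the server's certificate looks like. The script below is an added example, not code from the original post or from vsftpd: it creates the self-signed certificate non-interactively (-subj replaces the prompts), keeps the private key in its own file readable only by root, and prints the subject and SHA-256 fingerprint so they can be compared with what FileZilla shows before you click Accept. It writes into a temporary directory; on the Pi you would use /etc/vsftpd and point rsa_cert_file at the .crt and rsa_private_key_file at the .key instead of the combined .pem used earlier. The hostname raspberrypi.local is a constructed sample value.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate the vsftpd
# certificate and key, lock down the key, and print the fingerprint that
# the FileZilla certificate prompt should match.

# make_vsftpd_cert DIR HOSTNAME -> writes DIR/vsftpd.key (mode 600) and DIR/vsftpd.crt
make_vsftpd_cert() {
    dir="$1"
    host="$2"
    # 2048-bit RSA key, one year validity. -nodes leaves the key unencrypted so
    # vsftpd can read it at start-up without a passphrase; -subj supplies the
    # subject (common name = the server's hostname) without interactive prompts.
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$host" \
        -keyout "$dir/vsftpd.key" -out "$dir/vsftpd.crt" 2>/dev/null
    chmod 600 "$dir/vsftpd.key"   # private key: owner only
    chmod 644 "$dir/vsftpd.crt"   # certificate is public
}

# cert_fingerprint CERTFILE -> prints the SHA-256 fingerprint as colon-separated hex
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_subject CERTFILE -> prints the subject line (what you typed at creation)
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

demo_dir=$(mktemp -d)                       # stand-in for /etc/vsftpd
make_vsftpd_cert "$demo_dir" "raspberrypi.local"
echo "Subject:     $(cert_subject "$demo_dir/vsftpd.crt")"
echo "Fingerprint: $(cert_fingerprint "$demo_dir/vsftpd.crt")"
ls -l "$demo_dir/vsftpd.key"
```

Write the fingerprint down (or keep this output) and compare it with the fingerprint FileZilla displays; a mismatch means you are not talking to your own server. Because the certificate is self-signed, the "unknown certificate" warning is expected and this comparison is the only check you have.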

You should then be able to log in to your FTP server. If you would like to "jail" local users and have virtual users, keep an eye on this blog; I will be posting a part 2 soon.

If you have any comments or improvements please comment below. Also don't be afraid to ask questions.


2 thoughts on "How to make a secure FTP server with vsftpd"

  1. Thanks a lot. It did help me to get up and running. It would help to make a bullet (numbered) list of the changes you would propose in the conf file.

    One of the things I ask myself – and will test – is if this will run automatically now every time, or if I need to start the service again when I restart the raspberry pi.

    Great work. Nice contribution to overall knowledge!

    • Something that might help is to edit the /etc/rc.d/rc.local file and then add a line like " /usr/sbin/vsftpd & ". This then should start the program upon boot.

      I do not have access to the setup to check if this works, but if not, research starting it with cron.

      Additionally there are things you could add, like trying to jail users. This locks each user to a specific part of the server to restrict access to other resources. Additionally, to make it ultra secure you could try using a VPN server and only allow access to local users.
