FTP (File Transfer Protocol) is a standard network protocol used to transfer files between a client and a server. FTP sends both data and credentials in plain text. Sysadmins can overcome this limitation by configuring a Secure FTP server on CentOS 8 that uses FTPS (FTP over TLS) instead of plain FTP.
In this lab, you will learn how to install a Secure FTP server on CentOS 8 using vsftpd.
The instructions in this article are of an advanced level. If you are new to the Linux world, we strongly recommend that you read Red Hat RHCSA 8 Cert Guide: EX200 (Certification Guide) by Pearson IT Certification. It provides basic to intermediate knowledge of RHEL (Red Hat Enterprise Linux) 8 and CentOS 8.
Table of Contents:
- Environment Specification
- Installing vsftpd on CentOS 8
- Configure User List in Secure FTP Server
- Enable Chroot Jail for Secure FTP Server on CentOS 8
- Generate a TLS certificate for Secure FTP service
- Create a CentOS 8 User to access Secure FTP Service
- Testing Secure FTP Server from CentOS 8 client
Environment Specification:
We are using two minimal CentOS 8 virtual machines with the following specifications.
FTP Server
- CPU - 3.4 GHz (2 cores)
- Memory - 2 GB
- Storage - 20 GB
- Operating System - CentOS 8.0
- Hostname - ftp-server.sysadminlabs.com
- IP Address - 192.168.116.217/24
FTP Client
- CPU - 3.4 GHz (2 cores)
- Memory - 2 GB
- Storage - 20 GB
- Operating System - CentOS 8.0
- Hostname - ftp-client.sysadminlabs.com
- IP Address - 192.168.116.218/24
Installing vsftpd on CentOS 8:
Connect to ftp-server.sysadminlabs.com as the root user using an SSH client such as PuTTY.
vsftpd (Very Secure FTP Daemon) is the software package that has long been used to provide FTP services on Linux.
vsftpd is available in the default yum repositories, so it can be installed with a single dnf command.
[root@ftp-server ~]# dnf install -y vsftpd
Last metadata expiration check: 0:07:10 ago on Wed 29 Jan 2020 07:27:26 PM PKT.
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
vsftpd x86_64 3.0.3-28.el8 AppStream 180 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 180 k
Installed size: 359 k
Downloading Packages:
vsftpd-3.0.3-28.el8.x86_64.rpm 115 kB/s | 180 kB 00:01
--------------------------------------------------------------------------------
Total 39 kB/s | 180 kB 00:04
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : vsftpd-3.0.3-28.el8.x86_64 1/1
Running scriptlet: vsftpd-3.0.3-28.el8.x86_64 1/1
Verifying : vsftpd-3.0.3-28.el8.x86_64 1/1
Installed:
vsftpd-3.0.3-28.el8.x86_64
Complete!
Take a backup of the existing vsftpd.conf file.
[root@ftp-server ~]# cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.org
Now edit the vsftpd configuration file.
[root@ftp-server ~]# vi /etc/vsftpd/vsftpd.conf
Find and set the following directives in the file. The text after each # is explanation only: vsftpd does not accept trailing comments on a directive line (it aborts with a "bad bool value" error), so enter only the key=value part.
anonymous_enable=NO # disable anonymous users
local_enable=YES # allow local users
write_enable=YES # allow ftp write commands
local_umask=022 # set default umask
dirmessage_enable=YES # enable messages on change directory
xferlog_enable=YES # enable logging of uploads and downloads
connect_from_port_20=YES # ensure PORT transfer connections from port 20 (ftp-data)
xferlog_std_format=YES # keep standard log format
listen=NO # do not bind a separate IPv4-only socket (the IPv6 socket below serves IPv4 too)
listen_ipv6=YES # run standalone on an IPv6 socket, which also accepts IPv4 connections
pam_service_name=vsftpd # set PAM Service name to vsftpd
Configure User List in Secure FTP Server:
Users that are allowed or denied access to the FTP service are listed in a user_list file.
The default user_list file is /etc/vsftpd/user_list; FTP users are added to or removed from this file.
By default, all users in user_list are denied access to the FTP service.
We have to turn the list into an allow list explicitly by setting the following directives in vsftpd.conf.
userlist_enable=YES # enable vsftpd to load usernames
userlist_deny=NO # allow access to users in userlist
Enable Chroot Jail for Secure FTP Server on CentOS 8:
To confine FTP users to their home directories with a chroot, add the following two directives to vsftpd.conf.
chroot_local_user=YES # chroot each local user into its home directory
allow_writeable_chroot=YES # let the chroot root directory be writable (vsftpd refuses the login otherwise)
Generate a TLS certificate for Secure FTP service:
The FTP protocol has no built-in encryption, so it transfers data and login credentials in plain text. This leaves the service exposed to sniffing and man-in-the-middle attacks.
We can instead configure Secure FTP (FTPS) to encrypt the communication between the FTP server and its clients.
Generate a self-signed TLS (Transport Layer Security) certificate and key with the following command. The -nodes option writes the private key unencrypted so that vsftpd can load it at startup without a passphrase.
[root@ftp-server ~]# openssl req -x509 -nodes -keyout /etc/vsftpd/vsftpd.key -out /etc/vsftpd/vsftpd.pem -days 365 -newkey rsa:2048
Generating a RSA private key
.............................+++++
....................+++++
writing new private key to '/etc/vsftpd/vsftpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:PK
State or Province Name (full name) []:Sindh
Locality Name (eg, city) [Default City]:Karachi
Organization Name (eg, company) [Default Company Ltd]:Ahmer's SysAdmin Recipes
Organizational Unit Name (eg, section) []:IT LAB
Common Name (eg, your name or your server's hostname) []:ftp-server.sysadminlabs.com
Email Address []:root@ftp-server.sysadminlabs.com
Edit vsftpd.conf to configure the FTP service to use the TLS certificate.
[root@ftp-server ~]# vi /etc/vsftpd/vsftpd.conf
Add the following directives to the file. Note that ssl_tlsv1 defaults to YES in vsftpd, so this list leaves TLS 1.0 enabled; set ssl_tlsv1=NO (and ssl_tlsv1_1=NO) as well if no legacy clients need those versions.
ssl_enable=YES # Enable vsftpd Secure connections
ssl_sslv2=NO # Disallow SSL v2 protocol connections
ssl_sslv3=NO # Disallow SSL v3 protocol connections
ssl_tlsv1_2=YES # Allow TLS v1.2 protocol connections
rsa_cert_file=/etc/vsftpd/vsftpd.pem # Location of TLS certificate
rsa_private_key_file=/etc/vsftpd/vsftpd.key # Location of Private Key
allow_anon_ssl=NO # Disallow Anonymous Access
force_local_data_ssl=YES # Force users to use SSL connection for data transfer
force_local_logins_ssl=YES # Force users to use SSL connection for credentials
require_ssl_reuse=NO # do not require data connections to reuse the control connection's TLS session (many clients cannot)
ssl_ciphers=HIGH # restrict to OpenSSL's HIGH-strength cipher suites
pasv_min_port=30000 # Min port number to define a range for PASV connections
pasv_max_port=31000 # Max port number to define a range for PASV connections
debug_ssl=YES # Dump OpenSSL diagnostics in vsftpd log file
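The two directive listings above (the base settings and the TLS settings) are easy to get subtly wrong, for example by leaving a line commented out in the stock file. The following added audit script, which is not part of vsftpd or of this article, reads a vsftpd.conf and reports every hardening directive that is missing or set to the wrong value; the two sample configs it checks are constructed here, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf against the hardening directives set above.
# Only explicit settings are trusted, so a missing directive is reported as well as a wrong one.
# Print the last effective value of a directive, ignoring comment lines and any
# trailing "# note" text (the article's annotations, which are not vsftpd syntax).
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}
# Exit status is the number of findings, so 0 means every check passed.
audit_vsftpd_conf() {
    conf=$1
    findings=0
    for pair in anonymous_enable=NO allow_anon_ssl=NO userlist_enable=YES userlist_deny=NO \
                chroot_local_user=YES ssl_enable=YES ssl_sslv2=NO ssl_sslv3=NO ssl_tlsv1_2=YES \
                force_local_logins_ssl=YES force_local_data_ssl=YES; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(vsftpd_get "$conf" "$key")
        if [ "$have" != "$want" ]; then
            echo "FINDING: $key=${have:-<unset>} (expected $want)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
# Constructed samples: a stock-style config with no TLS, and the article's hardened set.
WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
anonymous_enable=YES
local_enable=YES
# ssl_enable=YES  (commented out, so not in effect)
ssl_sslv3=YES
EOF
cat > "$HARDENED_CONF" <<'EOF'
anonymous_enable=NO
userlist_enable=YES
userlist_deny=NO
chroot_local_user=YES
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1_2=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
EOF
audit_vsftpd_conf "$WEAK_CONF" || echo "weak config: $? finding(s)"
audit_vsftpd_conf "$HARDENED_CONF" && echo "hardened config: no findings"
```

Run it against /etc/vsftpd/vsftpd.conf after editing; a non-zero exit status means at least one directive still needs attention.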
Allow the Secure FTP (FTPS) and passive-mode port ranges in the Linux firewall. Note that this setup uses explicit FTPS (AUTH TLS on port 21), so port 21 must also be reachable; port 990 is only used by implicit FTPS (implicit_ssl=YES), which is not configured here.
[root@ftp-server ~]# firewall-cmd --permanent --add-port=30000-31000/tcp
success
[root@ftp-server ~]# firewall-cmd --permanent --add-port=990/tcp
success
[root@ftp-server ~]# firewall-cmd --reload
success
Start and enable the vsftpd service.
[root@ftp-server ~]# systemctl enable --now vsftpd.service
Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /usr/lib/systemd/system/vsftpd.service.
Create a CentOS 8 User to access Secure FTP Service:
Create a user that will use the Secure FTP service.
[root@ftp-server ~]# useradd ahmer
[root@ftp-server ~]# passwd ahmer
Changing password for user ahmer.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
Add this user to user_list so that it is allowed to log in.
[root@ftp-server ~]# echo ahmer >> /etc/vsftpd/user_list
Our Secure FTP server has been configured successfully.
Testing Secure FTP Server from CentOS 8 client:
To connect to our Secure FTP server, we need an FTP client.
Many FTP clients are available in the default yum repositories of CentOS 8.
We are installing lftp, a sophisticated ftp/http file transfer program, and will use it to test our Secure FTP server.
[root@ftp-client ~]# dnf install -y lftp
Last metadata expiration check: 1:11:25 ago on Wed 29 Jan 2020 07:27:26 PM PKT.
Dependencies resolved.
=================================================================================
Package Arch Version Repository Size
=================================================================================
Installing:
lftp x86_64 4.8.4-1.el8 AppStream 889 k
Transaction Summary
=================================================================================
Install 1 Package
Total download size: 889 k
Installed size: 3.2 M
Downloading Packages:
lftp-4.8.4-1.el8.x86_64.rpm 287 kB/s | 889 kB 00:03
---------------------------------------------------------------------------------
Total 159 kB/s | 889 kB 00:05
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : lftp-4.8.4-1.el8.x86_64 1/1
Running scriptlet: lftp-4.8.4-1.el8.x86_64 1/1
Verifying : lftp-4.8.4-1.el8.x86_64 1/1
Installed:
lftp-4.8.4-1.el8.x86_64
Complete!
Because our Secure FTP server uses a self-signed TLS certificate, the lftp client reports the following error:
"Fatal error: Certificate verification: Not trusted"
To suppress this error, we can add the following directive to the lftp configuration file. Be aware that it turns off certificate verification for every server this client connects to, so the client can no longer detect a substituted certificate; the stricter alternative is to copy the server's vsftpd.pem to the client and trust it explicitly with set ssl:ca-file, connecting by the hostname in the certificate's Common Name.
[root@ftp-client ~]# echo "set ssl:verify-certificate no" >> /etc/lftp.conf
Connect to the Secure FTP service using the lftp command.
[root@ftp-client ~]# lftp ahmer@ftp-server
Password:
lftp ahmer@ftp-server:~>
Now test our Secure FTP server by executing some FTP commands.
lftp ahmer@ftp-server:~> ls
-rw-r--r-- 1 1000 1000 91 Jan 29 16:45 resolv.conf
lftp ahmer@ftp-server:/> put /etc/hosts
214 bytes transferred
lftp ahmer@ftp-server:/> ls
-rw-r--r-- 1 1000 1000 214 Jan 30 14:20 hosts
-rw-r--r-- 1 1000 1000 91 Jan 29 16:45 resolv.conf
lftp ahmer@ftp-server:/> exit
Our Secure FTP server on CentOS 8 is working fine.