
9/4/2018 How To Configure vsftpd to Use SSL/TLS on a CentOS VPS | DigitalOcean


How To Configure vsftpd to Use SSL/TLS on a CentOS VPS

Posted October 28, 2013 | Security, CentOS

By: Justin Ellingwood

Introduction
Warning: FTP is insecure! Consider using SFTP instead of FTP.

FTP, or file transfer protocol, is a way to transfer files between local and remote servers.
Although very popular and ubiquitous, the use of this method of file transfer has fallen out
of favor due to the lack of security inherent in its design.

A very capable alternative is SFTP, as mentioned above. This protocol implements file
sharing over SSH. If you must use FTP, you should at least secure the connection with
SSL/TLS certificates.

In this guide, we will configure vsftpd to use TLS/SSL certificates on a CentOS 6.4 VPS.

Install vsftpd
The vsftpd server is available in CentOS's default repositories. We can install it by typing:

sudo yum install vsftpd

The vsftpd server is now installed on our VPS. We can configure some connection options
in the next section.

Configure Basic Settings for vsftpd


The main configuration file for vsftpd on CentOS is kept in the /etc/vsftpd/ directory. It is
called vsftpd.conf.

Open this file in your editor with root privileges:

sudo nano /etc/vsftpd/vsftpd.conf

We need to adjust some basic parameters in this file to increase security and establish our
connection options.

The first thing we will do is disable anonymous users. While this option may make sense for
a large, public-facing file dump (like public software repositories), for a personal FTP server
this is almost never a good idea.

anonymous_enable=NO

Since we are disabling anonymous users, we need to provide a way for our system to
authenticate our users. We will allow local users, meaning that vsftpd will use our Linux
system users and authentication to determine who can sign in.

To enable this, make sure that this option is set:

local_enable=YES

We will also allow them write access, so that they can upload material and modify content:

write_enable=YES

We also want to confine our users to their respective home directories. The option for that
is:

chroot_local_user=YES

This is enough for a basic (non-SSL) FTP configuration. We will add the SSL functionality
later.

Save and close the file.

Create an FTP User


We have selected to use local users and to confine them to their home directories with a
chroot environment.

Create a new user with this command:

sudo adduser ftpuser

Assign a password to the new user by typing:

sudo passwd ftpuser

The version of vsftpd in CentOS 6.4 is older, so this portion of the setup is easier than it is
with some newer versions.

Configure SSL with vsftpd


The first step towards getting vsftpd to operate with SSL is to create our SSL certificate. We
will actually be using TLS, which is a protocol that is a successor to SSL and more secure.

We will create a subdirectory within the SSL directory to store our files:

sudo mkdir /etc/ssl/private

To create the certificate and the key in a single file, we can use this command:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Fill out the questions that it asks. The most important is the "Common Name" of your
server, which must be the IP address or domain name that you will use to connect.

Add the SSL Details to the vsftpd Configuration File


Now, we need to alter our configuration to point to the new keys and configure the secure
connection.

Open the vsftpd configuration file as root again:

sudo nano /etc/vsftpd/vsftpd.conf


Scroll to the bottom of the file. We will add our SSL/TLS information here.

We need to specify the location of our certificate and key files. We actually combined both
pieces of information into a single file, so we will point both options to the same file:

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

Next, we need to enable the use of these files and deny SSL to anonymous users (whom we
have already disabled). We should also force the use of SSL for both data transfer and login
routines. This makes encryption mandatory rather than optional:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

Next, we will restrict the type of connection to TLS, which is more secure than SSL. We will
do this by explicitly allowing TLS and denying the use of SSL:

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

We'll add two more configuration options before finishing. require_ssl_reuse=NO stops vsftpd
from insisting that every data connection reuse the control connection's TLS session, a
requirement that breaks many FTP clients; ssl_ciphers=HIGH limits negotiation to
high-strength cipher suites:

require_ssl_reuse=NO
ssl_ciphers=HIGH

Save and close the file.

We need to restart vsftpd to enable our changes:

sudo /etc/init.d/vsftpd restart

We will also configure it to start automatically with every reboot:

sudo chkconfig vsftpd on
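As an added check that is not part of the original tutorial, the POSIX shell function below audits a vsftpd.conf for the directives this guide sets, treating a missing directive as a failure (vsftpd's defaults for them are the permissive ones), and warns if the certificate/key file is world-readable. The config path is an assumption; adapt it to your system.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit a vsftpd.conf for the
# directives this guide sets. Usage: check_vsftpd_conf /etc/vsftpd/vsftpd.conf

# Directive=expected pairs from the guide. A missing directive is a failure: vsftpd's
# defaults for these (anonymous_enable=YES, ssl_enable=NO, ...) are the weak ones.
VSFTPD_REQUIRED="anonymous_enable=NO local_enable=YES chroot_local_user=YES \
ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES \
ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO"

# Print the effective value of directive $2 in file $1: comment lines are skipped and
# the last assignment wins, since vsftpd reads the file top to bottom.
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 when every required directive has its expected value, 1 otherwise,
# printing one FAIL line per mismatch (and a WARN if the private key is world-readable).
check_vsftpd_conf() {
    rc=0
    for pair in $VSFTPD_REQUIRED; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(vsftpd_get "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "FAIL: $key=${have:-<unset>} (expected $want)"
            rc=1
        fi
    done
    # The combined .pem holds the private key, so other users must not be able to read it.
    pem=$(vsftpd_get "$1" rsa_private_key_file)
    if [ -n "$pem" ] && [ -f "$pem" ] && [ -n "$(find "$pem" -perm -004)" ]; then
        echo "WARN: $pem is world-readable; it contains the private key"
    fi
    return $rc
}
```

To confirm the running server actually negotiates explicit TLS and presents the expected certificate, openssl s_client -starttls ftp -connect your_server_ip:21 shows the handshake and the certificate subject.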


How To Connect to the vsftpd Server with FileZilla


SSL and TLS connections are possible with most modern FTP clients. We will show you
how to set up FileZilla to use secured connections due to its cross-platform compatibility.
We will assume that you have already installed the client using whatever the appropriate
installation procedures are for your computer.

Open the FileZilla program. In the interface, click the "Site Manager" icon, which is the
leftmost icon in the toolbar.

In the new interface that pops up, click the "New Site" button in the lower left corner.
Name the server connection so that you can easily identify it later.

Fill in the IP address in the "Host" field and select "FTP - File Transfer Protocol" from the
Protocol drop-down menu. For the Encryption drop-down, choose "Require explicit FTP
over TLS".

Select "Ask for password" from the Login Type menu. Fill in the FTP user we created for the
"User" field:

Now, you can click "Connect" at the bottom of the panel. You will be prompted to enter the
password for your FTP user:


The next step is the first sign that we are connecting with TLS to our remote server. We will
be asked to accept the certificate that is being used.

You should be able to see the information you filled out when you created the certificate in
order to verify that you're actually connecting to the correct place.

Accept the certificate to establish the connection.

Conclusion

While this configuration is a step in the right direction, it still suffers from security problems
prior to establishing the connection. It should be avoided in most setups that are open to
the internet due to these concerns. SFTP is a great alternative if you want the ability to use
some of the same tools you are familiar with, but with security you can trust.

29 Comments


info355111 December 14, 2013

Hey guys, thanks for the tutorial. Worked almost perfectly. I followed the initial setup tutorial
first and thus I wasn't root when executing these steps.
When I restarted vsftpd, I got an error that it couldn't find the certificate.
The openssl command needs "sudo" in front of it to successfully create and save the
certificate, when not logged in as root.

babinlonston December 16, 2013

Not working for me, receiving this error:

Command: PASS *********


Error: GnuTLS error -15: An unexpected TLS packet was received.
Error: Could not connect to server

babinlonston December 16, 2013

This is my configuration file:

http://paste.ubuntu.com/6582568/

kamaln7 MOD December 16, 2013

@babinlonston: After some Googling (you should consider doing that too ;) ), it appears that
FileZilla is causing it. Try another FTP client such as WinSCP.

babinlonston December 16, 2013

Oh, thousands of thanks for the quick response, you guys are rocking....


babinlonston December 16, 2013

Kamal Nasser, can I use the SSL certificate which I'm using for my domain, the .crt file and .key
file? It's a multi-domain certificate. Using a CentOS 6.4 Droplet, Apache.

babinlonston December 17, 2013

I have tried from WinSCP too, facing the same issue: can't log in to my VPS using SSL for vsftpd.

kamaln7 MOD December 18, 2013

Yes, you should be able to use it. Did you configure it properly? Make sure these directives
point to your SSL certificate and key:

rsa_cert_file=/path/to/ssl/cert
rsa_private_key_file=/path/to/ssl/key

swagatoatwork December 20, 2013

I'm getting a 503 error, access denied.

swagatoatwork December 20, 2013

Okay, now I can log in using SFTP over SSH. So I simply just can't log in with normal
ftp://example.com, right?

kamaln7 MOD December 21, 2013

Okay, now I can log in using SFTP over SSH.

If I understood that correctly, you don't need vsftpd. Uninstall it.

jonebarker January 22, 2014

Hi, I just double-checked that I followed everything. I'm still getting an error: "Starting vsftpd for
vsftpd: 500 OOPS: SSL: cannot load RSA certificate"

jonebarker January 22, 2014

Adding to that: When ssl_enable=NO, I can shut down and restart. When ssl_enable=YES, I
can only shut down.

jonebarker January 22, 2014

[Solved]...sort of. I figured out that I had the common name set to one of my virtual domains
instead of the server IP. I thought I was locking FTP users to their respective 'virtual'
document root in this tutorial. Guess I was wrong?

jonebarker January 23, 2014

How to confine users to their home directories with a chroot environment? That step was
totally skipped!

kamaln7 MOD January 23, 2014

@Jonathan: Users should be chrooted if you have chroot_local_user set to YES.

jonebarker January 27, 2014

What I am missing is what comes after I create the user and password. What command will set
the user's root to the desired directory?

jonebarker January 27, 2014

I had to use "usermod -d /var/www/domain.com/desiredFolder userName" to change the
document root. Then I deleted the previous default home locations. Was a bit tricky for me.
Another thing I did for a different user was to delete the user and home folder using "userdel -r -f
userName" to totally wipe any traces of the user. Then create the user again adding the
desired root in the same command: "adduser -d /var/www/domain.com/desiredFolder user".
Where one did not seem to work, the other did.

alainalemany August 28, 2015

I did everything exactly as the article says, and I'm getting a timeout error in both FileZilla and
WinSCP. What am I missing?

amiehsan September 14, 2015

I am getting the below error :(

Disconnected from server


Status: Connecting to 172.29.10.140:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/home/ehsan"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (172,29,10,140,110,59).
Command: LIST
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing

What to do ??????

pete227522 June 13, 2016

Try enabling passive mode: http://serverfault.com/questions/421161/how-to-configure-vsftpd-to-work-with-passive-mode


This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.


Copyright © 2018 DigitalOcean™ Inc.
