
How to Secure FTP Server with SSL/TLS Encryption

Introduction

Security is one of the most important concerns in computing and on the internet, and even more so when it comes to data transfer.

By default, the FTP protocol does not secure the data transferred between client and server. Securing it requires additional configuration, such as enabling SSL/TLS encryption and forcing clients to use the secure protocol.

In this tutorial, you will learn how to secure the FTP server by enabling SSL/TLS connections and forcing clients to use a specific security protocol.

Prerequisites

For this tutorial, make sure you have an FTP server application installed on your server.

Below is the tutorial about the FTP server installation on the Ubuntu system.

Install FTP Server on Ubuntu Server

And below is the tutorial about the FTP server installation on the CentOS system.

Install FTP Server on CentOS Server

Before going any further, log in to your Ubuntu server and use the sudo command to get root privileges on your system.

sudo su

Step 1 – Generate SSL/TLS Certificate

First, you will create a new directory for storing SSL certificates and generate a new SSL certificate in it.

Create a new SSL directory ‘/etc/vsftpd/ssl’.

mkdir -p /etc/vsftpd/ssl

Go to that directory and generate a new SSL certificate using the openssl command below.

cd /etc/vsftpd/ssl/
openssl req -x509 -nodes -newkey rsa:2048 -keyout vsftpd-private.pem -out vsftpd-cert.pem

Enter the details about your server when prompted.

As a result, you’ve generated the SSL certificate and private key for securing the FTP server; both are located in the ‘/etc/vsftpd/ssl’ directory.

Step 2 – Configure vsFTPd

In this step, you will edit the vsFTPd configuration ‘/etc/vsftpd.conf’ to enable SSL/TLS encryption support and to force clients to use a specific security protocol with strong ciphers.

Edit the vsFTPd configuration ‘/etc/vsftpd.conf’ using the vim editor.

vim /etc/vsftpd.conf

– Enable SSL/TLS Encryption Support

Change the following configuration to enable SSL/TLS support on your vsFTPd server.

ssl_enable=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd-cert.pem
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd-private.pem

Also, replace the SSL certificate and private key paths with your own.

– Force Clients to use SSL/TLS

Now you will force clients to use SSL/TLS encryption for both data transfer and login operations.

This configuration ensures that data transferred between clients and the server is protected by SSL/TLS, and that clients authenticate over the secure protocol.

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

– Restrict TLS Connection

Now you will restrict the FTP server to accept only TLS 1.2 connections with stronger cipher suites, using the following configuration.

For the Ubuntu system, use the following configuration.

ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO

require_ssl_reuse=NO
ssl_ciphers=TLSv1.2

And for the CentOS system, use the following configuration.

ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES

require_ssl_reuse=NO
ssl_ciphers=HIGH

Save and close.

Next, restart the vsFTPd service using the following command.

systemctl restart vsftpd

As a result, you’ve successfully secured the FTP server using SSL/TLS. All clients are now forced to use a secure SSL/TLS connection with TLS 1.2 and strong ciphers.
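
To check that ‘/etc/vsftpd.conf’ really carries the directives from this step, the following added example (not part of the original tutorial) audits a configuration file for the settings common to the Ubuntu and CentOS variants. The function names conf_value and audit_vsftpd_conf are made up for this example, and the sample input at the end is constructed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit a vsftpd.conf
# against the directives this page sets.

# Print the value of directive $2 in file $1. vsftpd expects "name=value"
# with no spaces around "=", so "ssl_enable = YES" is reported as unset.
# Assumption: when a directive is repeated, the last occurrence wins.
conf_value() {
    awk -F= -v key="$2" '
        /^#/ { next }
        $1 == key { val = substr($0, length(key) + 2); found = 1 }
        END { if (found) print val }
    ' "$1"
}

# Print one line per finding; return 0 only if every check passes.
audit_vsftpd_conf() {
    conf="$1"
    failures=0
    for want in ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES \
        force_local_logins_ssl=YES ssl_sslv2=NO ssl_sslv3=NO ssl_tlsv1=NO
    do
        key=${want%%=*}
        expected=${want#*=}
        actual=$(conf_value "$conf" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "FAIL $key: want $expected, found '${actual:-unset}'"
            failures=$((failures + 1))
        fi
    done
    for key in rsa_cert_file rsa_private_key_file; do
        if [ -z "$(conf_value "$conf" "$key")" ]; then
            echo "FAIL $key: not set"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Constructed sample input: a commented-out ssl_enable and a late
# ssl_tlsv1=YES that overrides the earlier NO.
sample=$(mktemp)
printf '%s\n' '#ssl_enable=YES' 'ssl_tlsv1=NO' 'force_local_data_ssl=YES' \
    'ssl_tlsv1=YES' > "$sample"
audit_vsftpd_conf "$sample" || echo "sample config does not match the tutorial"
rm -f "$sample"
```

To audit the live file, call audit_vsftpd_conf /etc/vsftpd.conf; a directive that is missing is reported as a failure rather than assumed to be at a safe default.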

Step 3 – Testing

To test the FTP server setup with SSL/TLS enabled, use a graphical application such as ‘FileZilla’.

Connect to the FTP server with your credentials and you will be asked to accept the FTP server certificate.

In the ‘Session details’ section, you will see that you’re connected to the FTP server over the secure TLS 1.2 protocol using the strong cipher ‘AES-256-GCM’.

Click ‘OK’ to accept the server certificate and connect to the FTP server over a secure TLS connection.

As a result, you’ve successfully secured an FTP server with SSL/TLS encryption.
