Security is one of the most important concerns for computers and the internet, and even more so when data is transferred between systems.
By default, the FTP protocol does not secure data transfer between client and server: credentials and file contents travel in plaintext. Securing it needs additional configuration, such as enabling TLS/SSL encryption and forcing clients to use the secure protocol.
In this tutorial, you will learn how to secure an FTP server by enabling SSL/TLS connections and forcing clients to use a specific security protocol.
For this tutorial, make sure you have got an FTP server application installed on your server.
Below is the tutorial about the FTP server installation on the Ubuntu system.
And below is the tutorial about the FTP server installation on the CentOS system.
Before going any further, log in to your server and use sudo to get root privileges on the system.
Step 1 – Generate SSL/TLS Certificate
First, you will create a new directory for storing the SSL certificate and generate a new certificate and private key into it.
Create a new SSL directory ‘/etc/vsftpd/ssl’.
mkdir -p /etc/vsftpd/ssl
Go to that directory and generate a new self-signed SSL certificate and private key using the openssl command below.
cd /etc/vsftpd/ssl/
openssl req -x509 -nodes -newkey rsa:2048 -keyout vsftpd-private.pem -out vsftpd-cert.pem
Answer the prompts with details about your server. Note that without a ‘-days’ option, openssl makes the certificate valid for only 30 days, so add ‘-days 365’ (or another period) if you do not want to renew it every month.
As a result, you’ve generated a self-signed SSL certificate and private key to secure the FTP server; both are located in the ‘/etc/vsftpd/ssl’ directory.
Step 2 – Configure vsFTPd
In this step, you will edit the vsFTPd configuration ‘/etc/vsftpd.conf’ and add settings that enable SSL/TLS encryption support and force clients to use a specific security protocol with strong ciphers.
Edit the vsFTPd configuration ‘/etc/vsftpd.conf’ using the vim editor.
– Enable SSL/TLS Encryption Support
Change the following configuration to enable SSL/TLS support on your vsFTPd server.
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd-cert.pem
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd-private.pem
If you stored the certificate and private key elsewhere, change these paths to match your own.
– Force Clients to use SSL/TLS
Now you will force clients to use SSL/TLS encryption for both data transfer and login.
This configuration ensures that data transfers between clients and the server are protected by SSL/TLS and that local users can only log in over the secure protocol. Anonymous users are not allowed to use SSL.
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
– Restrict TLS Connection
Now you will restrict access to the FTP server to TLS 1.2 connections only, using stronger cipher suites. The configuration differs between distributions because the vsFTPd build on CentOS has additional per-version TLS options.
For the Ubuntu system, use the following configuration.
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
require_ssl_reuse=NO
ssl_ciphers=TLSv1.2
And for the CentOS system, use the following configuration.
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
Save and close.
Next, restart the vsFTPd service using the following command.
systemctl restart vsftpd
As a result, you’ve successfully secured the FTP server using SSL/TLS. All clients are now forced to use a secure SSL/TLS connection with TLS 1.2 and strong ciphers.
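Before restarting, it helps to check that every setting from Step 2 actually made it into ‘/etc/vsftpd.conf’, because a key that is missing silently falls back to the vsFTPd default (and ‘ssl_tlsv1’ defaults to YES, so leaving it out does not disable TLS 1.0). The following script is an added example and not part of the original tutorial: it parses vsFTPd’s KEY=VALUE format and reports each setting that differs from the Ubuntu baseline above. The two embedded configurations are constructed samples, the default values are taken from vsftpd.conf(5), and the ‘audit_file’ helper simply runs the same check on a file on disk.

```python
"""Audit a vsftpd.conf against the SSL/TLS settings used in this tutorial.

Added example (not part of the original tutorial). The sample configs below
are constructed for the demonstration.
"""
from pathlib import Path

# Values the tutorial sets (Ubuntu variant; CentOS additionally sets ssl_tlsv1_1/ssl_tlsv1_2).
EXPECTED = {
    "ssl_enable": "YES",
    "allow_anon_ssl": "NO",
    "force_local_data_ssl": "YES",
    "force_local_logins_ssl": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "ssl_tlsv1": "NO",
    "require_ssl_reuse": "NO",
}

# What vsftpd uses when a key is absent, per vsftpd.conf(5). Note that ssl_tlsv1
# defaults to YES, so merely omitting it does not disable TLS 1.0.
VSFTPD_DEFAULTS = {
    "ssl_enable": "NO",
    "allow_anon_ssl": "NO",
    "force_local_data_ssl": "YES",
    "force_local_logins_ssl": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "ssl_tlsv1": "YES",
    "require_ssl_reuse": "YES",
}

# Constructed sample: a stock-style config before Step 2 (ssl_enable is commented out).
STOCK_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
# ssl_enable=NO
"""

# Constructed sample: the Ubuntu configuration after Step 2.
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/ssl/vsftpd-cert.pem
rsa_private_key_file=/etc/vsftpd/ssl/vsftpd-private.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
require_ssl_reuse=NO
ssl_ciphers=TLSv1.2
"""


def parse_vsftpd_conf(text):
    """Parse vsftpd's KEY=VALUE format. '#' lines are comments; a repeated key keeps its last value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return findings as strings; an empty list means the tutorial's TLS baseline is met."""
    findings = []
    for key, expected in EXPECTED.items():
        effective = settings.get(key, VSFTPD_DEFAULTS[key])
        if effective.upper() != expected:
            origin = "set explicitly" if key in settings else "unset, vsftpd default"
            findings.append(f"{key}={effective} ({origin}); tutorial expects {expected}")
    for key in ("rsa_cert_file", "rsa_private_key_file"):
        if not settings.get(key):
            findings.append(f"{key} is not set; vsftpd needs it to offer TLS")
    if not settings.get("ssl_ciphers"):
        findings.append("ssl_ciphers is not set; tutorial pins TLSv1.2 (Ubuntu) or HIGH (CentOS)")
    return findings


def audit_file(path="/etc/vsftpd.conf"):
    """Audit a configuration file on disk (hypothetical helper for use on the server)."""
    return audit(parse_vsftpd_conf(Path(path).read_text()))


if __name__ == "__main__":
    for name, conf in (("stock", STOCK_CONF), ("hardened", HARDENED_CONF)):
        problems = audit(parse_vsftpd_conf(conf))
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it on the server with ‘python3 audit_vsftpd.py’ to see the two samples, or call ‘audit_file()’ against the real configuration; an empty result means every setting from Step 2 is in place.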
Step 3 – Testing
To test the FTP server setup with SSL/TLS enabled, use a graphical client such as ‘FileZilla’.
Connect to the FTP server with your credentials and you will be asked to accept the FTP server’s certificate.
In the ‘Session details’ section, you will see that you are connected to the FTP server with the secure TLS protocol 1.2 using the strong cipher ‘AES-256-GCM’.
Click ‘OK’ to accept the server certificate and connect to the FTP server over the secure TLS connection.
As a result, you’ve successfully secured an FTP server with SSL/TLS encryption.
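The same check can be scripted so it can be repeated after every configuration change. The script below is an added example and not part of the original tutorial: it connects with Python’s standard ‘ftplib.FTP_TLS’ using a client context that only offers TLS 1.2, reports the negotiated protocol and cipher (the values FileZilla shows under ‘Session details’), and then confirms that a plaintext login is refused, which is what ‘force_local_logins_ssl=YES’ should enforce (vsFTPd answers the USER command with a 5xx reply before AUTH TLS). The host name and credentials are placeholders to be replaced with your own; certificate verification is switched off only when no CA file is given, because the Step 1 certificate is self-signed, and passing ‘cafile=/etc/vsftpd/ssl/vsftpd-cert.pem’ makes the probe verify it instead.

```python
"""Probe a vsftpd server's TLS policy from a client (added example, not from the tutorial)."""
import ftplib
import ssl
import sys


def tls12_context(cafile=None):
    """Client context that offers only TLS 1.2, so a successful handshake proves the server accepts it."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if cafile is None:
        # Step 1 produced a self-signed certificate, so there is no CA to chain to.
        # Verification is disabled for this probe only; pass the server's own
        # vsftpd-cert.pem as cafile to verify it instead.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(host, user, password, port=21, cafile=None):
    """Return the negotiated protocol/cipher and whether a plaintext login is refused."""
    result = {}

    # 1. Explicit FTPS: connect in clear, then AUTH TLS upgrades the control channel.
    ftps = ftplib.FTP_TLS(context=tls12_context(cafile))
    ftps.connect(host, port, timeout=10)
    ftps.auth()
    ftps.login(user, password)
    ftps.prot_p()  # PROT P: data connections must be encrypted too (force_local_data_ssl)
    result["protocol"] = ftps.sock.version()   # expected 'TLSv1.2'
    result["cipher"] = ftps.sock.cipher()[0]   # e.g. an AES-GCM suite
    ftps.quit()

    # 2. Plain FTP login must fail: with force_local_logins_ssl=YES vsftpd rejects
    #    USER before AUTH TLS with a 5xx reply, which ftplib raises as error_perm.
    plain = ftplib.FTP()
    plain.connect(host, port, timeout=10)
    try:
        plain.login(user, password)
        result["plaintext_login_refused"] = False
    except ftplib.error_perm:
        result["plaintext_login_refused"] = True
    finally:
        plain.close()
    return result


if __name__ == "__main__":
    # Usage: python3 probe_ftps.py ftp.example.com USERNAME PASSWORD [cafile]
    host, user, password = sys.argv[1:4]
    cafile = sys.argv[4] if len(sys.argv) > 4 else None
    for key, value in probe(host, user, password, cafile=cafile).items():
        print(f"{key}: {value}")
```

A healthy result shows ‘protocol: TLSv1.2’ and ‘plaintext_login_refused: True’; if the TLS 1.2 handshake fails, the ‘ssl_ciphers’ or per-version settings from Step 2 are the first thing to re-check.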