There are many important things to know when setting up an FTP server. First, FTP is not secure: for security reasons it should not be used without SSL/TLS (TLS is the newer version of SSL and is considered more secure because of the cryptographic algorithms it employs). It is better to consider SFTP, which implements file transfer over SSH.
Please note that we will be installing vsftpd (the "very secure FTP daemon"), and we need to log in to CentOS as root.
Set:
# vsftpd settings are option=value with no spaces around "="; boolean options take YES or NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
# the option name is chroot_local_user; vsftpd 3.x refuses to log a user in when the chroot
# (the user's home directory) is writable, so either remove write permission from the home
# directory itself or add allow_writeable_chroot=YES
chroot_local_user=YES
Press Escape and type :wq to write and quit (this saves the file).
Restart the vsftpd service (# systemctl restart vsftpd) and enable it at startup (# systemctl enable vsftpd).
3. Edit /etc/hosts (# vi /etc/hosts) and add the IP address and domain name of your server, for example: 192.168.0.111 ftp.localhost.com
4. We need to allow port 21 through the firewall; otherwise the firewall will block it and we won't be able to connect. Run # firewall-cmd --permanent --add-port=21/tcp and then reload the firewall with # firewall-cmd --reload. Note that port 21 carries only the FTP control connection; data transfers use separate connections, and once the control channel is encrypted with TLS the firewall's FTP connection-tracking helper can no longer see which ports they use, so in practice you also need to pin vsftpd's passive port range (pasv_min_port and pasv_max_port in vsftpd.conf) and open that range.
5. Create a user name and password that will be used for access, for example: # adduser abcd then # passwd abcd and enter the password for the new user abcd
6. Log in to FTP using the server's IP address or hostname, for example: ftp 192.168.0.111, then enter the user name (abcd) followed by the password
Sample output:
# ftp 192.168.0.111
Connected to 192.168.0.111.
220 (vsFTPd 3.0.2)
Name (192.168.0.116:root): abcd
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Example of uploading a file (put local-file remote-file):
ftp> put /home/aldeen/Documents/text.txt /home/abcd/text.txt
To see that FTP transfers files in plain text, start Wireshark, then connect to your FTP server and enter your user name and password. You will see the user name and password in plain text inside the packets captured by Wireshark; this is why FTP is insecure.
Next we will configure FTP to use SSL/TLS.
First create a directory; you may name it private:
# mkdir /etc/ssl/private
then create a self-signed certificate and a 1024-bit RSA key (1024-bit RSA is now considered too weak; current guidance is at least 2048 bits):
# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
- Answer the questions; the most important one is the server's hostname (the Common Name).
Sample output:
Generating a 1024 bit RSA private key
....++++++..........................++++++
writing new private key to '/etc/ssl/private/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:192.168.0.111
Email Address []:
- If you open the file vsftpd.pem (# vi /etc/ssl/private/vsftpd.pem), you will see the private key followed by the certificate.
Now adjust vsftpd.conf by adding the SSL settings to it:
#vi /etc/vsftpd/vsftpd.conf
add the following (one option per line, no spaces around "="):
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
then save and exit.
Conclusion
As I have said, consider using SFTP, which uses SSH, instead of FTP, because FTP is insecure. However, FTP can still be made secure by using it with SSL/TLS.