How to Install an FTP over SSL Server (FTPS)

LHammonds
Site Admin
Posts: 874
Joined: Fri Jul 31, 2009 6:27 pm

How to Install an FTP over SSL Server (FTPS)

Post #348 by LHammonds

Greetings and salutations,

I hope this thread will be helpful to those who follow in my footsteps, as well as getting any advice based on what I have done / documented.

To discuss this thread, please participate here: Ubuntu Forums

High-level overview

This document will describe how to set up an FTP server which utilizes SSL (FTPS) encryption and local login IDs to allow users to log in and upload files but not log in to the console.

Tools utilized in this process
Helpful links

The list below contains sources of information that helped me configure this system.

Assumptions

This documentation will need to make use of some very specific information that will most likely be different for each person / location. This variable data will be noted in this section and highlighted in red throughout the document as a reminder that you should plug in your own value rather than actually using these "place-holder" values.

Under no circumstance should you use the actual values listed below. They are place-holders for the real thing. This is just a checklist template you need to have answered before you start the install process.

Wherever you see RED in this document, you need to substitute the value your company uses.
  • Minimum Passive Port: 9000
  • Maximum Passive Port: 9020
  • FTP User Account: myftp
  • FTP User Password: mypass123


Re: How to Install an FTP over SSL Server (FTPS)

Post #349 by LHammonds

Install Ubuntu Server

The first thing to do is the installation of Ubuntu Server. The following guide will describe how to set up a server for use in a production environment, and this document assumes the guide was followed to set up Ubuntu.

The tutorial also contains an "Assumptions" section with variables colored in RED; instead of using those values, this guide will use the following as replacements:

Ubuntu Server name: srv-ftps
Ubuntu Server IP address: 192.168.107.28

IMPORTANT: Keep in mind, these are typically different for each site/install. Do not use these exact values yourself...make up your own that match your environment, write them down and use them instead of the values in the guide.

NOTE: These are the sections you can skip in the install guide which are not necessary for this server (however, you might want them...it is up to you):
  • Configure Ubuntu for File Sharing (Samba)
  • Configure Windows Server as a Remote Mount Point
  • SSH Public and Private Keys

Follow the How to Install Ubuntu Server guide and come back when finished.


Re: How to Install an FTP over SSL Server (FTPS)

Post #350 by LHammonds

Install FTP Service

At the login prompt, log in with your administrator account (administrator / myadminpass).

At the $ prompt, temporarily grant yourself superuser privileges by typing sudo su {ENTER} and then provide the administrator password (myadminpass).

Install vsftpd and make a backup of the original config file.

Code:

# install the server and keep an untouched copy of the shipped configuration
aptitude -y install vsftpd
cp /etc/vsftpd.conf /etc/vsftpd.bak

Generate an SSL Certificate

Code:

# self-signed certificate and its private key, written to a single PEM file valid for two years
openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
chown root:ftp /etc/ssl/private/vsftpd.pem
chmod 644 /etc/ssl/private/vsftpd.pem

Configure vsftpd

Edit /etc/vsftpd.conf and find/uncomment the following lines:

Code:

local_enable=YES
write_enable=YES
local_umask=022
ftpd_banner=Welcome to our FTP server.
chroot_local_user=YES

Find the following existing lines and change the values as follows:

Code:

anonymous_enable=NO
connect_from_port_20=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem

Add the following new lines (feel free to adjust values as desired):

Code:

listen_port=990
# Turn on SSL
ssl_enable=YES
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=NO
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=YES
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=YES
# Permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=YES
# Hide the info about the owner (user and group) of the files.
hide_ids=YES
# Connection limit for each IP:
max_per_ip=10
# Maximum number of clients:
max_clients=10
# When port_enable is YES, active mode connects are allowed.
port_enable=YES
# When pasv_enable is YES, passive mode connects are allowed.
pasv_enable=YES
# pasv_min_port specifies the lowest possible port sent to the FTP clients for passive mode
# connections. This setting is used to limit the port range so that firewall rules are easier
# to create. The value must not be lower than 1024.
pasv_min_port=9000
# pasv_max_port specifies the highest possible port sent to the FTP clients for passive mode
# connections. This setting is used to limit the port range so that firewall rules are easier
# to create. The value must not exceed 65535.
pasv_max_port=9020
# require_ssl_reuse, if YES, all SSL data connections are required to exhibit SSL session reuse.
# Set to NO if your log shows failures to upload because of no session reuse.
require_ssl_reuse=NO
# Set to YES to get extra information in the logs if you are having issues connecting.
debug_ssl=NO
# This setting allows FileZilla to connect or you would see something like "handshake failed" otherwise.
ssl_ciphers=HIGH
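The configuration above still permits SSLv2 and SSLv3, and the PEM file that holds the private key is left readable by every local account (chmod 644). As an added example that is not part of LHammonds' post, the Python script below parses a vsftpd.conf in the key=value format vsftpd uses, reports such weak settings, derives the control and passive ports the firewall section needs, and checks the mode of the key file. The two sample configurations are constructed from the post's placeholder values; the only other assumption is vsftpd's documented defaults for directives that are absent.

```python
"""Lint a vsftpd.conf for the FTPS settings discussed in this thread.

Added example, not code from the original post. vsftpd.conf holds one
key=value per line; lines starting with '#' are comments. The sample
configurations are constructed from the post's placeholder values.
"""
import stat
from typing import Dict, List, Tuple

# Constructed sample: the post's configuration, which still permits SSLv2/SSLv3.
WEAK_CONF = """\
listen_port=990
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
anonymous_enable=NO
connect_from_port_20=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
# Turn on SSL
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
pasv_enable=YES
pasv_min_port=9000
pasv_max_port=9020
require_ssl_reuse=NO
ssl_ciphers=HIGH
"""

# Constructed sample: the same configuration with the legacy protocol versions disabled.
HARDENED_CONF = WEAK_CONF.replace("ssl_sslv2=YES", "ssl_sslv2=NO").replace(
    "ssl_sslv3=YES", "ssl_sslv3=NO")


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse vsftpd.conf text into a dict. vsftpd refuses to start on a
    malformed directive, so a non-comment line without '=' is an error here too."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed directive: {raw!r}")
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def _yes(settings: Dict[str, str], key: str, default: str) -> bool:
    """True if the directive, or vsftpd's documented default when absent, is YES."""
    return settings.get(key, default).upper() == "YES"


def passive_range(settings: Dict[str, str]) -> Tuple[int, int]:
    """(pasv_min_port, pasv_max_port); vsftpd uses 0 to mean 'any port'."""
    return int(settings.get("pasv_min_port", "0")), int(settings.get("pasv_max_port", "0"))


def firewall_ports(settings: Dict[str, str]) -> Tuple[int, Tuple[int, int]]:
    """Control port plus the passive range the firewall/router must forward."""
    return int(settings.get("listen_port", "21")), passive_range(settings)


def lint_vsftpd(settings: Dict[str, str]) -> List[str]:
    """Return findings about weak FTPS settings; an empty list means none were found."""
    findings: List[str] = []
    if not _yes(settings, "ssl_enable", "NO"):
        findings.append("ssl_enable is not YES: passwords and data travel in clear text")
    # SSLv2 and SSLv3 are broken protocol versions; vsftpd's default for both is NO.
    for legacy in ("ssl_sslv2", "ssl_sslv3"):
        if _yes(settings, legacy, "NO"):
            findings.append(f"{legacy}=YES permits a broken protocol version; set it to NO")
    # Both force_local_* options default to YES; an explicit NO allows plaintext fallback.
    for forced in ("force_local_logins_ssl", "force_local_data_ssl"):
        if not _yes(settings, forced, "YES"):
            findings.append(f"{forced} is not YES: clients may fall back to plaintext FTP")
    if _yes(settings, "anonymous_enable", "YES"):
        findings.append("anonymous_enable=YES: anonymous logins are accepted")
    if not _yes(settings, "chroot_local_user", "NO"):
        findings.append("chroot_local_user is not YES: users can browse outside their home")
    lo, hi = passive_range(settings)
    if lo == 0 or hi == 0:
        findings.append("passive port range is unrestricted; firewall rules cannot be scoped")
    elif lo < 1024 or hi > 65535 or lo > hi:
        findings.append(f"invalid passive range {lo}-{hi} (needs 1024 <= min <= max <= 65535)")
    return findings


def key_file_mode_findings(st_mode: int) -> List[str]:
    """Flag a certificate+key file that accounts other than its owner can read or write.
    Pass os.stat(rsa_cert_file).st_mode from a real server."""
    findings: List[str] = []
    if st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("private key is readable by group/other; chmod 600 restricts it to its owner")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("private key is writable by group/other")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        s = parse_vsftpd_conf(conf)
        print(label, firewall_ports(s), lint_vsftpd(s) or "no findings")
    print(key_file_mode_findings(0o100644))
```

Run it against a copy of /etc/vsftpd.conf on the server; for the post's configuration it reports the two legacy protocol directives and the 990 plus 9000-9020 ports, and nothing for the hardened variant.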


Re: How to Install an FTP over SSL Server (FTPS)

Post #351 by LHammonds

Configure User Accounts

At the login prompt, log in with your administrator account (administrator / myadminpass).

At the $ prompt, temporarily grant yourself superuser privileges by typing sudo su {ENTER} and then provide the administrator password (myadminpass).

Add an ftpusers group.

Code:

addgroup ftpusers

Use the default ftp folder of /srv/ftp but move the home directory of the default "ftp" account underneath that folder. The /srv/ftp folder will become the base folder for all FTP user accounts, but nobody will be able to access it directly.

Code:

mkdir -p /srv/ftp/ftp/public
usermod -d /srv/ftp/ftp ftp
chmod 555 /srv/ftp
chmod 555 /srv/ftp/ftp
chmod 755 /srv/ftp/ftp/public
chown -R ftp:ftpusers /srv/ftp/ftp

Type this to add /usr/sbin/nologin to /etc/shells (this allows users who cannot log in directly on the server to log in via FTP):

Code:

echo "/usr/sbin/nologin" >> /etc/shells

Now add a user called myftp with a password of mypass123:

Code:

mkdir -p /srv/ftp/myftp/public
chmod 555 /srv/ftp/myftp
chmod 755 /srv/ftp/myftp/public
useradd -g ftpusers -d /srv/ftp/myftp -s /usr/sbin/nologin myftp
chown -R myftp:ftpusers /srv/ftp/myftp
# passwd takes only the user name and prompts for the password; enter mypass123 twice
passwd myftp
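The steps above depend on a few properties that are easy to get wrong when adding a second or third account: the shell must be the nologin shell and must be listed in /etc/shells (otherwise PAM's pam_shells check rejects the FTP login), the home must live under /srv/ftp, the chroot root must not be writable (vsftpd refuses a writable chroot root), and /public must be writable by the account. The Python audit below is an added example, not from the post; it runs offline on constructed /etc/passwd and /etc/shells text and a constructed path -> (mode, owner) map, which on a live server would come from os.stat() and the pwd module. The account name webftp, the uids/gids and the modes are constructed.

```python
"""Audit FTP-only accounts against the layout this thread creates.

Added example, not code from the original post. Inputs are the text of
/etc/passwd and /etc/shells plus a path -> (st_mode, owner) mapping so
the audit runs offline; the sample data below is constructed.
"""
import stat
from typing import Dict, List, NamedTuple, Set, Tuple

BASE = "/srv/ftp"                 # base folder from the thread
NOLOGIN = "/usr/sbin/nologin"     # shell the thread assigns to FTP-only accounts


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse /etc/passwd lines (name:pw:uid:gid:gecos:home:shell)."""
    entries: List[PasswdEntry] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def parse_shells(text: str) -> Set[str]:
    """Parse /etc/shells: one shell path per line, '#' comments."""
    return {l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")}


FileMap = Dict[str, Tuple[int, str]]   # path -> (st_mode, owner name)


def audit_ftp_account(entry: PasswdEntry, shells: Set[str], files: FileMap) -> List[str]:
    """Return findings for one account; an empty list means it matches the thread's layout."""
    findings: List[str] = []
    if entry.shell != NOLOGIN:
        findings.append(f"{entry.name}: shell {entry.shell} permits console login")
    if entry.shell not in shells:
        findings.append(f"{entry.name}: {entry.shell} is missing from /etc/shells, so PAM rejects the FTP login")
    if not entry.home.startswith(BASE + "/"):
        findings.append(f"{entry.name}: home {entry.home} is outside {BASE}")
    home = files.get(entry.home)
    if home is None:
        findings.append(f"{entry.name}: home {entry.home} does not exist")
        return findings
    mode, _owner = home
    if mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{entry.name}: chroot root {entry.home} is writable; vsftpd refuses to chroot into it")
    public = files.get(entry.home + "/public")
    if public is None:
        findings.append(f"{entry.name}: upload folder {entry.home}/public is missing")
    else:
        pmode, powner = public
        if powner != entry.name or not pmode & stat.S_IWUSR:
            findings.append(f"{entry.name}: {entry.home}/public is not writable by the account")
    return findings


# Constructed sample data: myftp follows the thread; webftp is a deliberately broken account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:x:114:65534::/srv/ftp/ftp:/usr/sbin/nologin
myftp:x:1001:1002::/srv/ftp/myftp:/usr/sbin/nologin
webftp:x:1002:1002::/srv/ftp/webftp:/bin/bash
"""
SAMPLE_SHELLS = "/bin/sh\n/bin/bash\n/usr/sbin/nologin\n"
SAMPLE_FILES: FileMap = {
    "/srv/ftp":               (stat.S_IFDIR | 0o555, "root"),
    "/srv/ftp/myftp":         (stat.S_IFDIR | 0o555, "myftp"),
    "/srv/ftp/myftp/public":  (stat.S_IFDIR | 0o755, "myftp"),
    "/srv/ftp/webftp":        (stat.S_IFDIR | 0o775, "webftp"),  # writable chroot root
    "/srv/ftp/webftp/public": (stat.S_IFDIR | 0o755, "root"),    # owned by root, not the user
}
FTPUSERS_GID = 1002  # constructed gid of the ftpusers group


def audit_all(passwd_text: str = SAMPLE_PASSWD, shells_text: str = SAMPLE_SHELLS,
              files: FileMap = SAMPLE_FILES, gid: int = FTPUSERS_GID) -> Dict[str, List[str]]:
    """Audit every account whose primary group is ftpusers."""
    shells = parse_shells(shells_text)
    return {e.name: audit_ftp_account(e, shells, files)
            for e in parse_passwd(passwd_text) if e.gid == gid}


if __name__ == "__main__":
    for name, result in audit_all().items():
        print(name, result or "ok")
```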


Re: How to Install an FTP over SSL Server (FTPS)

Post #352 by LHammonds

Configure Firewall/Router

Configure your firewall/router to allow your external IP to route to your internal IP on port 990 and a port range of 9000 to 9020 (for passive mode connections).

Connect via FTP Clients

It is recommended to test client connectivity from the local area network (LAN) to make sure everything is working before trying to test from outside the LAN. This will help with troubleshooting if necessary.

If you have another Linux server on the LAN, log in to that server and type the following to test out the FTP capability:

Code:

aptitude -y install ftp-ssl
ftp-ssl 192.168.107.28 990

Name: myftp
Password: mypass123

ftp> cd /public
ftp> pwd
ftp> lcd /etc
ftp> put hosts
ftp> dir
ftp> del hosts
ftp> dir
ftp> quit

To test from Windows over the LAN, use SmartFTP with the FTPS protocol and connect to the internal IP address.

Name: My FTPS Server
Protocol: FTPS (Explicit)
Host: 192.168.107.28
Port: 990
Path: /public
Timezone: Automatic
Login Type: Username & Password
Username: myftp
Password: mypass123

Or you can test it with WinSCP 5.9 or higher using the following settings:

Protocol: FTP
Encryption: TLS/SSL Explicit encryption
Host name: 192.168.107.28
Port number: 990
User name: myftp
Password: mypass123

Once you have verified that it works on your LAN, you can test the connection from the outside through your firewall/router by connecting to the external IP from a PC/Server outside of your LAN.
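The ftp-ssl session above can be scripted so the same check runs after every configuration change. The Python program below is an added example, not from the post: it performs the same explicit FTPS exchange with Python's ftplib (AUTH TLS before the credentials are sent, PROT P so the data connection is encrypted as force_local_data_ssl=YES demands), uploads, lists and deletes a file in /public, and additionally checks that the passive port the server announces in its 227 reply falls inside the 9000-9020 range forwarded at the firewall. Host, port, user and password are the post's placeholders. The pin file vsftpd-cert.pem is an assumption: the certificate exported from /etc/ssl/private/vsftpd.pem with `openssl x509 -in /etc/ssl/private/vsftpd.pem -out vsftpd-cert.pem`, so the client verifies the server's own self-signed certificate instead of turning verification off.

```python
"""Scripted explicit-FTPS smoke test mirroring the ftp-ssl session in this thread.

Added example, not code from the original post. Connection values are the
post's placeholders; PIN_CAFILE is an assumption (the server certificate
exported from /etc/ssl/private/vsftpd.pem with `openssl x509`).
"""
import re
import ssl
from ftplib import FTP_TLS
from io import BytesIO
from typing import Dict, Tuple

HOST, PORT = "192.168.107.28", 990          # placeholder values from the post
USER, PASSWORD = "myftp", "mypass123"       # placeholder values from the post
PASV_RANGE = (9000, 9020)                   # range forwarded at the firewall
PIN_CAFILE = "vsftpd-cert.pem"              # assumption: exported server certificate

_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_227(reply: str) -> Tuple[str, int]:
    """Return (host, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.
    The port is p1*256 + p2, as RFC 959 defines it."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError(f"no address in 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pasv_port_in_range(reply: str, rng: Tuple[int, int] = PASV_RANGE) -> bool:
    """True if the announced passive port lies inside the configured pasv_min/max range."""
    _, port = parse_227(reply)
    return rng[0] <= port <= rng[1]


def pinned_context(cafile: str) -> ssl.SSLContext:
    """TLS context that trusts exactly the pinned server certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # connecting by IP; trust is anchored on the pinned cert
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def smoke_test(host: str = HOST, port: int = PORT, user: str = USER,
               password: str = PASSWORD, cafile: str = PIN_CAFILE) -> Dict[str, object]:
    """Explicit FTPS: connect, AUTH TLS, login, PROT P, then upload/list/delete in /public."""
    ftps = FTP_TLS(context=pinned_context(cafile))
    ftps.connect(host, port, timeout=15)
    ftps.auth()                          # upgrade the control channel before sending credentials
    ftps.login(user, password)
    ftps.prot_p()                        # encrypt data connections too (force_local_data_ssl=YES)
    result: Dict[str, object] = {}
    result["pasv_in_range"] = pasv_port_in_range(ftps.sendcmd("PASV"))
    ftps.cwd("/public")
    result["pwd"] = ftps.pwd()
    ftps.storbinary("STOR smoke-test.txt", BytesIO(b"ftps smoke test\n"))
    result["uploaded"] = "smoke-test.txt" in ftps.nlst()
    ftps.delete("smoke-test.txt")
    result["deleted"] = "smoke-test.txt" not in ftps.nlst()
    ftps.quit()
    return result


if __name__ == "__main__":
    print(smoke_test())
```

If pasv_in_range comes back False, the server is handing out ports outside the range the firewall forwards, which is exactly the failure that shows up as a successful login followed by a hanging directory listing.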
