Install FTP with TLS/SSL with vsftpd

I’ve been meaning to set up FTPS on my servers, but since SFTP has generally been working ok, I haven’t bothered. There are times, however, when you want true FTP, so here are some tips on setting it up with vsftpd.

Some vsftpd.conf settings:

ssl_enable=YES
rsa_cert_file=/etc/vsftpd/privatekey.pem
force_local_data_ssl=YES

pasv_enable=YES
pasv_max_port=10100
pasv_min_port=10090
connect_from_port_20=NO

# if needed (only for clients that cannot reuse the control connection's TLS session on data connections; it weakens the binding between the two, so leave the default unless a client actually fails):
require_ssl_reuse=NO
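As an added example (this is my own audit script, not part of the vsftpd project), here is a small POSIX sh check that reads a vsftpd.conf and flags the settings that quietly undo the point of running FTPS: TLS off, logins or data allowed without TLS, SSLv2/SSLv3 left on, anonymous access, and an unpinned passive port range that no firewall rule can scope. It assumes vsftpd's documented defaults for keys that are absent, and the two sample configs it writes are constructed for the demo, not taken from a real server.

```sh
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf for settings that
# undo the point of FTPS. Assumes the usual key=value format and vsftpd's documented
# defaults for absent keys (force_local_logins_ssl / force_local_data_ssl default to
# YES once ssl_enable=YES; ssl_sslv2 / ssl_sslv3 default to NO; pasv ports default
# to 0, meaning "any"; anonymous_enable defaults to YES upstream).

# conf_get FILE KEY DEFAULT: print the effective value of KEY (last match wins,
# comment lines are ignored), or DEFAULT when the key is not set.
conf_get() {
  val=$(sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1 | tr -d ' \t\r')
  if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# check_vsftpd_conf FILE: print one finding per line; exit status is the finding count.
check_vsftpd_conf() {
  f=$1
  n=0
  if [ "$(conf_get "$f" anonymous_enable YES)" = "YES" ]; then
    echo "anonymous_enable=YES: anonymous logins are on (the upstream default)"; n=$((n+1))
  fi
  if [ "$(conf_get "$f" ssl_enable NO)" != "YES" ]; then
    echo "ssl_enable is not YES: logins and data cross the wire in clear text"; n=$((n+1))
  else
    [ "$(conf_get "$f" force_local_logins_ssl YES)" = "YES" ] ||
      { echo "force_local_logins_ssl=NO: clients may send USER/PASS without TLS"; n=$((n+1)); }
    [ "$(conf_get "$f" force_local_data_ssl YES)" = "YES" ] ||
      { echo "force_local_data_ssl=NO: file transfers may run without TLS"; n=$((n+1)); }
    [ "$(conf_get "$f" ssl_sslv2 NO)" = "NO" ] ||
      { echo "ssl_sslv2=YES: SSLv2 is enabled"; n=$((n+1)); }
    [ "$(conf_get "$f" ssl_sslv3 NO)" = "NO" ] ||
      { echo "ssl_sslv3=YES: SSLv3 is enabled"; n=$((n+1)); }
  fi
  if [ "$(conf_get "$f" pasv_enable YES)" = "YES" ]; then
    lo=$(conf_get "$f" pasv_min_port 0)
    hi=$(conf_get "$f" pasv_max_port 0)
    if [ "$lo" -eq 0 ] || [ "$hi" -eq 0 ] || [ "$lo" -gt "$hi" ]; then
      echo "passive port range not pinned ($lo-$hi): the firewall cannot scope the data ports"; n=$((n+1))
    fi
  fi
  return $n
}

# vsftpd_findings FILE: just the number of findings, for scripting.
vsftpd_findings() {
  check_vsftpd_conf "$1" | wc -l | tr -d ' '
}

# Two constructed sample configs (not real servers): one careless, one matching the post.
CONF_DIR=$(mktemp -d)
trap 'rm -rf "$CONF_DIR"' EXIT
WEAK_CONF=$CONF_DIR/weak.conf
GOOD_CONF=$CONF_DIR/hardened.conf
cat > "$WEAK_CONF" <<'EOF'
listen=YES
anonymous_enable=YES
local_enable=YES
ssl_enable=YES
ssl_sslv3=YES
force_local_logins_ssl=NO
force_local_data_ssl=YES
pasv_enable=YES
EOF
cat > "$GOOD_CONF" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/vsftpd/privatekey.pem
pasv_enable=YES
pasv_min_port=10090
pasv_max_port=10100
EOF

echo "== weak.conf =="
check_vsftpd_conf "$WEAK_CONF" || echo "$? finding(s)"
echo "== hardened.conf =="
check_vsftpd_conf "$GOOD_CONF" && echo "no findings"
```

Run it against /etc/vsftpd/vsftpd.conf with `check_vsftpd_conf /etc/vsftpd/vsftpd.conf` after sourcing the functions; a non-zero exit status is the number of things to fix, which makes it easy to drop into a config-management test.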

Obviously, change these as needed based on your firewall settings, etc. One caveat: force_local_data_ssl only covers the data connections; it is force_local_logins_ssl (which defaults to YES once ssl_enable=YES) that keeps the USER/PASS exchange from going out in clear text, so leave it at YES or set it explicitly. If you use the passive port range above on RedHat/CentOS (port 21 for the control connection must be open as well), you can use:

# /sbin/iptables -I INPUT -p tcp --destination-port 10090:10100 -j ACCEPT

and if that works:

# service iptables save

That should do it. You do need to make sure you have SSL, tcpwrappers and PAM support compiled into your vsftpd binary (which the yum version usually does). If you want to compile your own from source, do:

# echo "#define VSF_BUILD_TCPWRAPPERS" >>builddefs.h
# echo "#define VSF_BUILD_SSL" >>builddefs.h

in the source directory before running make; the stock builddefs.h starts with #undef for those two, and a later #define wins. PAM support (VSF_BUILD_PAM) is already defined there, so only these two need adding.

I’m assuming you already had a working vsftpd. If you have problems connecting (logging in as local users on the server), make sure you also have these settings in vsftpd.conf:

tcp_wrappers=YES
local_enable=YES

Since I’m usually setting this up for collaborative projects, it’s often useful to have a shared group in which case you might also want to set:

local_umask=002

in order to have the group +write permissions set by default.

If you have any problems with your SSL certificate, you can generate your own PEM file, or, if you already have a separate certificate and key for HTTPS, combine them in this format:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

and name the file to match the rsa_cert_file value in your config. It holds the private key, so keep it owned by root with permissions 0600 (the execute bit in 0700 buys nothing on a file). vsftpd accepts a PKCS#8 "BEGIN PRIVATE KEY" block as well as the "BEGIN RSA PRIVATE KEY" shown above, and if you would rather not combine them, rsa_private_key_file can point at a separate key file.
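As an added example (my own helper script, not from the original post or the vsftpd project), here is how I build that combined PEM so the key never exists on disk with loose permissions, and how I prove the certificate and key in it actually belong together before pointing rsa_cert_file at it. It needs the openssl CLI; ftp.example.com and the output path are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): build the combined PEM that
# rsa_cert_file points at, lock its permissions down before any key bytes hit
# disk, and prove that the certificate and key in it belong together. Needs the
# openssl CLI; the hostname and the output path are placeholders.

# make_vsftpd_pem OUT CN [DAYS]: self-signed certificate + key, certificate first.
# The body runs in a subshell so the umask change does not leak into the caller.
make_vsftpd_pem() (
  umask 077                               # nothing created here is ever group/world readable
  out=$1; cn=$2; days=${3:-365}
  work=$(mktemp -d)
  openssl req -x509 -nodes -newkey rsa:2048 -days "$days" -subj "/CN=$cn" \
    -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
  cat "$work/cert.pem" "$work/key.pem" > "$out"   # the layout the post shows
  rm -rf "$work"
  chmod 600 "$out"                         # owner read/write only; no execute bit needed
)

# pem_key_matches_cert FILE: exit 0 if the private key in FILE matches the
# certificate in FILE (compares the public keys), 1 if not, 2 if either is unreadable.
pem_key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then return 0; fi
  return 1
}

# show_vsftpd_cert FILE: the fields worth eyeballing, plus an expiry warning.
show_vsftpd_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
  openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null ||
    echo "warning: certificate expires within 30 days"
}

# Demo on a throwaway file (placeholder hostname; on a real server write to
# the rsa_cert_file path instead, e.g. /etc/vsftpd/privatekey.pem, as root).
if command -v openssl >/dev/null 2>&1; then
  demo=$(mktemp -d)
  make_vsftpd_pem "$demo/vsftpd.pem" ftp.example.com 365
  if pem_key_matches_cert "$demo/vsftpd.pem"; then
    echo "key and certificate match"
    show_vsftpd_cert "$demo/vsftpd.pem"
  else
    echo "key/certificate mismatch or unreadable file"
  fi
  ls -l "$demo/vsftpd.pem"
  rm -rf "$demo"
fi
```

The public-key comparison works on a file that already holds an HTTPS certificate and key pasted together, which is the case where a mismatch is most likely (wrong key copied next to the right certificate); vsftpd would refuse to start in that case, so it is cheaper to catch here.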

This worked for me on CentOS for both the yum version (2.0.5) and vsftpd compiled from source (3.0.2).

View contents of SSL certificate

openssl x509 -in certificate.crt -text -noout