I’ve been meaning to set up FTPS on my servers but since SFTP has generally been working ok, I haven’t bothered. There are times, however, that you would want true FTP, so here are some tips on setting it up with VSFTP.
Some vsftpd.conf settings:
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/privatekey.pem
force_local_data_ssl=YES
pasv_enable=YES
pasv_max_port=10100
pasv_min_port=10090
connect_from_port_20=NO
# if needed:
require_ssl_reuse=NO
Obviously, change these as needed based on your firewall settings, etc. If you do use those passive port settings on Red Hat/CentOS, you can open the range with:
# /sbin/iptables -I INPUT -p tcp --destination-port 10090:10100 -j ACCEPT
and if that works:
# service iptables save
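As an added example (not from the original post), here is a small Python checker that parses a vsftpd.conf fragment, flags settings that would leave FTPS off, unstartable, or sending data in the clear, and derives the iptables rule above from the configured passive range. The sample config is constructed and deliberately repeats the "equire_ssl_reuse" typo so the unknown-directive check has something to catch; the set of known directives is limited to the ones used on this page.

```python
# Constructed sample vsftpd.conf (not a real server's file); it repeats the
# "equire_ssl_reuse" typo from the listing above so the checker can catch it.
SAMPLE_CONF = """\
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/privatekey.pem
force_local_data_ssl=YES
pasv_enable=YES
pasv_max_port=10100
pasv_min_port=10090
connect_from_port_20=NO
# if needed:
equire_ssl_reuse=NO
"""

# Directives this page uses; vsftpd refuses to start on a directive it does not know.
KNOWN = {"ssl_enable", "rsa_cert_file", "force_local_data_ssl", "pasv_enable",
         "pasv_max_port", "pasv_min_port", "connect_from_port_20", "require_ssl_reuse"}

def parse_vsftpd_conf(text):
    """Return {directive: value} for key=value lines; '#' comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                conf[key.strip()] = value.strip()
    return conf

def check_ftps(conf):
    """Return problems that would leave FTPS off, unstartable, or sending data in the clear."""
    problems = [f"unknown directive '{k}' (typo?)" for k in conf if k not in KNOWN]
    if conf.get("ssl_enable") != "YES":
        problems.append("ssl_enable is not YES: TLS is off")
    if conf.get("force_local_data_ssl") != "YES":
        problems.append("force_local_data_ssl is not YES: data channel may go unencrypted")
    if conf.get("pasv_enable") == "YES":
        lo, hi = conf.get("pasv_min_port", ""), conf.get("pasv_max_port", "")
        if not (lo.isdigit() and hi.isdigit() and int(lo) <= int(hi)):
            problems.append("pasv_min_port/pasv_max_port missing or inverted")
    return problems

def pasv_iptables_rule(conf):
    """The INPUT rule from the post, derived from the configured passive port range."""
    return (f"/sbin/iptables -I INPUT -p tcp --destination-port "
            f"{conf['pasv_min_port']}:{conf['pasv_max_port']} -j ACCEPT")

if __name__ == "__main__":
    conf = parse_vsftpd_conf(SAMPLE_CONF)
    print(*check_ftps(conf), pasv_iptables_rule(conf), sep="\n")
```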
That should do it. You do need to make sure you have SSL, tcpwrappers and PAM support compiled in your vsftpd binary (which the yum version usually seems to). If you want to compile your own from source, do:
# echo "#define VSF_BUILD_TCPWRAPPERS" >>builddefs.h
# echo "#define VSF_BUILD_SSL" >>builddefs.h
in the builddefs.h file in the source directory before
I’m assuming you already had a working version of vsftpd, but if you have any problems connecting (logging in with the local users on your server), make sure you also have these settings in vsftpd.conf:
Since I’m usually setting this up for collaborative projects, it’s often useful to have a shared group in which case you might also want to set:
in order to have the group +write permissions set by default.
If you have any problems with your SSL certificate, you can generate your own PEM file, or, if you already have a separate certificate and key for HTTPS, combine them in this format:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
Name the file to match the rsa_cert_file value in your config, and make sure its permissions are set to 0700.
This worked for me on CentOS with both the yum version (2.05) and a version compiled from source (3.02) of vsftpd.
To inspect the certificate you are using, run:
openssl x509 -in certificate.crt -text -noout