Secure FTP with Linux

Set up secure FTP communication with your Linux host. These instructions apply to Ubuntu 18.04 and can easily be adapted to the vast majority of Linux platforms.


Install FTP Server

Run the following commands to install the vsftpd FTP server:

sudo apt-get update
sudo apt-get install vsftpd

To enable a local user account for FTP access, make the following changes to the /etc/vsftpd.conf file.

anonymous_enable=NO
connect_from_port_20=NO
local_enable=YES
write_enable=YES

To enable secure FTP over SSL/TLS, make the following changes to the /etc/vsftpd.conf file.

rsa_cert_file=/etc/letsencrypt/devshell.io/fullchain.cer
rsa_private_key_file=/etc/letsencrypt/devshell.io/devshell.io.key

listen_port=990
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_min_port=40000
pasv_max_port=50000

Note that rsa_cert_file and rsa_private_key_file reference the trusted Let's Encrypt SSL/TLS certificate/key pair generated during the Ghost platform setup. Alternatively, you can generate your own (self-signed) certificate.

Restart the vsftpd service:

sudo service vsftpd restart

Configure Firewall

Create the ufw application profile /etc/ufw/applications.d/vsftpd with the following content:

[FTP Secure]
title=FTP Secure
description=Secure FTP over SSL/TLS
ports=990,40000:50000/tcp

The values for ports must correspond to the ones set in the /etc/vsftpd.conf file (listen_port and the pasv_min_port to pasv_max_port range). Enable the secure FTP ports in the firewall:

sudo ufw allow 'FTP Secure'

Check that the FTP Secure profile is allowed in the firewall:

sudo ufw status

You should get output similar to:

Status: active

To                         Action      From
--                         ------      ----
FTP Secure                 ALLOW       Anywhere
FTP Secure (v6)            ALLOW       Anywhere (v6)

Testing

Test the secure FTP connectivity with an FTP client (e.g. FileZilla).

Troubleshooting

You may get the following error when attempting to connect to the default FTP port (21) via a secure SSL/TLS connection.

Status:      Connection established, waiting for welcome message...
Response:    220 (vsFTPd 3.0.3)
Command:     AUTH TLS
Response:    502 Command not implemented.
Command:     AUTH SSL
Error:       Could not read from socket: ECONNRESET - Connection reset by peer
Error:       Could not connect to server

This can happen if you configured secure FTP connectivity in /etc/vsftpd.conf (with all the changes described above) without changing the listen_port parameter. Hence the change to:

listen_port=990
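The firewall section requires the ufw ports to match the vsftpd.conf values, and this section shows what happens when listen_port is left unchanged. The following script, an added example that is not part of the original post, parses both files and reports either mismatch; the two inputs are constructed inline from the values in this post, so point it at the real /etc/vsftpd.conf and /etc/ufw/applications.d/vsftpd contents to audit a host.

```python
import re

# Constructed vsftpd.conf excerpt (the listener and passive-port settings from the post).
VSFTPD_CONF = """\
listen_port=990
ssl_enable=YES
pasv_min_port=40000
pasv_max_port=50000
"""
# Constructed ufw profile (/etc/ufw/applications.d/vsftpd from the post).
UFW_PROFILE = "[FTP Secure]\nports=990,40000:50000/tcp\n"

def parse_vsftpd(text):
    """Parse vsftpd's key=value lines into a dict, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def ufw_tcp_ports(text):
    """Expand a ufw profile's ports= line (e.g. 990,40000:50000/tcp) into a set."""
    ports = set()
    match = re.search(r"^ports=(.*)$", text, re.MULTILINE)
    for spec in match.group(1).split("|") if match else []:
        plist, _, proto = spec.partition("/")
        if proto and proto != "tcp":
            continue  # udp-only specs do not open anything for an FTP listener
        for item in plist.split(","):
            lo, _, hi = item.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(vsftpd_text, ufw_text):
    """Return a list of findings; an empty list means the two files agree."""
    conf = parse_vsftpd(vsftpd_text)
    findings = []
    listen = int(conf.get("listen_port", 21))  # vsftpd listens on 21 when unset
    if conf.get("ssl_enable") == "YES" and listen == 21:
        findings.append("ssl_enable=YES but listen_port left at 21 (see Troubleshooting)")
    needed = {listen}  # control port plus the whole passive data range
    if "pasv_min_port" in conf and "pasv_max_port" in conf:
        needed |= set(range(int(conf["pasv_min_port"]), int(conf["pasv_max_port"]) + 1))
    missing = sorted(needed - ufw_tcp_ports(ufw_text))
    if missing:
        findings.append(f"ufw profile leaves {len(missing)} needed TCP port(s) closed, first {missing[0]}")
    return findings
```

Run audit(open("/etc/vsftpd.conf").read(), open("/etc/ufw/applications.d/vsftpd").read()) on the host; an empty list means the firewall profile covers every port vsftpd will use.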
