How to Set Up a Secure FTP Server on Linux Server with SSL/TLS Encryption (vsftpd)

  • Post last modified:October 21, 2023
  • Post category:Linux
  • Post comments:1 Comment
  • Reading time:12 mins read

In this post, I will show you how to set up a secure FTP server on a Linux server with SSL/TLS encryption, using either a purchased SSL certificate or a Let’s Encrypt certificate.

Prerequisites:

  • A Linux server with root access
  • A domain name (e.g., ftp.example.com) pointed to your server IP address (Optional)

Table of Contents:

Step 1: Install vsftpd

The first step is to install vsftpd, a popular FTP server software, on your Linux server. Open a terminal and run:

sudo apt update
sudo apt install vsftpd -y

Step 2: Configure vsftpd

You need to configure it by editing the vsftpd configuration file /etc/vsftpd.conf. Open the file with a text editor, such as nano:

sudo nano /etc/vsftpd.conf

Advertisements

Make the following changes to the configuration file:

anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES

Save the changes and close the file.

echo allow_writeable_chroot=YES >> /etc/vsftpd.conf && systemctl restart vsftpd
vsftpd config

Step 3: Create FTP User Accounts

Next, you need to create FTP user accounts to allow users to connect to your FTP server. You can create local system users and set their passwords using the following command:

sudo useradd -m [username]
sudo passwd [username]

Replace [username] with the name for the FTP user.

Step 4: Configure Firewall

If you have a firewall enabled on your Linux server, you need to configure it to allow FTP traffic. By default, FTP uses two ports for communication – port 20 and port 21. You need to open these ports in your firewall to allow FTP traffic. You can do this using a tool like UFW (Uncomplicated Firewall) by running the following commands:

sudo ufw allow 20/tcp
sudo ufw allow 21/tcp

Step 5: Test FTP Server

Once you have completed the above steps, your FTP server should be up and running. You can now test the FTP server by connecting to it using an FTP client such as Winscp. Enter the hostname or IP address of your Linux server, along with the FTP username and password that you created earlier. If everything is configured correctly, you should be able to connect and transfer files from your server.

winscp client
WinSCP
winscp look after login

Step 6: Enable SSL/TLS Encryption (Optional)

To secure your FTP server, you can enable SSL/TLS encryption. This step is optional, but highly recommended for the security of your FTP server.

Option A: Using a Purchased SSL Certificate

If you have already purchased an SSL certificate from a trusted Certificate Authority (CA), you can install it on your server. Here are the steps.

Step 6 A.1: Upload SSL Certificate Files

Upload the SSL certificate files (e.g., .crt and .key files) to a directory on your server, such as /etc/ssl/private/. You can use FTP or SCP to upload the files.

Step 6 A.2: Configure vsftpd for SSL/TLS

In the vsftpd configuration file /etc/vsftpd.conf, add the following lines or uncomment them if they already exist:

rsa_cert_file=/etc/ssl/private/[your_domain_name].crt
rsa_private_key_file=/etc/ssl/private/[your_domain_name].key
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES

Replace [your_domain_name] with your actual domain name and the SSL certificate file location.

Step 6 A.3: Restart vsftpd Service

After making changes to the vsftpd configuration file, restart the vsftpd service for the changes to take effect:

sudo service vsftpd restart

Option B: Using Let’s Encrypt Certificate

If you prefer to use a free SSL certificate from Let’s Encrypt, you can install Certbot Here are the steps

Step 6 B.1: Install Certbot

Install Certbot on your server:

sudo apt update
sudo apt install certbot -y

Step 6 B.2: Get Let’s Encrypt Certificate

Get a Let’s Encrypt certificate for your domain:

sudo certbot certonly --standalone -d ftp.example.com

Replace ftp.example.com with your actual domain name.

Step 6 B.3: Configure vsftpd for SSL/TLS

In the vsftpd configuration file /etc/vsftpd.conf, add the following lines:

rsa_cert_file=/etc/letsencrypt/live/ftp.example.com/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/ftp.example.com/privkey.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES

Advertisements

Replace ftp.example.com with your actual domain name.

vsftpd config adding ssl

Step 6 B.4: Restart vsftpd Service

After Generating the Let’s Encrypt certificate and making changes to the vsftpd configuration file, restart the vsftpd service:

sudo service vsftpd restart

Step 7: Test FTP Server with SSL/TLS Encryption

Test your FTP server with SSL/TLS encryption by connecting to it using an FTP client that supports SSL/TLS, Connect to your FTP server using the domain name, and choose the “TLS/SSL Explicit encryption” option in your FTP client.

using ssl on winscp
WinSCP
with ssl winscp login

Conclusion

You have successfully set up a secure FTP server on your Linux server with SSL/TLS encryption. By enabling SSL/TLS encryption, you have added an additional layer of security to protect your file transfers.

This Post Has One Comment

  1. jaywalker

    thanks dude

Leave a Reply