Tag Archives: ssl

Linux

VSFTPD

Here I will show how to configure VSFTPD for basic authentication so that we have a base working daemon.  Then we will build on that by implementing SSL and then virtual users.

Obviously first thing is first ;)  If you haven't already, install vsftpd.

emerge -av vsftpd
...
net-ftp/vsftpd-3.0.2-r1::gentoo USE="pam ssl tcpd -caps (-selinux) -xinetd"

We want to enable pam and ssl for later on.  Once done, pop this into /etc/vsftpd/vsftpd.conf

##################
# Basic Settings #
##################
anonymous_enable=NO
dirmessage_enable=YES
xferlog_enable=YES
vsftpd_log_file=/var/log/vsftpd.log
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
data_connection_timeout=120
nopriv_user=ftp
ftpd_banner=Insert Welcome Message
listen=YES
listen_address=<server IP>
listen_port=21

###############
# Local Users #
###############
local_enable=YES
write_enable=YES
chroot_local_user=YES
passwd_chroot_enable=YES
allow_writeable_chroot=NO
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/vsftpd.user_list

The above will tell vsftpd to not allow any anonymous connections eg mandatory login.  What and where to log. What IP and port to listen on.  To lock users into their home directory (defined in /etc/passwd).

The bottom 3 lines userlist_* we define so we don't grant all local users ftp access.  If you answer YES to userlist_deny, the user list will deny any users listed in the file and allow everything else.

cat /etc/vsftpd/vsftpd.user_list
user1
user2
user3

Restart vsftpd to activate the new config.

Let's test and make sure everything is working.

$ ftp cdstealer.com
Connected to cdstealer.com (<IP>).
220 (vsFTPd 3.0.2)
Name (cdstealer.com:user1): 
530 Please login with USER and PASS.
SSL not available
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

SSL

So let's get some encryption so we aren't transmitting plain text credentials.

Generate a self signed cert.

# openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout /etc/ssl/apache2/vsftp.pem -out /etc/ssl/apache2/vsftp.pem
Generating a 4096 bit RSA private key
..........................................................................................++
....++
writing new private key to '/etc/ssl/apache2/vsftp.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Somewhere nice
Locality Name (eg, city) []:Leeds
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cdstealer.com
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:cdstealer.com
Email Address []:

The openssl command I've used, generates a 4096bit encrypted cert (this is good) that is valid for 10 years. :)

Execute the following to remove unwanted access to the cert.

chmod 600 /etc/ssl/apache2/vsftp.pem

Add this section to your /etc/vsftpd/vsftpd.conf file.

##############
# Enable SSL #
##############
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
implicit_ssl=NO
ssl_ciphers=TLSv1.2+HIGH:TLSv1.3+HIGH:@STRENGTH:!eNULL:!aNULL
rsa_cert_file=/etc/letsencrypt/live/cdstealer.com/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/cdstealer.com/privkey.pem

Restart vsftpd to activate the new config.

Let's test and make sure everything is still working.

$ ftp cdstealer.com
Connected to cdstealer.com (<IP>).
220 (vsFTPd 3.0.2)
Name (cdstealer.com:user1): 
234 Proceed with negotiation.
[SSL Cipher AES128-SHA]
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

GREAT!  So now we have a secure FTP service running.

Extra Options:

##################
# Other Settings #
##################
dirlist_enable=YES
download_enable=YES
force_dot_files=NO
hide_ids=YES
max_clients=2
max_per_ip=2

#######################
# Passive Connections #
#######################
pasv_enable=YES
pasv_address=<domainname>
pasv_min_port=63899
pasv_max_port=63999
pasv_addr_resolve=YES

Virtual Users:

In the interest of security, I'm not comfortable having system user accounts, even though we have secured things with only specific users able to ftp.  I believe that standard ftp authentication does not support encryption for system users, but does for virtual users?

This is a little more involved than having standard system users :(

So, add the following to your /etc/vsftpd/vsftpd.conf file.

##################
## Virtual Users #
##################
virtual_use_local_privs=YES
pam_service_name=vsftpd
user_sub_token=$USER
local_root=/FTP/$USER
secure_chroot_dir=/var/run/vsftpd
guest_enable=YES
guest_username=ftp
user_config_dir=/etc/vsftpd/virtualUsers

Here we define that virtual users get the same permissions as the ftp system user, are unable to browse outside their directory, use a PAM database for credentials and define custom settings per user.

Create the PAM config.
vi /etc/pam.d/vsftpd
Populate with the following.
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/virtualUsers
account required /lib/security/pam_userdb.so db=/etc/vsftpd/virtualUsers
session required /lib/security/pam_loginuid.so

pam_userdb.so is part of pam, so nothing else to do.

Create user database.
cd /etc/vsftpd
vi virtualUsers.txt

The format of this file is:

username
password
username
password
<empty line>
Execute the following to create the database.
db5.3_load -T -t hash -f /etc/vsftpd/virtualUsers.txt /etc/vsftpd/virtualUsers.db
Update the permissions.
chmod 600 virtualUsers.txt virtualUsers.db

NOTE: You may notice that the file extension is missing from the path in /etc/pam.d/vsftpd.  This is intentional as PAM automatically adds the .db suffix.

You will need to add the users from the database to the access list file.

/etc/vsftpd/vsftpd.user_list

For your convenience, I've written a user management script, here :)

Define custom settings.

Create the directory which will store the configs.  We defined this earlier as user_config_dir=/etc/vsftpd/virtualUsers.

mkdir /etc/vsftpd/virtualUsers
Create a user config.
vi /etc/vsftpd/virtualUsers/user1

write_enable=NO
local_root=/FTP/user1
chroot_local_user=YES
dirlist_enable=YES
download_enable=YES

Here we set the users CHROOT directory, deny write permissions and allow downloading.  Options here (not all) override specific options defined in the main config.

RTFM

NOTES:

If you get the following when logging in or listing a directory, it maybe due to the user directory not existing or not having permission.

ssl_getc: SSL_read failed -1 = 0
421 Service not available, remote server has closed connection
Login failed.
No control connection for command: Success

The following error may occur on ftp clients with vsftpd 3.0.x:

500 OOPS: priv_sock_get_cmd

This is caused by seccomp filter sanboxing, which is enabled by default on amd64. To workaround this issue, disable seccomp filter sanboxing:

Add the following line to /etc/vsftpd/vsftpd.conf.

seccomp_sandbox=NO

Don't forget to restart vsftpd :)

Linux

Generate SSL Certificate Request.

Generate the RSA key

Run the following commands to create a directory in which to store your RSA key, substituting a directory name of your choice:

mkdir ~/domain.com.ssl/
cd ~/domain.com.ssl/

Run the following command to generate a private key:

openssl genrsa -out ~/domain.com.ssl/domain.com.key 2048

Create a CSR

Type the following command to create a CSR with the RSA private key (output is in PEM format):

openssl req -new -sha256 -key ~/domain.com.ssl/domain.com.key -out ~/domain.com.ssl/domain.com.csr

When prompted, enter the necessary information for creating a CSR by using the conventions shown in the following table.

Note: The following characters cannot be used in the Organization Name or theOrganizational Unit: < > ~ ! @ # $ % ^ * / \ ( ) ?.,&

DN field Explanation Example
Common Name The fully qualified domain name for your web server. This must be an exact match. If you intend to secure the URL https://www.yourdomain.com, then your CSR’s common name must be www.yourdomain.com. If you plan to get a wildcard certificate, make sure to prefix your domain name with an asterisk, for example: *.domain.com.
Organization Name The exact legal name of your organization. Do not abbreviate your organization name. domain.com
Organizational Unit Section of the organization. IT
City or Locality The city where your organization is legally located. Wellesley Hills
State or Province The state or province where your organization is legally located. Do not use an abbreviation. Massachusetts
Country The two-letter ISO abbreviation for your country. US

Warning: Leave the challenge password blank (press Enter).

Verify your CSR

Run the following command to verify your CSR:

openssl req -noout -text -in ~/domain.com.ssl/domain.com.csr

Submit your CSR

Submit the CSR that you created to a certificate authority.

Trouble Shooting:
A really cool list of commands you can run here