Setting up a secure FTP Server using SSL/TLS on Ubuntu

Satria Janaka
3 min read · Sep 28, 2021

SSL stands for Secure Sockets Layer. In short, it is the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is sent between two systems, preventing criminals from reading or modifying the information transferred. However, as Wikipedia notes, SSL is now deprecated and TLS is its successor. In this tutorial, we will make our FTP server more secure with SSL/TLS. To follow along, you need an FTP server (vsftpd) that has already been configured on Ubuntu 20.04.

1. Generating an SSL/TLS certificate for FTP on Ubuntu 20.04

Run the following command to generate an RSA private key together with a self-signed certificate (both are written to the same file):

$ sudo openssl req -x509 -nodes -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem -days 365 -newkey rsa:2048

The above command will prompt you to answer some questions. Enter the values that apply to your scenario.

2. Open ports 990 and 40000–50000 to allow TLS connections

Port 990 is the port used by implicit FTPS; the explicit TLS configuration below still uses the FTP control port 21 that the existing FTP setup already uses, so that port must stay open as well. The 40000–50000 range is for passive data connections and must match the passive port range configured in vsftpd later on.

$ sudo ufw allow 990/tcp
$ sudo ufw allow 40000:50000/tcp
$ sudo ufw status

3. Edit the vsftpd.conf file

$ sudo vi /etc/vsftpd.conf
or
$ sudo nano /etc/vsftpd.conf

Locate or add the following settings:

ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

We set ssl_enable to YES to activate SSL/TLS support. Enabling ssl_tlsv1 while setting ssl_sslv2 and ssl_sslv3 to NO restricts vsftpd to TLS and rejects the deprecated SSLv2 and SSLv3 protocols.

Then add the following lines to define the location of the SSL certificate and key file (here both live in the single .pem file generated in step 1):

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

To prevent anonymous users from using SSL, and to force all non-anonymous logins to use a secure SSL connection both for data transfer and for sending the password during login, we add the following lines:

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

The next option concerns SSL session reuse. With require_ssl_reuse=NO, SSL data connections are not required to reuse the TLS session of the control connection; this is a compatibility setting for clients that do not support session reuse, since with the default of YES their transfers would fail.

require_ssl_reuse=NO

To frustrate attackers who try to force the negotiation of a specific cipher in which they may have discovered vulnerabilities, restrict the allowed ciphers to the HIGH strength group with this line:

ssl_ciphers=HIGH

Then define the port range (min and max) for passive data connections. It must match the range opened in the firewall in step 2.

pasv_min_port=40000
pasv_max_port=50000

To enable SSL debugging, so that OpenSSL connection diagnostics are recorded in the vsftpd log file, we can add the debug_ssl=YES setting:

debug_ssl=YES

Save the changes and close the file. Then restart the vsftpd service:

$ sudo systemctl restart vsftpd
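Before restarting, it is worth checking that the file actually contains the settings from step 3 and that the passive port range is sane. The following script is an added example and is not part of the original article or of vsftpd; it works on any copy of the configuration file, so it can be run without root, and the sample configuration at the bottom is constructed to show two typical mistakes (a commented-out setting and SSLv3 left enabled).

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the TLS settings this tutorial sets.
# Usage: audit_vsftpd_tls /path/to/vsftpd.conf

# Print the value of key $2 in config file $1 (last occurrence wins),
# ignoring commented-out lines and surrounding whitespace.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 when every expected setting matches; otherwise print one line per
# mismatch and return 1. Also verifies pasv_min_port <= pasv_max_port.
audit_vsftpd_tls() {
    conf="$1"; rc=0
    for pair in ssl_enable=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO \
                allow_anon_ssl=NO force_local_data_ssl=YES \
                force_local_logins_ssl=YES ssl_ciphers=HIGH; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(conf_get "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', found '${got:-<unset>}'"; rc=1
        fi
    done
    min=$(conf_get "$conf" pasv_min_port); max=$(conf_get "$conf" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ] || [ "$min" -gt "$max" ]; then
        echo "pasv_min_port/pasv_max_port: invalid range '${min}-${max}'"; rc=1
    fi
    return $rc
}

# Constructed sample config (not a real server's file): force_local_logins_ssl
# is commented out and ssl_sslv3 is still YES, so the audit reports two issues.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
#force_local_logins_ssl=YES
ssl_ciphers=HIGH
pasv_min_port=40000
pasv_max_port=50000
EOF

if audit_vsftpd_tls "$SAMPLE_CONF"; then
    echo "vsftpd TLS settings OK"
else
    echo "vsftpd TLS settings need attention"
fi
```

Run it against /etc/vsftpd.conf (or a copy of it) instead of the sample file to check your own configuration.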

4. Verify FTP with SSL/TLS

Let's try to connect to the FTP server with the ftp command in the terminal:

$ ftp <your_ftp_ip_address>

The output shows an error message telling us that non-anonymous sessions must use encryption; in other words, users have to log in from clients that support encryption. So, to test the FTP server setup, we need an FTP client that supports TLS/SSL, such as FileZilla.

5. If you don't have FileZilla installed on your system, install it with this command:

$ sudo apt-get install filezilla

After FileZilla is installed, open Site Manager > New Site. Configure the new site with the following details, and fill the Host field with your FTP server's IP address.

After that, click OK. FileZilla now shows a pop-up window that displays the certificate information and asks you to trust the certificate and carry on connecting to the FTP server. Click OK. You should then see the FTP server's root directory.

Let's try to upload a file to the FTP folder. Right-click a file, then choose Upload.

If FileZilla shows the message above, our FTP server with TLS/SSL has been set up correctly.
