Security
Difficulty: Intermediate

FTPS: Securing FTP Transfers with SSL/TLS

Detailed tutorial to install and configure FTPS (FTP over SSL/TLS) with vsftpd on Linux for secure file transfers.

FTPS vs SFTP: What's the difference?
Don't confuse FTPS (FTP Secure) with SFTP (SSH File Transfer Protocol).

  • FTPS is the classic FTP protocol to which an SSL/TLS encryption layer is added.
  • SFTP is a completely different file transfer protocol, which runs on top of SSH.

This tutorial covers FTPS.

Why use FTPS?

  • Encryption: Protects login credentials and transferred data against network eavesdropping.
  • Compliance: Required by many security standards (PCI-DSS, etc.) for transferring sensitive data.
  • Authentication: Uses SSL/TLS certificates to verify the server's identity.

Prerequisites

  • A Linux server (Ubuntu/Debian, CentOS/RHEL).
  • Root access or sudo privileges.
  • A firewall configured on the server.

Installing vsftpd

We will use vsftpd (Very Secure FTP Daemon), a popular and secure FTP server.

# On Debian / Ubuntu
sudo apt-get update
sudo apt-get install -y vsftpd

# On CentOS / RHEL
sudo yum install -y vsftpd

Configuring FTPS

Step 1: Create an SSL/TLS certificate

For encryption, we need a certificate. For a production environment, use a certificate from a certificate authority (such as Let's Encrypt). For this guide, we create a self-signed certificate valid for one year.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem

Fill in the requested information. For the "Common Name", you can use your server's domain name or its IP address.

Step 2: Configure vsftpd.conf

Back up the original configuration file and edit it.

sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.orig
sudo nano /etc/vsftpd.conf

Make sure your configuration looks like this, adapting it as needed:

# Disable anonymous connections
anonymous_enable=NO
# Allow local users to log in
local_enable=YES
# Allow write commands (upload, delete, etc.)
write_enable=YES
# Lock users into their home directory (chroot)
chroot_local_user=YES
# Allow the chroot directory to be writable (recent versions refuse the login otherwise)
allow_writeable_chroot=YES

# --- FTPS configuration ---
# Enable SSL
ssl_enable=YES

# Force clients to use SSL for data transfer and login
force_local_data_ssl=YES
force_local_logins_ssl=YES

# Use secure TLS versions
ssl_tlsv1_2=YES
ssl_sslv3=NO
ssl_sslv2=NO

# Paths to the certificate and the private key created in Step 1 (two separate files)
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

# --- Passive mode configuration ---
# Passive mode is needed to get through firewalls and NAT
pasv_enable=YES
# Specify a port range for passive connections
pasv_min_port=30000
pasv_max_port=31000
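
A pre-restart audit of the settings above, as an added example that is not part of the original tutorial or of vsftpd. The function names (conf_get, audit_vsftpd_conf, write_sample) are hypothetical, and the script assumes GNU stat and that the last occurrence of a directive wins.

```shell
# Added example (not from the tutorial): audit vsftpd.conf for the FTPS settings above.
# Value of directive $2 in file $1 (assumption: the last occurrence wins).
conf_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Print one FAIL line per finding; return 0 only when there are none.
audit_vsftpd_conf() {
    conf=$1 rc=0
    # Policy of this sketch: each setting must be explicit, not a build default.
    for want in anonymous_enable=NO ssl_enable=YES force_local_logins_ssl=YES \
                force_local_data_ssl=YES ssl_sslv2=NO ssl_sslv3=NO pasv_enable=YES; do
        got=$(conf_get "$conf" "${want%%=*}")
        [ "$got" = "${want#*=}" ] ||
            { echo "FAIL ${want%%=*}=${got:-<unset>}, expected ${want#*=}"; rc=1; }
    done
    # vsftpd.conf(5): whitespace between option, '=' and value is an error.
    bad=$(grep -nE '^[a-z0-9_]+([[:space:]]+=|=[[:space:]])' "$conf" | cut -d: -f1 | tr '\n' ' ')
    [ -z "$bad" ] || { echo "FAIL whitespace around '=' on line(s): $bad"; rc=1; }
    # The passive range must be explicit so the firewall rule from Step 3 matches it.
    min=$(conf_get "$conf" pasv_min_port); max=$(conf_get "$conf" pasv_max_port)
    case "$min$max" in
        ''|*[!0-9]*) echo "FAIL passive port range missing or not numeric"; rc=1 ;;
        *) [ -n "$min" ] && [ -n "$max" ] && [ "$min" -le "$max" ] ||
               { echo "FAIL passive port range invalid: $min-$max"; rc=1; } ;;
    esac
    # The private key must exist and be inaccessible to group and others.
    key=$(conf_get "$conf" rsa_private_key_file)
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo "FAIL rsa_private_key_file missing: ${key:-<unset>}"; rc=1
    else
        case $(stat -c %a "$key") in            # GNU stat (Linux, as in this guide)
            *00) ;;
            *) echo "FAIL $key is accessible to group or others"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed sample: the Step 2 settings, but with logins left unencrypted.
write_sample() {  # $1 = config path, $2 = key path
    printf '%s\n' anonymous_enable=NO ssl_enable=YES force_local_data_ssl=YES \
        force_local_logins_ssl=NO ssl_sslv2=NO ssl_sslv3=NO "rsa_private_key_file=$2" \
        pasv_enable=YES pasv_min_port=30000 pasv_max_port=31000 > "$1"
}

demo=$(mktemp); demo_key=$(mktemp)              # mktemp creates mode-600 files
write_sample "$demo" "$demo_key"
audit_vsftpd_conf "$demo" || echo "audit found problems in $demo"
rm -f "$demo" "$demo_key"
```

Against the real server, call audit_vsftpd_conf /etc/vsftpd.conf as root (the key file is not readable otherwise) before the restart in Step 4.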

Step 3: Configure the firewall

You need to open the ports for FTP control and for the passive port range you defined.

# For UFW (Ubuntu/Debian)
sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow 30000:31000/tcp
sudo ufw status

# For firewalld (CentOS/RHEL)
sudo firewall-cmd --permanent --add-service=ftp
sudo firewall-cmd --permanent --add-port=30000-31000/tcp
sudo firewall-cmd --reload

Step 4: Restart the service

sudo systemctl restart vsftpd
FTPS server ready!
Your server is now configured to accept secure FTPS connections.

Create an FTP user

Create a standard system user. They will automatically be an FTP user.

sudo adduser my_ftp_user
# Follow the instructions to set a password

This user will be confined to their /home/my_ftp_user directory upon connection.

Testing the connection

Use a modern FTP client like FileZilla or WinSCP.

  • Protocol: FTP
  • Host: your server's IP address
  • Encryption: Require explicit FTP over TLS (or "FTPES")
  • Username / Password: Those of the user you just created.

Since you are using a self-signed certificate, the client will display a security warning. This is normal. Accept the certificate to continue.

Troubleshooting
If the connection fails, the most common issues are:

  1. The firewall is blocking the ports (especially the passive range).
  2. A permissions issue on the certificate files.
  3. A syntax error in `vsftpd.conf`.

Check the `vsftpd` logs (often in /var/log/vsftpd.log) and the authentication logs (/var/log/auth.log or /var/log/secure).

Conclusion

Setting up an FTPS server with `vsftpd` is a crucial step in securing file transfers. By enforcing SSL/TLS encryption, you ensure that your users' data and credentials are protected. The configuration is relatively simple and considerably increases the security level compared to a standard FTP server.

Written by

Morgann Riu

Cybersecurity and Linux administration expert. I share my knowledge through free tutorials and training to help system administrators and developers secure their infrastructures.
