Configure FTPS (FTP over SSL) for vsftpd on Scientific Linux 6

UPDATE (2013-05-06) This how-to does NOT work for WordPress plugin update.


There are mainly three forms of FTP:

  • FTP (File Transfer Protocol) – the original protocol. Very widely used, but not encrypted. It is becoming more and more vulnerable.
  • SFTP (SSH FTP) – using SSH to carry FTP transfer. Commands are very similar to FTP, but it is implemented under SSH protocol. The transfer is encrypted just as other SSH applications.
  • FTPS (FTP Secure) – FTP over SSL or TLS. Basically it is still FTP, but utilizes TLS/SSL for better safty. Login/data can be either or both encrypted.

WordPress update supports only FTP and FTPS. If you are not going to install SFTP plugins, then either you would risk exposing your account username and password, or you need to configure FTPS for account safety.

I assume that you have already configured vsftpd for basic FTP on your server, then there is not much to modify.

First, generate SSL key and cert. Unlike previous tutorial, we generate a single .pem file which contains both key and cert this time.

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

Then modify vsftpd config file.
vim /etc/vsftpd/vsftpd.conf

# Enable SSL support
ssl_enable=YES
# Use implicit SSL. It uses less commands than explicit SSL, but uses an 
# alternative port.
implicit_ssl=YES
# If you use implicit SSL, you can designate port number. (Default=990)
listen_port=990
# Whether SSL session reuse is required for data connections. (Default=YES)
# Many FTP clients don't support this (e.g. FTP Rush), then set it to NO.
require_ssl_reuse=YES
# Whether anonymous users on SSL. (Default=NO)
allow_anon_ssl=NO
# Force local users to use SSL for transferring data. (Default=YES)
force_local_data_ssl=YES
# Force local users to use SSL for transferring password. (Default=YES)
force_local_logins_ssl=YES
# Define permitted protocols
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# The default SSL ciphers is DES-CBC3-SHA, but FileZilla regards it as 
# unsafe and rejects it. Therefore you should modify it.
ssl_ciphers=HIGH
# The path to cert file.
rsa_cert_file=/etc/vsftpd/vsftpd.pem
# Alternatively, you may use separate key and cert files.
#rsa_cert_file=/etc/pki/tls/certs/vsftpd.crt
#rsa_private_key_file=/etc/pki/tls/private/vsftpd.key

Finally, restart vsftpd.
service vsftpd restart

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.