FTP Server needed to be secure (at least SSL 128) and was running on Ubuntu 10.04.1 x32. FTP client was required to be platform independent but needed to be tested on Windows 7 and Windows XP. I decided to use Filezilla for various reasons.<\/p>\n
The easiest step was setting up the FTP server on the Ubuntu box. I followed along a bit on “Mike’s” blog (http:\/\/beginlinux.com\/blog\/2009\/10\/ubuntu-9-10-secure-ftp-with-ssl\/). I was logged in as root to avoid all those sudo’s.<\/p>\n
Update the system and install VSFTPD:<\/strong> Edit the VSDTPD configuration:<\/strong> # Example config file \/etc\/vsftpd.conf ## Permissions ## SSL Certificate Configuration ## Force encrypted login\/passwords Create the self-signed SSL certificate.<\/strong> I’m assuming you’re like me and don’t have a budget for miscellaneous SSL certificates. Restart the VSFTPD server:<\/strong> Open ports on your firewall\/router\/gateway.<\/strong> Obviously change these to whatever you require and have in your conf file. Connect using FileZilla:<\/strong> PS, this was done on a fresh install of ubuntu with SSH and LAMP installed.<\/p>\n ***EDIT*** No SSL session reuse on data channel<\/p><\/blockquote>\n I added “require_ssl_reuse=NO” to the vsconfig<\/p>\n Now I’m getting:<\/p>\n Connection terminated without SSL shutdown – buggy client?<\/p><\/blockquote>\n If you’re receiving complaints that some cannot perform a directory listing, or you dislike having the following errors in your logs: Edited to include pasv issue, remove sslv2, change the cert to 2048bit and valid for 2 years.<\/p>\n","protected":false},"excerpt":{"rendered":" FTP Server needed to be secure (at least SSL 128) and was running on Ubuntu 10.04.1 x32. FTP client was required to be platform independent but needed to be tested on Windows 7 and Windows XP. I decided to use Filezilla for various reasons. The easiest step was setting up the FTP server on the … Continue reading VSFTP SSL and Filezilla<\/span>
\napt-get update<\/code>
\napt-get upgrade<\/code>
\napt-get install vsftpd<\/code><\/p>\n
\nnano \/etc\/vsftpd.conf<\/code><\/p>\n
\n## Base Configuration
\nlisten=YES
\n#listen_ipv6=YES
\n#anonymous_enable=YES
\nlocal_enable=YES
\nwrite_enable=YES
\n#local_umask=022
\n#anon_upload_enable=YES
\n#anon_mkdir_write_enable=YES
\ndirmessage_enable=YES
\nuse_localtime=YES
\nxferlog_enable=YES
\nconnect_from_port_20=YES<\/p>\n
\n#chown_uploads=YES
\n#chown_username=whoever
\nchroot_local_user=YES
\nchroot_list_enable=NO
\nsecure_chroot_dir=\/var\/run\/vsftpd\/empty
\npam_service_name=vsftpd<\/p>\n
\n#implicit_ssl=YES
\nssl_enable=YES
\nrsa_cert_file=\/etc\/ssl\/certs\/vsftpd.pem
\nrsa_private_key_file=\/etc\/ssl\/certs\/vsftpd.pem
\nallow_anon_ssl=NO
\nssl_tlsv1=YES
\n#ssl_sslv2=YES
\nssl_ciphers=HIGH
\nssl_sslv3=YES
\nrequire_ssl_reuse=NO<\/p>\n
\nforce_local_data_ssl=YES
\nforce_local_logins_ssl=YES
\nlisten_port=990
\nforce_dot_files=NO
\ntcp_wrappers=NO
\n#listen_address=
\n#hide_file=
\n#anon_max_rate=
\n#local_max_rate=
\npasv_min_port=6000
\npasv_max_port=6500
\n#pasv_address=IPOFSERVER\n<\/p><\/blockquote>\nSave and exit.<\/code><\/p>\n
\nopenssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout \/etc\/ssl\/certs\/vsftpd.pem -out \/etc\/ssl\/certs\/vsftpd.pem<\/code>
\nEnter your information when prompted.<\/p>\n
\n\/etc\/init.d\/vsftpd restart<\/p>\n
\nTCP 20-21 (data and login)<\/code>
\nTCP 6000-6500 (PASV ports)<\/code><\/p>\n
\nUsing the SiteManager (quick connect won’t work in this case), enter in the following:
\nHost - your IP address of the server (you can use the local IP for testing functionality of the server, but use the public IP for testing the firewall rules)<\/code>
\nPort - 990<\/code>
\nServer type - FTPES (FTP over explicit TLS\/SSL)<\/code>
\nLogon Type - Normal<\/code>
\nUser - username on the system<\/code>
\nPassword - password for that user<\/code>
\nClick connect! Everything should work.<\/p>\n
\nI was looking through the logs (\/var\/log\/vsftpd.log) and watching connections:
\nwatch cat \/var\/log\/vsftpd.log<\/code>
\nWhen I noticed the following:<\/p>\nnano \/etc\/vsftp.conf<\/code>
\nrequire_ssl_reuse=NO<\/code>
\nSave and exit
\n\/etc\/init.d\/vsftpd restart<\/code><\/p><\/blockquote>\n
\nServer sent passive reply with unroutable address. Using server address instead.<\/code>
\nGnuTLS error -53: Error in the push function.<\/code>
\nAdd the following to your NAT’d device (ie firewall\/router):
\nnano \/etc\/vsftpd.conf<\/code>
\npasv_address=IPADDRESSOFYOUREXTERNALNAT<\/code>
\nSave and restart the vsftp server
\n\/etc\/init.d\/vsftpd restart<\/code><\/p>\n