[HowTo] VSFTPD enable SSL/TLS

Posted: Tue Apr 09, 2019 9:39 pm
by dreiggy
Here is a short how-to for enabling SSL support for VSFTPD.

1) At the end of vsftpd.conf add:

Code:
#SSL
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
ssl_ciphers=HIGH
rsa_cert_file=/usr/local/vesta/ssl/certificate.crt
rsa_private_key_file=/usr/local/vesta/ssl/certificate.key

2) Restart the vsftpd service:

Code:
service vsftpd restart

Re: [HowTo] VSFTPD enable SSL/TLS

Posted: Tue Jul 16, 2019 5:07 pm
by skamasle
Thanks for sharing, it will help somebody :)

Re: [HowTo] VSFTPD enable SSL/TLS

Posted: Tue Feb 25, 2020 10:23 am
by Bubblecatcher
Having an issue with setting this up; after adding the details to the vsftpd config it won't restart.

Code:
 systemctl status vsftpd
● vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2020-02-25 10:12:49 GMT; 3s ago
  Process: 31362 ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf (code=exited, status=2)
  Process: 31360 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
 Main PID: 31362 (code=exited, status=2)

Feb 25 10:12:49 server.domain.com systemd[1]: Starting vsftpd FTP server...
Feb 25 10:12:49 server.domain.com systemd[1]: Started vsftpd FTP server.
Feb 25 10:12:49 server.domain.com systemd[1]: vsftpd.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Feb 25 10:12:49 server.domain.com systemd[1]: vsftpd.service: Unit entered failed state.
Feb 25 10:12:49 server.domain.com systemd[1]: vsftpd.service: Failed with result 'exit-code'.

Code:
# ls -l /usr/local/vesta/ssl/
total 8
-rw-rw---- 1 Debian-exim mail 3948 Feb  8 01:34 certificate.crt
-rw-rw---- 1 Debian-exim mail 3243 Feb  8 01:34 certificate.key

As you can see the SSL cert is owned by mail; could this be an issue?

Thanks

Code:
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
utf8_filesystem=YES
connect_from_port_20=YES
pasv_enable=YES
pasv_addr_resolve=YES
#pasv_address=192.168.1.108
pasv_max_port=12100
pasv_min_port=12000
#SSL
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
ssl_ciphers=HIGH
rsa_cert_file=/usr/local/vesta/ssl/certificate.crt
rsa_private_key_file=/usr/local/vesta/ssl/certificate.key

Re: [HowTo] VSFTPD enable SSL/TLS

Posted: Tue Feb 25, 2020 10:32 am
by Bubblecatcher
Ok, it seems that the vsftpd server will only restart when I disable:

Code:
#ssl_tlsv1_1=YES
#ssl_tlsv1_2=YES

Is this regardless of whether SSL is enabled or not?

thanks

Re: [HowTo] VSFTPD enable SSL/TLS

Posted: Tue Feb 25, 2020 10:49 am
by Bubblecatcher
After some digging, as I had this issue, I found that in Debian 9 using vsftpd 3.0.3-8+b1 the following settings are redundant; they are part of a RHEL patch which does not work in the Debian version.

Code:
#ssl_tlsv1_1=YES
#ssl_tlsv1_2=YES

If you remove them and set the following, vsftpd will restart.

Code:
#Options: SSLv3, TLSv1.0, TLSv1.2, HIGH (see man ciphers)
ssl_ciphers=TLSv1.2
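
As an added example (not dreiggy's or Bubblecatcher's code, and not part of vsftpd), the Python below parses a vsftpd.conf and reports the things this thread ran into: the ssl_tlsv1_1/ssl_tlsv1_2 directives that the Debian 9 build rejects, duplicated keys, and any TLS directive set weaker than the values in the first post. The list of rejected directives is taken from this thread rather than from vsftpd's documentation, and the sample configs are constructed from the posts above.

```python
"""Audit a vsftpd.conf for the explicit-FTPS settings used in this thread.

Added example, not part of the original posts. It flags: directives the thread
reports as unrecognised by Debian 9's vsftpd 3.0.3-8+b1 (which make the
service exit with status 2), duplicated directives, and TLS settings weaker
than the first post's recommended values.
"""

# Directives the thread says come from the RHEL patch set and are rejected by
# the Debian 9 build (list taken from the thread, not from vsftpd's manual).
DEBIAN_UNSUPPORTED = {"ssl_tlsv1_1", "ssl_tlsv1_2"}

# The hardened values from the first post; anything else is reported.
EXPECTED = {
    "ssl_enable": "YES",
    "allow_anon_ssl": "NO",
    "force_local_data_ssl": "YES",
    "force_local_logins_ssl": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "ssl_tlsv1": "NO",
    "require_ssl_reuse": "YES",
}
REQUIRED_FILES = ("rsa_cert_file", "rsa_private_key_file")


def parse_vsftpd_conf(text):
    """Return (settings, duplicates) for a vsftpd.conf body.

    vsftpd uses one key=value per line and '#' for comments; when a key is
    repeated the last value wins, which is why duplicates are worth reporting.
    """
    settings, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in settings:
            duplicates.append(key)
        settings[key] = value
    return settings, duplicates


def audit(text, debian_build=True):
    """Return a list of findings; an empty list means the config matches the
    thread's hardened setup. debian_build=True applies the Debian 9 caveat."""
    settings, duplicates = parse_vsftpd_conf(text)
    findings = [f"duplicate directive: {k}" for k in duplicates]
    if debian_build:
        for key in sorted(DEBIAN_UNSUPPORTED & set(settings)):
            findings.append(
                f"unsupported directive on this build, vsftpd will not start: {key}"
            )
    if settings.get("ssl_enable", "NO").upper() != "YES":
        findings.append("ssl_enable is not YES: logins and data travel in plaintext")
        return findings
    for key, want in EXPECTED.items():
        have = settings.get(key)
        if have is None:
            findings.append(f"{key} not set explicitly (vsftpd default applies)")
        elif have.upper() != want:
            findings.append(f"{key}={have}, expected {want}")
    for key in REQUIRED_FILES:
        if key not in settings:
            findings.append(f"{key} not set")
    if "ssl_ciphers" not in settings:
        findings.append("ssl_ciphers not set (vsftpd default cipher list applies)")
    return findings


# Constructed sample: the first post's block as-is (fails on the Debian build).
FIRST_POST = """\
#SSL
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
ssl_ciphers=HIGH
rsa_cert_file=/usr/local/vesta/ssl/certificate.crt
rsa_private_key_file=/usr/local/vesta/ssl/certificate.key
"""

# Constructed sample: the Debian variant described later in the thread.
DEBIAN_FIXED = FIRST_POST.replace("ssl_tlsv1_1=YES\nssl_tlsv1_2=YES\n", "").replace(
    "ssl_ciphers=HIGH", "ssl_ciphers=TLSv1.2"
)

if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else FIRST_POST
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

Run it as `python audit_vsftpd.py /etc/vsftpd.conf` before restarting the service; on a build that carries the RHEL patch call `audit(text, debian_build=False)` instead. An empty result means the file matches the hardened settings from the first post, and catching a rejected directive here avoids the status=2 failure shown earlier, which otherwise leaves FTP down until the offending line is found.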

Re: [HowTo] VSFTPD enable SSL/TLS

Posted: Tue Mar 10, 2020 3:49 pm
by therealalzeric1
Here are my settings for ProFTPd as well, if you want.

ServerName "FTP"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
DefaultServer on
DefaultRoot ~ !adm

<IfModule mod_vroot.c>
VRootEngine on
VRootAlias /etc/security/pam_env.conf etc/security/pam_env.conf
</IfModule>

AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
UseReverseDNS off
User proftpd
Group nogroup
MaxInstances 20
UseSendfile off
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
ListOptions -a
RequireValidShell off
PassivePorts 48900 48939

<Global>
Umask 002
IdentLookups off
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
</Global>

If on AWS with servers running firewalls, be sure to enable the following ports.
(Note: I went with ProFTPd over vsFTPd because no amount of fiddling I did allowed vsFTPd to work with my AWS installation, so I was forced into ProFTPd; I hope that bit of info will help anyone attempting to install this on AWS who wants to avoid hours of headaches.)
Here are my open ports (INBOUND) as well (system-wide):
5405
80 - WEB
8083 - VestaCP WebUI
873 --
1024-1048
3306 - MySQL
443 - HTTPS
48900-48939 - Needed for Passive FTP
20-22 - FTP Client

Re: [HowTo] VSFTPD enable SSL/TLS

Posted: Wed Apr 15, 2020 1:29 pm
by Lucario76
Good morning, I have the solution to the problem of the connection with TLS in vsftpd.
Just add a directive to the vsftp configuration file
nano /etc/vsftp.conf
and add the following line:

We will connect through port 1000, for example ...

Code:
listen_port=1000

and we restart the server:

service vsftpd restart

then we configure the firewall to accept port 1000 for FTP

ACCEPT TCP/ FTP 1000,21,12000-12100 0.0.0.0/0

then in FileZilla do not forget to make the connection through port 1000, or whichever you choose

This is the key to the solution

listen_port=1000

No modification is necessary, just add the directive:

listen_port = port number you want ...

Any problem, leave a comment and I will help you ....
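
As an added example (not Lucario76's code and not part of vsftpd), the Python below derives the TCP ports a vsftpd.conf implies for a firewall rule like the ACCEPT line above (listen_port plus the pinned pasv range) and then probes the explicit-FTPS endpoint with the standard-library ftplib.FTP_TLS client, verifying the server certificate and refusing anything below TLS 1.2. A handshake the server cannot complete surfaces on the client as ssl.SSLError at auth(). The sample config is constructed; host, port and credentials for the probe are command-line placeholders.

```python
"""Firewall openings implied by a vsftpd.conf, plus an explicit-FTPS probe.

Added example, not code from the thread. The config text is constructed;
host/port for the probe come from the command line.
"""
import ftplib
import ssl
import sys


def vsftpd_settings(text):
    """Minimal key=value reader for vsftpd.conf ('#' comments, last value wins)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def required_tcp_ports(text):
    """Return (control_port, passive_range).

    control_port is listen_port, or 21 when unset. passive_range is
    (pasv_min_port, pasv_max_port) when the range is pinned, else None, which
    means passive data connections would land on an unpredictable port that a
    firewall cannot sensibly open. (Assumes vsftpd's default pasv_enable=YES.)
    """
    s = vsftpd_settings(text)
    control = int(s.get("listen_port", "21"))
    passive = None
    if s.get("pasv_enable", "YES").upper() == "YES" and {"pasv_min_port", "pasv_max_port"} <= set(s):
        passive = (int(s["pasv_min_port"]), int(s["pasv_max_port"]))
    return control, passive


def firewall_spec(text):
    """Render the port list in the 'port,min-max' shape used by the rule above."""
    control, passive = required_tcp_ports(text)
    parts = [str(control)]
    if passive:
        parts.append(f"{passive[0]}-{passive[1]}")
    return ",".join(parts)


def tls_client_context():
    """Client context that verifies the server certificate and refuses < TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_explicit_ftps(host, port, user=None, password=None, timeout=10):
    """AUTH TLS on the control channel, PROT P for data, optional login.

    A server whose certificate/key cannot be loaded, or that only offers
    protocol versions this client refuses, fails inside auth() with
    ssl.SSLError; on the server side that is the 'SSL_accept: failed' entry.
    """
    ftp = ftplib.FTP_TLS(context=tls_client_context(), timeout=timeout)
    ftp.connect(host, port)
    ftp.auth()    # upgrade the control connection to TLS
    ftp.prot_p()  # require TLS on data connections too
    info = {"tls_version": ftp.sock.version(), "cipher": ftp.sock.cipher()[0]}
    if user is not None:
        ftp.login(user, password)  # credentials now travel inside TLS
        info["login"] = "ok"
    ftp.quit()
    return info


# Constructed sample: the passive range from the thread plus listen_port=1000.
SAMPLE_CONF = """\
listen=NO
listen_ipv6=YES
listen_port=1000
pasv_enable=YES
pasv_min_port=12000
pasv_max_port=12100
ssl_enable=YES
"""

if __name__ == "__main__":
    print("open TCP:", firewall_spec(SAMPLE_CONF))
    if len(sys.argv) >= 3:  # usage: script.py HOST PORT [USER PASSWORD]
        print(probe_explicit_ftps(sys.argv[1], int(sys.argv[2]), *sys.argv[3:5]))
```

Running the probe against the server after the restart confirms that AUTH TLS, PROT P and the login all succeed from the outside, which separates a firewall problem (connect() times out) from a TLS problem (auth() raises). Without a pinned pasv_min_port/pasv_max_port the data connection would use an arbitrary port, so the function reports None rather than guessing a range.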

Re: [HowTo] VSFTPD enable SSL/TLS

Posted: Mon Aug 17, 2020 9:51 am
by aula2030
Hi! I had a problem connecting, getting the error "SSL_accept: failed" in the log file and nothing else. I was narrowing it down to a firewall thing, then I found your comment.

I added the "listen_port" directive and now it works! :)

Thanks, Lucario76!!