[HowTo] VSFTPD enable SSL/TLS
Here is a short how-to for enabling SSL support for VSFTPD.
1) Add the following to the end of vsftpd.conf:
Code: Select all
#SSL
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
ssl_ciphers=HIGH
rsa_cert_file=/usr/local/vesta/ssl/certificate.crt
rsa_private_key_file=/usr/local/vesta/ssl/certificate.key
2) Restart the vsftpd service
Code: Select all
service vsftpd restart
Re: [HowTo] VSFTPD enable SSL/TLS
Thanks for sharing, will help somebody :)
-
- Posts: 37
- Joined: Tue Mar 06, 2018 8:38 am
- Os: Debian 8x
- Web: apache
Re: [HowTo] VSFTPD enable SSL/TLS
Having an issue with setting this up; after adding the details to the vsftpd config it won't restart?
Code: Select all
systemctl status vsftpd
● vsftpd.service - vsftpd FTP server
Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2020-02-25 10:12:49 GMT; 3s ago
Process: 31362 ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf (code=exited, status=2)
Process: 31360 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
Main PID: 31362 (code=exited, status=2)
Feb 25 10:12:49 server.domain.com systemd[1]: Starting vsftpd FTP server...
Feb 25 10:12:49 server.domain.com systemd[1]: Started vsftpd FTP server.
Feb 25 10:12:49 server.domain.com systemd[1]: vsftpd.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Feb 25 10:12:49 server.domain.com systemd[1]: vsftpd.service: Unit entered failed state.
Feb 25 10:12:49 server.domain.com systemd[1]: vsftpd.service: Failed with result 'exit-code'.
As you can see the SSL cert is owned by mail, could this be an issue?
Code: Select all
# ls -l /usr/local/vesta/ssl/
total 8
-rw-rw---- 1 Debian-exim mail 3948 Feb 8 01:34 certificate.crt
-rw-rw---- 1 Debian-exim mail 3243 Feb 8 01:34 certificate.key
Code: Select all
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
utf8_filesystem=YES
connect_from_port_20=YES
pasv_enable=YES
pasv_addr_resolve=YES
#pasv_address=192.168.1.108
pasv_max_port=12100
pasv_min_port=12000
#SSL
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
ssl_ciphers=HIGH
rsa_cert_file=/usr/local/vesta/ssl/certificate.crt
rsa_private_key_file=/usr/local/vesta/ssl/certificate.key
Thanks
-
- Posts: 37
- Joined: Tue Mar 06, 2018 8:38 am
- Os: Debian 8x
- Web: apache
Re: [HowTo] VSFTPD enable SSL/TLS
Ok, it seems that the vsftpd server will only restart when I disable:
Code: Select all
#ssl_tlsv1_1=YES
#ssl_tlsv1_2=YES
This regardless of whether SSL is enabled or not?
thanks
-
- Posts: 37
- Joined: Tue Mar 06, 2018 8:38 am
- Os: Debian 8x
- Web: apache
Re: [HowTo] VSFTPD enable SSL/TLS
After some digging, as I had this issue, I found that in Debian 9 using vsftpd 3.0.3-8+b1 the following settings are redundant; they are part of a RHEL patch which does not work in the Debian version.
Code: Select all
#ssl_tlsv1_1=YES
#ssl_tlsv1_2=YES
If you remove them and set the following, vsftpd will restart.
Code: Select all
#Options: SSLv3, TLSv1.0, TLSv1.2, HIGH (see man ciphers)
ssl_ciphers=TLSv1.2
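As an added example (not code from the thread or from vsftpd), a small Python audit script that applies the checks implied by the first post's SSL block and by the Debian 9 finding above: legacy protocols explicitly off, TLS forced for logins and data, and the ssl_tlsv1_1/ssl_tlsv1_2 options that Debian's vsftpd 3.0.3 rejects flagged so the daemon does not die with status 2; it also lists the ports a firewall must allow. The sample config is constructed.

```python
import re
# The thread reports Debian 9's vsftpd 3.0.3-8+b1 rejects these (RHEL-patch-only) options;
# an unrecognised option makes vsftpd exit with status 2, as in the systemctl output above.
PATCH_ONLY = ("ssl_tlsv1_1", "ssl_tlsv1_2")
LEGACY = ("ssl_sslv2", "ssl_sslv3", "ssl_tlsv1")                 # must be explicitly NO
MUST_BE_YES = ("force_local_logins_ssl", "force_local_data_ssl", "require_ssl_reuse")

SAMPLE_CONF = """# constructed sample mirroring the Debian 9 config posted in the thread
pasv_min_port=12000
pasv_max_port=12100
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
"""

def parse_vsftpd_conf(text):
    """{option: value}; comments and blank lines skipped, a repeated option keeps its last value."""
    conf = {}
    for line in text.splitlines():
        m = re.fullmatch(r"([A-Za-z0-9_]+)=(.*)", line.strip())
        if m and not line.lstrip().startswith("#"):
            conf[m.group(1)] = m.group(2)
    return conf

def audit_tls(conf, debian_3_0_3=True):
    """Return a list of findings; an empty list means nothing was detected."""
    if conf.get("ssl_enable") != "YES":
        return ["ssl_enable=YES missing: logins and data are sent in cleartext"]
    findings = [f"{o} is not explicitly NO" for o in LEGACY if conf.get(o) != "NO"]
    findings += [f"{o} is not YES: clients may fall back to plaintext"
                 for o in MUST_BE_YES if conf.get(o) != "YES"]
    if debian_3_0_3:
        findings += [f"{o} is unrecognised by Debian's vsftpd 3.0.3: drop it and restrict "
                     "suites with ssl_ciphers instead" for o in PATCH_ONLY if o in conf]
    return findings

def firewall_ports(conf):
    """Control port (listen_port, default 21) plus the passive data range, if configured."""
    ports = [int(conf.get("listen_port", "21"))]
    if "pasv_min_port" in conf and "pasv_max_port" in conf:
        ports.append((int(conf["pasv_min_port"]), int(conf["pasv_max_port"])))
    return ports
```

Run `audit_tls(parse_vsftpd_conf(open("/etc/vsftpd.conf").read()))` against a real config; pass `debian_3_0_3=False` on a build that carries the RHEL patch.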
-
- Posts: 3
- Joined: Tue Mar 10, 2020 3:32 pm
- Os: Ubuntu 16x
- Web: nginx + php-fpm
Re: [HowTo] VSFTPD enable SSL/TLS
Here's my settings for ProFTPd as well if you want.
Code: Select all
ServerName "FTP"
ServerIdent on "FTP Server ready."
ServerAdmin root@localhost
DefaultServer on
DefaultRoot ~ !adm
<IfModule mod_vroot.c>
VRootEngine on
VRootAlias /etc/security/pam_env.conf etc/security/pam_env.conf
</IfModule>
AuthPAMConfig proftpd
AuthOrder mod_auth_pam.c* mod_auth_unix.c
UseReverseDNS off
User proftpd
Group nogroup
MaxInstances 20
UseSendfile off
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
ListOptions -a
RequireValidShell off
PassivePorts 48900 48939
<Global>
Umask 002
IdentLookups off
AllowOverwrite yes
<Limit ALL SITE_CHMOD>
AllowAll
</Limit>
</Global>
(Note: I went with ProFTPd over vsFTPd because no amount of fiddling I did allowed vsFTPd to work with my AWS installation, so I was forced into ProFTPd; I hope that bit of info will help out anyone attempting to install this on AWS who wants to avoid hours of headaches.)
Here are my open ports (INBOUND) as well (system wide). If on AWS and the servers are running firewalls, be sure to enable the following ports.
5405
80 - WEB
8083 - VestaCP WebUI
873 --
1024-1048
3306 - MySQL
443 - HTTPS
48900-48939 - Needed for Passive FTP
20-22 - FTP Client
Re: [HowTo] VSFTPD enable SSL/TLS
Good morning, I have the solution to the problem of the connection with TLS in vsftpd.
Just add a directive in the vsftpd configuration file
nano /etc/vsftpd.conf
and add the following line. We will connect through port 1000 for example ...
Code: Select all
listen_port=1000
and we restart the server:
service vsftpd restart
then we configure the firewall to accept port 1000 ftp
ACCEPT TCP/ FTP 1000,21,12000-12100 0.0.0.0/0
then in filezilla do not forget to make the connection through port 1000 or whichever you choose.
This is the key to the solution:
listen_port=1000
No other modification is necessary, just add the directive:
listen_port = port number you want ...
Any problem, leave a comment and I'll help you ....
Last edited by Lucario76 on Sun Feb 07, 2021 4:58 pm, edited 3 times in total.
Re: [HowTo] VSFTPD enable SSL/TLS
Hi! I had a problem connecting, getting the error "SSL_accept: failed" in the log file and nothing else. I was narrowing down to a firewall thing, then I found your comment.
I added the "listen_port" directive and now it works! :)
Thanks, Lucario76!!