
Linux vsftpd and SSL/TLS Encryption: How to Improve Transfer Security

小樊
2025-10-15 23:28:03
Column: Cloud Computing

How to Enhance Transfer Security for vsftpd with SSL/TLS on Linux

1. Install vsftpd and Obtain an SSL Certificate

First, install vsftpd (the "very secure FTP daemon") using your package manager. For Debian/Ubuntu:

sudo apt update && sudo apt install vsftpd

For CentOS/RHEL:

sudo yum install vsftpd

Next, generate an SSL certificate and private key. You can use a self-signed certificate (for testing) or obtain one from a trusted Certificate Authority (CA) like Let’s Encrypt (for production). To generate a self-signed certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.key -out /etc/ssl/certs/vsftpd.pem

Follow the prompts to enter details (country, organization, etc.). For a Let’s Encrypt certificate:

sudo apt install certbot python3-certbot-nginx  # Debian/Ubuntu
sudo certbot --nginx -d yourdomain.com         # Replace with your domain

2. Configure vsftpd to Enable SSL/TLS

Edit the vsftpd configuration file (/etc/vsftpd.conf) to enable SSL/TLS and enforce secure settings. Add or modify the following:

ssl_enable=YES                  # Enable SSL/TLS
force_local_data_ssl=YES        # Force SSL for data connections (e.g., file transfers)
force_local_logins_ssl=YES      # Force SSL for login credentials
ssl_tlsv1=YES                   # Permit TLSv1 connections (SSLv2/SSLv3 are disabled below)
ssl_sslv2=NO                    # Disable SSLv2 (insecure)
ssl_sslv3=NO                    # Disable SSLv3 (insecure)
ssl_ciphers=HIGH:!aNULL:!MD5    # Use strong encryption ciphers (exclude weak ones like MD5)
rsa_cert_file=/etc/ssl/certs/vsftpd.pem  # Path to SSL certificate
rsa_private_key_file=/etc/ssl/private/vsftpd.key  # Path to private key
allow_anon_ssl=NO               # Disable SSL for anonymous users (recommended)

Save the file and exit. These settings ensure all connections (login and data) are encrypted using modern protocols and ciphers.
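As an added example (not code from the original post), here is a POSIX shell audit that reads a vsftpd.conf and flags every setting that is missing or weaker than the values listed in this section. The two sample config files it builds are constructed for the demonstration; the hardened one mirrors the listing above.

```shell
#!/bin/sh
# Added example (not from the original post): audit vsftpd.conf for the SSL/TLS
# settings of section 2. The sample configs below are constructed for a stand-alone run.

# Effective value of KEY ($2) in FILE ($1): last uncommented "key=value" wins,
# inline comments and surrounding whitespace stripped; a missing key gives "".
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one "key=actual (want X)" line per missing or weak setting and return the
# finding count (0 = matches the checklist). Settings must be written explicitly.
vsftpd_audit() {
    findings=0
    for pair in ssl_enable=YES force_local_data_ssl=YES force_local_logins_ssl=YES \
                ssl_sslv2=NO ssl_sslv3=NO allow_anon_ssl=NO; do
        key=${pair%%=*}; want=${pair#*=}; have=$(vsftpd_get "$1" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key=${have:-<unset>} (want $want)"; findings=$((findings + 1))
        fi
    done
    # The cipher list must exclude anonymous suites and MD5, as in section 2.
    ciphers=$(vsftpd_get "$1" ssl_ciphers)
    case "$ciphers" in
        *'!aNULL'*'!MD5'*|*'!MD5'*'!aNULL'*) ;;
        *) echo "ssl_ciphers=${ciphers:-<unset>} (want HIGH:!aNULL:!MD5)"
           findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed samples (not from the post): one weak file, one matching section 2.
write_conf() { f=$(mktemp); printf '%s\n' "$@" >"$f"; echo "$f"; }
sample_weak_conf() {
    write_conf 'ssl_enable=YES' 'force_local_data_ssl=NO   # cleartext data channel' \
        '#force_local_logins_ssl=YES   # commented out, so unset' 'ssl_sslv3=YES' 'ssl_ciphers=HIGH'
}
sample_hardened_conf() {
    write_conf 'ssl_enable=YES' 'force_local_data_ssl=YES' 'force_local_logins_ssl=YES' \
        'ssl_tlsv1=YES' 'ssl_sslv2=NO' 'ssl_sslv3=NO' 'ssl_ciphers=HIGH:!aNULL:!MD5' 'allow_anon_ssl=NO'
}

# Stand-alone run: the weak sample yields findings, the hardened one none.
for c in "$(sample_weak_conf)" "$(sample_hardened_conf)"; do
    if vsftpd_audit "$c"; then echo "$c: OK"; else echo "$c: $? finding(s)"; fi
done
```

Point vsftpd_audit at /etc/vsftpd.conf to check a live server before restarting the service.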

3. Restart vsftpd to Apply Changes

After configuring the file, restart the vsftpd service to load the new settings:

sudo systemctl restart vsftpd

On systemd-based systems, this command applies the changes immediately. Verify the service status with sudo systemctl status vsftpd to confirm it is running without errors.

4. Configure the Firewall to Allow FTPS Traffic

FTPS uses two ports by default: 21/tcp for control connections (handshakes) and 990/tcp for data connections (implicit FTPS). If you’re using passive mode (recommended), you’ll also need to open a range of ports for data transfers (e.g., 40000–50000).

These commands allow secure FTP traffic while blocking unauthorized access.

5. Implement Additional Security Measures

To further harden your vsftpd server, combine SSL/TLS with these best practices:

By following these steps, you can significantly enhance the security of your vsftpd server, ensuring that data transfers are encrypted and protected from unauthorized access.
