Good secure FTP server for Linux?


Cyde Weys

Mar 9, 2005, 1:39:03 AM3/9/05
I'm running a server for a group of nine people. I know them all
personally and it's not that I don't trust them, I just don't trust them to
use good security policies. That's why I want to run an FTP server that
will only accept SSL connections (no sending username/password over
plaintext). Anyone have any good recommendations? I was looking at vsftpd
but so far I haven't found a way to disallow non-encrypted connections.

Another solution would be to use scp (and WinSCP on the Windows
client end), but my users are more familiar with FTP, so that's my first
choice.

--
~ Cyde Weys ~
So say we all.

Enkidu

Mar 9, 2005, 1:56:06 AM3/9/05
ftp is not secure and a kludge to make it secure may help a
little, but it does really go to the heart of the problem.
However WinSCP is easier to use than ftp IMO.

Cheers,

Cliff


--

Barzoomian the Martian - http://barzoomian.blogspot.com

Menno Duursma

Mar 10, 2005, 9:53:57 AM3/10/05
On Wed, 09 Mar 2005 06:39:03 +0000, Cyde Weys wrote:

> [...] I was looking at vsftpd but so far I haven't found a way to
> disallow non-encrypted connections.

Apart from using SSL/TLS, I would recommend you run under user "ftpd", which
seems not to be the default in most distros... Something like:

groupadd ftpd
gpasswd -R ftpd
grpconv
useradd -g ftpd -s /bin/false -d /usr/share/empty ftpd
passwd -l ftpd
pwconv

Then edit vsftpd.conf to include:

# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftpd

-----
About that SSL/TLS: it's better if you have a cert from a CA, but
anyway, here's what worked for me:

mkdir -p /usr/share/ssl/certs
cd /usr/share/ssl/certs
openssl req -x509 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem \
-days 365 -nodes
chmod 0400 *

And added the following to vsftpd.conf

### SSL/TLS:

# If enabled, and vsftpd was compiled against OpenSSL, vsftpd will support
# secure connections via SSL. This applies to the control connection
# (including login) and also data connections. You'll need a client with
# SSL/TLS support too
ssl_enable=YES

# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections - Default: /usr/share/ssl/certs/vsftpd.pem
#rsa_cert_file

# Only applies if ssl_enable is activated. If enabled, this option will permit
# SSLv2 protocol connections. TLSv1 connections are preferred
ssl_sslv2=YES

# Only applies if ssl_enable is activated. If enabled, this option will permit
# SSLv3 protocol connections. TLSv1 connections are preferred
ssl_sslv3=YES

# Only applies if ssl_enable is activated. If enabled, this option will permit
# TLSv1 protocol which is preferred
ssl_tlsv1=YES

# Only applies if ssl_enable is active. If set to YES, anonymous users will
# be allowed to use secured SSL connections
allow_anon_ssl=YES

# Only applies if ssl_enable is activated. If activated, all non-anonymous
# logins are forced to use a secure SSL connection in order to send the
# password
force_local_logins_ssl=YES

# Only applies if ssl_enable is activated. If activated, all non-anonymous
# logins are forced to use a secure SSL connection in order to send and
# receive data on data connections
force_local_data_ssl=NO
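The config posted above switches on TLS but also re-enables SSLv2/SSLv3 and sets force_local_data_ssl=NO, so only the login, not the file data, is forced onto an encrypted channel. The following is an added audit script, not code from the thread or from the vsftpd project; it parses a vsftpd.conf, applies the option defaults documented in vsftpd.conf(5), and lists every setting that still permits plaintext or an obsolete protocol. The two embedded configs are constructed samples: the first reproduces the posted settings, the second is a hardened variant that answers the original question (no unencrypted logins or transfers).

```python
"""Audit a vsftpd.conf for settings that still allow plaintext FTP.

Added example (not from the original thread or the vsftpd project).
Option defaults below are taken from vsftpd.conf(5); the sample configs
are constructed for this example.
"""
from __future__ import annotations

# Documented vsftpd defaults for the options this audit looks at.
DEFAULTS = {
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "ssl_tlsv1": "YES",
    "anonymous_enable": "YES",
    "allow_anon_ssl": "NO",
}


def parse_vsftpd_conf(text: str) -> dict[str, str]:
    """Return option -> value for 'option=value' lines; skip comments/blanks."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: dict[str, str]) -> list[str]:
    """List the settings that leave credentials or data unencrypted."""

    def opt(name: str) -> str:
        # vsftpd booleans are case-insensitive; compare in upper case.
        return conf.get(name, DEFAULTS[name]).upper()

    findings: list[str] = []
    if opt("ssl_enable") != "YES":
        findings.append("ssl_enable is not YES: every connection is plaintext")
        return findings  # nothing else matters until TLS is on
    if opt("force_local_logins_ssl") != "YES":
        findings.append("force_local_logins_ssl=NO: passwords may be sent in the clear")
    if opt("force_local_data_ssl") != "YES":
        findings.append("force_local_data_ssl=NO: file transfers may go in the clear")
    for legacy in ("ssl_sslv2", "ssl_sslv3"):
        if opt(legacy) == "YES":
            findings.append(f"{legacy}=YES: obsolete protocol version enabled")
    if opt("anonymous_enable") == "YES":
        findings.append("anonymous_enable=YES (vsftpd default): anonymous logins accepted")
    return findings


# Constructed sample: the settings as posted in the thread.
POSTED_CONF = """
nopriv_user=ftpd
ssl_enable=YES
ssl_sslv2=YES
ssl_sslv3=YES
ssl_tlsv1=YES
allow_anon_ssl=YES
force_local_logins_ssl=YES
force_local_data_ssl=NO
"""

# Constructed sample: hardened variant that refuses plaintext logins and data.
HARDENED_CONF = """
nopriv_user=ftpd
anonymous_enable=NO
ssl_enable=YES
rsa_cert_file=/usr/share/ssl/certs/vsftpd.pem
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""


def audit_text(text: str) -> list[str]:
    """Convenience wrapper: parse then audit."""
    return audit(parse_vsftpd_conf(text))


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        found = audit_text(text)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it against a real file with `audit_text(open("/etc/vsftpd.conf").read())`. Note that vsftpd's own defaults already force TLS for local logins and data once ssl_enable=YES; the posted config weakened that by setting force_local_data_ssl=NO explicitly, which is exactly the kind of drift this check is meant to catch.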

rapskat

Mar 11, 2005, 7:43:41 PM3/11/05
begin Error log for Wed, 09 Mar 2005 06:39:03 +0000 - Cyde Weys caused a
page fault at address <Xns961410C9122D42g...@128.8.10.18>,
details as follows .vbs

SFTP, FTP tunneled over an SSH connection. It is a part of OpenSSH. Runs
just like ftp, only on the same port as SSH (22 default).

Chances are you already have it.

--
rapskat - 19:41:54 up 52 min, 2 users, load average: 0.10, 0.18, 0.26
Reply hazy, ask again later.
I am jamming to bad boy bill - hard house mix
