
#1 2010-12-14 16:47:47

yabasta
Member
Registered: 2010-05-01
Posts: 167

ssl and vsftpd

Hi folks, I've set up vsftpd on my home Arch box that I connect to via my Android phone to download files. First of all I just set up normal FTP, which works fine, I might add. No problems downloading files or whatever. I'm logging in as my normal user from my Arch box, and it's set up to only allow me to see certain directories in my home directory. Now that's been done, I wanted to make things more secure, so I've gone down the FTP over SSL route. I basically did this:

Make SSL key
#openssl req -x509 -nodes -days 730 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

and added this to my vsftpd.conf

# Turn on SSL
ssl_enable=YES
# Allow anonymous users to use secured SSL connections
allow_anon_ssl=NO
# All non-anonymous logins are forced to use a secure SSL connection in order to
# send and receive data on data connections.
force_local_data_ssl=YES
# All non-anonymous logins are forced to use a secure SSL connection in order to send the password.
force_local_logins_ssl=YES
# Permit TLS v1 protocol connections. TLS v1 connections are preferred
ssl_tlsv1=YES
# Permit SSL v2 protocol connections. TLS v1 connections are preferred
ssl_sslv2=NO
# permit SSL v3 protocol connections. TLS v1 connections are preferred
ssl_sslv3=NO
# Specifies the location of the RSA certificate to use for SSL encrypted connections
rsa_cert_file=/etc/vsftpd/vsftpd.pem
require_ssl_reuse=NO

I don't allow anonymous logins on my vsftpd server; no need to, as only I will use it. So the way I see it, my server is set up to only allow local users to log in (I've also disallowed root logins), and they can only do so by using SSL to log in and to transmit data. Now, this all works fine; I can download any file I wish. But I don't understand what's going on here. I'm not entirely sure I understand SSL. I didn't have to do anything fancy with the client on my Android phone, only select FTPS instead of FTP for the connection. I thought I had to have some sort of key on the Android end of things to enable me to connect to vsftpd. As it stands I'm using the exact same login and password as before. So I'm failing to see how this is any more secure; I still have the same port forwarded etc. on my router too.

Like I say, I'm probably not understanding SSL fully; any light anyone can shed on this would help put my mind at rest. I'm just a bit anxious in case there's one more little thing I should be doing to make the server secure.
Thanks for taking the time to read this, by the way :)


#2 2010-12-14 17:09:15

fr33ke
Member
Registered: 2010-08-21
Posts: 20

Re: ssl and vsftpd

SSL is just for encrypting the connection (nobody can sniff your password or your sensitive data) and for knowing that the server you connect to is the one you meant (preventing MITM attacks).

If you want passwordless FTP login you need client certificates; check out http://serverfault.com/questions/142981 … o-a-vsftpd for instance. But not many clients support client certificates, as far as I know.

You can also share files over SSH with SFTP, but that's totally different from FTP.

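What fr33ke describes (the server proving who it is, the client proving who it is with a password sent inside the encrypted channel) can be made concrete with an explicit FTPS client. The following is an added example written for this page; it is not code from the thread or from vsftpd. It assumes a server set up as in the first post (explicit FTPS, TLS forced for login and data, a self-signed vsftpd.pem), and the host, port, user and fingerprint it takes are supplied by the reader. Because a self-signed certificate has no CA to vouch for it, the client pins the certificate's SHA-256 fingerprint; a client that just accepts whatever certificate it is shown gets the encryption but not the protection against someone sitting in the middle.

```python
"""Explicit FTPS (AUTH TLS) client that pins a self-signed server certificate.

Added example for this page, not code from the thread or from vsftpd.
It assumes a server set up as above (explicit FTPS on the control port,
TLS forced for login and data, self-signed vsftpd.pem). Host, port, user
and the expected fingerprint are supplied by the reader; get the pin on
the server with
    openssl x509 -in /etc/vsftpd/vsftpd.pem -noout -fingerprint -sha256
"""
import getpass
import hashlib
import hmac
import ssl
import sys
from ftplib import FTP_TLS


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, in openssl's AA:BB:... form."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der_cert: bytes, expected_fingerprint: str) -> bool:
    """Compare a presented certificate with the pin in constant time.
    The pin may be given with or without colons, in either case."""
    expected = expected_fingerprint.replace(":", "").upper()
    actual = fingerprint_sha256(der_cert).replace(":", "")
    return hmac.compare_digest(actual, expected)


def pinned_context() -> ssl.SSLContext:
    """A self-signed certificate has no CA to vouch for it, so CA and
    hostname checks are off here and the fingerprint check in
    connect_pinned() takes their place. Skipping that check as well would
    leave encryption without any proof of who the server is."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_pinned(host: str, port: int, user: str, password: str,
                   expected_fingerprint: str, timeout: float = 10) -> FTP_TLS:
    """Connect, upgrade the control channel, verify the pin, then log in."""
    ftps = FTP_TLS(context=pinned_context(), timeout=timeout)
    ftps.connect(host, port)
    ftps.auth()  # AUTH TLS: from here on the control channel is encrypted
    der = ftps.sock.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, expected_fingerprint):
        ftps.close()
        raise ssl.SSLError("server certificate does not match the pinned fingerprint")
    ftps.login(user, password)  # the password only ever travels inside TLS
    ftps.prot_p()               # PROT P: listings and downloads are encrypted too
    return ftps


if __name__ == "__main__":
    # Hypothetical script name in the usage line; password is read from the
    # terminal rather than the command line so it does not show up in ps.
    if len(sys.argv) != 5:
        sys.exit("usage: ftps_pinned.py HOST PORT USER SHA256_FINGERPRINT")
    host, port, user, pin = sys.argv[1:]
    with connect_pinned(host, int(port), user, getpass.getpass(), pin) as ftps:
        print("\n".join(ftps.nlst()))
```

The pin is the one thing the client has to carry that it did not before; it plays the role the poster expected a "key on the Android end" to play, except that it identifies the server, not the client. The client is still identified by its password, which is now unreadable on the wire.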

#3 2010-12-14 17:11:20

broken pipe
Member
Registered: 2010-12-10
Posts: 238

Re: ssl and vsftpd

Mind sharing your full vsftpd.conf?


#4 2010-12-14 18:12:24

yabasta
Member
Registered: 2010-05-01
Posts: 167

Re: ssl and vsftpd

Of course :) It still needs tidying up and I've obviously edited out the sensitive stuff. I'm not exactly a networking guru, as you can probably tell from this conf, haha. There are probably more vsftpd settings I can play with; I just haven't had much time, what with work and stuff.

# Example config file /etc/vsftpd.conf
#
# Use this to use vsftpd in standalone mode, otherwise it runs through (x)inetd
listen=YES
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#anon_world_readable_only=YES
listen_port=20
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
#write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022

max_clients=1

# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that on some FTP servers, ASCII support allows a denial of service
# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
# predicted this attack and has always been safe, reporting the size of the
# raw file.
# ASCII mangling is a horrible feature of the protocol.
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=you're in dipshit!.
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
#
# When "listen" directive is enabled, vsftpd runs in standalone mode and
# listens on IPv4 sockets. This directive cannot be used in conjunction
# with the listen_ipv6 directive.
listen=YES
#
# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
# sockets, you must run two copies of vsftpd with two configuration files.
# Make sure, that one of the listen options is commented !!
#listen_ipv6=YES

userlist_enable=YES
# this file contains 'root', as I didn't want any root logins
# (vsftpd has no trailing comments, so the note goes on its own line)
userlist_file=/etc/vsftpd.user_list

pasv_enable=YES
pasv_min_port=XXXXX
pasv_max_port=XXXXX
pasv_address=XXX.XX.XXX.XX

# hides certain directories and files
hide_file={Mail,mail}

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
require_ssl_reuse=NO

So basically I just wanted to download certain media files to my Android as and when necessary. No need for any uploads to be enabled. I suppose to be really secure I should stop being so lazy and create a local user that can only access the media directories. I've basically chrooted my normal user login and hidden things in the home directory.

Thanks for that, fr33ke. So if I couple this encryption with a special user with really strict permissions, will this be very secure? Or will this forwarded port on my router always be a security risk?

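Whether a stricter user on top of the encryption makes the server "very secure" is partly a question of whether the configuration actually says what its owner thinks it says. The following is an added example written for this page, not the poster's code and not anything shipped with vsftpd: a small checker that reads a vsftpd.conf the way vsftpd does (only lines beginning with '#' are comments, each other line is option=value with no spaces around '=', a later assignment overrides an earlier one) and reports settings that differ from a download-only, FTPS-only, chrooted setup, plus values that have picked up a trailing '#' comment, which vsftpd keeps as part of the value. The SAMPLE configuration inside it is constructed for the example and mirrors the shape of the one posted above; the checklist of expected settings is this example's own choice, drawn from the options discussed in the thread.

```python
"""Audit a vsftpd.conf for a download-only, FTPS-only, chrooted setup.

Added example for this page; not the original poster's code and not part
of vsftpd. It reads the file the way vsftpd does: only lines that begin
with '#' are comments, every other line is option=value with no spaces
around '=', and a later assignment overrides an earlier one. SAMPLE is a
constructed configuration that mirrors the shape of the one posted above.
"""
from typing import Dict, List, Tuple

# Settings a hardened read-only FTPS server is expected to carry
# (this example's own checklist, drawn from the options discussed above).
EXPECTED: Dict[str, str] = {
    "ssl_enable": "YES",
    "force_local_logins_ssl": "YES",   # password only ever sent inside TLS
    "force_local_data_ssl": "YES",     # listings and downloads inside TLS
    "allow_anon_ssl": "NO",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "anonymous_enable": "NO",
    "local_enable": "YES",
    "chroot_local_user": "YES",
    "userlist_enable": "YES",
}
# Options that must be absent or NO on a download-only server.
MUST_NOT_BE_YES = ("write_enable", "anon_upload_enable", "anon_mkdir_write_enable")


def parse_vsftpd_conf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (settings, problems) for the text of a vsftpd.conf."""
    settings: Dict[str, str] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: not option=value: {line!r}")
            continue
        key, value = line.split("=", 1)
        if "#" in value:
            # vsftpd has no trailing comments: the '#' and everything after
            # it stay in the value (a path no longer exists, a boolean no
            # longer parses).
            problems.append(f"line {lineno}: '#' in value of {key} is not a comment to vsftpd")
        settings[key] = value  # last assignment wins, as in vsftpd
    return settings, problems


def audit(text: str) -> List[str]:
    """Findings for a configuration; an empty list means it passed."""
    settings, findings = parse_vsftpd_conf(text)
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None or got.upper() != want:
            findings.append(f"{key} should be {want}, is {got!r}")
    for key in MUST_NOT_BE_YES:
        if settings.get(key, "NO").upper() == "YES":
            findings.append(f"{key}=YES enables writes; drop it on a download-only server")
    return findings


SAMPLE = """\
# constructed sample: same shape as the config posted in the thread
listen=YES
anonymous_enable=NO
local_enable=YES
#write_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list #contains root
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
"""

if __name__ == "__main__":
    import sys
    # Audit the file named on the command line, or the built-in sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is the trailing comment on the userlist_file line; once that comment is moved onto its own line the sample passes, and adding write_enable=YES or anonymous_enable=YES brings the corresponding finding back. The check says nothing about the router: a forwarded port is reachable by anyone, and what this audit confirms is that whoever reaches it must speak TLS, present a valid local password, and then sees only the chrooted, read-only tree.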
