Configuring VSFTPD for secure connections (TLS/SSL)

I wanted to tighten up my FTP service. Currently, I use and love vsftpd. Unfortunately, as far as I know, it does not support SFTP (file transfer over SSH), but it does support FTP over TLS/SSL.

You will need to ensure that vsftpd has been compiled with SSL support. Here are my current USE flags for vsftpd:

net-ftp/vsftpd-2.0.6  USE="pam ssl tcpd -caps -logrotate (-selinux) -xinetd"

The first step is to create a self-signed certificate:

openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

Next, add the following configuration options to /etc/vsftpd/vsftpd.conf:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
require_cert=NO

I set force_local_logins_ssl=NO because I have clients that cannot connect via TLS/SSL; with this set to NO, both plain FTP and TLS/SSL clients will be able to connect. I did have trouble with CuteFTP 8 Professional connecting, though. I would constantly get the following message:

The server is requesting a client certificate. Create or import one and try again

But vsftpd has require_cert=NO set, which is the default behavior. Apparently this could be a bug in the CuteFTP client. I was able to make secure FTP connections with Core FTP LE without a problem.
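To make the trade-off in the configuration above visible before restarting the service, here is a small checker that parses a vsftpd.conf and reports what the TLS-related options actually permit. This is an added example written for this post; it is not part of vsftpd and not the author's code. The option names and their defaults are taken from vsftpd.conf(5) for the 2.x series (verify them against your installed version), the severity labels are this example's own choice, and the sample config embedded below is the block from the post so the script runs offline.

```python
"""Lint the TLS/SSL-related options of a vsftpd.conf (added example, not vsftpd code)."""
from typing import Dict, List, Optional, Tuple

# Documented vsftpd defaults for the options this check cares about
# (vsftpd.conf(5), 2.x series; an assumption to verify for other versions).
DEFAULTS: Dict[str, str] = {
    "ssl_enable": "NO",
    "allow_anon_ssl": "NO",
    "force_local_data_ssl": "YES",
    "force_local_logins_ssl": "YES",
    "ssl_tlsv1": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "require_cert": "NO",
}

# Sample input (constructed for this example): the configuration block from the post.
SAMPLE_CONF = """\
# TLS settings added for FTPS
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
require_cert=NO
"""

Finding = Tuple[str, str, str]  # (severity, option, message)


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Parse vsftpd.conf syntax: one option=value per line, lines starting with '#' are comments."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line, expected option=value: {raw!r}")
        key, value = line.split("=", 1)
        options[key] = value  # a repeated option keeps its last value
    return options


def pem_has_cert_and_key(pem_text: str) -> bool:
    """True if a single PEM bundle carries both a certificate and a private key,
    which is what the one-file openssl command in the post produces."""
    has_cert = "-----BEGIN CERTIFICATE-----" in pem_text
    has_key = ("-----BEGIN PRIVATE KEY-----" in pem_text
               or "-----BEGIN RSA PRIVATE KEY-----" in pem_text)
    return has_cert and has_key


def check_tls_settings(options: Dict[str, str],
                       pem_text: Optional[str] = None) -> List[Finding]:
    """Return findings describing the TLS posture the parsed options imply."""
    def get(name: str) -> str:
        return options.get(name, DEFAULTS.get(name, ""))

    findings: List[Finding] = []
    if get("ssl_enable") != "YES":
        findings.append(("error", "ssl_enable",
                         "TLS/SSL is off; every login and transfer is cleartext"))
        return findings  # nothing else matters without ssl_enable

    for proto in ("ssl_sslv2", "ssl_sslv3"):
        if get(proto) == "YES":
            findings.append(("error", proto, "obsolete protocol enabled; set it to NO"))
    if get("ssl_tlsv1") != "YES":
        findings.append(("error", "ssl_tlsv1",
                         "no TLS version enabled; TLS clients cannot negotiate"))

    # The trade-off the post makes: NO keeps legacy clients working, but those
    # clients then send their passwords and data over the network in the clear.
    if get("force_local_logins_ssl") == "NO":
        findings.append(("warning", "force_local_logins_ssl",
                         "plain FTP logins allowed; non-TLS clients send passwords in cleartext"))
    if get("force_local_data_ssl") == "NO":
        findings.append(("warning", "force_local_data_ssl",
                         "plain FTP data connections allowed; non-TLS transfers are unencrypted"))

    # When certificate and key share one file, make sure both parts are present.
    if pem_text is not None and get("rsa_cert_file") == get("rsa_private_key_file"):
        if not pem_has_cert_and_key(pem_text):
            findings.append(("error", "rsa_private_key_file",
                             "PEM bundle lacks a certificate or a private key"))
    return findings


if __name__ == "__main__":
    for severity, option, message in check_tls_settings(parse_vsftpd_conf(SAMPLE_CONF)):
        print(f"{severity.upper():7} {option}: {message}")
```

Run against the post's config it reports two warnings, both for the force_local_*_ssl=NO choices; flip those to YES and it reports nothing. Passing the contents of vsftpd.pem as pem_text additionally confirms that the single file written by the openssl command holds both the certificate and the key.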

Make sure you restart the service and watch your vsftpd.log for errors. I watched traffic on my network via tcpdump and verified that authentication and data were being encrypted.