{"id":1011,"date":"2012-03-19T09:00:16","date_gmt":"2012-03-19T08:00:16","guid":{"rendered":"http:\/\/blog.spanger.org\/?p=1011"},"modified":"2012-03-22T16:13:07","modified_gmt":"2012-03-22T15:13:07","slug":"secure-ftp-server-on-centos","status":"publish","type":"post","link":"https:\/\/blog.spanger.org\/?p=1011","title":{"rendered":"secure ftp server on centos"},"content":{"rendered":"<p><strong>Prerequisites:<\/strong><br \/>\n1. on the external firewall (Cisco, Linksys,&#8230;) forward ports 20, 21, 990 and the port range 49500:50000 to the local FTP server 192.168.xx.yy<\/p>\n<p>* the passive port range can be any range of ports higher than 49151 and lower than 65535<\/p>\n<p>2. open the firewall on the FTP server for ports 20, 21, 990 and the port range 49500:50000 (FTP uses TCP only, so no UDP rules are needed)<\/p>\n<pre><code># vim \/etc\/sysconfig\/iptables\r\n-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20:21 -j ACCEPT\r\n-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 990 -j ACCEPT\r\n-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 49500:50000 -j ACCEPT<\/code><\/pre>\n<p>3. in \/etc\/sysconfig\/iptables-config add ip_nat_ftp and ip_conntrack_ftp<\/p>\n<pre><code>IPTABLES_MODULES=\"ip_nat_ftp ip_conntrack_ftp\"<\/code><\/pre>\n<p>Restart the firewall<\/p>\n<pre><code># \/etc\/rc.d\/init.d\/iptables restart<\/code><\/pre>\n<p>4. configure SELinux<\/p>\n<pre># setsebool -P ftp_home_dir on<\/pre>\n<p>5. add the FTP users and set their passwords (useradd takes one user per call)<\/p>\n<pre># for u in ftpuser ftpuser1 ftpuser2; do useradd $u; passwd $u; done<\/pre>\n<p><strong>Install VSFTPD<\/strong><br \/>\n1. install vsftpd<\/p>\n<pre># yum install vsftpd<\/pre>\n<p>2. install a self-signed certificate<\/p>\n<pre># openssl req -x509 -nodes -days 1825 -newkey rsa:2048 -keyout \/etc\/vsftpd\/vsftpd.pem -out \/etc\/vsftpd\/vsftpd.pem<\/pre>\n
<p>3. Configure VSFTPD<\/p>\n<p>add or change these lines in \/etc\/vsftpd\/vsftpd.conf<\/p>\n<pre># vim \/etc\/vsftpd\/vsftpd.conf\r\nanonymous_enable=NO\r\nlocal_enable=YES\r\nwrite_enable=YES\r\nlocal_umask=022\r\ndirmessage_enable=YES\r\nxferlog_enable=YES\r\nconnect_from_port_20=YES\r\nxferlog_file=\/var\/log\/vsftpd.log\r\nxferlog_std_format=YES\r\nftpd_banner=Welcome to blabla FTP service.\r\nchroot_list_enable=NO\r\nchroot_list_file=\/etc\/vsftpd\/chroot_list\r\nlisten=YES\r\nlog_ftp_protocol=YES\r\npam_service_name=vsftpd\r\nuserlist_enable=YES\r\ntcp_wrappers=YES\r\n\r\npasv_enable=YES\r\n# replace with your public IP\r\npasv_address=85.10.xx.zz\r\npasv_min_port=49500\r\npasv_max_port=50000\r\nssl_enable=YES\r\n\r\nallow_anon_ssl=NO\r\nforce_local_data_ssl=NO\r\nforce_local_logins_ssl=YES\r\nssl_tlsv1=YES\r\nssl_sslv2=NO\r\nssl_sslv3=NO\r\nrsa_cert_file=\/etc\/vsftpd\/vsftpd.pem<\/pre>\n<p>note that force_local_data_ssl=NO leaves the data channel (file contents and directory listings) unencrypted; only logins are forced over TLS. Set it to YES if all your clients support TLS on the data channel.<\/p>\n<p>4. Restart the FTP server<\/p>\n<pre># \/etc\/rc.d\/init.d\/vsftpd restart<\/pre>\n<p><strong>Use an FTP client which supports AUTH TLS to connect to the FTP server<\/strong><\/p>\n<p>I used the Mozilla plugin FireFTP or ftp-ssl (a command line client)<\/p>\n<p>URI:<\/p>\n<p>http:\/\/wiki.vpslink.com\/Configuring_vsftpd_for_secure_connections_%28TLS\/SSL\/SFTP%29<br \/>\nhttp:\/\/www.cyberciti.biz\/tips\/rhel-fedora-centos-vsftpd-installation.html<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Prerequisites: 1. open external firewall (cisco, linksys,&#8230;) ports 20, 21, 990 and port range 49500:50000 to the local FTP server 192.168.xx.yy * port range ports can be random ports higher than 49151 and lower than 65535 2. 
open firewall for port 20,21,990\u00a0 and port range 49500:50000 on ftp server # vim \/etc\/sysconfig\/iptables -A RH-Firewall-1-INPUT -p [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[95,96,98,97],"class_list":["post-1011","post","type-post","status-publish","format-standard","hentry","category-linux-stuff","tag-centos","tag-ftps","tag-tls","tag-vsftpd"],"_links":{"self":[{"href":"https:\/\/blog.spanger.org\/index.php?rest_route=\/wp\/v2\/posts\/1011","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.spanger.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.spanger.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.spanger.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.spanger.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1011"}],"version-history":[{"count":32,"href":"https:\/\/blog.spanger.org\/index.php?rest_route=\/wp\/v2\/posts\/1011\/revisions"}],"predecessor-version":[{"id":1036,"href":"https:\/\/blog.spanger.org\/index.php?rest_route=\/wp\/v2\/posts\/1011\/revisions\/1036"}],"wp:attachment":[{"href":"https:\/\/blog.spanger.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1011"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.spanger.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1011"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.spanger.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1011"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}