vsftpd Configuration for TLS and Passive Mode

The vsftpd standard FTP daemon on Fedora 17 comes configured to not work.  It doesn’t work in normal mode (chroot problems), it doesn’t handle TLS, it allows anonymous logins by default, and it doesn’t handle passive mode in a way that works with the iptables firewall (because TLS hides the PASV exchange from the firewall).

Goal: TLS, no chroot-ing, no anonymous logins, passive mode.

Setup:

First cd to /etc/pki/tls/certs and run ‘make vsftpd.pem’.  This generates a self-signed certificate together with its private key in that one file, so ‘chmod 600 vsftpd.pem’ it; nothing but vsftpd (which reads it as root) needs to see the key.

Then, go edit /etc/vsftpd/vsftpd.conf.  Here’s a working configuration (note there is no trailing whitespace after any value; vsftpd rejects ‘NO ’ as a bad bool value):

# no anonymous logins; only local (PAM) accounts, which may write
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
dual_log_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
# no chroot: users see the whole filesystem, subject to normal Unix permissions
chroot_local_user=NO
ls_recurse_enable=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
# TLS: logins (credentials) must be encrypted; the data channel is encrypted
# only if the client asks for it (force_local_data_ssl=NO)
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
# TLSv1 only, no legacy SSLv2/SSLv3
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# certificate and private key created with ‘make vsftpd.pem’ above
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
# fixed passive-mode port range so the firewall can open exactly these ports
pasv_min_port=50000
pasv_max_port=50064
# most clients cannot resume the control-channel TLS session on the data channel
require_ssl_reuse=NO
seccomp_sandbox=NO

Now go edit /etc/sysconfig/iptables. Because of TLS, the standard nf_conntrack_ftp module isn’t going to work: it opens data ports by reading the PASV reply on the control channel, and with TLS that channel is encrypted, so it sees nothing. It would be nice if somebody enhanced that to know about the .pem file. Here’s a working set of rules that matches the above (arbitrary) port range, opening the passive range statically instead:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 50000:50064 -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT
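The three pieces above (the certificate, vsftpd.conf and the iptables rules) have to agree with each other, and a mismatch only shows up as a hung directory listing after the restart. The following POSIX sh script is an added example, not part of the original post: it reads the settings this setup depends on out of a vsftpd.conf, checks that the rsa_cert_file exists and is mode 600, and checks that some tcp ACCEPT rule in the iptables file encloses the pasv_min_port/pasv_max_port range. The file paths are arguments; the sample files it writes at the end are constructed for the demo and mirror the values from this post.

```shell
#!/bin/sh
# Added example, not part of the original post: check that vsftpd.conf, the
# certificate file and the iptables rules agree before restarting services.
# File paths are arguments; the demo files written at the bottom are constructed.

# conf_get FILE KEY: value of KEY in a key=value file with '#' comments.
# Last occurrence wins; surrounding whitespace is stripped; empty if absent.
conf_get() {
    awk -F= -v k="$2" '
        /^[[:space:]]*#/ { next }
        { gsub(/[[:space:]]+$/, "", $1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2) }
        $1 == k { v = $2 }
        END { print v }' "$1"
}

# expect_kv FILE KEY VALUE: succeed if KEY is VALUE, otherwise report and fail.
expect_kv() {
    actual=$(conf_get "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    echo "FAIL: $2='$actual' (want $3)"
    return 1
}

# check_vsftpd_conf FILE: the settings this setup depends on.  Exit status is
# the number of failures, so 0 means all of them are as expected.
check_vsftpd_conf() {
    fails=0
    for kv in anonymous_enable=NO ssl_enable=YES force_local_logins_ssl=YES \
              allow_anon_ssl=NO ssl_sslv2=NO ssl_sslv3=NO; do
        expect_kv "$1" "${kv%%=*}" "${kv#*=}" || fails=$((fails + 1))
    done
    [ "$(conf_get "$1" force_local_data_ssl)" = YES ] ||
        echo "WARN: force_local_data_ssl!=YES: data goes cleartext unless the client sends PROT P"
    return $fails
}

# check_cert_perms FILE: rsa_cert_file must exist and be mode 600 (it holds the key).
check_cert_perms() {
    pem=$(conf_get "$1" rsa_cert_file)
    [ -f "$pem" ] || { echo "FAIL: rsa_cert_file '$pem' missing"; return 1; }
    [ -n "$(find "$pem" -prune -perm 600)" ] && return 0
    echo "FAIL: $pem is not mode 600"
    return 1
}

# pasv_range_covered CONF RULES: succeed if a tcp ACCEPT rule in RULES carries a
# --dport A:B range that encloses [pasv_min_port, pasv_max_port] from CONF.
pasv_range_covered() {
    lo=$(conf_get "$1" pasv_min_port); hi=$(conf_get "$1" pasv_max_port)
    [ -n "$lo" ] && [ -n "$hi" ] || { echo "FAIL: pasv_min_port/pasv_max_port unset"; return 1; }
    awk -v lo="$lo" -v hi="$hi" '
        /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" && split($(i + 1), r, ":") == 2 &&
                    r[1] + 0 <= lo + 0 && r[2] + 0 >= hi + 0) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$2"
}

# write_demo DIR: constructed sample files mirroring the post's configuration.
write_demo() {
    cat > "$1/vsftpd.conf" <<EOF
anonymous_enable=NO
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=$1/vsftpd.pem
pasv_min_port=50000
pasv_max_port=50064
EOF
    : > "$1/vsftpd.pem" && chmod 600 "$1/vsftpd.pem"   # placeholder, not a real certificate
    printf '%s\n' \
        '-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT' \
        '-A INPUT -p tcp --dport 50000:50064 -m state --state RELATED,ESTABLISHED,NEW -j ACCEPT' \
        > "$1/iptables"
    # a rule set that only opens half of the passive range
    sed 's/50000:50064/50000:50032/' "$1/iptables" > "$1/iptables-narrow"
}

DEMO=$(mktemp -d)
write_demo "$DEMO"
if check_vsftpd_conf "$DEMO/vsftpd.conf" && check_cert_perms "$DEMO/vsftpd.conf" &&
   pasv_range_covered "$DEMO/vsftpd.conf" "$DEMO/iptables"; then
    echo "OK: vsftpd.conf, certificate and iptables agree"
fi
pasv_range_covered "$DEMO/vsftpd.conf" "$DEMO/iptables-narrow" ||
    echo "as expected: iptables-narrow leaves part of the passive range blocked"
```

On a real host, call the three check functions with /etc/vsftpd/vsftpd.conf and /etc/sysconfig/iptables instead of the demo files. The range check deliberately requires the rule to enclose the whole pasv range rather than merely overlap it, since a client that lands on an unopened port simply hangs. The data-channel warning is there because force_local_data_ssl=NO means file contents travel in the clear unless the client negotiates PROT P, which is what the lftp settings further down do.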

Then restart your vsftpd and iptables services and you should be good to go.  FileZilla will work with its defaults.  For lftp, you can create a .lftprc file like this:

# accept the self-signed certificate by skipping verification entirely; to keep
# verification on, point ssl:ca-file at a copy of the server's certificate instead
set ssl:verify-certificate false
set ftp:ssl-auth TLS
# require TLS on the control channel and ask for it on listings, data and FXP
set ftp:ssl-force true
set ftp:ssl-allow yes
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes