web analytics

Archive for the ‘SFTP’ Category

Hardening guide for VSFTPD on RHEL 5.4

The guide bellow instruct how to install, configure and secure FTP server called VSFTP, based on RHEL 5.4, enabling only SFTP access to the server.

Installation phase

  1. Login to the server using Root account.
  2. Install from the RHEL 5.4 DVD the following RPM:
    rpm -ivh vsftpd-2.0.5-16.el5.i386.rpm
  3. Create a group for FTP users:
    groupadd ftp-users
  4. Create folder for the FTP:
    mkdir -p /ftp
  5. Change ownership and permissions on the FTP folder:
    chown root:ftp-users /ftp
    chmod 777 -R /ftp
  6. Example of user creation:
    useradd -g ftp-users -d /ftp user1
    passwd user1
  7. Edit using VI, the file /etc/vsftpd/vsftpd.conf
    Change from:
    anonymous_enable=YESTo:
    anonymous_enable=NO

    Change from:
    xferlog_std_format=YESTo:
    xferlog_std_format=NO

    Change from:
    #tftpd_banner=Welcome to blah FTP service.To:
    tftpd_banner=Secure FTP server

    Add the lines bellow:
    local_root=/ftp
    userlist_file=/etc/vsftpd/user_list
    userlist_deny=NO
    vsftpd_log_file=/var/log/vsftpd.log
    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    ssl_ciphers=ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    rsa_cert_file=/etc/vsftpd/vsftpd.pem

  8. Run the command bellow to create VSFTP SSL key:
    openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
    Note: The command above should written as one line.
  9. Edit using VI, the file /etc/vsftpd/user_list and add members of the FTP-Users group to this list.
  10. Run the command bellow to manually start the VSFTP service:
    /etc/init.d/vsftpd start
  11. Run the command bellow to configure the VSFTP to start at server startup:
    chkconfig vsftpd on