

There are three elements you will need to deal with when you are setting up SSL with VSFTPD. First, you will need to set up a self-signed certificate for VSFTPD and configure VSFTPD to use that certificate. Second, you will need to set up FileZilla to connect on port 21 but use SSL to make the connection, so all data and passwords are transferred encrypted. Third, you will need to configure the UFW firewall to allow your connections.

Set Up VSFTPD

Create the self-signed certificate:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout vsftpd.pem -out vsftpd.pem

Enter the information that reflects your site:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MT
Locality Name (eg, city) []:TC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Fred Smith
Email Address []:

This will then be reflected in the certificate when you see it. Copy the resulting vsftpd.pem to /etc/ssl/certs:

cp vsftpd.pem /etc/ssl/certs/

Edit /etc/vsftpd.conf to allow SSL:

listen=YES
#### No Anonymous Connections Allowed #####
anonymous_enable=NO
##### Customer Connections #####
local_enable=YES
write_enable=YES
chroot_local_user=YES
use_localtime=YES
dirmessage_enable=YES
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
xferlog_std_format=YES
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
pasv_min_port=30000
pasv_max_port=40000

Several items to note in this configuration. Newer versions of FileZilla require stronger encryption from VSFTPD, so this line must be present in the VSFTPD configuration:

ssl_ciphers=HIGH

The passive ports that will transfer data must be specified:

pasv_min_port=30000
pasv_max_port=40000

You can use any port range above 1024.
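The following script is an added example and not part of the original article. It does the server-side steps above non-interactively: it generates the certificate in the same shape as the openssl command shown (the key size of 2048 bits and the restrictive file mode are this example's choices, since the private key shares the file), prints the certificate's SHA-256 fingerprint so it can be given to FileZilla users, and audits a vsftpd.conf for the settings the article relies on. The function names, the sample configuration and the default subject are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: generate the vsftpd certificate
# non-interactively, publish its fingerprint for users, and audit vsftpd.conf
# for the settings the article relies on. Paths are parameters; defaults are
# the article's values.

# make_vsftpd_cert OUTFILE [DAYS] [SUBJECT]
# Same shape as the article's openssl command, but with a 2048-bit key
# (assumption: 1024-bit RSA is below what current clients accept) and a
# restrictive file mode, since the private key is stored in the same file.
make_vsftpd_cert() {
    out=$1; days=${2:-365}; subj=${3:-"/C=US/ST=MT/L=TC/O=MyCompany/CN=Fred Smith"}
    ( umask 077; openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
          -keyout "$out" -out "$out" -subj "$subj" 2>/dev/null )
}

# cert_fingerprint PEMFILE
# SHA-256 fingerprint to hand to FileZilla users: the certificate dialog on the
# first connection shows the same value, and comparing it is the only way to
# tell this self-signed certificate from a substituted one.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# conf_value FILE KEY: value of KEY (last occurrence wins, as vsftpd reads it)
conf_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# check_vsftpd_ssl FILE
# Returns 0 when every setting needed to force TLS is present with the expected
# value; otherwise prints each problem and returns 1.
check_vsftpd_ssl() {
    f=$1; rc=0
    for pair in ssl_enable=YES force_local_data_ssl=YES force_local_logins_ssl=YES \
                ssl_sslv2=NO ssl_sslv3=NO anonymous_enable=NO; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(conf_value "$f" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected $want, found '${got:-unset}'"; rc=1
        fi
    done
    cert=$(conf_value "$f" rsa_cert_file)
    [ -n "$cert" ] || { echo "rsa_cert_file: unset"; rc=1; }
    # Without an ordered range above 1024 the firewall rule cannot be written.
    lo=$(conf_value "$f" pasv_min_port); hi=$(conf_value "$f" pasv_max_port)
    if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -le 1024 ] || [ "$lo" -gt "$hi" ]; then
        echo "pasv_min_port/pasv_max_port: need a range above 1024, found '$lo'..'$hi'"; rc=1
    fi
    return $rc
}

# sample_conf DIR: writes a constructed vsftpd.conf (the article's settings)
# and prints its path, so the audit can be exercised without touching /etc.
sample_conf() {
    cat > "$1/vsftpd.conf" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_ciphers=HIGH
pasv_min_port=30000
pasv_max_port=40000
EOF
    echo "$1/vsftpd.conf"
}

# On the server:  make_vsftpd_cert /etc/ssl/certs/vsftpd.pem
#                 cert_fingerprint /etc/ssl/certs/vsftpd.pem
#                 check_vsftpd_ssl /etc/vsftpd.conf
```

The audit only checks the keys the article sets; vsftpd 3.x also has ssl_tlsv1_1 and ssl_tlsv1_2 options, which this script does not inspect. Its last check confirms that pasv_min_port and pasv_max_port form an ordered range above 1024, since the firewall rule in the last section is written from exactly those two values.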
It has to be a port range because passive FTP will use a number of ports.

FileZilla v.3.5.3

This example uses the popular FileZilla client, which has both Windows and Linux versions for connecting to an FTP server. With this setup all data and user authentication are forced to be encrypted. Go to this URL to download the FileZilla program (the example installs on Windows):

http://filezilla-project.org/download.php

Scan the file for viruses (just a normal Windows precaution) and then install it. Open FileZilla; you will find a link in the menu. When FileZilla opens, click the Site Manager (highlighted in the example). The Site Manager will allow you to set up the FTP site for your backups. Enter the information exactly as it is highlighted in the example.

The next step is to enter the username and password you were given when your account was created for remote backups. Do not use what is in this example, as your username and password will be different. When this is complete, click “OK” to save your settings.

Next, navigate to the location on your local machine where the backups you want to copy to the backup server are kept. Note that your location may be different. Then connect to the server by clicking the Site Manager and “FTP”, which will connect you to your remote backup server and home location. When you connect to the server for the first time you will see a certificate, which indicates that the server is using encryption so your data is protected while it transfers. Be sure to check the box on the certificate dialog so you do not have to view the certificate each time.

Now, to transfer files, just drag from your local machine to the remote machine. Drag the files you want to back up to the highlighted directory. You will be able to see the files being transferred. You can also copy files from the backup server to your local machine by dragging them to the local directory.

Firewall

You must add several rules to allow the passive connections to your FTP server.
The remote machines will connect on port 21 and then transfer data on ports 30000:40000 (your port choice may be different).

ufw allow proto tcp from any to any port 21
ufw allow proto tcp from any to any port 30000:40000
ufw status

Status: active

To                         Action      From
--                         ------      ----
20/tcp                     ALLOW       192.168.2.1
30000:40000/tcp            ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere

That should do it; make sure you check /var/log/messages for errors or dropped connections.
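As an added example (not from the original article), the script below ties the two halves of this section together: it writes the ufw rules from the passive range that is actually in vsftpd.conf, so the firewall and the FTP configuration cannot drift apart, and it counts "[UFW BLOCK]" log entries whose destination port falls inside that range, which is the symptom you would see in the log when the range was changed in one place but not the other. The function names, the optional source-network parameter and the sample log lines are this example's assumptions; the log lines are constructed in the kernel/UFW format, not copied from a real system.

```shell
#!/bin/sh
# Added example, not from the original article: derive the UFW rules from the
# passive range in vsftpd.conf and look for firewall drops inside that range.

# conf_value FILE KEY: value of KEY (last occurrence wins, as vsftpd reads it)
conf_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# ufw_rules_for FILE [SOURCE]
# Prints the ufw commands for port 21 and the passive range. SOURCE defaults to
# "any"; pass a CIDR to limit who may reach the server (assumption: the backup
# clients come from a known network).
ufw_rules_for() {
    f=$1; src=${2:-any}
    lo=$(conf_value "$f" pasv_min_port); hi=$(conf_value "$f" pasv_max_port)
    [ -n "$lo" ] && [ -n "$hi" ] || { echo "no passive range in $f" >&2; return 1; }
    echo "ufw allow proto tcp from $src to any port 21"
    echo "ufw allow proto tcp from $src to any port $lo:$hi"
}

# blocked_in_range LOGFILE LO HI
# Counts "[UFW BLOCK]" entries whose destination port (DPT=) lies in LO..HI.
# A non-zero count while clients report stalled listings means the firewall
# range no longer matches pasv_min_port/pasv_max_port.
blocked_in_range() {
    log=$1; lo=$2; hi=$3
    grep 'UFW BLOCK' "$log" | sed -n 's/.*DPT=\([0-9]*\).*/\1/p' |
        awk -v lo="$lo" -v hi="$hi" '$1 >= lo && $1 <= hi { n++ } END { print n+0 }'
}

# sample_files DIR: constructed vsftpd.conf and syslog excerpt for a dry run;
# prints the directory. Addresses are documentation ranges, not real hosts.
sample_files() {
    printf 'pasv_min_port=30000\npasv_max_port=40000\n' > "$1/vsftpd.conf"
    cat > "$1/messages" <<'EOF'
Jan  8 10:00:01 backup kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.5 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=31000 WINDOW=64240 SYN URGP=0
Jan  8 10:00:02 backup kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.5 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=22 WINDOW=64240 SYN URGP=0
Jan  8 10:00:03 backup kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP SPT=51002 DPT=39999 WINDOW=64240 SYN URGP=0
EOF
    echo "$1"
}

# On the server:  ufw_rules_for /etc/vsftpd.conf 192.168.2.0/24 | sh
#                 blocked_in_range /var/log/messages 30000 40000
```

Review the printed rules before piping them to sh; the point of generating them is that the port numbers come from the same file vsftpd reads, so a later edit to the passive range is caught by re-running the script rather than by a client timing out.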