Secure FTP while connecting with FileZilla

ftp
v7

(Jozef Francois) #1

NethServer Version: 7.4.1708
Module: vsftpd

I run NethServer on a VPS. Every time I connect with the server through FileZilla, I get a message that the server is insecure and doesn’t support FTP over TLS.
I have installed a Let’s Encrypt certificate. SSL/TLS works for e-mail.
Wikipedia shows: “vsftpd supports explicit (since 2.0.0) and implicit (since 2.1.0) FTPS.”

Am I missing something? Does vsftpd need to be configured so that secure transmission is enabled?


(Jeroen Visser) #2

The config from NethServer doesn’t support FTPES out of the box. It can be added with a little bit of extra config:

  1. mkdir -p /etc/e-smith/templates-custom/etc/vsftpd/vsftpd.conf

  2. touch /etc/e-smith/templates-custom/etc/vsftpd/vsftpd.conf/90ssl

  3. edit the just created /etc/e-smith/templates-custom/etc/vsftpd/vsftpd.conf/90ssl and add:

    rsa_cert_file=/etc/pki/tls/certs/localhost.crt
    rsa_private_key_file=/etc/pki/tls/private/localhost.key
    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    require_ssl_reuse=NO
    ssl_ciphers=HIGH

  4. signal-event nethserver-vsftpd-update

Edit: given how simple this is, it should be a checkbox, really
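
A check to run after step 4, as an added example that is not part of the thread: it audits a vsftpd.conf for the FTPS options in the fragment above and flags any that are missing or weakened. The function names and sample files are constructed for illustration, and running it against /etc/vsftpd/vsftpd.conf assumes that is where the expanded template lands.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit an expanded vsftpd.conf for the
# FTPS options in the fragment above. Defaults are those in vsftpd.conf(5);
# "last occurrence wins" and YES/NO-only matching are assumptions made here.

# effective_opt FILE KEY DEFAULT -> print the effective value, upper-cased
effective_opt() {
    local val
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}" | tr '[:lower:]' '[:upper:]'
}

# audit_vsftpd_tls FILE -> print findings; return 0 if clean, 1 otherwise
audit_vsftpd_tls() {
    local conf="$1" bad=0 key want default got
    # vsftpd.conf(5): no space is allowed between option, '=' and value
    if grep -Eq '^[a-z0-9_]+([[:space:]]+=|=[[:space:]])' "$conf"; then
        echo "FAIL: whitespace around '=' (vsftpd rejects such lines)"; bad=1
    fi
    # Table columns: option, required value, vsftpd default when absent
    while read -r key want default; do
        got=$(effective_opt "$conf" "$key" "$default")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key=$got (want $want)"; bad=1
        fi
    done <<'EOF'
ssl_enable YES NO
force_local_logins_ssl YES YES
force_local_data_ssl YES YES
allow_anon_ssl NO NO
ssl_sslv2 NO NO
ssl_sslv3 NO NO
EOF
    [ "$bad" -eq 0 ] && echo "OK: FTPS enforced for local logins and data"
    return "$bad"
}

# Constructed samples: the options from the post, and a deliberately weak copy
demo() {
    local good weak
    good=$(mktemp); weak=$(mktemp)
    printf '%s\n' ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES \
        force_local_logins_ssl=YES ssl_sslv2=NO ssl_sslv3=NO > "$good"
    printf '%s\n' 'ssl_enable = YES' force_local_data_ssl=NO ssl_sslv3=YES > "$weak"
    audit_vsftpd_tls "$good"
    audit_vsftpd_tls "$weak" || true
    rm -f "$good" "$weak"
}
demo
```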


(Markus Neuberger) #3

Templates shouldn’t be copied, as system updates may provide updated templates, which will never take effect because they get overwritten by the copied custom templates.

A better way would be something like /etc/e-smith/templates-custom/etc/vsftpd/vsftpd.conf/90ftps.

Funny, I also saw the FileZilla message today, thought about a custom template and you just did it. Thanks!


(Jeroen Visser) #4

Thanks for pointing that out! Will change immediately 🙂


(Michael Träumner) #5

What about using SCP? This works out of the box.


(Markus Neuberger) #6

For FileZilla to work, you need to enable SFTP on the server because FileZilla lacks SCP support AFAIK.

https://forum.filezilla-project.org/viewtopic.php?t=39656


(Michael Träumner) #7

On a Windows machine I do it with WinSCP. That works fine.


(Eric) #8

When forcing FTP over SSL/TLS, seems I can only connect via an active FTP connection. Guessing I need to configure the firewall for passive FTP now…

Is that correct?


(Eric) #9

OK I think I found it.

I added “ftp:FTP(HELPER) loc -” to /etc/shorewall/rules