Secure ftp while connecting with Filezilla


NethServer Version: 7.4.1708
Module: vsftpd

I run NethServer on a VPS. Every time I connect to the server through FileZilla, I get a message that the server is insecure and doesn’t support FTP over TLS.
I have installed Let’s Encrypt certificate. SSL/TLS works for e-mail.
Wikipedia shows: “vsftpd supports explicit (since 2.0.0) and implicit (since 2.1.0) FTPS.”

Am I missing something? Does vsftpd need to be configured so that secure transmission is enabled?

The config from NethServer doesn't support FTPES out of the box. It can be added with a little bit of extra config:

  1. mkdir -p /etc/e-smith/templates-custom/etc/vsftpd/vsftpd.conf

  2. touch /etc/e-smith/templates-custom/etc/vsftpd/vsftpd.conf/90ssl

  3. Edit the newly created /etc/e-smith/templates-custom/etc/vsftpd/vsftpd.conf/90ssl and add:

    rsa_cert_file=/etc/pki/tls/certs/localhost.crt
    rsa_private_key_file=/etc/pki/tls/private/localhost.key
    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    require_ssl_reuse=NO
    ssl_ciphers=HIGH

  4. signal-event nethserver-vsftpd-update

Edit: given how simple this is, it should be a checkbox, really

2 Likes
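A check that can be run after step 4 to confirm the fragment's values are the ones in effect. This is an added example, not part of the original posts: the function names are hypothetical, the sample config is constructed, and on a real host the file to pass would be the expanded /etc/vsftpd/vsftpd.conf (path assumed from the template directory above).

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the FTPS settings given in this thread.

# Print the effective value of option $2 in file $1. vsftpd applies settings in
# file order, so the last assignment wins; boolean spellings become YES/NO.
vsftpd_get() {
    awk -v k="$2" '
        index($0, k "=") == 1 { val = substr($0, length(k) + 2) }
        END {
            u = toupper(val)
            if (u == "YES" || u == "TRUE" || u == "1") val = "YES"
            if (u == "NO" || u == "FALSE" || u == "0") val = "NO"
            print val
        }' "$1"
}

# Require each setting to be present with the expected value.
# Prints one line per mismatch and returns the number of mismatches.
audit_vsftpd_tls() {
    conf=$1; bad=0
    while read -r key want; do
        got=$(vsftpd_get "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key=${got:-<unset>} (want $want)"
            bad=$((bad + 1))
        fi
    done <<'EOF'
ssl_enable YES
force_local_logins_ssl YES
force_local_data_ssl YES
allow_anon_ssl NO
ssl_sslv2 NO
ssl_sslv3 NO
EOF
    for key in rsa_cert_file rsa_private_key_file; do
        if [ -z "$(vsftpd_get "$conf" "$key")" ]; then
            echo "FAIL $key is not set"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: an earlier ssl_enable=NO overridden by the 90ssl values.
sample=$(mktemp)
printf '%s\n' 'ssl_enable=NO' 'rsa_cert_file=/etc/pki/tls/certs/localhost.crt' \
    'rsa_private_key_file=/etc/pki/tls/private/localhost.key' 'ssl_enable=YES' \
    'allow_anon_ssl=NO' 'force_local_data_ssl=YES' 'force_local_logins_ssl=YES' \
    'ssl_sslv2=NO' 'ssl_sslv3=NO' > "$sample"
audit_vsftpd_tls "$sample" && echo "OK: FTPS settings are in effect"
rm -f "$sample"
```

A non-zero return value is the number of settings that are missing or have the wrong value.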

Templates shouldn’t be copied, as system updates may provide updated templates, which will never have any effect because they get overridden by the copied custom templates.

A better way would be something like /etc/e-smith/templates-custom/etc/vsftpd/vsftpd.conf/90ftps.

Funny, I also saw the Filezilla message today, thought about a custom template and you just did it. Thanks!

2 Likes

Thanks for pointing that out! Will change immediately 🙂

2 Likes

What about using SCP? This works out of the box.

For FileZilla to work, you need to enable SFTP on the server because FileZilla lacks SCP support AFAIK.

https://forum.filezilla-project.org/viewtopic.php?t=39656

1 Like

On a Windows machine I do it with WinSCP. That works fine.

1 Like

When forcing FTP over SSL/TLS, it seems I can only connect via an active FTP connection. Guessing I need to configure the firewall for passive FTP now…

Is that correct?

OK I think I found it.

I added “ftp:FTP(HELPER) loc -” to /etc/shorewall/rules

2 Likes