Mike Leone on 22 Jan 2010 16:53:44 -0800



Re: [PLUG] Implicit SSL with vsftpd?


George A. Theall had this to say:
> On Fri, Jan 22, 2010 at 12:49:00PM -0500, Mike Leone wrote:
> 
>> I need to set up a secure FTP server for our DMZ. So I set up vsftpd and 
>> activated SSL, and enforced only SSL connections. And that all works 
>> well. I used Filezilla (on Windows), and specified a FTP over explicit 
>> SSL connection.
> ...
>> What that means is that the client connects on port 21. And my firewall 
>> guy doesn't want to leave port 21 open, he wants 990 (which is implicit 
>> SSL). So I changed the vsftpd config to
> 
> You seem to be mixing explicit and implicit FTP. 

I'm not mixing; I wanted explicit, which worked with minimal config 
changes, either to the firewall or the FTP server config. He wanted 
implicit, which isn't working as easily. My client (Filezilla) can do 
either.

> The former requires
> that you explicitly request that the connection continue over TLS (eg, with an
> 'AUTH TLS' command) after connecting over an unencrypted channel; the
> latter that you handle SSL / TLS negotiation from the get-go. 

Right. And the former works without fail every time, and the latter does 
not. Not for me, anyway.

> 
>> listen_port=990
>>
>> and restarted it. And tried connecting again, this time specifying FTP 
>> over implicit SSL (which defaults to using port 990 to connect to).
> 
> Doesn't that just tell vsftpd to listen on a specific port? Have you
> actually enabled SSL support and defined certs?

Yes; explicit SSL connections work perfectly. So SSL support is enabled 
in the FTP server (in fact, SSL is required) and a cert is defined.

We eventually decided to just use explicit SSL. Since the SSL encryption 
takes place before logging into the FTP server, the ID and password are 
encrypted, as is the data stream. And the client is chrooted, and 
downloads are disabled. This is pretty good security, for our needs. So 
this has now become a moot point.

Thanks everyone.

> 
> George
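
The explicit/implicit distinction George describes, and the vsftpd setting that moving listen_port to 990 on its own does not cover, as an added vsftpd.conf example (not the poster's actual config; the certificate paths and the passive port range are assumptions, and vsftpd does not accept trailing comments on option lines, so every comment is on its own line):

```ini
# /etc/vsftpd.conf -- added example, not the config from the thread.

# Common part, as the poster describes it: standalone mode, SSL on and required.
# listen_port only applies in standalone mode (listen=YES).
listen=YES
ssl_enable=YES
# Refuse a USER/PASS sent in the clear, and refuse a cleartext data channel.
force_local_logins_ssl=YES
force_local_data_ssl=YES
# Certificate and key paths are assumptions.
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
# Chroot and upload-only drop box, as in the thread.
chroot_local_user=YES
download_enable=NO

# Variant A: explicit FTPS (what worked for the poster).
# Client connects in the clear on 21, reads the 220 banner, sends AUTH TLS.
listen_port=21

# Variant B: what the poster tried, i.e. only the port moved.
# With this alone vsftpd still sends its 220 banner in cleartext and waits for
# AUTH TLS, while a client in implicit mode opens with a TLS ClientHello and
# waits for a ServerHello. Each side waits for the other, so the session fails.
#listen_port=990

# Variant C: implicit FTPS on 990. The TLS handshake is the first thing
# expected on every connection, before any FTP command or banner.
# implicit_ssl is available in vsftpd 2.1.0 and later; the default is NO.
#listen_port=990
#implicit_ssl=YES

# Firewall caveat that applies to A and C alike: the data channel uses separate
# ports, and because PASV replies are encrypted the firewall cannot open them
# on the fly. Pin a passive range (assumed values) and open it next to 21 or 990.
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
```

To check which mode a port actually speaks without a GUI client, `openssl s_client -connect host:990` should complete a handshake immediately against variant C, while `openssl s_client -starttls ftp -connect host:21` reads the banner, sends AUTH TLS and then handshakes against variant A; the first command hanging against a server with only variant B is exactly the symptom reported in the thread.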

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug