VSFTPD SSL Example
1. Background
   1. FTPS and FTPES
   2. Pitfalls
2. Basics
   1. Server Configuration
   2. Curl Syntax
   3. Lftp Syntax
3. Experiment
   1. Wireshark
   2. Unencrypted
   3. Encrypted
4. Conclusion
Background
Recently, I set up vsftpd on RHEL5 with SSL and it was significantly easier than I had suspected it
would be. I wanted to quickly share the methods I used to set up the server, test from a client,
and verify everything was encrypted.
I chose FTPS (FTP over SSL) with vsftpd as opposed to SFTP (over SSH) for several reasons.
First, I chose vsftpd because of the limits which are placed on the FTP shell. Using vsftpd also
allows us to use the same service for people who have older clients that can't use SSL. Finally,
vsftpd provides handling of the umask in a way that is conducive to teams working in the same
directory.
FTPS and FTPES
The next point of confusion is often implicit FTPS vs. explicit FTPS. In writing, both are referred to
simply as FTPS, which can be very confusing. Worse, some FTPS clients can do one and not the
other. This article will discuss FTPES because it is generally used alongside regular FTP with
vsftpd.
Explicit FTPS was developed to run on the same port as regular FTP. It allows the password, the
data, or both to be encrypted; each is optional and is negotiated by the client and server upon
connection. Implicit FTPS is completely different: it works like HTTPS in that it runs on a
different port and the entire connection is encrypted. In some clients FTPS refers to implicit,
while FTPES refers to explicit. Also, when using FTPES, be careful to encrypt both the password
and the data.
Pitfalls
I have used vsftpd for several years with regular FTP and even anonymous FTP, but never with SSL.
When using software in a new use case, it is critical to verify the behavior, especially when
dealing with something like sensitive data over SSL.
When I first set up Vsftpd and connected with Lftp, I noticed that it reported some clues that it was
connecting over SSL, but this was not enough. I verified the encrypted/unencrypted traffic with
wireshark and now I am confident the software is behaving the way I want it to.
Normally, I would have used tcpdump, which I am more comfortable with, but I didn't want to save
the pcap file with the right snap length, etc. It was easier to do deep packet inspection in one
shot with Wireshark, but it can be uncomfortable to use a piece of software like this when it has
been 3 months since the last use.
Verification also takes a bit of reasoning and patience. For example, I couldn't remember what
FTP traffic looks like; it had been several years since the last time I did any kind of inspection. I
gained confidence by first looking at the unencrypted traffic. When I was comfortable that I
understood it well enough, I verified that the encrypted traffic really was unreadable. I had
confidence because I looked at the unencrypted traffic first.
Basics
Server Configuration
The general process is: generate an SSL certificate, then configure vsftpd to use it. The following
command generates a key and a self-signed certificate, valid for one year, in a single PEM file.
Because that file also holds the unencrypted private key (-nodes), restrict its permissions so that
only root can read it, and on a current system prefer a 2048-bit or larger key, since 1024-bit RSA
is below present-day minimums. Only a couple of directives really have to be in the configuration
file to make SSL work.
Generate SSL Certificate
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Basic Vsftpd Configuration
vim /etc/vsftpd/vsftpd.conf
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
Vsftpd Configuration: Force Encryption for passwords and data
force_local_data_ssl=YES
force_local_logins_ssl=YES
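A check for the configuration just shown, added here as an example and not taken from the post: it reads a vsftpd.conf the way vsftpd resolves it (comments ignored, last assignment wins) and confirms that ssl_enable, both force_* settings and the certificate path are present, using two constructed sample configs.

```shell
# Added example, not from the original post: check that a vsftpd.conf
# carries the settings the post relies on. ssl_enable=YES alone only offers
# TLS; the force_* keys make vsftpd refuse cleartext logins and data.
# The two sample configs below are constructed for the demonstration.

# Effective value of a key: comments are skipped and the last assignment wins.
vsftpd_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { i = index($0, "="); if (i == 0) next
          k = substr($0, 1, i - 1); v = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) val = v }
        END { print val }' "$1"
}

# Exit 0 only when every setting needed for forced FTPES is present.
check_vsftpd_ssl() {
    conf="$1"; rc=0
    for key in ssl_enable force_local_logins_ssl force_local_data_ssl; do
        v=$(vsftpd_value "$conf" "$key")
        if [ "$v" != "YES" ]; then
            echo "FAIL: $key must be YES (found '${v:-unset}')"; rc=1
        fi
    done
    # The private key may live inside the cert file, so only the cert is mandatory.
    if [ -z "$(vsftpd_value "$conf" rsa_cert_file)" ]; then
        echo "FAIL: rsa_cert_file is not set"; rc=1
    fi
    return $rc
}

GOOD_CONF=$(mktemp)   # constructed: the post's settings, complete
cat > "$GOOD_CONF" <<'EOF'
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
force_local_data_ssl=YES
force_local_logins_ssl=YES
EOF
BAD_CONF=$(mktemp)    # constructed: TLS offered but never enforced
cat > "$BAD_CONF" <<'EOF'
ssl_enable=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
#force_local_data_ssl=YES
force_local_logins_ssl=NO
EOF
check_vsftpd_ssl "$GOOD_CONF" && echo "good sample: OK"
check_vsftpd_ssl "$BAD_CONF" || echo "bad sample: rejected as expected"
```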
Curl Syntax
--insecure is needed because the certificate above is self-signed; it disables certificate
verification, so curl does not authenticate the server. Note also that --ftp-ssl only asks for SSL
and falls back to plain FTP if the server declines it, whereas --ftp-ssl-reqd makes curl abort instead.
List files
curl --ftp-ssl --insecure --user smccarty:p@@ceyourself555 ftp://ftp.eyemg.com
Upload a file
curl --ftp-ssl --insecure --user smccarty:p@@ceyourself555 -T test_file.txt ftp://ftp.eyemg.com
Download a file
curl --ftp-ssl --insecure --user smccarty:p@@ceyourself555 ftp://ftp.eyemg.com/test_file.txt
Delete a file
curl --ftp-ssl --insecure --user smccarty:p@@ceyourself555 -X "DELE test_file.txt" ftp://ftp.eyemg.com
Lftp Syntax
Connect to the server, enable SSL, and authenticate
lftp
lftp :~> set ssl-force true
lftp :~> set ssl-protect-data true
lftp :~> connect ftp.eyemg.com
lftp :~> login smccarty
Password:
Now run ftp commands as normal
lftp [email protected]:~> ls
-rw-rw-r-- 1 607 503 0 Feb 21 17:43 test_file.txt
Experiment
Wireshark
Capture command. Since I am using ssh to connect to the box, I want to exclude that traffic.
wireshark -f "host ftp.eyemg.com and port not 22"
Unencrypted
Un-encrypted command
curl --ftp-ssl --insecure --user smccarty:p@@ceyourself555 -T test_file.txt ftp://ftp.eyemg.com
Un-encrypted screenshot
Encrypted
Encrypted command
curl --ftp-ssl --insecure --user smccarty:p@@ceyourself555 -T test_file.txt ftp://ftp.eyemg.com
Encrypted Screenshot
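The explicit-mode negotiation described in the FTPES section and verified with Wireshark above can also be checked on the control channel itself. This added example (not code from the post) audits a client transcript for a successful AUTH TLS before the login and a successful PROT P before the transfer, which is exactly the "encrypt both the password and the data" condition; both transcripts are constructed and the server replies are assumed to be vsftpd-style.

```shell
# Added example, not from the original post: audit an FTPES control-channel
# transcript (">" client, "<" server, in the style of curl -v) and flag
# credentials sent before AUTH TLS succeeded or data commands issued before
# PROT P succeeded. Both transcripts below are constructed for the demo.

# Exit 0 if every USER/PASS follows a 234 to AUTH TLS and every data
# command follows a 200 to PROT P; otherwise print the offending lines.
check_ftpes_transcript() {
    awk '
      $1 == ">" { cmd = toupper($2) }
      $1 == ">" && cmd == "AUTH" && toupper($3) == "TLS" { want = "auth"; next }
      $1 == ">" && cmd == "PROT" { want = (toupper($3) == "P") ? "priv" : "clear"; next }
      $1 == "<" && want == "auth"  && $2 == "234" { tls = 1 }
      $1 == "<" && want == "priv"  && $2 == "200" { prot = 1 }
      $1 == "<" && want == "clear" && $2 == "200" { prot = 0 }
      $1 == "<" { want = "" }
      $1 == ">" && (cmd == "USER" || cmd == "PASS") && !tls {
          print "cleartext credentials: " $0; bad = 1 }
      $1 == ">" && cmd ~ /^(STOR|RETR|LIST|NLST|MLSD)$/ && !prot {
          print "cleartext data channel: " $0; bad = 1 }
      END { exit bad + 0 }' "$1"
}

GOOD_LOG=$(mktemp)   # constructed: password and data both protected
cat > "$GOOD_LOG" <<'EOF'
> AUTH TLS
< 234 Proceed with negotiation.
> USER smccarty
> PASS ********
< 230 Login successful.
> PBSZ 0
< 200 PBSZ set to 0.
> PROT P
< 200 PROT now Private.
> STOR test_file.txt
EOF
BAD_LOG=$(mktemp)    # constructed: login encrypted, file sent in the clear
cat > "$BAD_LOG" <<'EOF'
> AUTH TLS
< 234 Proceed with negotiation.
> USER smccarty
> PASS ********
< 230 Login successful.
> PROT C
< 200 PROT now Clear.
> STOR test_file.txt
EOF
check_ftpes_transcript "$GOOD_LOG" && echo "good transcript: both channels protected"
check_ftpes_transcript "$BAD_LOG" || echo "bad transcript: rejected as expected"
```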
Conclusion
At times, I feel myself being resistant to the verification process because the tool I need to use is
unfamiliar. I have found that two things help with this pain. First, familiarity: even if it has been a
year since I last used a tool, the familiarity comes back quickly. Second, just do it: the pain never
ends up being as bad as I anticipated. It is critical to get over this pain if we are to deliver better
service, and these scientific methods are invaluable for the edge.