[HOWTO] Securing ftp server with encryption

Hi all, [Edited config, there was a missing line]

This could be useful to those who want to use FTP but worried about the lack of security. the default setup sends everything in the clear and anyone with packet sniffer can see your username and password and able to reconstruct the upload/download.

This 5 minutes changes will secure the FTP server with encryption key and no additional software. After the changes you will be able to use FTP with everything encrypted.

you should be aware of using ssh and warranty thingy. Also, you should be able to use vi editor or whatever you are comfortable with. The procedure is straight forward:

  1. login to your wdmycloud with ssh

2 . do the following:

[root@wdmycloud] openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/certs/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem

this will create an encryption certificate for vsfptd (wdmycloud standard ftp server).

it will last for 365 days, and uses 1024 bit encrypted key. You can change these.

it will ask for information to populate the certificate, enter them as you wish. Make it meaningful so you can differentiate it from others. such as your name, city etc …

  1. To configure vsftpd you edit the file /etc/vsftpd.conf and add the following lines:

    rsa_cert_file=/etc/ssl/certs/vsftpd.pemrsa_private_key_file=/etc/ssl/certs/vsftpd.pemssl_enable=YESallow_anon_ssl=NOforce_local_data_ssl=YESforce_local_logins_ssl=YESssl_tlsv1=YESssl_sslv2=NOssl_sslv3=NOrequire_ssl_reuse=NOssl_ciphers=HIGH

  Save the file.

  1. the FTP server will use ports 5000-5099 for data (look in vsftpd.conf) therefore you need to open (port forward)  these on your firewall/router as well as port 21-22 and enable ftp in your dashboard

5.  then do

[root@wdmycloud] service vsftpd restart

I also prefer to reboot, just in case to make sure the changes take hold. Now you need a FTP client that support TLS, Filezilla will do (but I prefer WinSCP). I also use similar on my ipad and laptop from work. The client will negotiate with the server and presented with certificate,  accept it since you created it. all connection including username and password is now encrypted with the above key you created.

 NOTE: THIS WILL ENCRYPT THE DATA, USER NAME AND PASSWORD. STILL YOU MUST CHOOSE A STRONG PASSWORD (MIXED LETTERS, PUNCTUATIONS and NUMBERS).

TIP: USE WinSCP for ftp with TLS authentication  (safer than filezilla).

NOTE: you can also have a look on how to secure SSHwith private key and passphrase.

5 Likes

Great guide! Additionally speedup FTPS by decreasing the cipher, add below to /etc/vsftpd.conf and restart vsftpd. Though a little less secure, you should see increase in the throughput, tradeoff between speed and security. 

ssl_ciphers=RC4-MD5

Thanks for the tip. there are so much to play with.

I mostly did it so that I can use my iPad in public networks (mostly cafes) and securely transfer photos that I downloaded from my DSLR.

Thanks again, I will be doing some tests later.

I kept getting “handshake failed” messages when trying to connect with filezilla

You have to tell Filezilla to use TLS. For example, on mine (could be a little older than Windows vesions) under encryption, below protocol (when creating a new site via site manager in menu File) choose “Use Explicit FTP over TLS if available” option.

did you restart the server or the mycloud?#

if you try to conenct as normal ftp it will fail.

quick test with command line ftp which does not have encryption should give you the following error.

Connected to 88.78.33.33 <--- put your own here (here I am doing it remotely)
220 Welcome to WD My Cloud
530 Non-anonymous sessions must use encryption.
ftp: Login failed
ftp>

Here is a screenshot

HTH

 “Use Explicit FTP over TLS if available” option.

I did, tried both implicit and explicit.

did you restart the server or the mycloud?#

yes, also rebooted just to make sure…

I’ll try again tomorrow when I got more time. One question though, why the need to open port 22? Isn’t this port used solely for SSH purposes?

When you connect first time are you presented with a certificate? Like this:

I suggest you recheck everything again.

Make sure you are saving the file to /etc/ssl/certs/vsftpd.pem

make sure you type everything correctly.

make sure the modifications are correct in vsftpd.conf

login as know user on your wdmycloud

enter correct password.

if failed look in /etc/log/vsftpd.log and see if there are any errors there.

OOOOOOH I am sorry I missed an important line in my first post. I corrected it. Here is my config

rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

 I am so sorry, **bleep** cut and paste :smileyvery-happy:

lol no problem :smiley:

It’s working good now! thanks for this 

joskevermeulen wrote:

lol no problem :smiley:

 

It’s working good now! thanks for this 

Excellent. :slight_smile:

working nicely for me as well. I do remote backup via FTP.

Thanks for the tip.

Hey all,

you say:

To configure vsftpd you edit the file /etc/vsftpd.conf and add the following lines:

how do i edit the vsftpd.conf

how is the command line to open the file?

And must i lock in with root?

Because the PW for root (welc0me) did not work.

I only can lock in with:

admin

PW: the PW from ssh

Thank you for Help.

If things here are new to you (like they are to me), I found that this page was helpful:

https://mediatemple.net/community/products/dv/204643550/common-ssh-commands 

For some basic SSH commands (like open file) and also a guide on vi (visual editor) which is what you will use to edit the file with.

Also if you log in as sshd instead you have the same rights as root.

Unfortunatley I’m also stuck, my hickup was at the last stage i.e. ‘service vsftpd restart’ which won’t work. Just says “service not found”. Has anyone got any suggestions on that? 

Hi,
First thing - apologies for reopening such an old thread!
Thanks a lot for this guide. I have followed step by step but for some reason I cannot connect remotely to mycloud. No luck on android device with kitkat 4.4.2 and windows 8.1 with winscp. Please see error attached for winscp. I have had prompt about cert which I have accepted.
Please - has something has changed since firmware 4.0 on my cloud?
FTP works fine, its FTPS with, obviously, SSL=ON that won’t connect.
Your help would be much appreciated!
Thanks a lot!

@Nazar78 - sorry for direct asking - would you mind having a look at my issue please?

I’m still on a very old v4 version so I’m not so sure if there’s changes in the latest firmware, but I doubt so. From the first line of error, yours seems to be issues with passive mode. I noticed FTPS needs passive mode to be set properly while I can turn off passive mode in non-SSL else I’ve have issues behind NAT.

  1. Were you trying to connect using hostname or IP?
  2. Can you reach 192.168.0.104 from this PC (this is supposedly to be your MyCloud IP) ?
  3. What’s your config like?

I’ve got mine set to below (with NAT properly setup ports 2000-2021):

pasv_address=teanazar.com (use your DDNS host)
pasv_addr_resolve=YES
pasv_enable=YES
pasv_promiscuous=YES
pasv_min_port=2000
pasv_max_port=2021

Hi @Nazar78, thanks a lot for your response.
below is my config. I can get in via local lan, be it ssl or not. I’ve run out of ideas why it wouldn’t connect from external network - hostname or ip - doesn’t work. My nat is enabled, port forwarding set as well. port 21 is open.

ftpd_banner=Welcome to WD My Cloud
listen=yes
listen_port=21
accept_timeout=60
connect_timeout=60
data_connection_timeout=900
max_clients=0
max_per_ip=20
xferlog_enable=YES
hide_ids=YES
dirlist_enable=YES
download_enable=YES
use_localtime=YES
write_enable=YES
file_open_mode=0755
local_enable=YES
local_umask=02
local_max_rate=0
anon_root=/nfs/
local_root=/nfs/
check_shell=NO
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/user_list
vsftpd_log_file=/var/log/vsftpd.log
anonymous_enable=NO
anon_mkdir_write_enable=NO
anon_upload_enable=NO
anon_world_readable_only=YES
anon_other_write_enable=NO
no_anon_password=YES
anon_max_rate=0
anon_umask=077
#~#  share_acl_enable=YES
pasv_enable=YES
pasv_promiscuous=no
pasv_min_port=4532	
pasv_max_port=4623
pasv_address=my_ddns
pasv_addr_resolve=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/certs/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

and here is last screen shot:

Thanks a lot for help!

Confirm your NAT setup:

pasv_min_port=4532
pasv_max_port=4623

Total 91 ports 4532 to 4623 correctly forwarded to your MyCloud besides the usual port 21? Check if your passive mode works fine in non-SSL, ftp externally to your my_dds host using non-SSL in passive mode (in WinSCP session->advanced settings->connections). If you can’t do passive mode in no-SSL, this will also not work in SSL.

Thank you for your help @Nazar78, I have given false number in ports, just for security. In real life that number is 20 apart. Ports are correctly forwarded as I have no problem connecting in passive mode when NON SSL connection is set up, from outside home network using my DDNS. It’s only a problem when I enable SSL I can’t connect at all and get the error previously posted… I don’t know where to look else, what to change. A big change was adding my ddns line to conf file. Because of that I don’t get this error no more:

Thanks a lot again, I just hope to get solution for my problem as I would love to use FTPS with mycloud.

Have a good day!

No problem. Again I’m not sure if the latest firmware has got anything to do with this as I’m still on the very old v4 firmware. Perhaps those with the latest firmware can help to test.