Howto Setup vsftpd for AML2 on EC2 With TLS

Dao Studios
2 min read · Mar 29, 2021


Open ports under security groups

Add two inbound rules to the instance's security group. Restrict the source to the address ranges your FTP clients actually use rather than 0.0.0.0/0 where you can. The second rule is the passive-mode data port range and must match pasv_min_port/pasv_max_port in vsftpd.conf:

Custom TCP Rule / TCP / port 21
Custom TCP Rule / TCP / ports 1024–1048

Install vsftpd

SSH into the EC2 instance (tutorial) and install vsftpd. vsftpd links against OpenSSL directly; mod_ssl is the Apache TLS module and is only needed if Apache on the same instance will also serve HTTPS:

$ sudo yum update -y
$ sudo yum install vsftpd mod_ssl

Create SSL Certs

$ cd /etc/pki/tls/certs

This creates a 4096-bit RSA private key and a self-signed certificate valid for 365 days (rsa:2048 gives a smaller key, not "lower bit encryption"; 2048 bits is the minimum worth using today). -nodes leaves the key unencrypted on disk so vsftpd can read it at startup, so keep vsftpd.key owned by root with mode 0600. The subject below is the article's placeholder; put the hostname clients connect to in CN, because a self-signed certificate with CN=NA gives clients nothing to verify and they will have to trust it explicitly:

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout vsftpd.key -out vsftpd.crt -subj "/C=NA/ST=NA/L=NA/O=NA/OU=NA/CN=NA"

Configure FTP

Open vsftpd.conf in an editor (nano here) from the command line:

$ sudo nano /etc/vsftpd/vsftpd.conf

Change anonymous_enable from YES to NO (optional but recommended). This disables anonymous logins:

anonymous_enable=NO

Set chroot_local_user to YES (optional). This will restrict users to their home directories for security. This line may already exist but is commented out with #:

chroot_local_user=YES

Add the following to the end of the file. Replace [Your IP Address] with the public (Elastic) IP of the EC2 instance: the instance's network interface carries only the private VPC address, so vsftpd has to be told which address to advertise in its PASV responses, or clients outside the VPC will try to open data connections to an unreachable private IP:

rsa_cert_file=/etc/pki/tls/certs/vsftpd.crt
rsa_private_key_file=/etc/pki/tls/certs/vsftpd.key
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=[Your IP Address]
allow_writeable_chroot=YES

Two of these values trade security for client compatibility. force_local_logins_ssl=NO and force_local_data_ssl=NO make TLS optional: a client that never sends AUTH TLS still logs in and transfers files in cleartext, so set both to YES unless you must support such clients. require_ssl_reuse=NO drops vsftpd's check that each data connection reuses the control connection's TLS session; that check stops a third party from opening the data connection, but many clients cannot satisfy it. ssl_tlsv1=YES permits TLS 1.0 and newer, with SSLv2 and SSLv3 disabled. allow_writeable_chroot=YES is needed because vsftpd otherwise refuses a chroot whose root directory is writable ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()").

Change the default FTP directory (optional). With chroot_local_user=YES this is also the directory the user is confined to. Add the following to the end of the file:

local_root=/var/www/html

If the FTP user cannot write there, give the tree group ownership and group write permission rather than making it world-writable (chmod 777 would let every local account, including the web server process, write into the document root). The setgid bit makes new files inherit the group:

$ sudo chgrp -R apache /var/www/html
$ sudo find /var/www/html -type d -exec chmod 2775 {} \;
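As an added example, not code from the article or from the vsftpd project, the script below audits a vsftpd.conf for the settings discussed above and writes a hardened copy with the weak values corrected. The embedded sample config is constructed to mirror the article's additions, placeholder included; the security group range 1024-1048 is the one opened earlier; and 203.0.113.10 is a documentation address standing in for the instance's public IP. Run it against your own file, range and IP instead.

```shell
#!/bin/bash
# vsftpd-tls-check.sh -- audit a vsftpd.conf for the TLS-related settings
# this article touches, and write a hardened copy. Added example; not code
# from the article or from vsftpd. The sample config is constructed to mirror
# the article's settings; 203.0.113.10 is a documentation address, not a host.
set -u

# Constructed sample: the article's vsftpd.conf additions as written.
sample_conf() {
    cat <<'EOF'
anonymous_enable=NO
chroot_local_user=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.crt
rsa_private_key_file=/etc/pki/tls/certs/vsftpd.key
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=[Your IP Address]
allow_writeable_chroot=YES
EOF
}

# conf_get FILE KEY: value of the last active KEY= line (a later line wins).
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

rc=0
note() { echo "FAIL: $*"; rc=1; }

# audit_conf FILE SG_MIN SG_MAX: print one line per finding; return 1 if any.
# SG_MIN-SG_MAX is the passive port range opened in the EC2 security group.
audit_conf() {
    f=$1; sg_min=$2; sg_max=$3; rc=0
    [ "$(conf_get "$f" ssl_enable)" = YES ] || note "ssl_enable is not YES; no TLS at all"
    [ "$(conf_get "$f" anonymous_enable)" = NO ] || note "anonymous_enable is not NO"
    # With either of these at NO a client may still log in or transfer in cleartext.
    [ "$(conf_get "$f" force_local_logins_ssl)" = YES ] || note "force_local_logins_ssl=NO permits plaintext passwords"
    [ "$(conf_get "$f" force_local_data_ssl)" = YES ] || note "force_local_data_ssl=NO permits plaintext file data"
    [ "$(conf_get "$f" ssl_sslv2)" != YES ] || note "ssl_sslv2=YES enables broken SSLv2"
    [ "$(conf_get "$f" ssl_sslv3)" != YES ] || note "ssl_sslv3=YES enables broken SSLv3"
    # pasv_address must be the public IP, or NAT-ed clients are told the private one.
    case "$(conf_get "$f" pasv_address)" in
        ''|*\[*) note "pasv_address is unset or still a placeholder" ;;
    esac
    pmin=$(conf_get "$f" pasv_min_port); pmax=$(conf_get "$f" pasv_max_port)
    case "${pmin:-x}${pmax:-x}" in
        *[!0-9]*) note "pasv_min_port/pasv_max_port missing or non-numeric" ;;
        *) if [ "$pmin" -gt "$pmax" ]; then
               note "pasv_min_port $pmin is above pasv_max_port $pmax"
           elif [ "$pmin" -lt "$sg_min" ] || [ "$pmax" -gt "$sg_max" ]; then
               note "passive range $pmin-$pmax exceeds security group range $sg_min-$sg_max"
           fi ;;
    esac
    return $rc
}

# harden_conf IN OUT PUBLIC_IP: copy IN to OUT with the weak values corrected
# (each key is replaced in place if present, appended otherwise).
harden_conf() {
    cp "$1" "$2"
    for kv in force_local_logins_ssl=YES force_local_data_ssl=YES \
              ssl_sslv2=NO ssl_sslv3=NO anonymous_enable=NO "pasv_address=$3"; do
        key=${kv%%=*}
        if grep -q "^[[:space:]]*$key=" "$2"; then
            sed "s|^[[:space:]]*$key=.*|$kv|" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
        else
            echo "$kv" >> "$2"
        fi
    done
}

# Demo: audit the article's config as written, then the hardened copy.
tmp=$(mktemp -d)
sample_conf > "$tmp/vsftpd.conf"
echo "== article config =="
audit_conf "$tmp/vsftpd.conf" 1024 1048 || true
harden_conf "$tmp/vsftpd.conf" "$tmp/vsftpd.hardened.conf" 203.0.113.10
echo "== hardened config =="
audit_conf "$tmp/vsftpd.hardened.conf" 1024 1048 && echo "OK: no findings"
rm -rf "$tmp"
```

The audit deliberately keeps ssl_tlsv1 and require_ssl_reuse out of the hardening step, since changing those is a client-compatibility decision rather than a clear error. Once vsftpd has been restarted with the hardened file, confirm the explicit-TLS handshake from a client machine with `openssl s_client -starttls ftp -connect <public-ip>:21`; the server's certificate and negotiated protocol appear in the output, and a login attempt without AUTH TLS should be refused.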

Start vsftpd service:

$ sudo systemctl restart vsftpd

Enable the vsftpd service so it starts on boot:

$ sudo systemctl enable vsftpd

Confirm that the service is enabled:

$ sudo systemctl is-enabled vsftpd

Create FTP User

Add FTP user with adduser. Replace [USERNAME] with the new username to be added:

$ sudo adduser [USERNAME]

Add password for user with passwd:

$ sudo passwd [USERNAME]

Give the user access to the web root (optional). chroot_local_user=YES already confines the user to local_root; adding the user to the apache group lets it read and write the /var/www tree through that group's permissions:

$ sudo usermod -a -G apache [USERNAME]

Like this article, send me a tip: https://cryptuity.co/c/daostudios
