
Secure FTPES Configuration

Introduction

Two separate methods were developed to invoke client security for use with FTP clients: Explicit or Implicit. The explicit method is a legacy compatible implementation where FTPS aware clients can invoke security with an FTPS aware server without breaking overall FTP functionality with non-FTPS aware clients. The implicit method requires that all clients of the FTPS server be aware that SSL is to be used on the session, and thus is incompatible with non-FTPS-aware clients.

In explicit mode (also known as FTPES), an FTPS client must “explicitly request” security from an FTPS server, and then step-up to a mutually agreed encryption method. If a client does not request security, the FTPS server can either allow the client to continue insecure or refuse/limit the connection.

The mechanism for negotiating authentication and security with FTP was added under RFC 2228, which introduced the new FTP command AUTH. While this RFC does not explicitly define any required security mechanisms (i.e. SSL or TLS), it does require that the FTPS client challenge the FTPS server with a mutually known mechanism. If the FTPS client challenges the FTPS server with an unknown security mechanism, the FTPS server responds to the AUTH command with error code 504 (not supported). Clients can determine which mechanisms are supported by querying the FTPS server with the FEAT command, although it should be noted that servers are not necessarily required to be honest in disclosing what levels of security they support. Common methods of invoking FTPS security include AUTH TLS and AUTH SSL.

Traditional FTP is rather insecure. When you log in, your username and password are transmitted in clear text, raising the possibility of your credentials being 'sniffed' by a malicious person. Fortunately there's an easy answer to this. You can quite easily configure your FTP server to use OpenSSL encryption, so that username & password, and even data files, are encrypted during transfer. It takes just a few simple steps:

Basic Configuration Steps

  1. Configure FTP in NAS4Free for TLS/SSL.
  2. Generate Self-Signed Certificate & Private Key.
  3. Connect with a Secure Client - e.g. FileZilla or WinSCP.

1. Enable TLS/SSL in FTP Service

When you ENABLE the FTP Service in NAS4Free make sure that you ENABLE TLS/SSL so that your Username and Password transfers are encrypted. TLS/SSL ONLY should NOT be checked, unless you're 100% sure SFTP will not be used. NAS4Free uses ProFTPD, highly configurable GPL-licensed FTP server software; its user guide is available here.

See – SUG Section 6.2-FTP-File Transfer Protocol

2. Generate Self-Signed Certificate & Private Key

In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by its own creator. That is, the person that created the certificate also signed off on its legitimacy. By using X.509 PKI schemes, one believes/trusts the certificate by definition.

Tip - More details about generating Self-Signed Certificates and Private Keys can be found in SUG Section 2.6.2-Secure SFTP Configuration

Generate Certificate in Windows.

If you have Filezilla Server installed you can use the Certificate Generator, or you may want to install CYGWIN, and use OpenSSL to generate the certificate.

Generate Certificate in Linux.

Use OpenSSL to generate a certificate and private key. The certificate file is stored on your server. You specify a 'lifetime' for the certificate; in the sample command below it is set to one year ("-days 365"). You will be prompted with a series of questions, which you answer as they appear.

openssl req -new -x509 -nodes -sha1 -days 365 -newkey rsa:1024 > nas4freekb.cert
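As an added example (not part of the original article or the NAS4Free project), the same step done non-interactively, with the key and certificate written to separate files and a check that they belong together. It assumes openssl is on PATH; the file names nas4free.key and nas4free.crt and the CN are illustrative. It uses rsa:2048 and -sha256 rather than the rsa:1024 and -sha1 of the command above, since current clients reject or warn on 1024-bit keys and SHA-1 signatures.

```shell
#!/bin/sh
# Added example: non-interactive self-signed certificate generation for ProFTPD TLS.
# Assumptions: openssl(1) on PATH; output names nas4free.key / nas4free.crt are
# illustrative, not NAS4Free defaults.
set -e

# gen_ftps_cert DIR CN DAYS -> writes DIR/nas4free.key and DIR/nas4free.crt
gen_ftps_cert() {
    dir="$1"; cn="$2"; days="$3"
    mkdir -p "$dir"
    # -nodes: key is left unencrypted so the FTP daemon can load it without a passphrase
    # -subj: answers the interactive prompts up front; -keyout keeps key and cert apart
    openssl req -new -x509 -nodes -sha256 -days "$days" \
        -newkey rsa:2048 -keyout "$dir/nas4free.key" -out "$dir/nas4free.crt" \
        -subj "/CN=$cn" 2>/dev/null
    # the private key is the secret; make it readable by its owner only
    chmod 600 "$dir/nas4free.key"
}

# cert_matches_key DIR -> succeeds if the certificate's public key matches the private key
cert_matches_key() {
    dir="$1"
    a=$(openssl x509 -noout -pubkey -in "$dir/nas4free.crt" | openssl dgst -sha256)
    b=$(openssl pkey -pubout -in "$dir/nas4free.key" 2>/dev/null | openssl dgst -sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_cn DIR -> prints the CN from the certificate subject
cert_cn() {
    openssl x509 -noout -subject -in "$1/nas4free.crt" | sed 's/.*CN *= *//'
}

# cert_sig_alg DIR -> prints the signature algorithm name (expect sha256WithRSAEncryption)
cert_sig_alg() {
    openssl x509 -noout -text -in "$1/nas4free.crt" \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}
```

Paste the contents of nas4free.crt and nas4free.key into the certificate and private key fields of the FTP service page, as described in the next section.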

Copy & Paste Certificate & Private Key

Tip - More details about copying and pasting Self-Signed Certificates and Private Keys can be found in SUG Section 2.6.2-Secure SFTP Configuration

3. Connect with a Secure Client – using FTPES.

There are several free programs available that can provide secure connections supporting AUTH TLS / SSL / SFTP.

Client Software (Windows / Linux):

  * FileZilla
  * WinSCP
  * FireFTP
  * CoreFTP
  * CuteFTP

REF: http://en.wikipedia.org/wiki/Comparison_of_FTP_client_software


Above is a sample FileZilla connection Setup.


Thanks to danmero for original KnowledgeBase article.

Thanks to ldkraemer for original contribution of this section.

documentation/setup_and_user_guide/secure_ftpes_configuration.txt · Last modified: 2018/07/08 16:57 (external edit)