CONFIGURATION OF SFTP SERVER ON CENTOS 8
vsftpd (Very Secure FTP Daemon) is the package that has long been used to provide FTP services on Linux. It is available in the default CentOS 8 repositories, so it can be installed with dnf. Note that vsftpd serves FTP and FTP over TLS (FTPS), which is what this guide sets up; SFTP, the SSH File Transfer Protocol, is a different protocol provided by OpenSSH's sftp-server, not by vsftpd.
Install vsftpd:
dnf install -y vsftpd
Take a backup of the existing vsftpd.conf before changing it. The default vsftpd.service unit reads only /etc/vsftpd/vsftpd.conf, so a copy under another name in the same directory is not picked up by the daemon:
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd-kaan.conf
Now edit the vsftpd configuration file:
vi /etc/vsftpd/vsftpd.conf
Configure the user list in the secure FTP server:
Users allowed or denied access to the FTP service are listed in a user_list file, by default /etc/vsftpd/user_list, one user name per line. By default (vsftpd's userlist_deny=YES) every user named in this file is denied access, so the shipped file is a deny-list of system accounts (root, bin, daemon and so on). To allow only the users we name, we have to turn the file into an allow-list by setting the following directives in vsftpd.conf. Because the shipped file already lists those system accounts, replace its contents with the intended FTP users before switching it to allow mode; otherwise every account in it becomes permitted to attempt a login.
Enable a chroot jail for the secure FTP server on CentOS 8:
To confine FTP users to their home directories in a chrooted environment, add the following two directives to vsftpd.conf. Check the home directory permissions afterwards: vsftpd 3.x refuses the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" when the chroot root is writable by the user. The safe fix is to make the home directory itself non-writable and give the user a writable subdirectory, not to permit a writable chroot root.
Generate a TLS certificate for the secure FTP service:
Plain FTP has no encryption: it transfers data and login credentials in clear text, which leaves it exposed to sniffing and man-in-the-middle attacks. We can instead configure FTP over TLS (FTPS) to encrypt the control and data connections between the server and its clients.
Generate a TLS (Transport Layer Security) certificate and private key with the following command:
openssl req -x509 -nodes -keyout /etc/vsftpd/vsftpd.key -out /etc/vsftpd/vsftpd.pem -days 365 -newkey rsa:2048
Two caveats: -nodes writes the private key unencrypted, so restrict it so that only root can read it (mode 0600), and the certificate is self-signed, so clients must be configured to trust this specific certificate. A client configured to accept any certificate gets the encryption but none of the man-in-the-middle protection. The certificate expires after 365 days and has to be renewed.
Edit vsftpd.conf to make the service use the TLS certificate and add the parameters below:
vi /etc/vsftpd/vsftpd.conf
Allow secure FTP (FTPS) and the passive FTP port range in the Linux firewall. The rules below accept connections only from three client addresses, which is the right least-privilege shape. They assume vsftpd is configured with a passive range of 31000-32000 (pasv_min_port and pasv_max_port); without that, vsftpd picks arbitrary high ports and the range rule never matches. Port 990 is implicit FTPS, which vsftpd only uses with implicit_ssl=YES; with the default explicit FTPS (AUTH TLS) the control connection stays on port 21, and that is the port to open instead. Note also that CentOS 8 uses firewalld by default, and raw iptables rules are lost at reboot unless they are saved.
iptables -A INPUT -s 10.30.30.254 -d 10.30.30.5 -p tcp --dport 31000:32000 -j ACCEPT
iptables -A INPUT -s 10.30.30.50 -d 10.30.30.5 -p tcp --dport 31000:32000 -j ACCEPT
iptables -A INPUT -s 10.30.30.52 -d 10.30.30.5 -p tcp --dport 31000:32000 -j ACCEPT
iptables -A INPUT -s 10.30.30.254 -d 10.30.30.5 -p tcp --dport 990 -j ACCEPT
iptables -A INPUT -s 10.30.30.50 -d 10.30.30.5 -p tcp --dport 990 -j ACCEPT
iptables -A INPUT -s 10.30.30.52 -d 10.30.30.5 -p tcp --dport 990 -j ACCEPT
Create an FTP user and add it to user_list:
useradd sftpadmin
passwd sftpadmin
Add this user to the allow-list, one name per line. vsftpd consults user_list at each login attempt, so this change needs no restart, whereas edits to vsftpd.conf take effect only after the service is restarted:
echo sftpadmin >> /etc/vsftpd/user_list
grep sftpadmin /etc/vsftpd/user_list
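The steps above as one runnable script, added here as an example that is not part of the original guide: it renders the vsftpd.conf directives the text refers to (user allow-list, chroot jail, TLS with plaintext refused, fixed passive range) and audits a vsftpd.conf for settings that quietly undo them, such as TLS enabled while plaintext logins are still accepted, or userlist_enable set while user_list still acts as a deny-list. The directive names are real vsftpd options; the ports, file paths, certificate subject, client addresses and the sftpadmin user are assumptions carried over from the text, and the firewall step uses firewall-cmd because CentOS 8 runs firewalld. The host-changing steps run only when the script is invoked as root with the argument apply; the render and audit functions run anywhere.

```shell
#!/usr/bin/env bash
# Added example, not code from the original guide. Renders the vsftpd.conf
# directives the text refers to and audits a vsftpd.conf for settings that
# quietly undo them. Directive names are real vsftpd options; ports, paths,
# the certificate subject and the sftpadmin user are assumptions.

# Hardened fragment to append to /etc/vsftpd/vsftpd.conf (later lines
# override earlier ones, so appending after the backup step is enough).
render_vsftpd_conf() {
  cat <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
# user_list becomes an allow-list: only listed users may log in
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
# confine each local user to its home; the home itself must not be
# writable by the user or vsftpd refuses the login (give a subdirectory)
chroot_local_user=YES
allow_writeable_chroot=NO
# explicit FTPS (AUTH TLS on port 21); never accept plaintext logins/data
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
ssl_ciphers=HIGH
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.key
# fixed passive data-channel range so the firewall can be pinned to it
pasv_enable=YES
pasv_min_port=31000
pasv_max_port=32000
EOF
}

# Effective value of KEY in FILE: last occurrence wins, else vsftpd's DEFAULT.
setting() {  # setting FILE KEY DEFAULT
  _v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
  printf '%s\n' "${_v:-$3}"
}

# Print one FAIL line per violated check; exit status 1 if anything failed.
# Rows: key|vsftpd built-in default|required value|why it matters
audit_vsftpd_conf() {
  _fails=0
  while IFS='|' read -r key dflt want msg; do
    got=$(setting "$1" "$key" "$dflt")
    if [ "$got" != "$want" ]; then
      printf 'FAIL %s=%s (want %s): %s\n' "$key" "$got" "$want" "$msg"
      _fails=$((_fails + 1))
    fi
  done <<'EOF'
anonymous_enable|YES|NO|anonymous FTP is enabled
ssl_enable|NO|YES|TLS is off: credentials and data cross the wire in plaintext
force_local_logins_ssl|YES|YES|plaintext logins are still accepted
force_local_data_ssl|YES|YES|plaintext data transfers are still accepted
ssl_sslv2|NO|NO|SSLv2 is enabled
ssl_sslv3|NO|NO|SSLv3 is enabled
chroot_local_user|NO|YES|users can browse outside their home directory
allow_writeable_chroot|NO|NO|chroot root is writable
userlist_enable|NO|YES|no user allow-list is enforced
userlist_deny|YES|NO|user_list is a deny-list, so unlisted users can log in
EOF
  [ "$_fails" -eq 0 ]
}

# Host steps from the guide, run as root with "apply". Port 21 is opened,
# not 990: ssl_enable=YES alone gives explicit FTPS on 21, and 990 is only
# used with implicit_ssl=YES. firewall-cmd is used because CentOS 8 runs
# firewalld and raw iptables rules would not survive a reboot.
apply_on_host() {
  dnf install -y vsftpd
  cp -n /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.orig
  render_vsftpd_conf >> /etc/vsftpd/vsftpd.conf
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
    -subj '/CN=ftp.example.internal' \
    -keyout /etc/vsftpd/vsftpd.key -out /etc/vsftpd/vsftpd.pem
  chmod 600 /etc/vsftpd/vsftpd.key       # -nodes left the key unencrypted
  # shell must be listed in /etc/shells: vsftpd's PAM stack uses pam_shells
  useradd -m -s /sbin/nologin sftpadmin
  passwd sftpadmin
  chmod a-w /home/sftpadmin              # non-writable chroot root ...
  install -d -o sftpadmin -g sftpadmin /home/sftpadmin/upload  # ... writable subdir
  # replace the shipped deny-list (root, bin, ...) instead of appending to it
  printf 'sftpadmin\n' > /etc/vsftpd/user_list
  for src in 10.30.30.254 10.30.30.50 10.30.30.52; do
    for port in 21 31000-32000; do
      firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=$src port port=$port protocol=tcp accept"
    done
  done
  firewall-cmd --reload
  systemctl enable --now vsftpd
  audit_vsftpd_conf /etc/vsftpd/vsftpd.conf
}

case "${1:-render}" in
  render) render_vsftpd_conf ;;
  audit)  audit_vsftpd_conf "${2:-/etc/vsftpd/vsftpd.conf}" ;;
  apply)  apply_on_host ;;
esac
```

Without arguments the script prints the hardened fragment; `audit /path/to/vsftpd.conf` reports every weak or missing setting using vsftpd's built-in defaults for directives that are absent, which is how a config that never mentions userlist_deny still ends up as a deny-list.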
3/17/2022
Kaan Aslandag
Signed by: www.kaan1.com