Secure vsftpd service by SSL/TLS.

Support for security such as Firewalls and securing linux
hack3rcon
Posts: 652
Joined: 2014/11/24 11:04:37

Secure vsftpd service by SSL/TLS.

Post by hack3rcon » 2020/08/21 10:44:52

Hello,
In the https://www.tecmint.com/secure-vsftpd-u ... entos/amp/ tutorial, why did the author open ports 990 and 40000-50000, but other tutorials like https://www.digitalocean.com/community/ ... centos-vps never did?
Which one is better?
Why, in most configurations, are "ssl_sslv2" and "ssl_sslv3" disabled? Are they not the better versions of "ssl_sslv1"?

Thank you.

TrevorH
Forum Moderator
Posts: 29435
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Secure vsftpd service by SSL/TLS.

Post by TrevorH » 2020/08/21 11:32:26

Port 990 is for ftps. If you use ftps then nf_conntrack_ftp cannot work as the packets it needs to read to be able to determine which random ports are in use will be encrypted so it cannot see them. Thus you then need to open all of the ports it might conceivably use for its random ports.

If you need to ask whether to enable sslv2 and sslv3 then you need to do some research on security. Both protocols have been broken for about 10 years and should never be used. The only safe SSL protocol that CentOS 7 supports is TLS 1.2 and CentOS 8 adds TLS 1.3 to that.

Have you ever considered hiring someone that actually knows what they're doing?
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

KernelOops
Posts: 321
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: Secure vsftpd service by SSL/TLS.

Post by KernelOops » 2020/08/21 11:35:17

About the ports. FTP works by using a base port for command execution and communication, typically that is port 21. In addition to that, FTP may also use port 20 as a "data" port. Finally, FTP supports passive connections, those use high port numbers and in vsftpd specifically, they are defined by the pasv_min_port & pasv_max_port options.

Regarding your SSL-related question, there is some confusion about SSL vs TLS. Essentially SSL and all its versions have been deprecated and are no longer in use, but the name "SSL" is still used as a reference for certificates. Nowadays, we only use TLS certificates. Now about TLS, v1.0 and v1.1 have been deprecated as of 2020 and only v1.2 and v1.3 are considered secure.

Unfortunately, some services still use the deprecated SSL/TLS versions, mainly due to Microsoft mail servers.
--
I love my computer - all my friends live there.
--
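The two points made above (TrevorH: with TLS the conntrack helper cannot see the PASV reply, so the passive range must be opened statically; KernelOops: that range is pasv_min_port/pasv_max_port) can be turned into a small config check. This is an added example, not code from the thread or from vsftpd; it assumes the documented vsftpd option names and defaults listed in DEFAULTS, that ssl_tlsv1 governs TLS 1.0, and firewalld's --add-port syntax, and the sample config is constructed.

```python
# Added example, not from the thread: derive the TCP ports a firewall must open
# for a vsftpd.conf and flag obsolete protocol versions (no commands are run).
DEFAULTS = {  # assumed vsftpd defaults for the options this check reads
    "ssl_enable": "NO", "listen_port": "21", "pasv_enable": "YES",
    "pasv_min_port": "0", "pasv_max_port": "0",
    "ssl_sslv2": "NO", "ssl_sslv3": "NO", "ssl_tlsv1": "YES",
}

def parse_vsftpd_conf(text):
    """Parse key=value lines; comments and blanks are skipped, later keys win."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        opts[key.strip().lower()] = value.strip()
    return opts

def required_ports(opts):
    """Return ([(lo, hi), ...] TCP ranges to open, [warning strings])."""
    ports, warnings = [], []
    control = int(opts["listen_port"])  # 21 for explicit TLS, 990 for implicit FTPS
    ports.append((control, control))
    if opts["pasv_enable"] != "NO":
        lo, hi = int(opts["pasv_min_port"]), int(opts["pasv_max_port"])
        if opts["ssl_enable"] == "YES":
            # PASV replies travel over the encrypted control channel, so
            # nf_conntrack_ftp cannot learn the data port: pin and open the range.
            if lo == 0 or hi == 0:
                warnings.append("ssl_enable=YES but pasv_min_port/pasv_max_port not pinned")
            else:
                ports.append((lo, hi))
    if opts["ssl_enable"] == "YES":
        for opt, proto in (("ssl_sslv2", "SSLv2"), ("ssl_sslv3", "SSLv3"),
                           ("ssl_tlsv1", "TLS 1.0")):
            if opts[opt] == "YES":
                warnings.append(f"{opt}=YES permits {proto}, which should be disabled")
    return sorted(ports), warnings

def firewall_cmds(ports):
    """Render firewalld commands as strings for review; nothing is executed."""
    return [f"firewall-cmd --permanent --add-port={lo}-{hi}/tcp" if lo != hi
            else f"firewall-cmd --permanent --add-port={lo}/tcp" for lo, hi in ports]

SAMPLE_CONF = """# constructed sample, not a real server's config
ssl_enable=YES
ssl_tlsv1=YES
pasv_min_port=40000
pasv_max_port=50000
"""
```

Without ssl_enable the check only lists the control port, because the plaintext PASV reply lets nf_conntrack_ftp open the data port dynamically.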

TrevorH
Forum Moderator
Posts: 29435
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Secure vsftpd service by SSL/TLS.

Post by TrevorH » 2020/08/21 12:26:11


ftps-data       989/tcp                 # ftp protocol, data, over TLS/SSL
ftps-data       989/udp                 # ftp protocol, data, over TLS/SSL
ftps            990/tcp                 # ftp protocol, control, over TLS/SSL
ftps            990/udp                 # ftp protocol, control, over TLS/SSL
So, ports 990 and 989 are used for SSL not 21/20.

hack3rcon
Posts: 652
Joined: 2014/11/24 11:04:37

Re: Secure vsftpd service by SSL/TLS.

Post by hack3rcon » 2020/08/21 15:16:13


hack3rcon
Posts: 652
Joined: 2014/11/24 11:04:37

Re: Secure vsftpd service by SSL/TLS.

Post by hack3rcon » 2020/08/22 13:51:50

Any idea?

aks
Posts: 3020
Joined: 2014/09/20 11:22:14

Re: Secure vsftpd service by SSL/TLS.

Post by aks » 2020/08/23 07:47:57

I still use SSL and TLS terms interchangeably - which is probably confusing for new people.
SSL was a Netscape developed thing.
TLS is SSL when standardised (sort of).
This may help: https://www.globalsign.com/en/blog/ssl- ... difference
Thus, https://www.digitalocean.com/community/ ... centos-vps is a wrong setup?
No. It doesn't discuss the firewalling aspects, that is all. It is not wrong, it does what it aimed to do.

hack3rcon
Posts: 652
Joined: 2014/11/24 11:04:37

Re: Secure vsftpd service by SSL/TLS.

Post by hack3rcon » 2020/08/23 07:56:15

aks wrote:
2020/08/23 07:47:57
I still use SSL and TLS terms interchangeably - which is probably confusing for new people.
SSL was a Netscape developed thing.
TLS is SSL when standardised (sort of).
This may help: https://www.globalsign.com/en/blog/ssl- ... difference
Thus, https://www.digitalocean.com/community/ ... centos-vps is a wrong setup?
No. It doesn't discuss the firewalling aspects, that is all. It is not wrong, it does what it aimed to do.
It doesn't discuss the firewalling aspects? Thus, is this configuration not as secure as the other method?
What is your preference?

jlehtone
Posts: 3021
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Secure vsftpd service by SSL/TLS.

Post by jlehtone » 2020/08/23 09:43:44

hack3rcon wrote:
2020/08/23 07:56:15
It doesn't discuss the firewalling aspects?
You did read that text. Did it say anything about configuring the firewall? If not, then it did not.
hack3rcon wrote:
2020/08/23 07:56:15
Thus, is this configuration not as secure as the other method?
The writer must assume that you know how to configure the firewall and therefore describes only the "vsftpd with TLS".
Obviously you have to configure your firewall, but that is a separate issue.

None of these "methods" mention that humans have to eat, sleep, and visit restroom. Does that mean we should not? Would that make the setup more secure?

TrevorH wrote:
2020/08/21 11:32:26
Have you ever considered hiring someone that actually knows what they're doing?
This.

hack3rcon
Posts: 652
Joined: 2014/11/24 11:04:37

Re: Secure vsftpd service by SSL/TLS.

Post by hack3rcon » 2020/08/23 11:06:14

jlehtone wrote:
2020/08/23 09:43:44
hack3rcon wrote:
2020/08/23 07:56:15
It doesn't discuss the firewalling aspects?
You did read that text. Did it say anything about configuring the firewall? If not, then it did not.
hack3rcon wrote:
2020/08/23 07:56:15
Thus, is this configuration not as secure as the other method?
The writer must assume that you know how to configure the firewall and therefore describes only the "vsftpd with TLS".
Obviously you have to configure your firewall, but that is a separate issue.

None of these "methods" mention that humans have to eat, sleep, and visit restroom. Does that mean we should not? Would that make the setup more secure?

TrevorH wrote:
2020/08/21 11:32:26
Have you ever considered hiring someone that actually knows what they're doing?
This.
Thank you.
It is a little odd for me. The firewalld on my CentOS only accepts SSH and FTP, and other ports and services are closed, but the method that doesn't configure the firewall is working!!!
Can it mean my vsftpd service is working insecurely?
