Introduction

Running an FTP server over a Secure Sockets Layer (SSL) encrypts the connection and helps secure your data. This connection uses an SSL certificate for encryption.

You can use a self-signed SSL certificate or one issued by a Certificate Authority (CA).

  • An SSL certificate signed by a Certificate Authority is trusted and considered legitimate.

  • A self-signed SSL certificate is considered insecure because no trusted Certificate Authority has verified it.

Getting Started

This tutorial uses vsftpd as the FTP server application and Fedora as the operating system.

The vsftpd package is a mature, stable, secure FTP server application.

One of the reasons that I use Fedora is the security measures it enables by default.

I’m referring specifically to SELinux and Firewalld.

SELinux adds an extra layer of security by confining services to the files and network ports that their default policy allows.

The Firewalld service only allows connections to the system that are specified in its configuration.

For these reasons, always leave SELinux and firewalld enabled and actively running.

We’ll be using a self-signed certificate.

Installation

  1. Install the vsftpd package.
$ sudo dnf install -y vsftpd
  2. Create a subdirectory within the SSL directory to store the SSL certificate.
$ sudo mkdir /etc/ssl/private
  3. Create a self-signed certificate and key in a single file by running the following command and answering all of the prompts.
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Configuration

  1. Back up the /etc/vsftpd/vsftpd.conf file.
$ sudo cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.backup
  2. Create a new /etc/vsftpd/vsftpd.conf file.
$ sudo vi /etc/vsftpd/vsftpd.conf

The following options will be used:

pam_service_name - The name of the PAM service used by vsftpd.
anonymous_enable - Allow or prevent anonymous logins.
local_enable - Allow or prevent local logins.
write_enable - Allow or prevent write access.
pasv_min_port - Minimum port to allocate for PASV style data connections.
pasv_max_port - Maximum port to allocate for PASV style data connections.
rsa_cert_file - The location of the SSL certificate.
rsa_private_key_file - The location of the SSL private key.
ssl_enable - Allow or prevent SSL connections.
force_local_data_ssl - Force SSL connections in order to send and receive data.
force_local_logins_ssl - Force SSL connections in order to send the user's password.
ssl_ciphers - Select SSL ciphers.

Here is the completed configuration:

pam_service_name=vsftpd
anonymous_enable=NO
local_enable=YES
write_enable=YES
pasv_min_port=40000
pasv_max_port=40001
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_ciphers=HIGH

The pasv_min_port and pasv_max_port values in this configuration are only an example. Use values to create a port range not in use on your system.

  1. Restart and enable the vsftpd daemon.
$ sudo systemctl restart vsftpd
$ sudo systemctl enable vsftpd
  2. Configure SELinux to allow passive FTP connections.
$ sudo setsebool -P ftpd_use_passive_mode on
  3. Add the appropriate firewalld rules to allow FTP connections.
$ sudo firewall-cmd --add-service=ftp --perm
$ sudo firewall-cmd --add-port=40000-40001/tcp --perm
$ sudo firewall-cmd --reload

The --add-port= parameter must match the range set by the pasv_min_port and pasv_max_port options in your configuration.
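As an added check (example code, not part of the original article), the following POSIX shell functions verify a vsftpd.conf written by the steps above before the daemon is restarted: they confirm the hardening options carry the values shown and derive the firewall-cmd port argument from the passive range so the firewall rule and the configuration stay in step. The function names and the sample configuration file are constructed for this example.

```shell
# Added example, not from the original article: sanity-check a vsftpd.conf written
# per the steps above before restarting the daemon, and derive the firewalld port
# argument from pasv_min_port/pasv_max_port so the two cannot drift apart.

# Print the value of key $2 from vsftpd.conf-style file $1 (first uncommented match).
conf_get() {
    grep -E "^[[:space:]]*$2=" "$1" | head -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# Print the firewall-cmd --add-port argument for the passive range, e.g. "40000-40001/tcp";
# fail if the range is missing or inverted.
pasv_port_arg() {
    min=$(conf_get "$1" pasv_min_port)
    max=$(conf_get "$1" pasv_max_port)
    [ -n "$min" ] && [ -n "$max" ] && [ "$min" -le "$max" ] || return 1
    printf '%s-%s/tcp\n' "$min" "$max"
}

# Return 0 if every hardening option from the article has the expected value and the
# certificate/key paths are set; otherwise report each problem on stderr and return 1.
check_vsftpd_conf() {
    rc=0
    for pair in anonymous_enable=NO ssl_enable=YES \
                force_local_data_ssl=YES force_local_logins_ssl=YES; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(conf_get "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    for key in rsa_cert_file rsa_private_key_file; do
        [ -n "$(conf_get "$1" "$key")" ] || { echo "MISMATCH: $key is unset" >&2; rc=1; }
    done
    return $rc
}
# Constructed sample config (the article's completed file, abbreviated, plus a comment line).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# vsftpd.conf built following the article
anonymous_enable=NO
pasv_min_port=40000
pasv_max_port=40001
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
EOF
check_vsftpd_conf "$SAMPLE_CONF" && echo "firewall-cmd --add-port=$(pasv_port_arg "$SAMPLE_CONF") --permanent"
```

Run it against /etc/vsftpd/vsftpd.conf instead of the sample file to check a real configuration; a non-zero exit and MISMATCH lines on stderr mean one of the options above is missing or weakened.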

Conclusion

Once you have completed the installation and configuration, you can now access your system via an SSL FTP connection using a client such as FileZilla or WinSCP.

Because you are using a self-signed certificate, you will get a warning that the server’s certificate is unknown. If you are using FileZilla, you can simply click on the option to Always trust certificate in future sessions and click OK to continue.

I will post a future article that discusses how to add a self-signed certificate to your trusted root certificates to eliminate this warning.

A digitally signed SSL certificate from a CA vendor such as Let's Encrypt will not have this issue.