Merge pull request hestiacp#1006 from hestiacp/feature/tls

Vsftpd security hardening

Author: ScIT-Raphael

CHANGELOG.md

@@ -3,6 +3,7 @@ All notable changes to this project will be documented in this file.
 
 ## [CURRENT] - Development
 ### Features
+- Use stronger ciphers and Disable TLS v1.1 for vsftpd.
 
 ### Bugfixes
 - Create mailhelo.conf if it doesnt exist to prevent a error message during grep.

install/deb/vsftpd/vsftpd.conf

@@ -31,10 +31,10 @@ utf8_filesystem=YES
 ssl_enable=YES
 allow_anon_ssl=NO
 require_ssl_reuse=NO
-ssl_ciphers=HIGH
-ssl_tlsv1=NO
+ssl_ciphers=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
 ssl_sslv2=NO
 ssl_sslv3=NO
+ssl_tlsv1=NO
 force_local_data_ssl=NO
 force_local_logins_ssl=NO
 rsa_cert_file=/usr/local/hestia/ssl/certificate.crt

install/upgrade/versions/latest.sh

@@ -14,4 +14,12 @@ $BIN/v-update-web-templates
 echo "[ ! ] Updating default mail domain templates..."
 $BIN/v-update-mail-templates
 echo "[ ! ] Updating default DNS zone templates..."
-$BIN/v-update-dns-templates
+$BIN/v-update-dns-templates
+
+# Enhance Vsftpd security
+if [ "$FTP_SYSTEM" = "vsftpd" ]; then
+    echo "[ ! ] Hardening Vsftpd TLS configuration..."
+    cp -f /etc/vsftpd.conf $HESTIA_BACKUP/conf/
+    cp -f $HESTIA_INSTALL_DIR/vsftpd/vsftpd.conf /etc/
+    chmod 644 /etc/vsftpd.conf
+fi