https://www.liquidweb.com/kb/how-to-install-and-configure-vsftpd-on-centos-7/
https://www.liquidweb.com/kb/configure-vsftpd-ssl/
https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-16-04
http://www.tuxfixer.com/vsftpd-installation-on-centos-7-with-selinux/

Install CentOS 8 minimal with 2 CPU, 512MB+ RAM, 20GB+ storage, set FQDN, set static IP, enable NTP.

3.) After install if finished reboot → login → perform a “dnf update”.

useradd example_user && passwd example_user
usermod -aG wheel example_user

dnf install vim rsyslog policycoreutils-python-utils
systemctl enable rsyslog
systemctl start rsyslog 

Logout of root and login using sudo user

sudo vim /etc/ssh/sshd_config

then set

PermitRootLogin no

Restart sshd

sudo systemctl restart sshd

sudo useradd sftps
sudo usermod -s /sbin/nologin sftps

Create FTP directory

sudo mkdir -p /opt/public/share
sudo chown root:root /opt/public/share
sudo chown -R sftps:sftps /opt/public/share
sudo chmod 770 /opt/public/share
sudo semanage fcontext -a -t public_content_rw_t /opt/public/share
sudo restorecon -Rvv /opt/public/share

Note: for chroot for SFTP the parent dir must be owned by root, this is for later if adding SFTP also.

Set other selinux options

sudo setsebool -P ftp_home_dir 1
sudo setsebool -P ftpd_full_access 1

And add to sftps group

sudo useradd ftpuser && passwd ftpuser
sudo usermod -aG sftps ftpuser

sudo dnf install vsftpd

Create log file (if it's not there fail2ban won't start, the log file is created automatically on ftp login)

sudo touch /var/log/vsftpd.log

sudo vim /etc/vsftpd/vsftpd.conf

Set the following:

anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
user_sub_token=$USER
local_root=/opt/public/share
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
dual_log_enable=YES

Add the users you want to allow FTP access for

sudo vim /etc/vsftpd/user_list

Remove everything in there then add the users you want to have FTP access.

sudo systemctl enable vsftpd
sudo systemctl restart vsftpd

sudo firewall-cmd --permanent --add-port=21/tcp
sudo firewall-cmd --permanent --add-port=21000-21010/tcp
sudo firewall-cmd --reload

https://forums.centos.org/viewtopic.php?t=43230 https://www.getpagespeed.com/server-setup/ssl-directory https://help.thorntech.com/docs/sftp-gateway-classic/enabling-ftps-using-vsftp/

sudo openssl req -new -newkey rsa:4096 -nodes -keyout site1.domain.com.key -out site1.domain.com.csr

Move the files to your PKI folder

sudo mv site1.domain.com.* /etc/pki/tls/private/

Set permissions on private key

sudo chown root:root /etc/pki/tls/private/site1.domain.com.key
sudo chmod 600 /etc/pki/tls/private/site1.domain.com.key
sudo restorecon -RvF /etc/pki/tls/private/

Submit the CSR to your CA (public or private)

Copy the BASE64 certificate from your CA to your cert folder

sudo vim /etc/pki/tls/certs/site1.domain.com.crt

Create the CA bundle associated with your certificate

sudo vim /etc/pki/tls/certs/site1.domain.com.ca-bundle

Paste the subordinate followed by the root BASE64 certificates

Edit the conf file for VSFTPD

sudo vim /etc/vsftpd/vsftpd.conf

Set the following

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
ssl_ciphers=HIGH
rsa_cert_file=/etc/pki/tls/certs/site1.domain.com.crt
rsa_private_key_file=/etc/pki/tls/private/site1.domain.com.key
pasv_enable=Yes
pasv_min_port=21000
pasv_max_port=21010

https://www.tecmint.com/dnf-automatic-install-security-updates-automatically-in-centos-8/

sudo dnf install dnf-automatic
sudo vim /etc/dnf/automatic.conf

Set:

upgrade_type = security
download_updates = yes
system_name = (your system name)
emit_via = motd

Enable the auto-update timer

sudo systemctl enable --now dnf-automatic.timer

https://idroot.us/install-fail2ban-centos-8/ https://www.digitalocean.com/community/tutorials/how-to-protect-an-apache-server-with-fail2ban-on-ubuntu-14-04

sudo dnf install epel-release
sudo dnf install fail2ban

sudo vim /etc/fail2ban/jail.d/sshd.local

Add the following:

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[selinux-ssh]
enabled  = true
port     = ssh
logpath  = %(auditd_log)s

sudo vim /etc/fail2ban/jail.d/vsftpd.local

Add the following:

[vsftpd]
enabled = true
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(vsftpd_log)s

sudo systemctl start fail2ban
sudo systemctl enable fail2ban
sudo fail2ban-client status sshd

https://www.atlantic.net/vps-hosting/how-to-create-a-sftp-user-without-shell-access-on-centos-8/
https://unix.stackexchange.com/questions/293756/set-startup-folder-for-sftp-to-be-other-than-home-username-is-throwing-me-permi

Create a new directory for SFTP or use the existing FTP directory if you need more than one access method.

sudo mkdir -p /opt/public/sftp
sudo chown root:root /opt/public
sudo chown -R sftps:sftps /opt/public/sftp
sudo chmod 770 /opt/public/sftp
sudo semanage fcontext -a -t public_content_rw_t /opt/public/sftp
sudo restorecon -Rvv /opt/public/sftp

To help keep things organized we'll create a keypair that is specific to the user and the remote sudo user+host.
https://www.ssh.com/ssh/keygen/

ssh-keygen -C "your_email@example.com" -f ~/.ssh/your_email@example.com-remote_sudo_username_@remote_hostname -t ed25519

Record the private and public keys in a secure document for the server.
Copy the public key to the remote server.

ssh-copy-id -i ~/.ssh/your_email@example.com-remote_sudo_username_@remote_hostname.pub sudo_username@remote_hostname

Login using SSH key

ssh -i deployment_key.txt demo@192.237.248.66

sudo vim /etc/ssh/sshd_config

Add the following:

Match User ftpuser
ForceCommand internal-sftp -d /sftp
PasswordAuthentication yes
ChrootDirectory /opt/public
PermitTunnel no
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no

This will force the listed parameters on the ftpuser, namely that they are allowed sftp access only and that they'll start out in the sftp directory and that they are chrooted to /opt/public. Note, /opt/public must be owned by root:root for chroot to work and the subdirectories need permissions giving access to desired users/groups.

We want to restrict access to our sudo user and sftp users

sudo vim /etc/ssh/sshd_config

Add the following:

AllowUsers sudo_username ftpuser_username

And since theoretically you're going to allow public SFTP access this means your SSH port is open to the public. We've already restricted who can login over ssh/sftp but now we want to enable key login only for the sudo user.

Don't allow members of the wheel group to login with passwords

Match Group wheel
PasswordAuthentication no

And change the default SSH/SFTP port

Port 21011

Tell Selinux of the change

sudo semanage port -a -t ssh_port_t -p tcp 21011

Setup firewall rules

sudo firewall-cmd --permanent --zone=public --add-port=21011/tcp
sudo firewall-cmd --reload

Restart SSHD

sudo systemctl restart sshd
sudo systemctl restart vsftpd