Secured FTP connections

Note: This tutorial is also available in German (Diese Anleitung ist auch in deutscher Sprache verfügbar)

If you like, you can make secure FTP connections for all users

Quote

Files to edit:

• Firewall (I use /etc/arno-iptables-firewall/debconf.cfg)
• /etc/proftpd/proftpd.conf

Level: Easy

[size=medium]Certificate[/size]

• You need a valid certificate, from CAcert.org or a any authority
• You need the certificate file and the private key. Do this on a save place (e.g. /etc/ssl)

[size=medium]ProFTP[/size]

Open:

Code

1. nano /etc/proftpd/proftpd.conf

[size=medium]Configure ports[/size]

Find

Code

1. #PassivePorts 49152 65534

Replace with

Code

1. PassivePorts 49152 65534

[size=medium]Configure TLS[/size]

Find

Code

1. #<IfModule mod_tls.c># TLSEngine on # on for use of TLS# TLSRequired off # require encription on channel data# TLSLog /var/log/proftpd/ftp_ssl.log # where to log to# TLSProtocol SSLv23 # SSLv23 or TLSv1# TLSOptions NoCertRequest NoSessionReuseRequired # either to request the certificate or not# TLSRSACertificateFile /etc/imscp/CERTIFIACE.pem # SSL certfile# TLSRSACertificateKeyFile /etc/imscp/CERTIFIACE.pem # SSL keyfile# TLSVerifyClient off # client verification#</IfModule>

Remove all

Code

1. #

Example

Code

1. <IfModule mod_tls.c> TLSEngine on # on for use of TLS TLSRequired off # require encription on channel data TLSLog /var/log/proftpd/ftp_ssl.log # where to log to TLSProtocol SSLv23 # SSLv23 or TLSv1 TLSOptions NoCertRequest NoSessionReuseRequired # either to request the certificate or not TLSRSACertificateFile /etc/imscp/YOUR_CERT_FILE.pem # SSL certfile TLSRSACertificateKeyFile /etc/imscp/YOUR_CERT_FILE.pem # SSL keyfile TLSVerifyClient off # client verification</IfModule>

At TLSRSACertificateFile and TLSRSACertificateKeyFile you must enter new path to files.
Note: your certificate can also have the extension .crt and .key.

[size=medium]To disable insecure connections in future:[/size]

Find

Code

1. TLSRequired off # require encription on channel data

Replace with

Code

1. TLSRequired on # require encription on channel data

Note: No insecure connections are possible.

[size=medium]Configure firewall port[/size]
If you have a firewall, you must configure the passive port range (e.g. 49152 65534)

Note: the ports must be free. You can also use a port range from 49152 49999. This must be in both config files.)

Example for arno-iptables-firewall:

Open

Code

1. nano /etc/arno-iptables-firewall/debconf.cfg

Find
Note: It's possible that you have any ports in this line, insert the new values in the line.

Code

1. DC_OPEN_TCP=""

Insert on a free place between

Code

1. " "

Example:

Code

1. DC_OPEN_TCP="21 22 80 443 49152-65534"

Save all files.

Restart services

Code

1. /etc/init.d/arno-iptables-firewall restart

Code

1. /etc/init.d/proftpd restart

Display More

[size=medium]Client connection with FileZilla or similar clients[/size]

Example:
Host: IP or Your-Domain.tld
Port: 21
Protocol: FTP - File Transfer Protocol
Encryption: Require explicit FTP over TLS

Have fun with your secured FTP connection

SSL for proftpd is implemented

Quote

Thanks for the howto must I think that Daniel already implemented SSL for proftpd. I've assigned this thread to him.

Hmm, ok, I didn't know

Quote from sci2tech

SSL for proftpd is implemented

Hmm, ok

But I hope, that this tutorial is ok

Sure