How to set up a ProFTPD daemon using SSL encryption

FTPS or SFTP

People tend to mix up FTPS and SFTP, but the two are actually completely different.

FTPS is a normal FTP server that additionally uses SSL encryption.
SFTP is an FTP-like session carried over SSH (so everything is encrypted, just as in SSH).

The advantage of FTPS is that it is easier to set up with chrooted environments on a 'standard' Linux box.
Most Linux distros don't offer a chrooted SSH session out of the box.

Install proftpd from source

First we are going to download the latest source code, which is 1.2.10 at the time of writing.

# cd /usr/src
# wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.10.tar.gz
# tar -xvzf proftpd-1.2.10.tar.gz
# cd proftpd-1.2.10

Make sure you have a compiler and the OpenSSL development packages installed.
To do this on a Debian-based OS:

# apt-get install build-essential
# apt-get install libssl-dev

Then compile proftpd with TLS support.

# ./configure --with-modules=mod_tls
# make
# make install

Now everything should be installed, so it is time to test whether it works using plain FTP. Start the server using the default config file.

# proftpd -l
Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_auth_unix.c
  mod_auth_file.c
  mod_auth.c
  mod_ls.c
  mod_log.c
  mod_site.c
  mod_tls.c
  mod_cap.c
# /usr/local/sbin/proftpd  -c /usr/local/etc/proftpd.conf

If everything is all right, proftpd should be running and you should be able to log in using any FTP client.

# ftp localhost
Connected to localhost.localdomain.
220 ProFTPD 1.2.10 Server (ProFTPD Default Installation) [127.0.0.1]
Name (localhost:troublenow): troublenow
331 Password required for troublenow.
Password:
230 User troublenow logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
226 Transfer complete.
ftp> quit
221 Goodbye.

Good, everything seems to be working, so kill the daemon and let's move on to configuring proftpd.

# ps waux | grep -i proftpd
nobody   17505  0.0  0.3   3788  1900 ?        Ss   07:19   0:00 proftpd: (accepting connections)
# kill `ps waux | grep -i [p]roftpd | awk '{ print $2 }'`
# ps waux | grep -i proftpd
#

Create SSL Keys

Now let's create a self-signed certificate and put it in /usr/local/etc/ftpcert/.

# cd /usr/local/etc/
# mkdir ftpcert
# cd ftpcert/
# openssl genrsa 1024 > host.key
# chmod 400 host.key
# openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: 
Email Address []: 

Configure Proftpd

I will log everything to /var/log/ftpd, so first we need to create that directory:

# mkdir /var/log/ftpd

Now replace everything in the default /usr/local/etc/proftpd.conf with the following settings:

ServerName                      "test FTP server"
ServerType                      standalone
DefaultServer                   on

Port                            21

Umask                           022

AllowStoreRestart               on
AllowRetrieveRestart            on
AllowForeignAddress             on

LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                       auth    "%v [%P] %h %t \"%r\" %s"
LogFormat                       write   "%h %l %u %t \"%r\" %s %b"

DefaultTransferMode             binary
UseFtpUsers                     on

MaxInstances                    30

User                            nobody
Group                           nogroup

DefaultRoot                     ~

AllowOverwrite                  on

PassivePorts                    59000 59999

TransferLog                     /var/log/ftpd/xferlog
ExtendedLog                     /var/log/ftpd/access.log WRITE,READ write
ExtendedLog                     /var/log/ftpd/auth.log AUTH auth
ExtendedLog                     /var/log/ftpd/paranoid.log ALL default

TLSEngine                       on
TLSLog                          /var/log/ftpd/tls.log
TLSProtocol                     SSLv23
TLSRequired                     on
TLSVerifyClient                 off
TLSRSACertificateFile           /usr/local/etc/ftpcert/host.cert
TLSRSACertificateKeyFile        /usr/local/etc/ftpcert/host.key
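
The following Python script is an added example (it is not part of this article or of ProFTPD) that parses a proftpd.conf like the one above and flags the settings a practitioner would want to check before exposing the server: duplicated directives (ProFTPD silently takes the last occurrence), TLSEngine or TLSRequired not on, a TLSProtocol that still admits SSLv3 handshakes, missing certificate paths, and a PassivePorts range smaller than MaxInstances (the sizing point raised in comment 3 below). The embedded SAMPLE_CONF is constructed from the directives shown above, with DefaultRoot repeated on purpose to exercise the duplicate check.

```python
# Added example (not from the article or from ProFTPD): sanity-check the TLS-relevant
# directives of a proftpd.conf. SAMPLE_CONF is constructed from the howto's config.
SAMPLE_CONF = """\
ServerType standalone
MaxInstances 30
DefaultRoot ~
DefaultRoot ~
PassivePorts 59000 59999
TLSEngine on
TLSProtocol SSLv23
TLSRequired on
TLSRSACertificateFile /usr/local/etc/ftpcert/host.cert
TLSRSACertificateKeyFile /usr/local/etc/ftpcert/host.key
"""

def parse_conf(text):
    """Return ({directive: [args]}, [duplicated directives]); names are case-insensitive, last wins."""
    conf, dups = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, *args = line.split()
        key = name.lower()
        if key in conf and name not in dups:
            dups.append(name)
        conf[key] = args
    return conf, dups

def check_tls(conf, dups):
    """Return a list of findings; an empty list means the checked settings look sane."""
    findings = [f"duplicate directive {d}: only the last occurrence takes effect" for d in dups]
    if conf.get("tlsengine", ["off"])[0].lower() != "on":
        findings.append("TLSEngine is not on: the server will not offer AUTH TLS at all")
    if conf.get("tlsrequired", ["off"])[0].lower() != "on":
        findings.append("TLSRequired is not on: clients may still log in with cleartext passwords")
    proto = conf.get("tlsprotocol", ["SSLv23"])[0]   # mod_tls defaults to SSLv23
    if proto.upper().startswith("SSL"):
        findings.append(f"TLSProtocol {proto} still accepts SSLv3 handshakes; use TLSv1 or later")
    for key in ("tlsrsacertificatefile", "tlsrsacertificatekeyfile"):
        if key not in conf:
            findings.append(f"{key} is missing: mod_tls needs both a certificate and its key")
    ports, maxi = conf.get("passiveports"), conf.get("maxinstances")
    if ports and maxi:
        span = int(ports[1]) - int(ports[0]) + 1      # PassivePorts range is inclusive
        if span < int(maxi[0]):
            findings.append(f"PassivePorts covers only {span} ports but MaxInstances allows {maxi[0]} sessions")
    return findings
```

To check a real installation, call check_tls(*parse_conf(open("/usr/local/etc/proftpd.conf").read())) and print each finding.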

Now start proftpd again and test the connection to the FTP server using TLS (see Clients below for a supported client).

Clients

FlashFXP
FlashFXP is one of the best Windows FTP clients.

Related sites

http://www.castaglia.org/proftpd/modules/mod_tls.html
http://www.faqs.org/ftp/internet-drafts/draft-murray-auth-ftp-ssl-15.txt
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html


Comments

  1. Morz  August 27, 2011

    Hi. Thanks for this brief article, which contains almost everything that is important for setting up a proftpd with TLS.
    Nevertheless it did not work for me. I tested it on two different systems, and it goes well until it comes to PASV+TLS. Seems that passive transfer is blocked. I did open the ports and I also tried it completely without any iptables running and connecting from the same localhost. Still no luck. That puzzles me.

    But: I compiled proftpd with mod_sftp, and so the same configuration that you served above works for connecting with SFTP (using the SSH port then). While Wikipedia (truthfully) tells that encryption is not part of the SFTP protocol specification, this does not matter, as SFTP is based on SSH, so the traffic is encrypted by the underlying SSH (as you said at the beginning of this howto).

    So, if someone runs into problems with PASV+TLS functionality, just connect via SFTP/SSH.

    If someone could comment on my experience, providing some background knowledge, I’d be pleased.

  2. Morz  August 27, 2011

    Ok, I wrote crap up there. I accidentally connected to my openssh service, which provides sftp also… which is nice and works for me. With proftpd (also with vsftpd) the above mentioned problems remain. PASV TLS communication is blocked (listing problem: timeout after dir/LIST command). Even without firewall, what is really strange, isn’t it.

  3. Mendez Copau  August 27, 2011

    Is your FTP server behind a NAT router/firewall? if so also make sure you port forward the required TCP ports & open them up in the firewall.

    You can set the passive ports as mentioned above in the ProFTP config file with:

    PassivePorts 59000 59999

    I would minimize that a bit so you don’t have to open up a whole range of ports in your NAT, so make it something like:

    PassivePorts 59000 59010

    Forward these 10 ports (59000 to 59010) and you should be able to connect (this will also limit your connections to 10! so if it's a high-traffic site you need to open up a bunch more).

    Also, if you are behind NAT you should set your masquerade address:

    MasqueradeAddress xxx.xxx.xxx.xxx

    Set this to the external IP of your WAN connection.
