FTPS or SFTP
People tend to mix up FTPS and SFTP, but the two are actually completely different.
FTPS is a normal FTP server that uses SSL/TLS encryption.
SFTP is an FTP-like session run over SSH (so everything is encrypted, just like in SSH).
The advantage of FTPS is that it is easier to set up with chrooted environments on a 'standard' Linux box.
Most Linux distros do not offer the option to set up a chrooted SSH session by default.
Install proftpd from source
First we are going to download the latest source code, which is 1.2.10 at the time of writing.
# cd /usr/src
# wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.10.tar.gz
# tar -xvzf proftpd-1.2.10.tar.gz
# cd proftpd-1.2.10
Make sure you have a compiler and the OpenSSL packages installed.
To do this on a Debian-based OS:
# apt-get install build-essential
# apt-get install libssl-dev
Then compile proftpd with TLS support.
# ./configure --with-modules=mod_tls
# make
# make install
Now everything should be installed, so it's time to test that it works using plain FTP. Start the server using the default config file.
# proftpd -l
Compiled-in modules:
mod_core.c
mod_xfer.c
mod_auth_unix.c
mod_auth_file.c
mod_auth.c
mod_ls.c
mod_log.c
mod_site.c
mod_tls.c
mod_cap.c
# /usr/local/sbin/proftpd -c /usr/local/etc/proftpd.conf
If everything is all right, proftpd should now be running and you should be able to log in using any FTP client.
# ftp localhost
Connected to localhost.localdomain.
220 ProFTPD 1.2.10 Server (ProFTPD Default Installation) [127.0.0.1]
Name (localhost:troublenow): troublenow
331 Password required for troublenow.
Password:
230 User troublenow logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
226 Transfer complete.
ftp> quit
221 Goodbye.
Good, everything seems to be working, so kill the daemon and let's move on to setting up proftpd.
# ps waux | grep -i proftpd
nobody 17505 0.0 0.3 3788 1900 ? Ss 07:19 0:00 proftpd: (accepting connections)
# kill `ps waux | grep -i proftpd | awk {' print $2 '}`
# ps waux | grep -i proftpd
#
Create SSL Keys
Now let's create a self-signed certificate and put it in /usr/local/etc/ftpcert/.
# cd /usr/local/etc/
# mkdir ftpcert
# cd ftpcert/
# openssl genrsa 1024 > host.key
# chmod 400 host.key
# openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Configure Proftpd
I will log everything in /var/log/ftpd, so first we need to create that directory:
# mkdir /var/log/ftpd
Now replace everything in the default /usr/local/etc/proftpd.conf with the following settings:
ServerName "test FTP server"
ServerType standalone
DefaultServer on
Port 21
Umask 022
AllowStoreRestart on
AllowRetrieveRestart on
AllowForeignAddress on
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"
DefaultTransferMode binary
UseFtpUsers on
MaxInstances 30
User nobody
Group nogroup
DefaultRoot ~
AllowOverwrite on
PassivePorts 59000 59999
TransferLog /var/log/ftpd/xferlog
ExtendedLog /var/log/ftpd/access.log WRITE,READ write
ExtendedLog /var/log/ftpd/auth.log AUTH auth
ExtendedLog /var/log/ftpd/paranoid.log ALL default
TLSEngine on
TLSLog /var/log/ftpd/tls.log
TLSProtocol SSLv23
TLSRequired on
TLSVerifyClient off
TLSRSACertificateFile /usr/local/etc/ftpcert/host.cert
TLSRSACertificateKeyFile /usr/local/etc/ftpcert/host.key
Now start proftpd and test the connection to the FTP server using TLS (see Clients for a supported client).
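To check from the command line that the server above really enforces TLS, here is an added example (not part of the original page) that talks explicit FTPS by hand: it sends USER before AUTH TLS and expects the refusal that TLSRequired on should produce (assumed to be a 550 reply), then completes the AUTH TLS handshake and records the SHA-256 fingerprint of the self-signed host.cert so it can be pinned. The user name troublenow and host localhost are taken from the page; the reply parser is the generic RFC 959 format, including multi-line replies.

```python
import hashlib
import socket
import ssl


def parse_reply(raw):
    """Parse one (possibly multi-line) FTP reply into (code, text); ValueError if incomplete."""
    lines = raw.decode("latin-1").splitlines()
    code = lines[0][:3]
    for line in lines:
        if line.startswith(code + " "):
            return int(code), line[4:]
    raise ValueError("incomplete reply: %r" % raw)


def read_reply(sock):
    """Read one complete reply from the control connection."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("control connection closed")
        buf += chunk
        if buf.endswith(b"\r\n"):
            try:
                return parse_reply(buf)
            except ValueError:
                pass  # multi-line reply still in progress


def tls_is_enforced(user_code, auth_code):
    """TLSRequired on: USER before AUTH TLS refused (5xx), AUTH TLS accepted (234)."""
    return 500 <= user_code < 600 and auth_code == 234


def check_server(host="localhost", port=21, user="troublenow"):
    """Probe the server: reply codes, verdict and SHA-256 fingerprint of host.cert."""
    sock = socket.create_connection((host, port), timeout=10)
    read_reply(sock)                              # 220 banner
    sock.sendall(b"USER %s\r\n" % user.encode())
    user_code, _ = read_reply(sock)               # assumed 550 with TLSRequired on
    sock.sendall(b"AUTH TLS\r\n")
    auth_code, _ = read_reply(sock)               # expect 234, then the handshake
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # self-signed: pin it
    with ctx.wrap_socket(sock, server_hostname=host) as tls:
        fp = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
        tls.sendall(b"QUIT\r\n")
    return {"user_before_tls": user_code, "auth_tls": auth_code, "cert_sha256": fp,
            "tls_enforced": tls_is_enforced(user_code, auth_code)}
```

Run check_server() against the freshly started daemon; if tls_enforced comes back False, the plain-text login was accepted and the TLSRequired setting is not active.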
Clients
FlashFXP
FlashFXP is one of the best Windows FTP clients.
Related sites
http://www.castaglia.org/proftpd/modules/mod_tls.html
http://www.faqs.org/ftp/internet-drafts/draft-murray-auth-ftp-ssl-15.txt
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html