Howto setup a proftpd daemon using ssl encryption

FTPS or SFTP

People intend to mix FTPS and SFTP together, but both are actually completely differend.

FTPS is a normal FTP server but using SSL encrytion.
SFTP is a ftp kind of session over SSH (so everything is encrypted just like in SSH).

The advantage of FTPS is that its easyer to setup with chrooted enviroments on a ‘standard’ linux box.
Most linux disto’s don’t have by default the option to setup a chrooted SSH session.

Install proftpd from source

First we are going to download the latest source code which is 1.2.10 at the time of writing.

# cd /usr/src
# wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.10.tar.gz
# tar -xvzf proftpd-1.2.10.tar.gz
# cd proftpd-1.2.10

Make sure you have a compiler installed and the openssl packages.
Todo this on a debian based os:

# apt-get install build-essential
# apt-get install libssl-dev

Then compile proftpd with tls support.

# ./configure --with-modules=mod_tls
# make
# make install

Now everything should be installed so its time to test if it works using plain ftp so startup the server using the default config file.

# proftpd -l
Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_auth_unix.c
  mod_auth_file.c
  mod_auth.c
  mod_ls.c
  mod_log.c
  mod_site.c
  mod_tls.c
  mod_cap.c
# /usr/local/sbin/proftpd  -c /usr/local/etc/proftpd.conf

If everything is alright proftpd should be started and you should be able to login using any ftp client.

# ftp localhost
Connected to localhost.localdomain.
220 ProFTPD 1.2.10 Server (ProFTPD Default Installation) [127.0.0.1]
Name (localhost:troublenow): troublenow
331 Password required for troublenow.
Password:
230 User troublenow logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
226 Transfer complete.
ftp> quit
221 Goodbye.

Good everything seems to be working so kill the the daemon and lets move on to setup proftpd

# ps waux | grep -i proftpd
nobody   17505  0.0  0.3   3788  1900 ?        Ss   07:19   0:00 proftpd: (accepting connections)
# kill `ps waux | grep -i proftpd | awk {' print $2 '}`
# ps waux | grep -i proftpd
#

Create SSL Keys

Now lets create a self signed certificate and put that in /usr/local/etc/ftpcert/.

# cd /usr/local/etc/
# mkdir ftpcert
# cd ftpcert/
# openssl genrsa 1024 > host.key
# chmod 400 host.key
# openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: 
Email Address []: 

Configure Proftpd

I will log everything in /var/log/ftpd so first we will need to create that directory:

# mkdir /var/log/ftpd

Now replace everything in the default /usr/local/etc/proftpd.conf to the new settings:

ServerName                      "test FTP server"
ServerType                      standalone
DefaultServer                   on

Port                            21

Umask                           022

AllowStoreRestart               on
AllowRetrieveRestart            on
AllowForeignAddress             on

LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                       auth    "%v [%P] %h %t \"%r\" %s"
LogFormat                       write   "%h %l %u %t \"%r\" %s %b"

DefaultTransferMode             binary
UseFtpUsers                     on

MaxInstances                    30

User                            nobody
Group                           nogroup

DefaultRoot                     ~

AllowOverwrite                  on


PassivePorts                    59000 59999
DefaultRoot                     ~
AllowOverwrite                  on

TransferLog                     /var/log/ftpd/xferlog
ExtendedLog                     /var/log/ftpd/access.log WRITE,READ write
ExtendedLog                     /var/log/ftpd/auth.log AUTH auth
ExtendedLog                     /var/log/ftpd/paranoid.log ALL default



TLSEngine on
TLSLog /var/log/ftpd/tls.log
TLSProtocol SSLv23
TLSRequired on
TLSVerifyClient off
TLSRSACertificateFile /usr/local/etc/ftpcert/host.cert
TLSRSACertificateKeyFile /usr/local/etc/ftpcert/host.key

Now startup proftpd and test the connection the the ftp server using tls (see clients for a supported client)
Clients

FlashFXP
FlashFXP one of the best windows ftp clients.
Related sites

http://www.castaglia.org/proftpd/modules/mod_tls.html
http://www.faqs.org/ftp/internet-drafts/draft-murray-auth-ftp-ssl-15.txt
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html

3