How to set up a ProFTPD daemon with SSL/TLS encryption


People tend to lump FTPS and SFTP together, but the two are completely different.

FTPS is ordinary FTP with the control connection (and, when TLSRequired is on, the data connections too) protected by SSL/TLS, negotiated with the AUTH TLS command (RFC 4217).
SFTP is a separate file transfer protocol that runs as a subsystem of SSH; it shares nothing with FTP except the name, and everything is encrypted just as in any SSH session.

The advantage of FTPS is that it is easier to set up with chrooted environments on a ‘standard’ Linux box: at the time of writing most Linux distributions had no out-of-the-box option for chrooting an SSH session. (Newer OpenSSH releases do provide one, the ChrootDirectory directive in sshd_config, which narrows that advantage.)

Install ProFTPD from source

First download the latest source code, which is 1.2.10 at the time of writing. Use the current release from proftpd.org and substitute its version number in the commands below.

# cd /usr/src
# wget
# tar -xvzf proftpd-1.2.10.tar.gz
# cd proftpd-1.2.10

Make sure you have a compiler and the OpenSSL development headers installed.
On a Debian-based system:

# apt-get install build-essential
# apt-get install libssl-dev

Then compile ProFTPD with TLS support (mod_tls is not built unless you ask for it):

# ./configure --with-modules=mod_tls
# make
# make install

Everything should now be installed, so test it first with plain FTP. Check that mod_tls.c appears in the list of compiled-in modules, then start the server with the default config file:

# proftpd -l
Compiled-in modules:
# /usr/local/sbin/proftpd  -c /usr/local/etc/proftpd.conf

If all is well ProFTPD is running and you can log in with any FTP client. Note that this plaintext test sends the password over the network unencrypted, so do it from localhost, as below, and preferably with a throwaway account.

# ftp localhost
Connected to localhost.localdomain.
220 ProFTPD 1.2.10 Server (ProFTPD Default Installation) []
Name (localhost:troublenow): troublenow
331 Password required for troublenow.
230 User troublenow logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
226 Transfer complete.
ftp> quit
221 Goodbye.

Good, everything seems to work. Kill the daemon and move on to configuring ProFTPD properly.

# ps waux | grep -i proftpd
nobody   17505  0.0  0.3   3788  1900 ?        Ss   07:19   0:00 proftpd: (accepting connections)
# kill $(pgrep -x proftpd)
# ps waux | grep -i proftpd

Create SSL Keys

Now create a self-signed certificate and put it in /usr/local/etc/ftpcert/. Use a 2048-bit key and a SHA-256 signature; the 1024-bit key and SHA-1 signature used in older howtos are no longer considered safe. The key is stored unencrypted so the daemon can read it without operator intervention, so keep it mode 400 and owned by root. Set the Common Name to the hostname clients will connect to; because the certificate is self-signed, clients will warn on first connection and must be told to accept this specific certificate.

# cd /usr/local/etc/
# mkdir ftpcert
# cd ftpcert/
# openssl genrsa -out host.key 2048
# chmod 400 host.key
# openssl req -new -x509 -sha256 -days 365 -key host.key -out host.cert
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: 
Email Address []: 
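The key and certificate steps above, as an added POSIX sh example that is not part of the original howto: it generates the pair without the interactive prompts (2048-bit RSA, SHA-256) and then checks what the prompts never tell you, namely that the key file is not world-readable, that the certificate really carries the public half of that key, and that it has not expired. The function names, the target directory and the Common Name ftp.example.com are this example's own choices; it assumes openssl(1) is on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original howto: create the ProFTPD server key
# and self-signed certificate without the interactive prompts, then verify the
# things the prompts never tell you. Assumes openssl(1) is on PATH; directory,
# CN and function names are this example's own choices.

# make_ftp_cert DIR CN [DAYS]
#   Writes DIR/host.key (RSA 2048, mode 0400) and DIR/host.cert (self-signed,
#   SHA-256, valid DAYS days, default 365). 1024-bit keys and SHA-1 signatures,
#   as in older howtos, are no longer acceptable.
make_ftp_cert() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir" || return 1
    # umask 077 in a subshell so the key file is never world-readable, even briefly
    ( umask 077 && openssl genrsa -out "$dir/host.key" 2048 2>/dev/null ) || return 1
    chmod 400 "$dir/host.key" || return 1
    # -subj replaces the DN prompts; the CN must be the name clients connect to.
    # -nodes only matters when req generates the key itself, so it is omitted.
    openssl req -new -x509 -sha256 -days "$days" -key "$dir/host.key" \
        -subj "/CN=$cn" -out "$dir/host.cert" || return 1
}

# check_ftp_cert DIR
#   Returns 0 when host.key is mode 0400, host.cert carries the public half of
#   that key, and the certificate has not expired; prints the failing reason
#   otherwise. Run it before pointing TLSRSACertificate{,Key}File at the files.
check_ftp_cert() {
    dir=$1
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c %a "$dir/host.key" 2>/dev/null || stat -f %Lp "$dir/host.key")
    [ "$mode" = "400" ] || { echo "host.key mode is $mode, expected 400"; return 1; }
    # compare a digest of the key's public half with the one in the certificate
    kpub=$(openssl rsa -in "$dir/host.key" -pubout 2>/dev/null | openssl dgst -sha256)
    cpub=$(openssl x509 -in "$dir/host.cert" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] ||
        { echo "host.cert does not match host.key"; return 1; }
    # -checkend 0: non-zero exit if the certificate is already expired
    openssl x509 -in "$dir/host.cert" -noout -checkend 0 >/dev/null ||
        { echo "host.cert has expired"; return 1; }
}

# cert_cn DIR -> prints the certificate's Common Name; the sed handles both the
# old ("subject= /CN=x") and new ("subject=CN = x") openssl output formats
cert_cn() {
    openssl x509 -in "$1/host.cert" -noout -subject | sed 's/.*CN *= *//'
}

# Usage when run directly: ./mkcert.sh /usr/local/etc/ftpcert ftp.example.com [days]
if [ $# -ge 2 ]; then
    make_ftp_cert "$1" "$2" "${3:-365}" && check_ftp_cert "$1" && echo "ok: CN=$(cert_cn "$1")"
fi
```

If check_ftp_cert complains that the certificate does not match the key, the usual cause is that openssl req was re-run with a fresh -newkey instead of the existing -key; regenerate the certificate from host.key rather than replacing the key after the daemon has been configured.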

Configure Proftpd

I will log everything to /var/log/ftpd, so first create that directory:

# mkdir /var/log/ftpd

Now replace everything in the default /usr/local/etc/proftpd.conf with the following settings:

ServerName                      "test FTP server"
ServerType                      standalone
DefaultServer                   on

Port                            21

Umask                           022

AllowStoreRestart               on
AllowRetrieveRestart            on
# Lets a client point the data connection at a third-party address (FXP,
# site-to-site transfers). This is the classic FTP bounce vector; set it
# off unless you actually need FXP.
AllowForeignAddress             on

LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                       auth    "%v [%P] %h %t \"%r\" %s"
LogFormat                       write   "%h %l %u %t \"%r\" %s %b"

DefaultTransferMode             binary
UseFtpUsers                     on

MaxInstances                    30

User                            nobody
Group                           nogroup

DefaultRoot                     ~

AllowOverwrite                  on

# Fixed range for passive data connections. Because the control channel is
# encrypted, a stateful firewall cannot read the PASV reply and open the data
# port on the fly, so this range (and port 21) must be opened explicitly.
PassivePorts                    59000 59999

TransferLog                     /var/log/ftpd/xferlog
ExtendedLog                     /var/log/ftpd/access.log WRITE,READ write
ExtendedLog                     /var/log/ftpd/auth.log AUTH auth
ExtendedLog                     /var/log/ftpd/paranoid.log ALL default

TLSEngine                       on
TLSLog                          /var/log/ftpd/tls.log
# SSLv23 (the old default) also negotiates SSLv2/SSLv3; TLSv1 is the strongest
# value mod_tls 1.2.10 accepts. Current releases accept "TLSv1.2 TLSv1.3",
# use those where available.
TLSProtocol                     TLSv1
# Refuse plaintext logins and plaintext data transfers
TLSRequired                     on
TLSVerifyClient                 off
TLSRSACertificateFile           /usr/local/etc/ftpcert/host.cert
TLSRSACertificateKeyFile        /usr/local/etc/ftpcert/host.key

Now start ProFTPD again and test the connection to the FTP server over TLS (see the clients section below for a supported client).
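As an added example (not part of the original page), a small POSIX sh audit of the TLS-relevant directives in a proftpd.conf like the one above, plus the firewall rules its PassivePorts range needs. It puts the weak settings (TLSProtocol SSLv23, TLSRequired off, AllowForeignAddress on, a missing key file) beside the corrected ones in two constructed sample configs. The function names and both samples are mine; it assumes one directive per line, as in the config above, and needs only sh and awk, so it can run on the build box before the daemon is started.

```shell
#!/bin/sh
# Added example, not part of the original howto: audit the TLS-related
# directives of a proftpd.conf and emit the firewall rules its PassivePorts
# range needs. Assumes one directive per line (as in the sample config) and
# uses only POSIX sh and awk, so it can run on the build box before startup.

# conf_value FILE DIRECTIVE
#   Prints the value of DIRECTIVE (last occurrence wins, as in ProFTPD), or
#   nothing if it is absent. Matching is case-insensitive like ProFTPD's.
conf_value() {
    awk -v d="$2" '
        tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); v = $0 }
        END { print v }' "$1"
}

# audit_tls_conf FILE
#   Prints one line per finding; the return value is the number of findings,
#   so 0 means the file passed.
audit_tls_conf() {
    f=$1; n=0
    [ "$(conf_value "$f" TLSEngine)" = "on" ] ||
        { echo "TLSEngine is not on: mod_tls is inactive"; n=$((n + 1)); }
    [ "$(conf_value "$f" TLSRequired)" = "on" ] ||
        { echo "TLSRequired is not on: plaintext logins and transfers allowed"; n=$((n + 1)); }
    # SSLv23 (the old default when the directive is missing) also negotiates SSLv2/SSLv3
    case "$(conf_value "$f" TLSProtocol)" in
        ""|*SSLv2*|*SSLv3*) echo "TLSProtocol permits SSLv2/SSLv3"; n=$((n + 1)) ;;
    esac
    [ "$(conf_value "$f" AllowForeignAddress)" != "on" ] ||
        { echo "AllowForeignAddress on: FXP and FTP bounce possible; set off unless needed"; n=$((n + 1)); }
    for d in TLSRSACertificateFile TLSRSACertificateKeyFile; do
        [ -n "$(conf_value "$f" "$d")" ] || { echo "$d is missing"; n=$((n + 1)); }
    done
    return $n
}

# passive_firewall_rules FILE
#   Because the control channel is encrypted, a stateful firewall cannot read
#   the PASV reply and open the data port on the fly; print the iptables rules
#   that open the control port and the whole PassivePorts range instead.
passive_firewall_rules() {
    port=$(conf_value "$1" Port); port=${port:-21}
    range=$(conf_value "$1" PassivePorts)
    [ -n "$range" ] || { echo "PassivePorts is not set" >&2; return 1; }
    lo=${range%% *}; hi=${range##* }
    echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $lo:$hi -j ACCEPT"
}

# Constructed samples: the weak settings beside the corrected ones.
weak_conf() {
cat <<'EOF'
TLSEngine on
TLSProtocol SSLv23
TLSRequired off
AllowForeignAddress on
PassivePorts 59000 59999
TLSRSACertificateFile /usr/local/etc/ftpcert/host.cert
EOF
}

hardened_conf() {
cat <<'EOF'
Port 21
PassivePorts 59000 59999
AllowForeignAddress off
TLSEngine on
TLSProtocol TLSv1
TLSRequired on
TLSVerifyClient off
TLSRSACertificateFile /usr/local/etc/ftpcert/host.cert
TLSRSACertificateKeyFile /usr/local/etc/ftpcert/host.key
EOF
}

# Run both samples through the audit when executed directly.
w=$(mktemp) && h=$(mktemp) || exit 1
weak_conf > "$w"; hardened_conf > "$h"
echo "== weak =="; audit_tls_conf "$w" || echo "$? finding(s)"
echo "== hardened =="; audit_tls_conf "$h" && echo "clean"; passive_firewall_rules "$h"
rm -f "$w" "$h"
```

A clean audit only says the security-relevant directives are set sensibly; check the syntax of the real file with proftpd -t -c /usr/local/etc/proftpd.conf before starting the daemon, and once it is running verify the handshake from the command line with openssl s_client -connect localhost:21 -starttls ftp, which should print the certificate you generated and a negotiated protocol, never SSLv2 or SSLv3.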

Clients

FlashFXP, one of the best Windows FTP clients, supports FTPS.