Configure Encrypted ProFTPD Connections

Install and Configure a Secure ProFTPD Server Using SSL/TLS

In this article, we will see how to install and configure a secure ProFTPD server using SSL/TLS on CentOS 7 / RHEL 7 / Fedora 22.

ProFTPD is a highly configurable, GPL-licensed FTP server. A number of plugins are available for it, and its creator modeled its configuration syntax on that of the Apache web server.

Some advantages of the ProFTPD server:

  • Supports TCP-wrappers-based access controls.
  • Highly configurable.
  • Anonymous users are not able to log in to the ProFTPD server.
  • Source code is available for administrators and developers to audit.
  • Shadow password suite support, including support for expired accounts.
  • Allows the use of .ftpaccess files for per-directory access controls.

Its disadvantages are that it uses more memory, and it is recommended only when additional configuration flexibility is required.

Previously we saw how to configure vsftpd to use TLS/SSL certificates; see the link below.

Configure vsftpd with SSL/TLS

To enable secure FTP communication on the ProFTPD server, the steps are:

1) Installation and configuration of the ProFTPD server.

The standard CentOS and RHEL repositories do not provide a ProFTPD package, so we add the EPEL repository to the system using the following command.

[root@server1 ~]# wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
--2016-10-16 10:34:05--  https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
Resolving dl.fedoraproject.org (dl.fedoraproject.org)... 209.132.181.24, 209.132.181.27, 209.132.181.25, ...
Connecting to dl.fedoraproject.org (dl.fedoraproject.org)|209.132.181.24|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14612 (14K) [application/x-rpm]
Saving to: ‘epel-release-latest-7.noarch.rpm’

100%[=====================================================>] 14,612      37.6KB/s   in 0.4s   

2016-10-16 10:34:07 (37.6 KB/s) - ‘epel-release-latest-7.noarch.rpm’ saved [14612/14612]
[root@server1 ~]# rpm -ivh epel-release-latest-7.noarch.rpm 
warning: epel-release-latest-7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:epel-release-7-8                 ################################# [100%]
[root@server1 ~]#

Now install the ProFTPD server on your system using the command below.

#yum install proftpd proftpd-utils -y

[root@server1 ~]# yum install proftpd proftpd-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * epel: epel.excellmedia.net
Resolving Dependencies
--> Running transaction check
---> Package proftpd.x86_64 0:1.3.5b-2.el7 will be installed
. . .

erl-Mail-Sendmail           noarch            0.79-21.el7          epel                29 k

Transaction Summary
=======================================================
Install  2 Packages (+3 Dependent packages)

Total download size: 4.7 M
Installed size: 12 M
Is this ok [y/d/N]: y
Downloading packages:

After installing ProFTPD, start and enable the service with the commands below.

[root@server1 ~]# systemctl start proftpd
[root@server1 ~]# netstat -tulpn | grep :21
tcp6       0      0 :::21                   :::*                    LISTEN      3297/proftpd: (acce 
[root@server1 ~]# systemctl status proftpd
● proftpd.service - ProFTPD FTP Server
   Loaded: loaded (/usr/lib/systemd/system/proftpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2016-10-16 10:48:33 EDT; 18s ago
  Process: 3296 ExecStart=/usr/sbin/proftpd $PROFTPD_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 3297 (proftpd)
   CGroup: /system.slice/proftpd.service
           └─3297 proftpd: (accepting connections)

Oct 16 10:48:33 server1.itcare.in systemd[1]: Starting ProFTPD FTP Server...
Oct 16 10:48:33 server1.itcare.in systemd[1]: PID file /run/proftpd/proftpd.pid not readable (yet?) after start.
Oct 16 10:48:33 server1.itcare.in proftpd[3297]: 192.168.1.10 - ProFTPD 1.3.5b (maint) (built Wed Jun 1 2016 09:34:39 UTC) standalone mode STARTUP
Oct 16 10:48:33 server1.itcare.in systemd[1]: Started ProFTPD FTP Server.
Hint: Some lines were ellipsized, use -l to show in full.
[root@server1 ~]# systemctl enable proftpd
Created symlink from /etc/systemd/system/multi-user.target.wants/proftpd.service to /usr/lib/systemd/system/proftpd.service.
[root@server1 ~]#

Allow the FTP service through the firewall on the FTP server.

[root@server1 ~]# firewall-cmd --permanent --add-service=ftp
success
[root@server1 ~]# firewall-cmd --reload
success
[root@server1 ~]#

Connect from a client machine and access the files graphically.

Open a web browser such as Firefox, type the FTP server's IP address as shown below, and enter the credentials of a valid local system account (in our case "gaurav" is the local account on the system).

[Screenshot: ftppro]

Note: By default, the ProFTPD server authenticates logins against valid local system accounts, and each user accesses their own account's files.

[Screenshot: ftppro2]

2) Generate self-signed certificates.

First, check whether the OpenSSL package is installed; if not, install it with the yum command "yum install openssl -y".

We will use a directory under the SSL directory (/etc/pki/tls) to store our certificate and key.

#mkdir /etc/pki/tls/private

[root@server1 ~]# mkdir /etc/pki/tls/private
[root@server1 ~]#

To create the private key and the self-signed certificate (both written to the same .pem file), we use the following command. Note that a 1024-bit RSA key, as used here, is considered too weak today; use rsa:2048 or larger for a real deployment.

[root@server1 ~]# openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/pki/tls/private/proftpd.pem -out /etc/pki/tls/private/proftpd.pem
Generating a 1024 bit RSA private key
..............................++++++
..++++++
writing new private key to '/etc/pki/tls/private/proftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Himachal
Locality Name (eg, city) [Default City]:Shimla
Organization Name (eg, company) [Default Company Ltd]:itcare solution
Organizational Unit Name (eg, section) []:IT Troubleshooter
Common Name (eg, your name or your server's hostname) []:server1
Email Address []:root@server1.itcare.in
[root@server1 ~]#

Restrict the permissions of the proftpd.pem file so that only root can read it, since it contains the private key.

[root@server1 ~]# chmod 400 /etc/pki/tls/private/proftpd.pem 
[root@server1 ~]# ll /etc/pki/tls/private/proftpd.pem 
-r--------. 1 root root 2043 Oct 16 11:19 /etc/pki/tls/private/proftpd.pem
[root@server1 ~]#

3) Configure the ProFTPD file.

First take a backup of the /etc/proftpd.conf file. Then edit /etc/proftpd.conf, go to the bottom of the file, and add the options shown below.

[root@server1 ~]# cp -v /etc/proftpd.conf /root/
‘/etc/proftpd.conf’ -> ‘/root/proftpd.conf’
[root@server1 ~]#

#vim /etc/proftpd.conf

### Add to the end of the proftpd.conf file ###
##fix Passive ports ###
PassivePorts              21000 21010
#enable TLS
TLSEngine                 on
TLSRequired               on
TLSProtocol               TLSv1.2
TLSLog                    /var/log/proftpd/tls.log
TLSRSACertificateFile     /etc/pki/tls/private/proftpd.pem
TLSRSACertificateKeyFile  /etc/pki/tls/private/proftpd.pem

4) Allow passive ports on the firewall of the FTP server.

If your firewall service is running, allow the passive port range configured above.

[root@server1 ~]# firewall-cmd --permanent --add-port=21000-21010/tcp
 success
[root@server1 ~]# firewall-cmd --reload
 success 
[root@server1 ~]#
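As an added check (example code written for this article, not part of ProFTPD or the original post), a small Python audit that verifies the directives appended in step 3 and the passive-port range opened in step 4 agree with each other. The sample config and the firewall port list are constructed from this article's values; the file paths are the article's own.

```python
# Constructed sample: the block this article appends to /etc/proftpd.conf in step 3.
SAMPLE_CONF = """
PassivePorts              21000 21010
TLSEngine                 on
TLSRequired               on
TLSProtocol               TLSv1.2
TLSLog                    /var/log/proftpd/tls.log
TLSRSACertificateFile     /etc/pki/tls/private/proftpd.pem
TLSRSACertificateKeyFile  /etc/pki/tls/private/proftpd.pem
"""
SAMPLE_FW_PORTS = "21000-21010/tcp"  # constructed: `firewall-cmd --list-ports` output after step 4
# Protocol names mod_tls accepts that should not be offered; SSLv23 means "any version".
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "SSLv23", "TLSv1", "TLSv1.1"}

def parse_conf(text):
    """Map each directive to its argument list; comments are stripped, last value wins."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *args = line.split()
            conf[key] = args
    return conf

def firewall_allows(ports_spec, low, high):
    """True if every TCP port in low..high appears in a firewalld-style port list."""
    allowed = set()
    for item in ports_spec.split():
        rng, proto = item.split("/")
        if proto == "tcp":
            first, _, last = rng.partition("-")
            allowed.update(range(int(first), int(last or first) + 1))
    return all(port in allowed for port in range(low, high + 1))

def audit(conf_text, fw_ports):
    """Return a list of findings; an empty list means the TLS setup is consistent."""
    conf = parse_conf(conf_text)
    findings = []
    for directive in ("TLSEngine", "TLSRequired"):  # both must be "on" to force TLS
        if (conf.get(directive) or ["off"])[0].lower() != "on":
            findings.append(f"{directive} is not on: plaintext sessions are still possible")
    weak = WEAK_PROTOCOLS.intersection(conf.get("TLSProtocol", []))
    if weak:
        findings.append("TLSProtocol offers obsolete versions: " + ", ".join(sorted(weak)))
    if not conf.get("TLSRSACertificateFile") or not conf.get("TLSRSACertificateKeyFile"):
        findings.append("TLSRSACertificateFile or TLSRSACertificateKeyFile is missing")
    if "PassivePorts" in conf:  # the data-connection range must also pass the firewall
        low, high = map(int, conf["PassivePorts"])
        if not firewall_allows(fw_ports, low, high):
            findings.append(f"PassivePorts {low}-{high} are not fully opened in the firewall")
    return findings
```

Run `audit(open("/etc/proftpd.conf").read(), "<output of firewall-cmd --list-ports>")` on the server; an empty list means the article's settings are in place.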

Connect to the ProFTPD server with FileZilla from a Windows or Linux system (GUI mode).

1) Open the FileZilla program.

In the FileZilla interface, open the "Site Manager" from the File menu (File -> Site Manager...) and click the "New Site" button in the lower left corner.

In the "Host" field, fill in the IP address and select "FTP - File Transfer Protocol" from the Protocol menu. For the Encryption menu, select "Require explicit FTP over TLS". Select "Ask for password" from the Logon Type menu and fill in the FTP user in the User field. Then click "Connect".

[Screenshot: ftpprositemanager]

In the last step, accept the certificate to establish the connection. Because the certificate is self-signed, FileZilla shows an unknown-certificate warning; compare the fingerprint it displays with the one on the server before accepting.

[Screenshot: ftpprocertificate]

Now you are connected to your ProFTPD server with SSL/TLS encryption.

[Screenshot: ftpproaccess]

We hope this post helps Linux/Unix beginners. If you run into any difficulties with this article, please post your questions in the comments, and stay connected with us at ittroubleshooter.in.
