HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


tom 6th November 2006 23:46

Secure proftp by using tls
I'm wondering myself why proftp with tls is not standard in ISPconfig but I'm very interested how to make the ftp connection secure. All passwords are sent as plaintext. Right?

Do you know a good howto for making proftp secure by using tls?

tom 7th November 2006 02:01

Ok, I just worked it out:

Make your proftp secure by using tls

# look for compiled modules:
/usr/sbin/proftpd -l

Compiled-in modules:


# if not --> compile proftp with tls :

./configure --with-modules=mod_tls
make install

# create ssl-certificate

mkdir /etc/ssl_proftp
cd /etc/ssl_proftp
openssl genrsa 1024 > host.key
chmod 400 host.key
openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert
# change proftpd.conf tls according to

vi /etc/proftpd.conf

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/proftpd_tls.log
TLSProtocol TLSv1
TLSRequired off
TLSVerifyClient off
TLSRSACertificateFile /etc/ssl_proftp/host.cert
TLSRSACertificateKeyFile /etc/ssl_proftp/host.key
</IfModule>

# restart proftp
/etc/init.d/proftpd restart

# The ftpclient (with the ability to use tls) should show that while connecting:

## that’s all :-)
Syntax: TLSRequired on|off|ctrl|data
#Don't use a specific ssl certificate. To start you should use that
TLSRequired off

# Require SSL/TLS on the control channel, so that passwords are not sent
# in the clear.
TLSRequired ctrl

# Require SSL/TLS on both channels.
TLSRequired on

till 7th November 2006 12:40

Thanks for the Howto. I moved it to the Tips & Tricks forum.

tom.1 6th August 2008 15:09

Make it work with ISPConfig
Since this post regards ISPConfig someone should mention that the
<IfModule mod_tls.c>
should be written into /etc/proftpd_ispconfig.conf

To make it really work you should add
PassivePorts 60000 60100
(or any range you like) before <IfModule mod_tls.c> and open the respective ports in your firewall.

The background is, that the firewall can't inspect the encrypted traffic and therefore can't determine the passive ports the filetransfer will take (and hence can't open them). With the above settings you will force proftpd to take the specified ports which you opened in the firewall.

At least that's the way that finally worked for me.
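The two posts above boil down to a handful of checks on the mod_tls section: the `<IfModule mod_tls.c>` block must be closed, `TLSRequired` must not stay at `off` once clients work (otherwise a client can still log in with a plaintext password), the certificate directives must be present, and on a firewalled host `PassivePorts` must pin the data-connection range because the firewall cannot read the PASV reply inside the TLS session. The script below is an added example, not code from either poster or from the ProFTPD project: a small POSIX sh lint that runs those checks over a config file. The directive names are real ProFTPD directives; the two config files it writes are constructed for the demo (the first is the thread's original fragment, the second has the follow-up post's fixes applied), and the file names and the `findings: N` output format are my own choices.

```shell
#!/bin/sh
# Added example: lint the mod_tls section of a proftpd.conf
# (or /etc/proftpd_ispconfig.conf on ISPConfig) for the points raised in the thread.

# get_directive FILE NAME: print the arguments of the last NAME line (comments
# stripped), or nothing if the directive is absent.
get_directive() {
    awk -v d="$2" '
        { sub(/#.*/, "") }
        $1 == d { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }' "$1"
}

# count_lines FILE REGEX: number of non-comment lines matching REGEX.
count_lines() {
    awk -v re="$2" '{ sub(/#.*/, "") } $0 ~ re { c++ } END { print c + 0 }' "$1"
}

# finding MESSAGE: report one problem and bump the running total.
finding() { echo "FINDING: $1"; n=$((n + 1)); }

# check_proftpd_tls_conf FILE: print one FINDING line per problem plus a total;
# the exit status is the number of findings, so 0 means the section looks sound.
check_proftpd_tls_conf() {
    f="$1"; n=0

    # 1. the <IfModule mod_tls.c> container must exist and be closed
    opens=$(count_lines "$f" '^[ \t]*<IfModule[ \t]+mod_tls[.]c[ \t]*>')
    closes=$(count_lines "$f" '^[ \t]*</IfModule[ \t]*>')
    [ "$opens" -gt 0 ] || finding "no <IfModule mod_tls.c> section: TLS is not configured"
    [ "$opens" -eq "$closes" ] || finding "<IfModule mod_tls.c> opened $opens time(s), closed $closes time(s)"

    # 2. the engine must actually be switched on
    [ "$(get_directive "$f" TLSEngine)" = "on" ] || finding "TLSEngine is not 'on'"

    # 3. TLSRequired decides whether the login itself is protected
    case "$(get_directive "$f" TLSRequired)" in
        ctrl|on) ;;
        data)   finding "TLSRequired data protects transfers only; the password still goes in clear" ;;
        off|"") finding "TLSRequired is off or unset: clients may still log in with a plaintext password" ;;
        *)      finding "TLSRequired has an unexpected value" ;;
    esac

    # 4. certificate and key paths must be configured
    for d in TLSRSACertificateFile TLSRSACertificateKeyFile; do
        [ -n "$(get_directive "$f" $d)" ] || finding "$d is missing"
    done

    # 5. passive data ports must be pinned so the firewall can open exactly that range
    set -- $(get_directive "$f" PassivePorts)
    if [ $# -ne 2 ]; then
        finding "PassivePorts is missing or malformed (expected: PassivePorts LOW HIGH)"
    elif [ "$1" -gt "$2" ]; then
        finding "PassivePorts low bound $1 is greater than high bound $2"
    fi

    echo "findings: $n"
    return $n
}

# --- constructed demo inputs (temporary files, removed on exit) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
WEAK_CONF="$DEMO_DIR/weak.conf"       # the thread's first config, as posted
GOOD_CONF="$DEMO_DIR/hardened.conf"   # with the follow-up post's fixes applied

cat > "$WEAK_CONF" <<'EOF'
ServerName "ProFTPD"
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/proftpd_tls.log
TLSProtocol TLSv1
TLSRequired off
TLSVerifyClient off
TLSRSACertificateFile /etc/ssl_proftp/host.cert
TLSRSACertificateKeyFile /etc/ssl_proftp/host.key
EOF

cat > "$GOOD_CONF" <<'EOF'
ServerName "ProFTPD"
PassivePorts 60000 60100
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/proftpd_tls.log
TLSProtocol TLSv1
TLSRequired ctrl
TLSVerifyClient off
TLSRSACertificateFile /etc/ssl_proftp/host.cert
TLSRSACertificateKeyFile /etc/ssl_proftp/host.key
</IfModule>
EOF

echo "== $WEAK_CONF"; check_proftpd_tls_conf "$WEAK_CONF" || true
echo "== $GOOD_CONF"; check_proftpd_tls_conf "$GOOD_CONF" || true
```

Run it against the real file (`check_proftpd_tls_conf /etc/proftpd_ispconfig.conf`) after editing and before the restart; the three findings it reports for the thread's original fragment are exactly the points the follow-up post had to fix by hand (unclosed container, `TLSRequired off`, no `PassivePorts`), and the non-zero exit status makes it usable as a gate in a deployment script. It only reads the config; pair it with `proftpd -t` for a full syntax check once the directives are in place.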
