Setting Up ProFTPd + TLS On Debian Etch

 
Submitted by falko on Mon, 2007-12-10 19:17.

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 12/03/2007

FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. This article explains how to set up ProFTPd with TLS on a Debian Etch server.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.100. These settings might differ for you, so you have to replace them where appropriate.

 

2 Installing ProFTPd And OpenSSL

OpenSSL is needed by TLS; to install ProFTPd and OpenSSL, we simply run:

apt-get install proftpd openssl

You will be asked a question:

Run proftpd from inetd or standalone? <-- standalone

Then open /etc/proftpd/proftpd.conf and change UseIPv6 from on to off; otherwise you'll get a warning like this when you start ProFTPd:

Starting ftp server: proftpd - IPv6 getaddrinfo 'server1.example.com' error: Name or service not known

vi /etc/proftpd/proftpd.conf

[...]
UseIPv6                         off
[...]

For security reasons you can also add the following lines to /etc/proftpd/proftpd.conf (thanks to Reinaldo Carvalho; more information can be found here: http://proftpd.org/localsite/Userguide/linked/userguide.html):

vi /etc/proftpd/proftpd.conf

[...]
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
[...]

 

3 Creating The SSL Certificate For TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/proftpd/ssl, therefore I create that directory first:

mkdir /etc/proftpd/ssl

Afterwards, we can generate the SSL certificate as follows:

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

 

4 Enabling TLS In ProFTPd

In order to enable TLS in ProFTPd, open /etc/proftpd/proftpd.conf and find the section beginning with <IfModule mod_tls.c>:

vi /etc/proftpd/proftpd.conf

It should look like this:

[...]
<IfModule mod_tls.c>
TLSEngine                  off
</IfModule>
[...]

Modify it as follows:

[...]
<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSOptions                 NoCertRequest
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                on
</IfModule>
[...]

If you use TLSRequired on, only TLS connections are allowed (this locks out any users with old FTP clients that don't have TLS support). If you comment out that line or use TLSRequired off, both TLS and non-TLS connections are allowed, depending on what the FTP client supports; clients that connect without TLS still send their passwords and data in clear text.

Restart ProFTPd afterwards:

/etc/init.d/proftpd restart

That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS (this is a must if you use TLSRequired on) - see the next chapter for how to do this with FileZilla.

If you're having problems with TLS, you can take a look at the TLS log file /var/log/proftpd/tls.log.
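
A quick way to check the settings from this chapter, as an added example that is not part of the original tutorial: the hypothetical function audit_proftpd_tls reads a proftpd.conf and reports mod_tls settings that leave traffic unprotected, including the SSLv23 value, which lets mod_tls negotiate SSLv3 as well as TLSv1. The sample configuration is constructed from the block above.

```shell
#!/bin/sh
# Audit the <IfModule mod_tls.c> block of a proftpd.conf (file in $1, or stdin).
# Prints one finding per line; returns 1 if anything was found, else 0.
audit_proftpd_tls() {
    awk '
        function finding(msg) { print msg; bad = 1 }
        # Only directives inside the mod_tls block are inspected.
        $1 == "<IfModule" && $2 == "mod_tls.c>" { in_tls = 1; seen = 1; next }
        $1 == "</IfModule>"                     { in_tls = 0; next }
        !in_tls || NF == 0 || $1 ~ /^#/         { next }
        { key = tolower($1); val[key] = tolower($2); line[key] = tolower($0) }
        END {
            if (!seen) { finding("mod_tls block not found"); exit 1 }
            if (val["tlsengine"] != "on")
                finding("TLSEngine is not on: logins and data travel in clear text")
            if (val["tlsrequired"] != "on")
                finding("TLSRequired is not on: some or all traffic may stay unencrypted")
            if (line["tlsprotocol"] ~ /sslv/)
                finding("TLSProtocol permits SSLv3: name TLS versions only")
            if (!("tlsrsacertificatefile" in val) || !("tlsrsacertificatekeyfile" in val))
                finding("certificate or key file directive is missing")
            exit bad + 0
        }
    ' "$@"
}

# Constructed sample: the mod_tls block as configured in this chapter.
page_config() {
    cat <<'EOF'
<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSOptions                 NoCertRequest
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                on
</IfModule>
EOF
}

# Demo: the block as written, then with the TLSRequired line commented out.
page_config | audit_proftpd_tls || :
page_config | sed 's/^TLSRequired/#&/' | audit_proftpd_tls || :
```

To audit a live server, call audit_proftpd_tls /etc/proftpd/proftpd.conf. Replacing SSLv23 with a value such as TLSv1.2 clears the last finding, but that value is only accepted by ProFTPd releases newer than the one shipped with Etch.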

 

5 Configuring FileZilla For TLS

In order to use FTP with TLS, you need an FTP client that supports TLS, such as FileZilla.

In FileZilla, open the Server Manager:

Select the server that uses ProFTPd with TLS; in the Server Type drop-down menu, select FTPES instead of normal FTP:

Now you can connect to the server. If you do this for the first time, you must accept the server's new SSL certificate:

If everything goes well, you should now be logged in on the server:

 

6 Links


Submitted by Torsten Zenk (not registered) on Thu, 2010-06-24 14:17.

This is a great tutorial, thank you VERY much.

 One thing to notice if you ever get the

ECONNREFUSED - Connection refused by server

error using filezilla with TLS support

see: http://forum.filezilla-project.org/viewtopic.php?f=1&t=7876
for the missing configuration of the filezilla client


 

Submitted by Jonny (not registered) on Tue, 2009-07-21 13:58.

Thanks, the TLS protocol version lines helped me with connecting to Proftpd using the JScape java applet client.

Submitted by Anonymous (not registered) on Fri, 2009-06-12 21:32.
Ugh, I've tried so many tutorials, and this is yet another that doesn't work. This one does get me a bit further, though... TLS works, but the connection times out when trying to list the remote directory. Suggestions?
Submitted by Hunter (not registered) on Mon, 2009-07-20 21:43.

I had the same problem. You need to use a specific range of passive ports, then enable them in your firewall.

Try this:

In proftpd.conf:

PassivePorts                    20000 20050

 

For UFW (Default in Ubuntu):

$ ufw allow proto tcp to any port 20000:20050

$ /etc/init.d/proftpd restart

Submitted by Scott M (not registered) on Fri, 2008-10-17 19:01.
I have to say this is the first and only simple setup guide that actually WORKS. I have been struggling with setting up a complete server and every guide is cryptic and you always have to debug. Thanks for the quick how-to.
Submitted by racahill (registered user) on Thu, 2008-03-06 12:38.

straightforward, easy, genial ;-)

 Thank you.

Submitted by kdclaver (registered user) on Tue, 2007-12-11 14:25.

I have installed proftpd as described in this howto. All runs well.

I want to congratulate the author.

Thanks more.

 

PS: For the test I used CoreFTP lite.

 

Submitted by usafshah (registered user) on Sun, 2008-04-06 22:17.

Very simple and easy to install proftpd... but there are some issues regarding router and firewall settings and also the modes of proftpd, like active and passive mode of FTP. There is a more detailed article on such issues:

http://www.compwrite.com/index.php/2008/04/03/installing-proftpd-on-linux/