Setting Up ProFTPd + TLS On Ubuntu 11.10 (Oneiric Ocelot)

Want to support HowtoForge? Become a subscriber!
 
Submitted by falko (Contact Author) (Forums) on Fri, 2012-03-02 17:21. :: Ubuntu | FTP | Security

Setting Up ProFTPd + TLS On Ubuntu 11.10 (Oneiric Ocelot)

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>, Christian Schmalfeld <c [dot] schmalfeld [at] projektfarm [dot] de>
Follow me on Twitter
Last edited 11/08/2011

FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. This article explains how to set up ProFTPd with TLS on an Ubuntu 11.10 server.

I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.0.23. These settings might differ for you, so you have to replace them where appropriate.

Because we must run all the steps from this tutorial with root privileges, we can either prepend all commands in this tutorial with the string sudo, or we become root right now by typing

sudo su

 

2 Installing ProFTPd And OpenSSL

OpenSSL is needed by TLS; to install ProFTPd and OpenSSL, we simply run:

apt-get install proftpd openssl

You will be asked a question:

Run proftpd: <-- standalone

For security reasons you can add the following lines to /etc/proftpd/proftpd.conf (thanks to Reinaldo Carvalho; more information can be found here: http://proftpd.org/localsite/Userguide/linked/userguide.html):

vi /etc/proftpd/proftpd.conf

[...]
DefaultRoot ~
ServerIdent on "FTP Server ready."
[...]

 

3 Creating The SSL Certificate For TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/proftpd/ssl, therefore I create that directory first:

mkdir /etc/proftpd/ssl

Afterwards, we can generate the SSL certificate as follows:

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]:
<-- Enter your State or Province Name.
Locality Name (eg, city) []:
<-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
<-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:
<-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []:
<-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []:
<-- Enter your Email Address.

 

4 Enabling TLS In ProFTPd

In order to enable TLS in ProFTPd, open /etc/proftpd/proftpd.conf...

vi /etc/proftpd/proftpd.conf

... and uncomment the Include /etc/proftpd/tls.conf line:

[...]
#
# This is used for FTPS connections
#
Include /etc/proftpd/tls.conf
[...]

Then open /etc/proftpd/tls.conf and make it look as follows:

vi /etc/proftpd/tls.conf

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSOptions NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient off
TLSRequired on
</IfModule>

If you use TLSRequired on, then only TLS connections are allowed (this locks out any users with old FTP clients that don't have TLS support); by commenting out that line or using TLSRequired off both TLS and non-TLS connections are allowed, depending on what the FTP client supports.

Restart ProFTPd afterwards:

/etc/init.d/proftpd restart

That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS (this is a must if you use TLSRequired on) - see the next chapter how to do this with FileZilla.

If you're having problems with TLS, you can take a look at the TLS log file /var/log/proftpd/tls.log.

 

5 Configuring FileZilla For TLS

In order to use FTP with TLS, you need an FTP client that supports TLS, such as FileZilla.

In FileZilla, open the Site Manager:

Select the server that uses ProFTPd with TLS; in the Server Type drop-down menu, select FTPES instead of normal FTP:

Now you can connect to the server. If you do this for the first time, you must accept the server's new SSL certificate:

If everything goes well, you should now be logged in on the server:

 

6 Links


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by JonTheNiceGuy (not registered) on Thu, 2012-03-08 10:28.

So, I've worked on a few projects which mandate the use of FTP/S rather than SFTP, and I'd just like to say, it's a fricking nightmare from the security side of things.

Sure, you get to say "We're secure, because we're using TLS", but the down side to using FTP/S is that the firewall has to open up EVERY SINGLE HIGH PORT WITH A SOURCE OF YOUR FTP/S SERVER.

Here's why. With some protocols, notably FTP, but there are others too, firewalls can read the plain text packets saying where to point the transfer to. It looks (something, offhand) like this PORT A,B,C,D,E,F, where ABCD is the IP address of your machine, and then E.F is a way of calculating the port to use (see http://www.securitypronews.com/it/networksystems/spn-21-20030917UnderstandingtheFTPPORTCommand.html for details).

FTP/S just wraps the whole conversation up in TLS, so we go from having a way of the firewall looking at the conversation and saying "Oh, you're going to use port 12345 for the data connection" and then opening up that port on the firewall to the firewall not being able to read any of the data, and then blocking whatever port it's going to instead.

 Also, if you planned to have your FTP/S server have a NAT address? That's not going to work either - remember the PORT statement before - the firewall will normally re-write the whole string, let's say you have a private IP address of 192.168.1.1 and a public IP address of 12.34.56.78, and the server wants you to use port 12345. The PORT statement will show 192,168,1,1,48,57. The firewall can't re-write your 192,168,1,1 part to 12,34,56,78 let alone work out what port it will re-write to. Some clients will ignore the IP part of the port statement, but you're still stuck on the actual port number.

 I would recommend using SFTP (SSH native file transfer system) using something like the SFTP only wrappers which are publically available.