Proper way to secure pureftpd with SSL

Discussion in 'ISPConfig 3 Priority Support' started by Stelios, Jan 10, 2021.

  1. Stelios

    Stelios Member HowtoForge Supporter

    Hi all,

    I've read many posts about letsencrypt ssl but they all seem to be out of date.
    Would someone please confirm which is the recommended way to secure with SSL (enable TLS) the pureftpd.
    If it matters it is a multi-server setup and I'm interesting in using the default SSL which is working and is under
    /etc/letsencrypt/live/myservername/ to automate the process for future updates.

    Thanks
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  3. Stelios

    Stelios Member HowtoForge Supporter

    Thom, I don't remember the installer asked me anything about ssl and other services. There was only once it was asking about to enable ssl which I select y but the pureftpd hasn't use that ssl.
    This is on a new installation of a new web/ftp server.
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Do a force upgrade, choose y for getting a new SSL cert, and then choose y to symlink it to pure-ftpd
    Code:
    ispconfig_update.sh --force
     
  5. Stelios

    Stelios Member HowtoForge Supporter

    Thom, I run the update with force but it doesn't ask me anywhere about SSL or to symlink anything.
    See output below:

    Code:
    >> Update 
    
    Operating System: Debian 10.0 (Buster) or compatible
    
    This application will update ISPConfig 3 on your server.
    
    Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]: no
    
    MySQL master server hostname [controlpanel.myserver.com]:
    
    MySQL master server port [3306]:
    
    MySQL master server root username [root]:
    
    MySQL master server root password []: mypass
    
    MySQL master server database name [dbispconfig]:
    
    Checking ISPConfig database .. OK
    Starting incremental database update.
    Loading SQL patch file: /tmp/update_runner.sh.wOlYK2cJgJ/install/sql/incremental/upd_dev_collection.sql
    Reconfigure Permissions in master database? (yes,no) [no]: yes
    
    Service 'mail_server' has been detected (currently disabled) do you want to enable and configure it?  (yes,no) [no]:
    
    Service 'db_server' has been detected (currently disabled) do you want to enable and configure it?  (yes,no) [no]:
    
    Reconfigure Services? (yes,no,selected) [yes]:
    
    Configuring Pureftpd
    Configuring Apache
    Configuring vlogger
    Configuring Apps vhost
    Configuring Jailkit
    Configuring Ubuntu Firewall
    Configuring Database
    Updating ISPConfig
    Certificate exists. Not creating a new one.
    Reconfigure Crontab? (yes,no) [yes]:
    
    Updating Crontab
    Restarting services ...
    Update finished.
    [email protected]:~# 
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I see, this is because a valid cert is in place: "Certificate exists. Not creating a new one."
    You can remove this cert and then let it create a new oen and let the installer symlink it.
     
  7. Stelios

    Stelios Member HowtoForge Supporter

    Which cert? The one under /etc/letsencrypt/live/myhostname ?
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Under /usr/local/ispconfig/interface/ssl
     
  9. Stelios

    Stelios Member HowtoForge Supporter

    I removed the cert, run again the update and indeed it asked me for symlink. After restarting pureftpd I still can't use it with TLS, just the plain. Do I need to adjust the settings of pureftpd as well?
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Did you change your firewall rules accordingly?
     
  11. Stelios

    Stelios Member HowtoForge Supporter

    There is no firewall on this server yet. The ftp client warns that is not over TLS the connection as the server doesn't support that.
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Is TLS enabled in /etc/pure-ftpd/pure-ftpd.conf?
     
  13. Stelios

    Stelios Member HowtoForge Supporter

    I have:
    TLS 1
    CertFile /etc/ssl/private/pure-ftpd.pem

    restarted the service and same, it doesn't use the TLS
     
  14. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Does /etc/ssl/private/pure-ftpd.pem exist?
     
  15. Stelios

    Stelios Member HowtoForge Supporter

    Code:
    [email protected]:/etc/ssl/private# ls -la
    total 16
    drwx--x--- 2 root ssl-cert 4096 Jan 10 18:24 .
    drwxr-xr-x 4 root root     4096 Jan  7 13:02 ..
    -rw-r--r-- 1 root root      424 Jan  7 13:43 dhparam2048.pem
    lrwxrwxrwx 1 root root       15 Jan  7 13:43 pure-ftpd-dhparams.pem -> dhparam2048.pem
    lrwxrwxrwx 1 root root       48 Jan 10 18:24 pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.pem
    lrwxrwxrwx 1 root root       48 Jan  7 13:43 pure-ftpd.pem-20210110182416.bak -> /usr/local/ispconfig/interface/ssl/ispserver.pem
    -rw-r----- 1 root ssl-cert 1704 Jan  7 13:03 ssl-cert-snakeoil.key
    [email protected]:/etc/ssl/private# 
     
  16. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Which client are you using and can you show the used settings?
     
  17. Stelios

    Stelios Member HowtoForge Supporter

    I tried with both filizilla and with webftp that I got in place.
    The filezilla the moment it tried to connect throws a warning that the server does not support TLS and clear text login will be used.
     
  18. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you share the settings you used in FileZilla?
     
  19. Stelios

    Stelios Member HowtoForge Supporter

    Thom, the settings I got are fine; the message is very clear:

    Code:
    Response:     220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    Response:     220-You are user number 1 of 50 allowed.
    Response:     220-Local time is now 12:19. Server port: 21.
    Response:     220-This is a private system - No anonymous login
    Response:     220-IPv6 connections are also welcome on this server.
    Response:     220 You will be disconnected after 15 minutes of inactivity.
    Command:    AUTH TLS
    Response:     500 This security scheme is not implemented
    Command:    AUTH SSL
    Response:     500 This security scheme is not implemented
    Error:            Critical error: Could not connect to server
    and if I choose to auto select authentication instead of forcing TLS as above:

    Code:
    Status:          Resolving address of web4.mydomain.com
    Status:          Connecting to myIP:21...
    Status:          Connection established, waiting for welcome message...
    Status:          Insecure server, it does not support FTP over TLS.
    Status:          Logged in
    Status:          Retrieving directory listing...
    Status:          Directory listing of "/" successful
     
    Last edited: Jan 11, 2021
  20. Stelios

    Stelios Member HowtoForge Supporter

    ok found it after comparing all files from other servers that were working.
    I removed the TLS 1 from pure-ftpd.conf and also the cert file and instead I create a file called TLS with just the number 1 inside under:
    /etc/pure-ftpd/conf

    After that it worked fine.
     

Share This Page