FTP (File Transfer Protocol) is probably the most popular method of uploading files to a server. ProFTPD is a popular and easily configurable FTP server for Linux systems that supports SSL/TLS encryption.
FTP is an insecure protocol because all passwords and all data are transferred in the clear (as plain text). By using TLS, the whole communication can be encrypted, thus making FTP a safe protocol to transfer files. This article describes how to configure ProFTPD with TLS on Ubuntu Server 15.04.
Prerequisites
- Ubuntu Server 15.04 64bit
- sudo/root privileges
What we will do in this tutorial:
- Install Proftpd and OpenSSL
- Configure Proftpd
- Configure User
- Configure TLS with proftpd
- Testing
Install Proftpd and OpenSSL
Proftpd and OpenSSL are available in the Ubuntu repository and can be installed with the apt command. As usual with install commands, we run the apt command through sudo to run it with root privileges:
sudo apt-get install -y proftpd openssl
When the installation begins, you will be asked whether to run Proftpd as an inetd or standalone service. Choose the standalone option here and then Ok.
Configure Proftpd
Once Proftpd is installed, you will have to change some configuration files. The Proftpd configuration file is located in the /etc/proftpd/ directory. I'll edit the proftpd.conf file with the nano editor.
cd /etc/proftpd/
nano proftpd.conf
On the line ServerName, change the name to your hostname or domain:
ServerName "myhostname"
Uncomment DefaultRoot:
# Use this to jail all users in their homes
DefaultRoot ~
and restart Proftpd:
systemctl restart proftpd
Add an FTP User
There are two common ways to access an FTP server:
1. Anonymous FTP: the FTP server provides access to anyone, without the need for a user account and password.
2. Access with username and password: only users that have a user account and password can access the FTP server.
I will configure option 2 here. Anonymous FTP was popular at the beginning of the internet era, but today anonymous FTP servers are misused so much that this option is only usable in closed environments like a home or company network.
Before you create a user for Proftpd, please add /bin/false to your /etc/shells file. By default, Proftpd only accepts logins from users whose shell is listed in that file.
echo "/bin/false" >> /etc/shells
Now create a user with a home directory that he will be able to access by FTP. I will disable shell access for this user by assigning the "/bin/false" shell to him, to ensure that he cannot log in by SSH. My user is named "yuuki"; please replace yuuki with your username in the next command.
adduser --home /home/yuuki --shell /bin/false yuuki
The above command will create a new user called yuuki with the home directory /home/yuuki/ and with /bin/false as the shell, that is, without shell access.
And now configure Proftpd to allow the user yuuki to access the FTP server.
cd /etc/proftpd/
nano proftpd.conf
Add this configuration to allow the user yuuki to log in and upload/download files to/from his home directory /home/yuuki:
<Directory /home/yuuki>
    Umask 022 022
    AllowOverwrite off
    <Limit LOGIN>
        AllowUser yuuki
        DenyAll
    </Limit>
    <Limit ALL>
        Order Allow,Deny
        AllowUser yuuki
        Deny ALL
    </Limit>
    # RNFR is the FTP "rename from" command
    <Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
        AllowUser yuuki
        Deny ALL
    </Limit>
</Directory>
and then restart Proftpd.
systemctl restart proftpd
At this stage, FTP can already be used, but without encryption. Now we will make it safe by enabling TLS.
Configure TLS in Proftpd
To use TLS, you have to create an SSL certificate. I will generate a self-signed certificate with a 2048-bit RSA key using the OpenSSL command (1024-bit RSA keys are no longer considered secure):
openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -nodes -days 365
The command will generate a certificate file proftpd.crt in the /etc/ssl/certs/ directory, and a certificate key file proftpd.key in the /etc/ssl/private/ directory.
Change the file permissions of the certificate files to 600 to disallow access by other users:
chmod 600 /etc/ssl/certs/proftpd.crt
chmod 600 /etc/ssl/private/proftpd.key
Now go back to the Proftpd directory and configure Proftpd to use the SSL certificate that you generated.
cd /etc/proftpd/
nano proftpd.conf
Uncomment the tls line:
Include /etc/proftpd/tls.conf
Save it and edit the tls file:
nano tls.conf
Uncomment all these lines:
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
TLSOptions NoCertRequest
TLSVerifyClient off
TLSRequired on
Save and exit. The last step is to restart the Proftpd server:
systemctl restart proftpd
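The following Python sketch is an added example, not part of the original tutorial or of ProFTPD: it reads the active (uncommented) directives of a tls.conf and reports settings that leave the connection weaker than intended. The function names, the messages and the policy of flagging SSLv23 (a compatibility setting that still permits SSLv3) are assumptions of this example, and both sample configurations are constructed.

```python
# Added example: audit of a ProFTPD tls.conf (not from the original tutorial).
# The checks and messages are this example's own policy, not ProFTPD output.

def parse_directives(text):
    """Map each active directive (lower-cased) to its value.
    Comments and <IfModule> tags are skipped; the last occurrence is kept."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []
    if d.get("tlsengine", "off").lower() != "on":
        findings.append("TLSEngine is not on, so mod_tls is inactive")
    if d.get("tlsrequired", "off").lower() != "on":
        findings.append("TLSRequired is not on, so part of a session may be unencrypted")
    weak = [p for p in d.get("tlsprotocol", "").split()
            if p.lower() in ("sslv3", "sslv23")]
    if weak:
        findings.append("TLSProtocol %s permits SSLv3" % " ".join(weak))
    for name in ("TLSRSACertificateFile", "TLSRSACertificateKeyFile"):
        if not d.get(name.lower()):
            findings.append(name + " is not set")
    return findings

# Constructed sample: the directives as uncommented in the tutorial.
TUTORIAL_CONF = """\
<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSRSACertificateFile      /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile   /etc/ssl/private/proftpd.key
TLSOptions                 NoCertRequest
TLSVerifyClient            off
TLSRequired                on
</IfModule>
"""
# Constructed variant restricted to TLS 1.2 (assumes every client supports it).
HARDENED_CONF = TUTORIAL_CONF.replace("SSLv23", "TLSv1.2")

if __name__ == "__main__":
    for label, conf in (("tutorial", TUTORIAL_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

To audit a live server, pass the contents of /etc/proftpd/tls.conf to audit() instead of the constructed samples.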
Testing
To test the configuration, try to connect to your FTP server with an FTP client. I'll use FileZilla here. Fill in the server IP, username, password, and port:
Server IP : 192.168.1.108
Username : yuuki
Password : ******
Port : 21
and then click on Quickconnect. You will be asked to confirm the SSL certificate; just click OK.
You are now logged in to the FTP server over a connection secured with the TLS/SSL certificate.