Goline Logo

News

  • Route RPKI validation April 1st, 2022
    RPKI is a security framework by which network owners can validate and secure the critical route updates or Border Gateway Protocol (BGP) announcements between public Internet networks. BGP is essentially the central nervous system of the Internet and one of its fundamental building blocks. The main function of BGP is to facilitate efficient routing between Autonomous Systems (AS), by building and maintaining the Internet routing table. The Internet routing table is effectively the navigation system of the Internet and without it, traffic would be unable to flow between its constituent networks. Unfortunately, routing equipment alone cannot distinguish between legitimate and malicious routing announcements,...
  • RIPE – Atlas Anchor February 17th, 2022
    We have become an even more integral part of the RIPE Atlas project by hosting an anchor, a device that allows for latency analysis of traffic between autonomous systems.https://atlas.ripe.net/probes/7073/RIPE Atlas anchors play an integral role in the RIPE Atlas network by acting both as enhanced RIPE Atlas probes with more measurement capacity, as well as regional measurement targets within the greater RIPE Atlas network. Anchors are able to perform many more measurements than a regular RIPE Atlas probe, and the large amount of data they collect is made available to everyone. In addition, anchors act as powerful targets that can...
  • MANRS June 20th, 2020
    GOLINE firmly believes in initiatives to protect networks, improve security and resilience of the global routing system. Therefore we decided to support the MANRS project and join as participants.Mutually Agreed Norms for Routing Security (MANRS) is a global initiative, supported by the Internet Society, that provides crucial fixes to reduce the most common routing threats. MANRS offers specific actions via four programs for Network Operators, Internet Exchange Points, CDN and Cloud Providers, and Equipment Vendors. Requirements for Participation Please read the full MANRS Actions document before applying. You can become a participant if you meet these requirements: You (or your company) support...

ProFTPd with TLS support on Ubuntu

Paolo Caparrelli Linux 22 June 2022

How to install ProFTPd with TLS support on Ubuntu 15.04

On this page

  1. 1 Preliminary Note
  2. 2 Install ProFTPd and OpenSSL
  3. 3 Create the SSL Certificate for TLS
  4. 4 Enable TLS in ProFTPd
  5. 5 Add an FTP user
  6. 6 Configuring FileZilla for TLS
  7. 7 Links

FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. This article explains how to set up ProFTPd with TLS on an Ubuntu 15.04 server, how to add an FTP user and to use FileZilla to connect securely with TLS.

1 Preliminary Note

In this tutorial, I will use the hostname server1.example.com with the IP address 192.168.1.100. These settings might differ for you, so you have to replace them where appropriate.

Because we must run all the steps from this tutorial with root privileges, we can either prepend all commands in this tutorial with the string sudo, or we become root right now by typing

sudo su

 

2 Install ProFTPd and OpenSSL

OpenSSL is needed by TLS; to install ProFTPd and OpenSSL, we simply run:

apt-get install proftpd openssl

You will be asked a question:

Run proftpd: <– standalone

For security reasons, you should add the following lines to /etc/proftpd/proftpd.conf:

nano /etc/proftpd/proftpd.conf

[…]
DefaultRoot ~
ServerIdent on "FTP Server ready."
[…]

The first option enables chrooting of FTP users into their home directory and the second option enables a ServerIdent message that does not contain any information about the used FTP server software, version or OS so that an potential attacker dont gets these details on the silver plate.

3 Create the SSL Certificate for TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/proftpd/ssl, therefore I create that directory first:

mkdir /etc/proftpd/ssl

Afterward, we can generate the SSL certificate as follows:

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

Country Name (2 letter code) [AU]: <– Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]:<– Enter your State or Province Name.
Locality Name (eg, city) []:<– Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<– Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:<– Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []:<– Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []:<– Enter your Email Address.

 and secure the generated certificate files.

chmod 600 /etc/proftpd/ssl/proftpd.*

4 Enable TLS in ProFTPd

In order to enable TLS in ProFTPd, open /etc/proftpd/proftpd.conf…

nano /etc/proftpd/proftpd.conf

… and uncomment the Include /etc/proftpd/tls.conf line:

[…]
#
# This is used for FTPS connections
#
Include /etc/proftpd/tls.conf
[…]

Then open /etc/proftpd/tls.conf and make it look as follows:

nano /etc/proftpd/tls.conf

<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol TLSv1.2
TLSCipherSuite AES128+EECDH:AES128+EDH
TLSOptions                 NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                on
RequireValidShell          no
</IfModule>

If you use TLSRequired on, then only TLS connections are allowed (this locks out any users with old FTP clients that don't have TLS support); by commenting out that line or using TLSRequired off both TLS and non-TLS connections are allowed, depending on what the FTP client supports.

Restart ProFTPd afterward:

systemctl restart proftpd.service

That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS (this is a must if you use TLSRequired on) – see the next chapter how to do this with FileZilla.

If you're having problems with TLS, you can take a look at the TLS log file /var/log/proftpd/tls.log.

 

5 Add an FTP user

The ProFTPD configuration used in thus tutorial authenticates users against the Linux system user database (/etc/passwd and /etc/shadow). In this step, I will add a user "tom" to be used for FTP login only.

useradd –shell /bin/false tom

This will add the user "tom" with the shell /bin/false. This shell ensures that he can login by FTP but not by SSH. The home directory of a user is /home/[USERNAME] by default, in our case /home/tom. ProFTPD is configured to jail the user to his home directory, so he can not access system files outside of /home/tom. If you like to set a different home directory, use the command below:

useradd –home /srv/tomftp –create-home –shell /bin/false tom

This command sets a different home directory, in case of this example the directory /srv/tomftp for the user.

The next step is to set a password for the user tom, execute the passwd command:

passwd tom

And enter the new password twice, when requested.

0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x