How to Install Proftpd with TLS on Ubuntu 15.04

FTP (File Transfer Protocol) is probably the most popular method of uploading files to a server. ProFTPD is a popular and easily configurable FTP server for Linux systems that supports SSL / TLS encryption.

FTP is an insecure protocol because all passwords and all data are transferred in the clear (as plain text). By using TLS, the whole communication can be encrypted, thus making FTP a safe protocol to transfer files. This article describes how to configure proftpd with TLS in Ubuntu server 15.04.

Prerequisites

  1. Ubuntu Server 15.04 64bit
  2. sudo/root privileges

What we will do in this tutorial:

  1. Install Proftpd and OpenSSL
  2. Configure Proftpd
  3. Configure User
  4. Configure TLS with proftpd
  5. Testing

Install Proftpd and OpenSSL

Proftpd and OpenSSL are available in the Ubuntu repository and can be installed with the apt command. As usual with install commands, we run the apt command through sudo to run it with root privileges:

sudo apt-get install -y proftpd openssl

When the installation begins, you will be asked whether to run Proftpd as an inetd or standalone service. Choose the standalone option here and then Ok.

Configure Proftpd

Once Proftpd is installed, you will have to change some configuration files. The Proftpd configuration file is located in the /etc/proftpd/ directory. I'll edit the proftpd.conf file with the nano editor.

cd /etc/proftpd/
nano proftpd.conf

On the line ServerName, change the name to your hostname or domain:

ServerName                      "myhostname"

Uncomment DefaultRoot:

# Use this to jail all users in their homes
DefaultRoot   		~

and restart Proftpd:

systemctl restart proftpd

Add an FTP User

There are two common ways to access an FTP server:

1. Anonymous FTP: the FTP server provides access to anyone without the need for a user account and password.
2. Access with username and password: only users that have a user account and password can access the FTP server.

I will configure option 2 here. Anonymous FTP was popular at the beginning of the internet era, but today anonymous FTP servers are misused so much that this option is only usable in closed environments like a home or company network.

Before you create a user for Proftpd, please add /bin/false to your /etc/shells file.

echo "/bin/false" >> /etc/shells

Now create a user with a home directory that will be accessible by FTP. I will disable shell access for this user by assigning the "/bin/false" shell, to ensure that the user cannot log in by SSH. My user is named "yuuki"; please replace yuuki with your username in the next command.

adduser --home /home/yuuki --shell /bin/false yuuki

The above command creates a new user called yuuki with the home directory /home/yuuki/ and with /bin/false as shell, i.e. without shell access.

And now configure Proftpd to allow the user yuuki to access the FTP server.

cd /etc/proftpd/
nano proftpd.conf

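Add this config to allow the user yuuki to log in and to upload/download files to/from his home directory /home/yuuki:

# Only yuuki may log in. <Limit LOGIN> is ignored inside <Directory>,
# so it is placed at server level.
<Limit LOGIN>
    AllowUser yuuki
    DenyAll
</Limit>

<Directory /home/yuuki>
    Umask 022 022
    AllowOverwrite off
    # Only yuuki may run FTP commands in this directory
    <Limit ALL>
        Order Allow,Deny
        AllowUser yuuki
        DenyAll
    </Limit>
    # Only yuuki may create, upload, rename or delete here
    <Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
        AllowUser yuuki
        DenyAll
    </Limit>
</Directory>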

Then restart Proftpd:

systemctl restart proftpd

At this stage, FTP can already be used, but without encryption. Now we will make it safe by enabling TLS.

Configure TLS in Proftpd

To use TLS, you have to create an SSL certificate. I will generate a self-signed certificate with the OpenSSL command, using a 2048-bit RSA key because 1024-bit RSA keys are no longer considered secure:

openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -nodes -days 365

The command will generate a certificate file proftpd.crt in the /etc/ssl/certs/ directory, and a certificate key file proftpd.key in the /etc/ssl/private/ directory.

Change the file permissions of the certificate files to 600 to disallow access by other users:

chmod 600 /etc/ssl/certs/proftpd.crt
chmod 600 /etc/ssl/private/proftpd.key

Now go back to the Proftpd directory and configure Proftpd to use the SSL certificate that you generated.

cd /etc/proftpd/
nano proftpd.conf

Uncomment the tls line:

Include /etc/proftpd/tls.conf

Save it and edit the tls file:

nano tls.conf

Uncomment all these lines:

TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv23

TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key

TLSOptions                              NoCertRequest

TLSVerifyClient                         off

TLSRequired                             on

Save and exit. The last step is to restart the Proftpd server:

systemctl restart proftpd
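
A quick audit of the resulting tls.conf, as an added example that is not part of the original tutorial: it flags settings that leave TLS disabled, optional, or open to SSLv3, which the compatibility value SSLv23 permits. The helper names and the sample file are constructed for illustration; a replacement value such as TLSv1.2 assumes the installed mod_tls and OpenSSL support it.

```sh
#!/bin/sh
# Added example: audit a ProFTPD tls.conf for weak TLS settings.
# audit_tls_conf and directive_value are hypothetical helper names.

# Print the value of the last active (uncommented) occurrence of a directive.
directive_value() {   # $1 = file, $2 = directive name
    awk -v d="$2" 'tolower($1) == tolower(d) {
        $1 = ""; sub(/^[ \t]+/, ""); v = $0
    } END { print v }' "$1"
}

# Print one finding per line; return 0 when clean, 1 when something is weak.
audit_tls_conf() {    # $1 = path to tls.conf
    findings=0
    engine=$(directive_value "$1" TLSEngine | tr 'A-Z' 'a-z')
    required=$(directive_value "$1" TLSRequired | tr 'A-Z' 'a-z')
    protocol=$(directive_value "$1" TLSProtocol)

    if [ "$engine" != "on" ]; then
        echo "TLSEngine is '${engine:-unset}': TLS is not enabled"; findings=1
    fi
    if [ "$required" != "on" ]; then
        echo "TLSRequired is '${required:-unset}': TLS is not mandatory on both channels"
        findings=1
    fi
    case " $protocol " in
        "  ") echo "TLSProtocol is unset: set the allowed versions explicitly"
              findings=1 ;;
        *" SSLv23 "*|*" SSLv3 "*)
              echo "TLSProtocol '$protocol' permits SSLv3"; findings=1 ;;
    esac
    return "$findings"
}

# Constructed sample: the directives as this tutorial leaves them.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TLSEngine                               on
TLSProtocol                             SSLv23
TLSOptions                              NoCertRequest
TLSVerifyClient                         off
TLSRequired                             on
EOF
audit_tls_conf "$sample" || echo "review the findings above"
rm -f "$sample"
```

On the server, run audit_tls_conf against /etc/proftpd/tls.conf after each edit and before restarting the service.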

Testing

To test the configuration, try to connect to your FTP server with an FTP client. I'll use FileZilla here. Fill in the server IP, username, password, and port:

Server IP : 192.168.1.108
Username : yuuki
Password : ******
Port : 21

Then click on Quickconnect. You will be asked to confirm the SSL certificate (it is self-signed, so the client cannot verify it automatically); just click OK.



You are now logged in to the FTP server over a connection encrypted with the TLS/SSL certificate.
