A few days ago we showed you how to install ProFTPD on Ubuntu 17.04 | 17.10. Today's post is going to show students and new users how to configure ProFTPD to transfer files securely between the FTP client and the FTP server using SSL/TLS certificates.
ProFTPD is easy to set up and configure. You can get it installed and running in minutes. However, if you want to protect sensitive information being transferred between the FTP client and the server, you should enable SSL/TLS.
When you enable SSL/TLS, your data travels encrypted and authenticated. Even if the traffic is intercepted, the interceptor still cannot view or read the content. This is what SSL/TLS provides.
If you need to configure ProFTPD to communicate over SSL/TLS, follow the steps below.
Before continuing with generating an SSL/TLS certificate, please make sure that you have read our previous post on installing ProFTPD, since the steps below assume a working ProFTPD installation.
Now you can continue with obtaining an SSL/TLS certificate.
Step 1: Obtain an SSL/TLS certificate
To protect the ProFTPD server and transfer data over SSL/TLS, you must obtain an SSL/TLS certificate. You can get a trusted certificate from a certificate authority or create a self-signed one.
A self-signed certificate is best suited for internal use. You can use it externally, but your customers' FTP clients will warn that the certificate is untrusted, and they won't feel safe connecting to your servers.
To create a self-signed certificate (and its private key) valid for one year, run the commands below.
sudo bash
cd /etc/ssl/private
openssl req -x509 -nodes -newkey rsa:2048 -keyout proftpdServerkey.pem -out proftpdCertificate.pem -days 365
After running the commands above, you will be prompted for the details to incorporate into the certificate. Use the prompts below as a guide; the answers shown are examples.
writing new private key to 'proftpdServerkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Lab
Organizational Unit Name (eg, section) []:Lab
Common Name (e.g. server FQDN or YOUR name) []:proftpdserver.com
Email Address []:
After that, a new server private key (proftpdServerkey.pem) and server certificate (proftpdCertificate.pem) should be created and stored in the /etc/ssl/private directory. Keep the private key readable by root only (chmod 0600), as the comments in the TLS configuration file also advise.
Step 2: Configure ProFTPD with SSL/TLS
Now that you have obtained an SSL/TLS certificate, run the command below to open the ProFTPD default TLS configuration file.
sudo nano /etc/proftpd/tls.conf
Then edit the file so that the TLSEngine, TLSLog, TLSProtocol, TLSRSACertificateFile, TLSRSACertificateKeyFile and TLSRequired directives are set as shown below (the other directives stay commented out), and save.
#
# Proftpd sample configuration for FTPS connections.
#
# Note that FTPS impose some limitations in NAT traversing.
# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
# for more information.
#
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                TLSv1.2
#
# Server SSL certificate. You can generate a self-signed certificate using
# a command like:
#
# openssl req -x509 -newkey rsa:1024 \
#          -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
#          -nodes -days 365
#
# The proftpd.key file must be readable by root only. The other file can be
# readable by anyone.
#
# chmod 0600 /etc/ssl/private/proftpd.key
# chmod 0640 /etc/ssl/private/proftpd.key
#
TLSRSACertificateFile      /etc/ssl/private/proftpdCertificate.pem
TLSRSACertificateKeyFile   /etc/ssl/private/proftpdServerkey.pem
#
# CA the server trusts...
#TLSCACertificateFile      /etc/ssl/certs/CA.pem
# ...or avoid CA cert and be verbose
#TLSOptions                NoCertRequest EnableDiags
# ... or the same with relaxed session use for some clients (e.g. FireFtp)
#TLSOptions                NoCertRequest EnableDiags NoSessionReuseRequired
#
#
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#
#TLSOptions                AllowClientRenegotiations
#
# Authenticate clients that want to use FTP over TLS?
#
#TLSVerifyClient           off
#
# Are clients required to use FTP over TLS when talking to this server?
#
TLSRequired                on
#
#
Save the file when you’re done.
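As an added check (not part of the original post), the small Python script below parses a ProFTPD tls.conf and flags the settings that would leave sessions unencrypted or downgradable: it is run here against a constructed copy of the configuration above and against a weakened variant with TLSRequired commented out and the Debian default of TLSProtocol SSLv23.

```python
"""Lint a ProFTPD tls.conf for the mod_tls settings this post relies on.

Added example, not part of the original post. Both sample configs below
are constructed inline so the script runs offline.
"""
import stat

# Values of TLSProtocol that should not be offered. SSLv23 (the Debian sample
# default) means "any version the library supports", which includes old ones.
WEAK_PROTOCOLS = {"SSLv23", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def parse_tls_conf(text):
    """Return {directive: value} for active (non-comment) lines; last one wins."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            parts = line.split(None, 1)
            directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def check_tls_conf(text, key_mode=None):
    """Return a list of findings; an empty list means the config looks sound.

    key_mode is the st_mode of the private key file when known, so the
    permission check can run without touching the filesystem.
    """
    d = parse_tls_conf(text)
    findings = []
    if d.get("TLSEngine", "off").lower() != "on":
        findings.append("TLSEngine is not 'on': mod_tls is disabled")
    if d.get("TLSRequired", "off").lower() != "on":
        findings.append("TLSRequired is not 'on': logins may go over plaintext FTP")
    protos = set(d.get("TLSProtocol", "").split())
    if protos & WEAK_PROTOCOLS:
        findings.append("TLSProtocol offers weak versions: " + ", ".join(sorted(protos & WEAK_PROTOCOLS)))
    for name in ("TLSRSACertificateFile", "TLSRSACertificateKeyFile"):
        if name not in d:
            findings.append(f"{name} missing: server cannot present a certificate")
    if key_mode is not None and key_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("private key readable by group or others; use chmod 0600")
    return findings


# Constructed samples: the post's settings, and a weakened variant.
GOOD_CONF = "TLSEngine on\nTLSLog /var/log/proftpd/tls.log\nTLSProtocol TLSv1.2\n" \
    "TLSRSACertificateFile /etc/ssl/private/proftpdCertificate.pem\n" \
    "TLSRSACertificateKeyFile /etc/ssl/private/proftpdServerkey.pem\nTLSRequired on\n"
WEAK_CONF = GOOD_CONF.replace("TLSv1.2", "SSLv23").replace("TLSRequired", "#TLSRequired")

if __name__ == "__main__":
    print("post:", check_tls_conf(GOOD_CONF, key_mode=0o100600) or "ok")
    print("weak:", check_tls_conf(WEAK_CONF, key_mode=0o100644))
```

To lint the real file, pass `open("/etc/proftpd/tls.conf").read()` and `os.stat("/etc/ssl/private/proftpdServerkey.pem").st_mode` as the two arguments.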
Then open the ProFTPD default configuration file and uncomment the Include line so that the tls.conf settings are loaded.
sudo nano /etc/proftpd/proftpd.conf
Remove the leading # from the Include line so it reads as below, and save.
#
# This is used for FTPS connections
#
Include /etc/proftpd/tls.conf
Save the /etc/proftpd/proftpd.conf file and close it.
Step 3: Restart ProFTPD
After configuring the server, run the command below to restart the service.
sudo systemctl restart proftpd
After that, open your favorite FTP client and connect to the server using explicit FTP over TLS (FTPS) with your usual username and password.
On connecting, you should get a prompt to trust the server's certificate (it is self-signed, so the client cannot verify it against a certificate authority).
Access should be granted after that.