Monday, 23 January 2012

proftpd - Adding FTPS Support (mod_tls module)

This guide assumes you have proftpd installed with OpenSSL libs. If not, follow this guide

Firstly, I will quickly say....

FTPS or SFTP

People intend to mix FTPS and SFTP together, but both are actually completely differend.

FTPS is a normal FTP server but using SSL encrytion.
SFTP is a ftp kind of session over SSH (so everything is encrypted just like in SSH).


Notes
Users Guide: http://proftpd.org/localsite/Userguide/linked/userguide.html

Steps

*** Ensure mod_tls module is available within your proftpd installation.
*** Ensure you are a root user


1. Open proftpd.conf and add an include to a config file we are going to create (tls.conf). Add the following line below...
Code Snippet
  1. Include         /etc/proftpd/tls.conf
End of Code Snippet

2. Now use vi to create the config file in the specified location...
Code Snippet
  1. vi /etc/proftpd/tls.conf
End of Code Snippet

3. Enter the following information into the file (How to use vi)

Code Snippet
  1. <IfModule mod_tls.c>
  2.  
  3.         TLSEngine                               on
  4.         TLSLog                                  /var/log/proftpd/tls.log
  5.         TLSProtocol                             SSLv23
  6.         TLSRSACertificateFile                   /etc/proftpd/ssl/proftpd.cert.pem
  7.         TLSRSACertificateKeyFile                /etc/proftpd/ssl/proftpd.key.pem
  8.        
  9.         #
  10.         # Avoid CA cert and allow client renegotiation (to overcome 1.3.2c bug 3324)
  11.         #TLSOptions                             NoCertRequest AllowClientRenegotiation
  12.         #
  13.         # Authenticate clients that want to use FTP over TLS?
  14.         #
  15.        
  16.         TLSVerifyClient                         off
  17.        
  18.         #
  19.         # Are clients required to use FTP over TLS when talking to this server?
  20.         #
  21.        
  22.         TLSRequired                             on
  23.        
  24.         #
  25.         # Allow SSL/TLS renegotiations when the client requests them, but
  26.         # do not force the renegotations.  Some clients do not support
  27.         # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
  28.         # clients will close the data connection, or there will be a timeout
  29.         # on an idle data connection.
  30.         #
  31.        
  32.         TLSRenegotiate                          required off
  33.        
End of Code Snippet

4. Generate certificate using OpenSSL
Code Snippet
  1. openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem
End of Code Snippet

5. Save and close the file.

6. Now restart proftpd for the changes to take effect.
Code Snippet
  1. /etc/init.d/proftpd restart
End of Code Snippet

7. Test FTPS connectivity with the server. See below...
Note: if there are any issues with the connection process, check the log file within the tls.conf file we created: /var/log/proftpd/tls.log


Testing FTPS with lftp

1. Execute following command
Code Snippet
  1. lftp -u USERNAMEHERE -e 'set ftp:ssl-force true,ftp:ssl-protect-data true' SERVERNAMEHERE
End of Code Snippet

2. Enter password for user.

3. Perform a simple command...
Code Snippet
  1. ls -l
End of Code Snippet

No comments: