FTP is considered a very insecure protocol because all data transferred over it passes between client and server in clear text and can be read by anyone listening on your line. You can, however, encrypt the whole communication by enabling or forcing TLS, which makes FTP much more secure. This article explains how to set up ProFTPd with TLS on an Ubuntu server.
Install software
- We will use the ProFTPd server
- The OpenSSL library is needed to enable TLS
- We will not run the FTP service standalone; instead xinetd will start it each time an FTP request arrives at the server
sudo apt-get install proftpd openssl xinetd
Setting up your ProFTPd installation is not part of this article, so we skip directly to setting up TLS.
OpenSSL certificate
To create your own certificate for the secured FTP server, run the following command:
sudo openssl req -new -x509 -days 365 -nodes -out /etc/ssl/private/proftpd.crt -keyout /etc/ssl/keys/proftpd.pem
…where all the parameters used are described in the openssl manual pages. The most important are:
- days – number of days the certificate is valid; after the validity period the certificate must be renewed or recreated
- out – the server certificate (the public part) written by the command
- keyout – the server's private key (must be kept in a secure directory on the server)
Enable TLS in ProFTPd
First we enable reading of the TLS configuration file by uncommenting its Include line in /etc/proftpd/proftpd.conf
sudo nano /etc/proftpd/proftpd.conf
…enable TLS by uncommenting the following line
[...]
#
# This is used for FTPS connections
#
Include /etc/proftpd/tls.conf
[...]
Now we modify /etc/proftpd/tls.conf so that the certificate and key paths match the files we just created
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSOptions NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile /etc/ssl/private/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/keys/proftpd.pem
TLSVerifyClient off
TLSRequired on
</IfModule>
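As an added check, not part of the original article or of ProFTPd itself, the Python script below parses the tls.conf shown above and flags the settings a reviewer would tighten (TLSProtocol SSLv23 and AllowClientRenegotiations), next to a hardened variant whose TLSv1.2/TLSv1.3 tokens are assumed to be accepted by current ProFTPd releases.

```python
"""Audit a ProFTPd mod_tls configuration (tls.conf) for weak settings."""
# Added example, not from the original article or ProFTPd. Hardened values
# assume a current ProFTPd (1.3.6 or newer) that accepts TLSv1.2/TLSv1.3.
# Constructed copy of the article's tls.conf, used as sample input.
ARTICLE_TLS_CONF = """\
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSOptions NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile /etc/ssl/private/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/keys/proftpd.pem
TLSVerifyClient off
TLSRequired on
</IfModule>
"""
# Same file with the two weak settings tightened (assumed recommendations).
HARDENED_TLS_CONF = ARTICLE_TLS_CONF.replace(
    "TLSProtocol SSLv23", "TLSProtocol TLSv1.2 TLSv1.3"
).replace("TLSOptions NoCertRequest AllowClientRenegotiations", "TLSOptions NoCertRequest")
# Protocol tokens (lower-cased) that a new deployment should not negotiate.
LEGACY_PROTOCOLS = {"sslv2", "sslv3", "sslv23", "tlsv1", "tlsv1.0", "tlsv1.1"}


def parse_directives(conf):
    """Map each directive name (lower-cased) to its list of values."""
    directives = {}
    for line in conf.splitlines():
        line = line.strip()
        # Skip blanks, comments and the <IfModule> container tags.
        if not line or line[0] in "#<":
            continue
        name, *values = line.split()
        directives[name.lower()] = values
    return directives


def audit_tls_conf(conf):
    """Return human-readable findings; an empty list means nothing to tighten."""
    d = parse_directives(conf)
    findings = []
    if (d.get("tlsengine") or ["off"])[0].lower() != "on":
        findings.append("TLSEngine is not on: TLS is disabled")
    if (d.get("tlsrequired") or ["off"])[0].lower() != "on":
        findings.append("TLSRequired is not on: unencrypted sessions are still accepted")
    legacy = [v for v in d.get("tlsprotocol", []) if v.lower() in LEGACY_PROTOCOLS]
    if legacy:
        findings.append("TLSProtocol permits legacy versions: " + ", ".join(legacy))
    if "allowclientrenegotiations" in {v.lower() for v in d.get("tlsoptions", [])}:
        findings.append("TLSOptions AllowClientRenegotiations: client-initiated renegotiation is enabled")
    return findings
```

If the TLSRequired line is commented out, the directive is absent and the audit reports it as well, since ProFTPd then falls back to accepting unencrypted sessions.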
ProFTPd in xinetd
You have to create a new config file, /etc/xinetd.d/ftp:
service ftp
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/proftpd
server_args = -c /etc/proftpd/proftpd.conf
}
Restart xinetd by
sudo service xinetd restart
…and you should now be able to reach your FTP server over a secured connection. Because we used the TLSRequired on directive in /etc/proftpd/tls.conf, nobody can access your FTP server over an unsecured connection from now on. If you need to allow both connection types (secured and unsecured), just comment that line out.