Secured FTP – ProFTP + TLS in Ubuntu

FTP is considered a very insecure protocol because everything it transfers, credentials included, passes between client and server in clear text and can be read by anyone listening on the line. But you can easily encrypt the whole communication by enabling (and forcing) TLS, which makes FTP much more secure. This article explains how to set up ProFTPd with TLS on an Ubuntu server.

Install software

  • We will use the ProFTPd server
  • The OpenSSL library is needed for enabling TLS
  • We will not run the FTP service as a standalone daemon; xinetd will start it each time an FTP request reaches the server

sudo apt-get install proftpd openssl xinetd

Setting up your ProFTPd installation is not part of this article, so we skip directly to setting up TLS.

OpenSSL certificate

To create your own certificate that will be used by your secured FTP server, call the following command:

sudo openssl req -new -x509 -days 365 -nodes -out /etc/ssl/private/proftpd.crt -keyout /etc/ssl/keys/proftpd.pem

…where all the parameters used are described in the openssl manual pages. The most important are:

  • days – number of days the certificate is valid. After the validity period the certificate must be renewed or recreated
  • out – private key of the server (must be kept in a secure directory on the server)
  • keyout – public key of the server

Enable TLS in ProFTPd

First we enable reading of the TLS configuration file by uncommenting its Include directive in /etc/proftpd/proftpd.conf

sudo nano /etc/proftpd/proftpd.conf

…and enable TLS by uncommenting the following line:

[...]
# 
# This is used for FTPS connections
#
Include /etc/proftpd/tls.conf
[...]

Now we modify the /etc/proftpd/tls.conf file so that it points to our certificate file paths:

<IfModule mod_tls.c>
  TLSEngine                  on
  TLSLog                     /var/log/proftpd/tls.log
  TLSProtocol                SSLv23
  TLSOptions                 NoCertRequest AllowClientRenegotiations
  TLSRSACertificateFile      /etc/ssl/private/proftpd.crt
  TLSRSACertificateKeyFile   /etc/ssl/keys/proftpd.pem
  TLSVerifyClient            off
  TLSRequired                on
</IfModule>
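As an added check (example code written for this article, not part of ProFTPD or the original post), the following Python script parses a tls.conf like the one above and reports settings that weaken the intended TLS-only setup; the config from this article is embedded as constructed sample input, and the set of protocol tokens treated as legacy is an assumption based on the mod_tls TLSProtocol values.

```python
# Constructed sample input: the tls.conf shown in this article.
SAMPLE_TLS_CONF = """<IfModule mod_tls.c>
  TLSEngine                  on
  TLSLog                     /var/log/proftpd/tls.log
  TLSProtocol                SSLv23
  TLSOptions                 NoCertRequest AllowClientRenegotiations
  TLSRSACertificateFile      /etc/ssl/private/proftpd.crt
  TLSRSACertificateKeyFile   /etc/ssl/keys/proftpd.pem
  TLSVerifyClient            off
  TLSRequired                on
</IfModule>
"""

# TLSProtocol tokens that still admit SSLv3 or deprecated TLS 1.0/1.1 handshakes (assumed set).
LEGACY_PROTOCOLS = {"SSLv23", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_tls_conf(text):
    """Return {directive: value} for the lines inside <IfModule mod_tls.c>."""
    directives = {}
    inside = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        if line.lower().startswith("<ifmodule") and "mod_tls.c" in line:
            inside = True
        elif line.lower() == "</ifmodule>":
            inside = False
        elif inside:
            parts = line.split(None, 1)
            directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    return directives

def audit_tls_conf(text):
    """Return findings that weaken a TLS-only setup; an empty list passes."""
    d = parse_tls_conf(text)
    findings = []
    if d.get("TLSEngine", "off").lower() != "on":
        findings.append("TLSEngine is not on: mod_tls is disabled")
    required = d.get("TLSRequired", "off")
    if required.lower() != "on":
        findings.append(f"TLSRequired is {required!r}: part of the session may be sent in clear text")
    for proto in d.get("TLSProtocol", "").split():
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"TLSProtocol {proto} admits legacy SSL/TLS versions")
    if "AllowClientRenegotiations" in d.get("TLSOptions", "").split():
        findings.append("TLSOptions AllowClientRenegotiations permits client-initiated renegotiation")
    return findings
```

Run against the article's config it flags the SSLv23 protocol setting and the renegotiation option while confirming that TLSRequired on is in place.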

ProFTPd in xinetd

Create a new config file at /etc/xinetd.d/ftp with the following content:

service ftp
{
  disable     = no
  flags       = REUSE
  socket_type = stream
  wait        = no
  user        = root
  server      = /usr/sbin/proftpd
  server_args = -c /etc/proftpd/proftpd.conf
}

Restart xinetd with

sudo service xinetd restart

…and now you should be able to access your FTP server over a secured connection. Because we used the TLSRequired on directive in /etc/proftpd/tls.conf, no one will be able to access your FTP server over an unsecured connection from now on. If you need to allow both connection types (secured and unsecured), just comment that line out.
