How to install ProFTPd with TLS support on Debian Jessie

This tutorial shows how to install and use FTP with ProFTPd securely. FTP without TLS is an insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. This article explains how to set up ProFTPd with TLS on an Debian Jessie server, how to add an FTP user and to use FileZilla to connect securely with TLS.

OpenSSL is needed by TLS; to install ProFTPd and OpenSSL, we simply run:

apt-get -y install proftpd openssl vim

You will be asked a question:

Run proftpd: ←- standalone

For security reasons, you should add the following lines to /etc/proftpd/proftpd.conf:

vim /etc/proftpd/proftpd.conf
[...]
# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6                         off
# If set on you can experience a longer connection delay in many cases.
IdentLookups                    off
UseReverseDNS                   off

ServerName                      "sftp.douglasqsantos.com.br"
ServerType                      standalone
ServerIdent                     on "FTP Server ready."
DeferWelcome                    off
[...]
# Message that will show when try to login
DisplayConnect                  /etc/issue.net
# Message that will show when logged in
DisplayLogin                    /etc/motd
DisplayChdir                    .message true
ListOptions                     "-l"

DenyFilter                      \*.*/

# Use this to jail all users in their homes
DefaultRoot                     ~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
RequireValidShell               off

# Port 21 is the standard FTP port.
Port                            21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
PassivePorts                    12000 12100
[...]

Now we need to change the system banners to show the appropriate information about our server.

Let's change the motd that will be showed after the user is logged in.

vim /etc/motd
############################################################################################################
# ALERT! You are entering into a secured area!                                                             #
# Your IP, Login Time, Username has been noted and has been sent to the server administrator!              #
# This service is restricted to authorized users only. All activities on this system are logged.           #
# Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies. #
############################################################################################################

Let's change the issue.net that will be showed in the log in time.

vim /etc/issue.net
###############################################################
#  Welcome to DQS                                             #
#  All connections are monitored and recorded                 #
#  Disconnect IMMEDIATELY if you are not an authorized user!  #
###############################################################

In order to use TLS, we must create an SSL certificate. I create it in /etc/proftpd/ssl, therefore I create that directory first:

mkdir /etc/proftpd/ssl

Afterward, we can generate the SSL certificate as follows:

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

Country Name (2 letter code) [AU]: #<-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: #<-- Enter your State or Province Name.
Locality Name (eg, city) []: #<-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: #<-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: #-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: #<-- Enter the Fully Qualified Domain Name of the system (e.g. "sftp.douglasqsantos.com.br").
Email Address []: #<-- Enter your Email Address.

Now we need to change the certificates permission

chmod 600 /etc/proftpd/ssl/proftpd.*

In order to enable TLS in ProFTPd, open /etc/proftpd/proftpd.conf and uncomment the Include /etc/proftpd/tls.conf line

vim /etc/proftpd/proftpd.conf
#
# This is used for FTPS connections
#
Include /etc/proftpd/tls.conf

Then open /etc/proftpd/tls.conf and make it look as follows:

vim /etc/proftpd/tls.conf
<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol TLSv1.2
TLSCipherSuite AES128+EECDH:AES128+EDH
TLSOptions                 NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                off
RequireValidShell          no
</IfModule>

If you use TLSRequired on, then only TLS connections are allowed (this locks out any users with old FTP clients that don't have TLS support); by commenting out that line or using TLSRequired off both TLS and non-TLS connections are allowed, depending on what the FTP client supports.

Restart ProFTPd afterward:

systemctl restart proftpd

That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS (this is a must if you use TLSRequired on) - see ahead how to do this with FileZilla.

If you're having problems with TLS, you can take a look at the TLS log file /var/log/proftpd/tls.log.

The ProFTPD configuration used in thus tutorial authenticates users against the Linux system user database (/etc/passwd and /etc/shadow). In this step, I will add a user “tom” to be used for FTP login only.

useradd -m -s /bin/false tom

This will add the user “tom” with the shell /bin/false. This shell ensures that he can login by FTP but not by SSH. The home directory of a user is /home/[USERNAME] by default, in our case /home/tom. ProFTPD is configured to jail the user to his home directory, so he can not access system files outside of /home/tom. If you like to set a different home directory, use the command below:

useradd -d /srv/tomftp -m -s /bin/false tom

This command sets a different home directory, in case of this example the directory /srv/tomftp for the user.

The next step is to set a password for the user tom, execute the passwd command:

passwd tom

In order to use FTP with TLS, you need an FTP client that supports TLS, such as FileZilla.

In FileZilla, open the Site Manager:

Select the server that uses ProFTPd with TLS; Select FTP as protocol and Require explicit TLS over FTP.

Now you can connect to the server, FileZilla will ask for a password.

If you do this for the first time, you must accept the server's new SSL certificate:

If everything goes well, you should now be logged in on the server:

REFERENCES