how_to_install_proftpd_with_tls_support_on_debian_jessie_en [2017/09/05 12:18] (current)
====== How to install ProFTPd with TLS support on Debian Jessie ======

This tutorial shows how to install and use FTP with ProFTPd securely. FTP without TLS is an insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, which makes FTP much more secure. This article explains how to set up ProFTPd with TLS on a Debian Jessie server, how to add an FTP user, and how to use FileZilla to connect securely with TLS.

===== Install ProFTPd and OpenSSL =====

TLS needs OpenSSL; to install ProFTPd, OpenSSL and the vim editor used to edit the configuration files below, run:
<sxh bash>
apt-get -y install proftpd openssl vim
</sxh>

You will be asked how ProFTPd should be run:

Run proftpd: **<-- standalone**

For security reasons, you should add the following lines to /etc/proftpd/proftpd.conf:

<sxh bash>
vim /etc/proftpd/proftpd.conf
[...]
# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support, which is annoying on IPv4-only boxes.
UseIPv6                         off
# If set on, you can experience a longer connection delay in many cases.
IdentLookups                    off
UseReverseDNS                   off

ServerName                      "sftp.douglasqsantos.com.br"
ServerType                      standalone
ServerIdent                     on "FTP Server ready."
DeferWelcome                    off
[...]
# Message shown when a client connects, before it logs in
DisplayConnect                  /etc/issue.net
# Message shown after a successful login
DisplayLogin                    /etc/motd
DisplayChdir                    .message true
ListOptions                     "-l"

DenyFilter                      \*.*/

# Use this to jail all users in their home directories
DefaultRoot                     ~

# Users require a valid shell listed in /etc/shells to log in.
# Use this directive to lift that constraint.
RequireValidShell               off

# Port 21 is the standard FTP port.
Port                            21

# In some cases you have to specify a passive port range to bypass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a narrower range.
PassivePorts                    12000 12100
[...]
</sxh>

Now we need to change the system banners so that they show the appropriate information about our server.

Let's change the motd, which is shown after the user has logged in.
<sxh bash>
vim /etc/motd
############################################################################################################
# ALERT! You are entering into a secured area!                                                             #
# Your IP, Login Time, Username has been noted and has been sent to the server administrator!              #
# This service is restricted to authorized users only. All activities on this system are logged.           #
# Unauthorized access will be fully investigated and reported to the appropriate law enforcement agencies. #
############################################################################################################
</sxh>

Let's change issue.net, which is shown when a client connects, before it logs in.
<sxh bash>
vim /etc/issue.net
###############################################################
#  Welcome to DQS                                             #
#  All connections are monitored and recorded                 #
#  Disconnect IMMEDIATELY if you are not an authorized user!  #
###############################################################
</sxh>
===== Create the SSL Certificate for TLS =====

In order to use TLS, we must create an SSL certificate. I create it in /etc/proftpd/ssl, therefore I create that directory first:
<sxh bash>
mkdir /etc/proftpd/ssl
</sxh>

Afterwards, we can generate a self-signed certificate and its private key as follows. The key is left unencrypted (-nodes) so that ProFTPd can read it at startup without a passphrase, and the certificate is valid for one year (-days 365):
<sxh bash>
openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

Country Name (2 letter code) [AU]: #<-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: #<-- Enter your State or Province Name.
Locality Name (eg, city) []: #<-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: #<-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: #<-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: #<-- Enter the Fully Qualified Domain Name of the system (e.g. "sftp.douglasqsantos.com.br").
Email Address []: #<-- Enter your Email Address.
</sxh>

Now we need to restrict the permissions on the certificate and the private key so that only root can read them:
<sxh bash>
chmod 600 /etc/proftpd/ssl/proftpd.*
</sxh>

===== Enable TLS in ProFTPd =====

In order to enable TLS in ProFTPd, open /etc/proftpd/proftpd.conf and uncomment the Include /etc/proftpd/tls.conf line:
<sxh bash>
vim /etc/proftpd/proftpd.conf
#
# This is used for FTPS connections
#
Include /etc/proftpd/tls.conf
</sxh>

Then open /etc/proftpd/tls.conf and make it look as follows:
<sxh bash>
vim /etc/proftpd/tls.conf
<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                TLSv1.2
TLSCipherSuite             AES128+EECDH:AES128+EDH
TLSOptions                 NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                off
RequireValidShell          no
</IfModule>
</sxh>

If you use TLSRequired on, then only TLS connections are allowed (this locks out any users with old FTP clients that don't have TLS support); by commenting out that line or using TLSRequired off, both TLS and non-TLS connections are allowed, depending on what the FTP client supports. Keep in mind that with TLSRequired off a client that does not ask for TLS still sends its password in clear text, so switch to TLSRequired on as soon as all of your clients support TLS.
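The following script is an added example and not part of this tutorial or of ProFTPd: it reads a constructed merge of the directives from proftpd.conf and tls.conf above and flags the settings that weaken the setup (TLSRequired off, AllowClientRenegotiations, an old TLSProtocol) as well as the two directives the setup relies on (DefaultRoot for the jail, PassivePorts for the firewall), then shows the same configuration with TLSRequired on and the renegotiation option removed. The parser is a deliberate simplification that ignores <IfModule> nesting and inline Includes.

```python
"""Audit the security-relevant ProFTPd directives from the two files above."""
import re

# Constructed sample for this example: the directives from proftpd.conf and
# tls.conf above, merged into one string (assumption: a real deployment keeps
# them in two files joined by the Include line).
TUTORIAL_CONF = """\
UseIPv6                         off
IdentLookups                    off
UseReverseDNS                   off
ServerType                      standalone
DefaultRoot                     ~
RequireValidShell               off
Port                            21
PassivePorts                    12000 12100
<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                TLSv1.2
TLSCipherSuite             AES128+EECDH:AES128+EDH
TLSOptions                 NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                off
</IfModule>
"""

# Constructed hardened variant: TLS mandatory on control and data channels,
# and client-initiated renegotiation no longer allowed.
HARDENED_CONF = re.sub(r"(?m)^TLSRequired\s+\S+", "TLSRequired on", TUTORIAL_CONF)
HARDENED_CONF = HARDENED_CONF.replace(" AllowClientRenegotiations", "")


def parse_directives(text):
    """Map each directive name (lower-cased, since ProFTPd ignores case) to its
    argument list. Comment lines and <IfModule>/</IfModule> tags are skipped;
    a directive that appears twice keeps its last value."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].split() if len(parts) > 1 else []
    return directives


def audit(text):
    """Return a list of (directive, message) findings; empty means nothing flagged."""
    d = parse_directives(text)

    def first(name, default):
        values = d.get(name) or [default]
        return values[0].lower()

    if first("tlsengine", "off") != "on":
        # Nothing else matters if mod_tls is off: every login is in clear text.
        return [("TLSEngine", "mod_tls is off: passwords and data travel in clear text")]

    findings = []
    if first("tlsrequired", "off") != "on":
        findings.append(("TLSRequired",
                         "not 'on': a client that never asks for TLS still logs in in clear text"))
    if "allowclientrenegotiations" in {o.lower() for o in d.get("tlsoptions", [])}:
        findings.append(("AllowClientRenegotiations",
                         "client-initiated renegotiation enabled; drop it unless a client needs it"))
    if {p.lower() for p in d.get("tlsprotocol", [])} & {"sslv3", "tlsv1", "tlsv1.1"}:
        findings.append(("TLSProtocol", "a version older than TLSv1.2 is still accepted"))
    if "defaultroot" not in d:
        findings.append(("DefaultRoot", "missing: users are not jailed to their home directories"))
    if "passiveports" not in d:
        findings.append(("PassivePorts", "missing: the firewall cannot be limited to a known data-port range"))
    return findings


if __name__ == "__main__":
    for label, conf in (("tutorial", TUTORIAL_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or 'no findings'}")
```

Run against the tutorial's own settings the audit reports TLSRequired and AllowClientRenegotiations; the hardened variant reports nothing. Point it at your real files by reading them into a string instead of the constructed sample.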

Restart ProFTPd afterwards:
<sxh bash>
systemctl restart proftpd
</sxh>

That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS (this is a must if you use TLSRequired on). See below how to do this with FileZilla.

If you're having problems with TLS, take a look at the TLS log file /var/log/proftpd/tls.log.

===== Add an FTP user =====

The ProFTPD configuration used in this tutorial authenticates users against the Linux system user database (/etc/passwd and /etc/shadow). In this step, I will add a user "tom" to be used for FTP login only.
<sxh bash>
useradd -m -s /bin/false tom
</sxh>

This adds the user "tom" with the shell /bin/false. This shell ensures that he can log in by FTP but not by SSH; it is also why RequireValidShell is set to off above, because /bin/false is normally not listed in /etc/shells. The home directory of a user is /home/[USERNAME] by default, in our case /home/tom. ProFTPD is configured to jail the user to his home directory, so he cannot access system files outside of /home/tom. If you would like to set a different home directory, use the command below:

<sxh bash>
useradd -d /srv/tomftp -m -s /bin/false tom
</sxh>

This command sets a different home directory, in this example /srv/tomftp, for the user.

The next step is to set a password for the user tom; execute the passwd command:
<sxh bash>
passwd tom
</sxh>

===== Configuring FileZilla for TLS =====

In order to use FTP with TLS, you need an FTP client that supports TLS, such as [[http://filezilla-project.org/|FileZilla]].

In FileZilla, open the Site Manager:

{{:filezilla_1.png?500|}}

Select the server that uses ProFTPd with TLS; select FTP as the protocol and "Require explicit FTP over TLS" as the encryption.

{{:FileZilla_user_dialog.png?500|}}

Now you can connect to the server; FileZilla will ask for a password.

{{:FileZilla_enter_password.png?300|}}

If you do this for the first time, you must accept the server's new SSL certificate:

{{:FileZilla_Unknown_certificate.png?500|}}

If everything goes well, you should now be logged in on the server:

{{:FileZilla_logged_in.png?600|}}
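For readers who want to script the same connection, here is an added example (not part of this tutorial, FileZilla or ProFTPd) using Python's standard-library ftplib. It performs the exchange that "Require explicit FTP over TLS" stands for: a clear-text connection to port 21, AUTH TLS before the password is sent, then PROT P so that the data channel is encrypted as well. Because the server certificate is self-signed, the client pins the server's own proftpd.cert.pem instead of clicking through the "Unknown certificate" dialog; the host name is the tutorial's ServerName, the certificate path is a placeholder, and the user "tom" is the one created above.

```python
"""Explicit FTP over TLS from Python: the same AUTH TLS / PROT P exchange that
FileZilla performs with "Require explicit FTP over TLS"."""
import ssl
from ftplib import FTP_TLS

# Constructed placeholders for this example: the host is the ServerName used in
# the tutorial; the certificate path assumes you copied the server's
# /etc/proftpd/ssl/proftpd.cert.pem to the client machine.
HOST = "sftp.douglasqsantos.com.br"
PORT = 21
PINNED_CERT = "/path/to/copy/of/proftpd.cert.pem"


def make_tls_context(cafile=None):
    """Client context that verifies the server certificate and refuses anything
    below TLSv1.2 (matching the TLSProtocol line in tls.conf). A self-signed
    certificate has no CA behind it, so the server's own certificate file is
    passed as cafile: the pinned equivalent of accepting it once in FileZilla's
    'Unknown certificate' dialog. check_hostname means the certificate's Common
    Name (or a SAN) must match the FQDN you connect to, which is why the
    tutorial asks for the FQDN as Common Name."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def list_home_directory(host, user, password, cafile, port=21):
    """Connect in clear text to port 21, upgrade the control connection with
    AUTH TLS before the password is sent, then switch the data channel to TLS
    with PROT P so listings and transfers are encrypted too. Returns the
    listing of the user's (jailed) home directory."""
    ftps = FTP_TLS(context=make_tls_context(cafile))
    ftps.connect(host, port, timeout=30)
    ftps.auth()            # AUTH TLS: from here on the control channel is encrypted
    ftps.login(user, password)
    ftps.prot_p()          # PROT P: data connections (PassivePorts 12000-12100) are encrypted
    try:
        return ftps.nlst()
    finally:
        ftps.quit()


if __name__ == "__main__":
    import getpass
    print(list_home_directory(HOST, "tom", getpass.getpass("Password for tom: "), PINNED_CERT, PORT))
```

Without prot_p() the login would be protected but every directory listing and file transfer would still cross the network in clear text; with TLSRequired on in tls.conf the server rejects such clients, which is the behaviour you want once all clients are TLS-capable.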
====== REFERENCES ======
  - https://www.howtoforge.com/tutorial/install-proftpd-with-tls-on-ubuntu-16-04/
  - ProFTPd: http://www.proftpd.org/
  - FileZilla: http://filezilla-project.org/
  - Debian: http://www.debian.org/
  - https://www.howtoforge.com/community/threads/ftp-login-very-slow.6447/ -> Disable reverse DNS lookups