Client Area

 Client Area

Install Proftpd with TLS on Ubuntu 16.04 LTS

Proftpd Tls Ubuntu

Sections

    Install Proftpd

    Update your packages repository list and install proftpd server

    apt-get update && apt-get -y install proftpd openssl
    

    During the proftpd installation, choose standalone mode.

    Then edit proftpd configuration file :

    nano /etc/proftpd/proftpd.conf
    

    And remove the # at the beginning of the following lines

    DefaultRoot                     ~
    RequireValidShell               off
    

    Because the most part of our ftp clients prefer to use passive connections, you need to uncommand the line beginning with #PassivePorts and specify passive ports range you want to use :

    PassivePorts                  49000 50000
    

    In this example, we will use ports 49000 to 50000

    This way, we can allow incoming connections on this ports range with UFW :

    ufw allow 49000:50000/tcp
    

    Restart proftpd server to apply the configuration

    service proftpd restart
    

    Create the SSL Certificate

    At first, we have to create a folder to store ou SSL certificate. In our example, we will use /etc/proftpd/ssl :

    mkdir /etc/proftpd/ssl
    

    Then, we can generate the certificate with openssl :

    openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem
    

    The process will look like :

    root@vps~# openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem
    Generating a 2048 bit RSA private key
    .................+++
    ..............+++
    writing new private key to '/etc/proftpd/ssl/proftpd.key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:FR
    State or Province Name (full name) [Some-State]:-
    Locality Name (eg, city) []: Paris
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:   VirtuBox
    Organizational Unit Name (eg, section) []:IT
    Common Name (e.g. server FQDN or YOUR name) []:server.virtubox.net
    Email Address []:admin@virtubox.net
    

    Secure the generated certificate :

    chmod 600 /etc/proftpd/ssl/proftpd.*
    

    Enable TLS with Proftpd

    Edit /etc/proftpd/proftpd.conf another time, and to uncomment the line :

    Include /etc/proftpd/tls.conf
    

    Then edit the file /etc/proftpd/tls.conf and make it looks like :

    <IfModule mod_tls.c>
    TLSEngine                  on
    TLSLog                     /var/log/proftpd/tls.log
    TLSProtocol TLSv1.2
    TLSCipherSuite AES128+EECDH:AES128+EDH
    TLSOptions                 NoCertRequest AllowClientRenegotiations NoSessionReuseRequired
    TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
    TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
    TLSVerifyClient            off
    TLSRequired                off
    RequireValidShell          no
    </IfModule>
    

    To apply the new configuration, restart proftpd service :

    service proftpd restart
    

    Add a new ftp user

    To add a user, it require to define his home folder, which is the website folder you want to use, and to include our ftp user in group www-data. Just replace the folder and your-ftp-user in the following command

    adduser --home /var/www/votredomaine.tld/ --shell /bin/false --ingroup www-data your-ftp-user
    

    The last step is to add group permissions on your website folder

    chmod -R g+rw /var/www/domainname
    

    You can now login with your favorite ftp client, and your new user will only be able to access to his home folder.

    in EasyEngineLinux

    Feedback