¶ FTP Server: Configuring ProFTPD with SSL/TLS
Enhancing the security of your ProFTPD server can be achieved by enabling SSL/TLS for secure FTP connections. Follow these steps to set up SSL/TLS on ProFTPD.
¶ Step 1: Create Self-Signed Certificates
-
Navigate to the certificates directory:
cd /etc/pki/tls/certs -
Generate a self-signed certificate:
openssl req -x509 -nodes -newkey rsa:2048 -keyout proftpd.pem -out proftpd.pem -days 3650 -
Follow the on-screen prompts to enter your country code, state, city, company, department, server's FQDN, and admin email.
-
Set appropriate permissions for the certificate:
chmod 600 proftpd.pem
¶ Step 2: Configure ProFTPD for SSL/TLS
-
Edit the ProFTPD sysconfig file to add TLS option:
vi /etc/sysconfig/proftpd # Add this line PROFTPD_OPTIONS="-DTLS" -
Configure the TLS settings in ProFTPD:
vi /etc/proftpd/mod_tls.conf # Add the following configuration <IfModule mod_tls.c> TLSEngine on TLSRequired on TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem TLSCipherSuite PROFILE=SYSTEM TLSOptions NoSessionReuseRequired TLSLog /var/log/proftpd/tls.log <IfModule mod_tls_shmcache.c> TLSSessionCache shm:/file=/run/proftpd/sesscache </IfModule> </IfModule> -
Restart ProFTPD to apply the changes:
systemctl restart proftpd
¶ Step 3: Configure Firewalld for Passive Ports
-
Set fixed passive ports in ProFTPD configuration:
vi /etc/proftpd.conf # Add these lines PassivePorts 60000 60100 -
Restart ProFTPD:
systemctl restart proftpd -
Allow the specified port range in Firewalld:
firewall-cmd --add-port=60000-60100/tcp firewall-cmd --runtime-to-permanent
¶ FTP Client Configuration
¶ CentOS
-
Install and configure FTP Client for FTPS connection:
vi ~/.lftprc # Add these lines set ftp:ssl-auth TLS set ftp:ssl-force true set ftp:ssl-protect-list yes set ftp:ssl-protect-data yes set ftp:ssl-protect-fxp yes set ssl:verify-certificate no -
Connect to the FTP server using FTPS:
lftp -u cent www.srv.world
¶ Windows (FileZilla)
- Open FileZilla and navigate to File > Site Manager.
- Click the New site button and input connection information. Select Use explicit FTP over TLS for encryption.
- If using a self-signed certificate, a warning may appear; it's expected and safe to proceed.
- Once configured correctly, you'll be able to connect to the FTP server using FTPS.
By following these steps, you will have successfully enabled SSL/TLS on your ProFTPD server and configured your FTP clients on CentOS and Windows to securely connect using FTPS.