ProFTPd is a popular FTP server that can be configured to use the SFTP protocol, a secure FTP alternative, instead of FTP. This article will show you how to configure ProFTPd to use this protocol to avoid the insecurity of FTP.
We will show you how to configure this on Ubuntu 16.04, but most distributions should work in a similar way.
Installation
The ProFTPd software is in Ubuntu’s default repositories. We can install it by typing:
$ sudo apt update
$ sudo apt install proftpd
ProFTPD can be run either as a service from inetd or as a standalone server. Each choice has its own benefits. With only a few FTP connections per day, it is probably better to run ProFTPD from inetd in order to save resources. On the other hand, with higher traffic, ProFTPD should run as a standalone server to avoid spawning a new process for each incoming connection. Choose “standalone” when prompted during installation.
Configurations
After the installation is done, you have to configure the server. The configuration is in proftpd.conf:
$ sudo nano /etc/proftpd/proftpd.conf
Change the following attributes to the values given below.
- UseIPv6 off
- ServerName “MyFTPDServer”
- DefaultRoot /var/www/
- Port 990
- PassivePorts 1024 1048
- MasqueradeAddress xxx.xxx.xxx.xxx <- Your Elastic IP
- RequireValidShell on
- AuthOrder mod_auth_pam.c* mod_auth_unix.c
Save the file and restart the service.
$ sudo service proftpd restart
Creating users
A default proftpd user is created automatically, but it is better to create another user to share among your developers.
Create a user and assign a password with these commands:
$ sudo adduser ftpusername
$ sudo passwd ftpusername
Restrict this user's access to /var/www/ only:
$ sudo usermod -m -d /var/www/ ftpusername
Add the user to the www-data group so that it can update the files. If the user can access the folder but cannot make any changes, run this command:
$ sudo chown -R ftpusername:www-data /var/www/
You may use any FTP client, such as FileZilla or WinSCP, to connect.
Enabling TLS in ProFTPD
To run ProFTPD in TLS mode, you need a certificate and key. You can generate them with the command below.
$ sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/private/proftpdserverkey.pem -out /etc/ssl/certs/proftpdcertificate.pem -days 3650
The TLS configuration lives in the tls.conf file. You have to enable it in the proftpd.conf file:
- Include /etc/proftpd/tls.conf
Open up tls.conf to modify some settings.
$ sudo nano /etc/proftpd/tls.conf
This file should contain the following settings.
- TLSRSACertificateFile /etc/ssl/certs/proftpdcertificate.pem
- TLSRSACertificateKeyFile /etc/ssl/private/proftpdserverkey.pem
- TLSEngine on
- TLSLog /var/log/proftpd/tls.log
- TLSProtocol SSLv3 TLSv1
- TLSRequired off
- TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
- TLSVerifyClient off
- TLSRenegotiate none
Save the file and restart the service.
$ sudo service proftpd restart
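As an added check that is not part of the original article: a small POSIX shell audit that reads a tls.conf and flags the weaker values from the list above (TLSProtocol including SSLv3/TLSv1, TLSRequired off), next to a corrected variant that passes. It assumes the standard mod_tls directive names and a ProFTPD build that accepts TLSv1.2; both sample files are constructed here, not taken from a real server.

```shell
#!/bin/sh
# Added example, not from the article: audit a ProFTPD tls.conf for the weak
# settings used above. Assumes standard mod_tls directive names; the sample
# files below are constructed, not copied from a real server.

WEAK_TLS_CONF=$(mktemp)      # mirrors the article's tls.conf values
cat > "$WEAK_TLS_CONF" <<'EOF'
TLSEngine on
TLSProtocol SSLv3 TLSv1
TLSRequired off
TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
EOF

HARDENED_TLS_CONF=$(mktemp)  # same file with corrected values
cat > "$HARDENED_TLS_CONF" <<'EOF'
TLSEngine on
TLSProtocol TLSv1.2
TLSRequired on
TLSOptions NoSessionReuseRequired
EOF

# directive_value FILE NAME: value of the last uncommented NAME line (empty if absent).
directive_value() {
    awk -v name="$2" '$1 == name { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }' "$1"
}

# audit_tls_conf FILE: print one finding per line (prints nothing if the file is clean).
audit_tls_conf() {
    proto=$(directive_value "$1" TLSProtocol)
    case " $proto " in
        *" SSLv2 "*|*" SSLv3 "*)
            echo "TLSProtocol '$proto': SSLv2/SSLv3 are broken, use 'TLSProtocol TLSv1.2' or newer" ;;
    esac
    case " $proto " in
        *" TLSv1 "*|*" TLSv1.1 "*)
            echo "TLSProtocol '$proto': TLSv1.0/1.1 are deprecated, prefer TLSv1.2 or newer" ;;
    esac
    if [ "$(directive_value "$1" TLSRequired)" = "off" ]; then
        echo "TLSRequired off: clients may still log in over plaintext FTP, set 'TLSRequired on'"
    fi
    if [ "$(directive_value "$1" TLSEngine)" != "on" ]; then
        echo "TLSEngine is not 'on': mod_tls is disabled and no TLS is offered at all"
    fi
}

echo "== weak =="; audit_tls_conf "$WEAK_TLS_CONF"
echo "== hardened =="; audit_tls_conf "$HARDENED_TLS_CONF"
```

Point it at /etc/proftpd/tls.conf on the server to check the file you just edited.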
AWS security group
From your AWS console, add the ports you have configured to the Inbound rules list. You may want to restrict the source IPs that are allowed to reach these ports. In this article, we used port 990 and the passive range 1024-1048. You can choose other ports as per your requirements.