Configuring proftpd with mod_tls (ftpes) and/or mod_sftp

January 24, 2016 Roberto Puzzanghera0 comments

This is how I have setup mod_tls (ftpes) and mod_sftp inside proftpd. Finally I managed to make them live together in two separate daemons.

First of all, here is a speed test (ftpes seems to be a bit faster in upload mode):

ftpes
upload: about 22.4 K/s
download: more than 800 K/s

sftp
upload about 18.2 K/s
download: more than 800 K/s

Compiling

I compiled as follows:

./configure \
        --prefix=/usr/local \
        --without-pam --disable-auth-pam \
        --enable-openssl \
        --enable-ctrls \
        --with-modules=mod_ratio:mod_readme:mod_sftp:mod_tls:mod_ban:mod_ctrls_admin

make
make install

Creating the ssl certificate

mkdir -p /usr/local/etc/ssl/certs

openssl req \
        -new \
        -x509 \
        -days 1095 \
        -nodes \
        -config /etc/ssl/openssl.cnf \
        -out /usr/local/etc/ssl/certs/proftpd.pem \
        -keyout /usr/local/etc/ssl/certs/proftpd.pem

Configuring

file ftpes.conf

# common stuff goes here
Include /usr/local/etc/proftpd/proftpd.conf
Port 21

<IfModule mod_tls.c>
TLSEngine on
PassivePorts 49152 65535
MasqueradeAddress <your-ip>
TLSLog /var/log/proftpd/tls.log

# Support both SSLv3 and TLSv1
# Set the TLSProtocol to one of the following
# SSLv23 - Use SSL3 for ctrl and TLS1 for data channels (works with most clients)
# SSLv3 - Use only SSL3
# TLSv1 - Use only TLS1
TLSProtocol SSLv23

# Are clients required to use FTP over TLS when talking to this server?
# off - clients can connect using insecure FTP or secure FTP/SSL
# ctrl - encrypt only the ctrl channel using FTP/SSL
# data - encrypt only the data channel using FTP/SSL (not recommended)
# on - encrypt both the ctrl and data channels using FTP/SSL
TLSRequired ctrl+!data

# Server's certificate
TLSRSACertificateFile /usr/local/etc/ssl/certs/proftpd.pem
TLSRSACertificateKeyFile /usr/local/etc/ssl/certs/proftpd.pem

TLSVerifyClient off
TLSRenegotiate none
TLSOptions NoSessionReuseRequired
</IfModule>

file sftp.conf

# common stuff
Include /usr/local/etc/proftpd/proftpd.conf

<IfModule mod_sftp.c>
# Configure the server to listen on the normal SSH2 port, port 22
Port 22

SFTPEngine on
SFTPLog /var/log/proftpd/sftp.log

# Configure both the RSA and DSA host keys, using the same host key
# files that OpenSSH uses.
SFTPHostKey /etc/ssh/ssh_host_rsa_key
SFTPHostKey /etc/ssh/ssh_host_dsa_key

# Enable compression
SFTPCompression delayed

# Allow the same number of authentication attempts as OpenSSH.
#
# It is recommended that you explicitly configure MaxLoginAttempts
# for your SSH2/SFTP instance to be higher than the normal
# MaxLoginAttempts value for FTP, as there are more ways to authenticate
# using SSH2.
MaxLoginAttempts 6

SFTPClientMatch .*ClientSftp sftpProtocolVersion 3
</IfModule>

file proftpd.conf

ServerName "ProFTPD (Slackware)"
ServerType standalone
UseReverseDNS off
DeferWelcome off
AllowStoreRestart on

DefaultRoot ~/www

Port 21
Umask 022
MaxInstances 30
User ftp
Group ftp
TimeoutIdle 0
SystemLog /var/log/proftpd/proftpd.log
#TransferLog /var/log/proftpd/xferlog

<Global>
<Directory /*>
AllowOverwrite on
</Directory>
</Global>

Startup script

Adjust this to your needs:

#!/bin/sh
#
# /usr/local/bin/proftpctl
#

start() {
        /usr/local/sbin/proftpd -c /usr/local/etc/proftpd/ftpes.conf
        /usr/local/sbin/proftpd -c /usr/local/etc/proftpd/sftp.conf
        echo "Server started."
}

stop() {
        /bin/killall proftpd
        echo "Server stopped."
}

restart() {
        stop
sleep 3
        start
#/bin/killall -HUP proftpd
        echo "Server restarted."
}

case "$1" in
'start')
  start
  ;;
'stop')
  stop
  ;;
'restart')
  restart
  ;;
*)
  echo "usage $0 start|stop|restart"
esac

You can start the server calling the statup script (place it wherever you want, /usr/local/bin is a good choice):

proftpdctl start

At this point you should have two daemons running:

> ps axf

21855 ?        Ss     0:00 proftpd: (accepting connections)
21882 ?        Ss     0:01 proftpd: (accepting connections)

Mounting remotely with curlftpfs

If you want to edit your scripts by means of a remote connection, you may want to use curlftpfs to mount the remote folder locally, encrypting the connection with TLS  in this way:

curlftpfs -v \
        -o ssl_control \
        -o no_verify_peer \
        -o uid=1000 \
        -o gid=100 \
        -o umask=022 \
        ftp://ftp.mydomain.xyz/ \
        /locale/mnt/folder/

This command requires that your ftp account was saved in your ~/.netrc file in this way:

> more ~/.netrc

machine ftp.mydomain.xyz
        login 
        password 

Take a look to the curlftpfs' man page for details on http://linux.die.net/man/1/curlftpfs.

Edit: I installed curlftpfs v. 0.9.1, since v. 0.9.2 was giving me problems when saving.

Troubleshooting

Add a comment