Configuring proftpd with mod_tls (ftpes) and/or mod_sftp

This is how I have setup mod_tls (ftpes) and mod_sftp inside proftpd. Finally I managed to make them live together in two separate daemons.

First of all, here is a speed test (ftpes seems to be a bit faster in upload mode):

ftpes
upload: about 22.4 K/s
download: more than 800 K/s

sftp
upload about 18.2 K/s
download: more than 800 K/s

Compiling

I compiled as follows:

./configure \
        --prefix=/usr/local \
        --without-pam --disable-auth-pam \
        --enable-openssl \
        --enable-ctrls \
        --with-modules=mod_ratio:mod_readme:mod_sftp:mod_tls:mod_ban:mod_ctrls_admin

make
make install

Creating the ssl certificate

mkdir -p /usr/local/etc/ssl/certs

openssl req \
        -new \
        -x509 \
        -days 1095 \
        -nodes \
        -config /etc/ssl/openssl.cnf \
        -out /usr/local/etc/ssl/certs/proftpd.pem \
        -keyout /usr/local/etc/ssl/certs/proftpd.pem

Configuring

file ftpes.conf

# common stuff goes here
Include /usr/local/etc/proftpd/proftpd.conf
Port 21

<IfModule mod_tls.c>
    TLSEngine on
    PassivePorts 49152 65535
    MasqueradeAddress <your-ip>
    TLSLog /var/log/proftpd/tls.log

    # Support both SSLv3 and TLSv1
    # Set the TLSProtocol to one of the following
    # SSLv23 - Use SSL3 for ctrl and TLS1 for data channels (works with most clients)
    # SSLv3  - Use only SSL3
    # TLSv1  - Use only TLS1
    TLSProtocol SSLv23

    # Are clients required to use FTP over TLS when talking to this server?
    # off  - clients can connect using insecure FTP or secure FTP/SSL
    # ctrl - encrypt only the ctrl channel using FTP/SSL
    # data - encrypt only the data channel using FTP/SSL (not recommended)
    # on   - encrypt both the ctrl and data channels using FTP/SSL
    TLSRequired ctrl+!data

    # Server's certificate
    TLSRSACertificateFile /usr/local/etc/ssl/certs/proftpd.pem
    TLSRSACertificateKeyFile /usr/local/etc/ssl/certs/proftpd.pem

    TLSVerifyClient off
    TLSRenegotiate none
    TLSOptions NoSessionReuseRequired
</IfModule>

file sftp.conf

# common stuff
Include /usr/local/etc/proftpd/proftpd.conf

<IfModule mod_sftp.c>
        # Configure the server to listen on the normal SSH2 port, port 22
        Port 22

        SFTPEngine on
        SFTPLog /var/log/proftpd/sftp.log

        # Configure both the RSA and DSA host keys, using the same host key
        # files that OpenSSH uses.
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPHostKey /etc/ssh/ssh_host_dsa_key

        # Enable compression
        SFTPCompression delayed

        # Allow the same number of authentication attempts as OpenSSH.
        #
        # It is recommended that you explicitly configure MaxLoginAttempts
        # for your SSH2/SFTP instance to be higher than the normal
        # MaxLoginAttempts value for FTP, as there are more ways to authenticate
        # using SSH2.
        MaxLoginAttempts 6

        SFTPClientMatch .*ClientSftp sftpProtocolVersion 3
</IfModule>

file proftpd.conf

ServerName                      "ProFTPD (Slackware)"
ServerType                      standalone
UseReverseDNS                   off
DeferWelcome                    off
AllowStoreRestart               on

DefaultRoot ~/www

Port                            21
Umask                           022
MaxInstances                    30
User                            ftp
Group                           ftp
TimeoutIdle                     0
SystemLog                       /var/log/proftpd/proftpd.log
#TransferLog                     /var/log/proftpd/xferlog

<Global>
        <Directory /*>
                  AllowOverwrite                on
        </Directory>
</Global>

Startup script

Adjust this to your needs:

#!/bin/sh
#
# /usr/local/bin/proftpctl
#

start() {
        /usr/local/sbin/proftpd -c /usr/local/etc/proftpd/ftpes.conf
        /usr/local/sbin/proftpd -c /usr/local/etc/proftpd/sftp.conf
        echo "Server started."
}

stop() {
        /bin/killall proftpd
        echo "Server stopped."
}

restart() {
        stop
sleep 3
        start
#/bin/killall -HUP proftpd
        echo "Server restarted."
}

case "$1" in
'start')
  start
  ;;
'stop')
  stop
  ;;
'restart')
  restart
  ;;
*)
  echo "usage $0 start|stop|restart"
esac

You can start the server calling the statup script (place it wherever you want, /usr/local/bin is a good choice):

proftpdctl start

At this point you should have two daemons running:

> ps axf

21855 ?        Ss     0:00 proftpd: (accepting connections)
21882 ?        Ss     0:01 proftpd: (accepting connections)

Mounting remotely with curlftpfs

If you want to edit your scripts by means of a remote connection, you may want to use curlftpfs to mount the remote folder locally, encrypting the connection with TLS  in this way:

curlftpfs -v \
        -o ssl_control \
        -o no_verify_peer \
        -o uid=1000 \
        -o gid=100 \
        -o umask=022 \
        ftp://ftp.mydomain.xyz/ \
        /locale/mnt/folder/

This command requires that your ftp account was saved in your ~/.netrc file in this way:

> more ~/.netrc

machine ftp.mydomain.xyz
        login <your-userid>
        password <your-pwd>

Take a look to the curlftpfs' man page for details on http://linux.die.net/man/1/curlftpfs.

Edit: I installed curlftpfs v. 0.9.1, since v. 0.9.2 was giving me problems when saving.

Troubleshooting