Configuring proftpd with mod_tls (ftpes) and/or mod_sftp

January 24, 2016 by Roberto Puzzanghera 0 comments

This is how I have setup mod_tls (ftpes) and mod_sftp inside proftpd. Finally I managed to make them live together in two separate daemons.

First of all, here is a speed test (ftpes seems to be a bit faster in upload mode):

ftpes
upload: about 22.4 K/s
download: more than 800 K/s

sftp
upload about 18.2 K/s
download: more than 800 K/s

Compiling

I compiled as follows:

./configure \
        --prefix=/usr/local \
        --without-pam --disable-auth-pam \
        --enable-openssl \
        --enable-ctrls \
        --with-modules=mod_ratio:mod_readme:mod_sftp:mod_tls:mod_ban:mod_ctrls_admin

make
make install

Creating the ssl certificate

mkdir -p /usr/local/etc/ssl/certs

openssl req \
        -new \
        -x509 \
        -days 1095 \
        -nodes \
        -config /etc/ssl/openssl.cnf \
        -out /usr/local/etc/ssl/certs/proftpd.pem \
        -keyout /usr/local/etc/ssl/certs/proftpd.pem

Configuring

file ftpes.conf

# common stuff goes here
Include /usr/local/etc/proftpd/proftpd.conf
Port 21

<IfModule mod_tls.c>
 TLSEngine on
 PassivePorts 49152 65535
 MasqueradeAddress <your-ip>
 TLSLog /var/log/proftpd/tls.log

 # Support both SSLv3 and TLSv1
 # Set the TLSProtocol to one of the following
 # SSLv23 - Use SSL3 for ctrl and TLS1 for data channels (works with most clients)
 # SSLv3 - Use only SSL3
 # TLSv1 - Use only TLS1
 TLSProtocol TLSv1

 # Are clients required to use FTP over TLS when talking to this server?
 # off - clients can connect using insecure FTP or secure FTP/SSL
 # ctrl - encrypt only the ctrl channel using FTP/SSL
 # data - encrypt only the data channel using FTP/SSL (not recommended)
 # on - encrypt both the ctrl and data channels using FTP/SSL
 TLSRequired ctrl+!data

 # Server's certificate
 TLSRSACertificateFile /usr/local/etc/ssl/certs/proftpd.pem
 TLSRSACertificateKeyFile /usr/local/etc/ssl/certs/proftpd.pem

 TLSVerifyClient off
 TLSRenegotiate none
 TLSOptions NoSessionReuseRequired
</IfModule>

file sftp.conf

# common stuff
Include /usr/local/etc/proftpd/proftpd.conf

<IfModule mod_sftp.c>
 # Configure the server to listen on the normal SSH2 port, port 22
 Port 22

 SFTPEngine on
 SFTPLog /var/log/proftpd/sftp.log

 # Configure both the RSA and DSA host keys, using the same host key
 # files that OpenSSH uses.
 SFTPHostKey /etc/ssh/ssh_host_rsa_key
 SFTPHostKey /etc/ssh/ssh_host_dsa_key

 # Enable compression
 SFTPCompression delayed

 # Allow the same number of authentication attempts as OpenSSH.
 #
 # It is recommended that you explicitly configure MaxLoginAttempts
 # for your SSH2/SFTP instance to be higher than the normal
 # MaxLoginAttempts value for FTP, as there are more ways to authenticate
 # using SSH2.
 MaxLoginAttempts 6

 SFTPClientMatch .*ClientSftp sftpProtocolVersion 3
</IfModule>

file proftpd.conf

ServerName "ProFTPD (Slackware)"
ServerType standalone
UseReverseDNS off
DeferWelcome off
AllowStoreRestart on

DefaultRoot ~/www

Port 21
Umask 022
MaxInstances 30
User ftp
Group ftp
TimeoutIdle 0
SystemLog /var/log/proftpd/proftpd.log
#TransferLog /var/log/proftpd/xfer.log

<Global>
 <Directory /*>
 AllowOverwrite on
 </Directory>
</Global>

Startup script

Adjust this to your needs:

#!/bin/sh
#
# /usr/local/bin/proftpctl
#

start() {
        /usr/local/sbin/proftpd -c /usr/local/etc/proftpd/ftpes.conf
        /usr/local/sbin/proftpd -c /usr/local/etc/proftpd/sftp.conf
        echo "Server started."
}

stop() {
        /bin/killall proftpd
        echo "Server stopped."
}

restart() {
        stop
sleep 3
        start
#/bin/killall -HUP proftpd
        echo "Server restarted."
}

case "$1" in
'start')
  start
  ;;
'stop')
  stop
  ;;
'restart')
  restart
  ;;
*)
  echo "usage $0 start|stop|restart"
esac

You can start the server calling the statup script (place it wherever you want, /usr/local/bin is a good choice):

proftpdctl start

At this point you should have two daemons running:

> ps axf

21855 ?        Ss     0:00 proftpd: (accepting connections)
21882 ?        Ss     0:01 proftpd: (accepting connections)

Mounting remotely with curlftpfs

If you want to edit your scripts by means of a remote connection, you may want to use curlftpfs to mount the remote folder locally, encrypting the connection with TLS  in this way:

curlftpfs -v \
        -o ssl_control \
        -o no_verify_hostname \
        -o no_verify_peer \
        -o uid=1000 \
        -o gid=100 \
        -o umask=022 \
        ftp://ftp.mydomain.xyz/ \
        /local/mnt/folder/

This command requires that your ftp account was saved in your ~/.netrc file in this way:

> more ~/.netrc

machine ftp.mydomain.xyz
login myuser
password mypass

Take a look to the curlftpfs' man page for details on http://linux.die.net/man/1/curlftpfs.

Troubleshooting

Add a comment