proftpd
- home page
- List of directives
- version used: 1.3.6
This is how I set up mod_tls (FTPES) and mod_sftp inside proftpd. In the end I managed to make them live together as two separate daemons.
First of all, here is a speed test (ftpes seems to be a bit faster in upload mode):

ftpes
- upload: about 22.4 K/s
- download: more than 800 K/s

sftp
- upload: about 18.2 K/s
- download: more than 800 K/s
Compiling
I compiled as follows:
./configure \
    --prefix=/usr/local \
    --without-pam --disable-auth-pam \
    --enable-openssl \
    --enable-ctrls \
    --with-modules=mod_ratio:mod_readme:mod_sftp:mod_tls:mod_ban:mod_ctrls_admin
make
make install
Creating the SSL certificate

The self-signed certificate and its private key are written to the same PEM file, which is what the TLSRSACertificateFile and TLSRSACertificateKeyFile directives below point at:

mkdir -p /usr/local/etc/ssl/certs
openssl req \
    -new \
    -x509 \
    -days 1095 \
    -nodes \
    -config /etc/ssl/openssl.cnf \
    -out /usr/local/etc/ssl/certs/proftpd.pem \
    -keyout /usr/local/etc/ssl/certs/proftpd.pem
Configuring
file ftpes.conf
# common stuff goes here
Include /usr/local/etc/proftpd/proftpd.conf

Port 21

<IfModule mod_tls.c>
    TLSEngine on
    PassivePorts 49152 65535
    MasqueradeAddress <your-ip>
    TLSLog /var/log/proftpd/tls.log

    # Which protocol to enable (only TLSv1 here).
    # Set the TLSProtocol to one of the following:
    #   SSLv23 - Use SSL3 for ctrl and TLS1 for data channels (works with most clients)
    #   SSLv3  - Use only SSL3
    #   TLSv1  - Use only TLS1
    TLSProtocol TLSv1

    # Are clients required to use FTP over TLS when talking to this server?
    #   off  - clients can connect using insecure FTP or secure FTP/SSL
    #   ctrl - encrypt only the ctrl channel using FTP/SSL
    #   data - encrypt only the data channel using FTP/SSL (not recommended)
    #   on   - encrypt both the ctrl and data channels using FTP/SSL
    # ctrl+!data: the control channel (login, commands) must use TLS, while the
    # data channel (file contents, directory listings) must not, so transfers
    # travel in cleartext. This is what the curlftpfs ssl_control mount below relies on.
    TLSRequired ctrl+!data

    # Server's certificate (key and certificate live in the same PEM file)
    TLSRSACertificateFile /usr/local/etc/ssl/certs/proftpd.pem
    TLSRSACertificateKeyFile /usr/local/etc/ssl/certs/proftpd.pem

    TLSVerifyClient off
    TLSRenegotiate none
    TLSOptions NoSessionReuseRequired
</IfModule>
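The TLS directives above decide which parts of an FTPES session are actually protected. The following added example (not part of proftpd or of this setup) is a small linter that parses the mod_tls block of ftpes.conf and reports what TLSRequired, TLSProtocol, TLSVerifyClient and TLSOptions leave unprotected; the embedded config is a constructed copy of the one above with comments stripped.

```python
"""Lint the mod_tls directives of a proftpd ftpes.conf (added example)."""
import shlex

# Constructed sample: the ftpes.conf from this page, comments stripped.
FTPES_CONF = """
Include /usr/local/etc/proftpd/proftpd.conf
Port 21
<IfModule mod_tls.c>
  TLSEngine on
  PassivePorts 49152 65535
  TLSProtocol TLSv1
  TLSRequired ctrl+!data
  TLSRSACertificateFile /usr/local/etc/ssl/certs/proftpd.pem
  TLSVerifyClient off
  TLSOptions NoSessionReuseRequired
</IfModule>
"""

def parse(text):
    """Map lowercased directive name -> argument list. '#' comments and
    <IfModule>/<Directory> tags are skipped, so blocks are flattened."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        name, *args = shlex.split(line)
        directives[name.lower()] = args
    return directives

def findings(conf):
    """Return plain-language findings about what the TLS setup does not protect."""
    d = parse(conf)
    if d.get("tlsengine", ["off"])[0].lower() != "on":
        return ["TLSEngine is not on: plain FTP only"]
    out = []
    required = d.get("tlsrequired", ["off"])[0].lower()
    if required == "off":
        out.append("TLSRequired off: clients may log in over plain FTP")
    elif "!data" in required or required == "ctrl":
        out.append(f"TLSRequired {required}: the data channel is not required to use TLS")
    protos = [p.lower() for p in d.get("tlsprotocol", [])]
    if any(p in ("sslv23", "sslv3", "sslv2") for p in protos):
        out.append("TLSProtocol permits SSLv3 or older")
    if d.get("tlsverifyclient", ["off"])[0].lower() == "off":
        out.append("TLSVerifyClient off: client certificates are not checked")
    if "nosessionreuserequired" in [o.lower() for o in d.get("tlsoptions", [])]:
        out.append("NoSessionReuseRequired: data connections need not reuse the control TLS session")
    return out
```

Running findings(FTPES_CONF) on the page's config lists the three points a reviewer would flag (cleartext data channel, no client certificates, no session reuse requirement) and nothing about the protocol choice.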
file sftp.conf
# common stuff
Include /usr/local/etc/proftpd/proftpd.conf

<IfModule mod_sftp.c>
    # Configure the server to listen on the normal SSH2 port, port 22
    Port 22
    SFTPEngine on
    SFTPLog /var/log/proftpd/sftp.log

    # Configure both the RSA and DSA host keys, using the same host key
    # files that OpenSSH uses.
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
    SFTPHostKey /etc/ssh/ssh_host_dsa_key

    # Enable compression
    SFTPCompression delayed

    # Allow the same number of authentication attempts as OpenSSH.
    #
    # It is recommended that you explicitly configure MaxLoginAttempts
    # for your SSH2/SFTP instance to be higher than the normal
    # MaxLoginAttempts value for FTP, as there are more ways to authenticate
    # using SSH2.
    MaxLoginAttempts 6

    SFTPClientMatch .*ClientSftp sftpProtocolVersion 3
</IfModule>
file proftpd.conf
ServerName "ProFTPD (Slackware)"
ServerType standalone
UseReverseDNS off
DeferWelcome off
AllowStoreRestart on
DefaultRoot ~/www
Port 21
Umask 022
MaxInstances 30
User ftp
Group ftp
TimeoutIdle 0
SystemLog /var/log/proftpd/proftpd.log
#TransferLog /var/log/proftpd/xfer.log

<Global>
    <Directory /*>
        AllowOverwrite on
    </Directory>
</Global>
Startup script
Adjust this to your needs:
#!/bin/sh
#
# /usr/local/bin/proftpdctl
#
# Starts one proftpd daemon per config file (FTPES on port 21, SFTP on port 22).

start() {
    /usr/local/sbin/proftpd -c /usr/local/etc/proftpd/ftpes.conf
    /usr/local/sbin/proftpd -c /usr/local/etc/proftpd/sftp.conf
    echo "Server started."
}

stop() {
    # killall stops both daemons, since they share the process name
    /bin/killall proftpd
    echo "Server stopped."
}

restart() {
    stop
    sleep 3
    start
    #/bin/killall -HUP proftpd
    echo "Server restarted."
}

case "$1" in
    'start')
        start
        ;;
    'stop')
        stop
        ;;
    'restart')
        restart
        ;;
    *)
        echo "usage: $0 start|stop|restart"
        ;;
esac
You can start the server by calling the startup script (place it wherever you want; /usr/local/bin is a good choice):
proftpdctl start
At this point you should have two daemons running:
> ps axf
21855 ?        Ss     0:00 proftpd: (accepting connections)
21882 ?        Ss     0:01 proftpd: (accepting connections)
Mounting remotely with curlftpfs
If you want to edit your scripts over a remote connection, you can use curlftpfs to mount the remote folder locally, encrypting the connection with TLS in this way. Note that ssl_control matches the TLSRequired ctrl+!data setting above (only the control channel is encrypted, file data is not), and no_verify_peer and no_verify_hostname skip certificate checks because the server certificate is self-signed:
curlftpfs -v \
    -o ssl_control \
    -o no_verify_hostname \
    -o no_verify_peer \
    -o uid=1000 \
    -o gid=100 \
    -o umask=022 \
    ftp://ftp.mydomain.xyz/ \
    /local/mnt/folder/
This command requires that your FTP credentials are stored in your ~/.netrc file like this (the password is in cleartext, so keep the file readable only by your user):

> more ~/.netrc
machine ftp.mydomain.xyz login myuser password mypass
Take a look at the curlftpfs man page for details: http://linux.die.net/man/1/curlftpfs.
Troubleshooting
- Start from here: http://proftpd.open-source-solution.org/docs/howto/TLS.html