Setup secure ProFTPd
Fri, 06/12/2009 - 14:42 — sandipFtp can be secured using ftps to connect. Below outlines a configuration to support such a setup using TLS/SSL.
I usually use the epel repository to install proftpd:
yum --enablerepo=epel install proftpd
Configure for tls/ssl connection:
<IfModule mod_tls.c>
TLSEngine & nbsp; & nbsp; & nbsp; & nbsp; on
TLSRequired   ;   ;   ;   ; off
TLSRSACertificateFile & nbsp; & nbsp; /etc/pki/tls/proftpd/server.ce rt.pem
TLSRSACertificateKeyFile&nbs p; &nbs p; /etc/pki/tls/proftpd/server.ke y.pem
TLSVerifyClient & nbsp; & nbsp; & nbsp; off
TLSRenegotiate &n bsp; &n bsp; &n bsp; required off
TLSLog &nbs p; &nbs p; &nbs p; &nbs p; &nbs p; /var/log/proftpd/tls.log
</IfModule>
chroot and bindsocket to listen to single IP:
SocketBindTight & nbsp; & nbsp; & nbsp; on
DefaultRoot   ;   ;   ;   ; ~
Setup passive ftp ports:
</Global>
...
...
PassivePorts 50000 51000
</Global>
Create the certs:
mkdir -p /etc/pki/tls/proftpd
cd /etc/pki/tls/proftpd
openssl req -new -x509 -days 9999 -nodes -out server.cert.pem -keyout server.key.pem
Create /etc/pam.d/ftp so PAM can authenticate for proftpd:
#%PAM-1.0
auth required &nbs p; pam_unix.so & nbsp; nullok
account required &nbs p; pam_unix.so
session required &nbs p; pam_unix.so
Add "/bin/false" to "/etc/shells" file and use it as the shell type when creating new users:
useradd -s /bin/false <ftp_user>
- sandip's blog
- Login or register to post comments