FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. This article explains how to set up ProFTPd with TLS on a Debian Etch server.
Install ProFTPd And OpenSSL
#apt-get install proftpd openssl
You will be asked a question:
Run proftpd from inetd or standalone? <-- standalone
This will complete the installation.
Configuring ProFTPd
Now you need to open /etc/proftpd/proftpd.conf and change UseIPv6 from on to off; otherwise you’ll get a warning like this when you start ProFTPd
#vi /etc/proftpd/proftpd.conf
UseIPv6 off
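For security reasons you can add the following lines to /etc/proftpd/proftpd.conf. DefaultRoot ~ confines each user to their home directory, and IdentLookups off disables ident lookups on connecting clients: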
DefaultRoot ~
IdentLookups off
Then restart ProFTPd using the following command:
#/etc/init.d/proftpd restart
Creating The SSL Certificate For TLS
In order to use TLS, we must create an SSL certificate. I create it in /etc/proftpd/ssl, therefore I create that directory first:
#mkdir /etc/proftpd/ssl
Afterwards, we can generate the SSL certificate as follows:
#openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "GB").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "test.example.com").
Email Address []: <-- Enter your Email Address.
Enabling TLS In ProFTPd
In order to enable TLS in ProFTPd, open /etc/proftpd/proftpd.conf and find the section beginning with <IfModule mod_tls.c>:
#vi /etc/proftpd/proftpd.conf
It should look like this:
<IfModule mod_tls.c>
TLSEngine off
</IfModule>
Modify it as follows:
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSOptions NoCertRequest
TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient off
TLSRequired on
</IfModule>
Restart ProFTPd using the following command:
#/etc/init.d/proftpd restart
If you’re having problems with TLS, you can take a look at the TLS log file /var/log/proftpd/tls.log.
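To check the result of the steps above, the following shell functions audit the mod_tls directives in proftpd.conf and the permissions of the private key, which is stored without a passphrase because of -nodes. This is an added example, not part of the original article or of ProFTPd; the function names and the script file name are hypothetical. Treating SSLv23 as a finding is this example's assumption: in mod_tls that value also permits SSLv3, which RFC 7568 deprecates, so a TLS-only value supported by your ProFTPd version is preferable.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit the mod_tls setup from this article.

# Print the value of directive $2 in config file $1 (last occurrence).
# Commented-out lines never match because their first field starts with a hash.
tls_directive() {
    awk -v want="$2" '
        $1 == want { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { print val }' "$1"
}

# Print one "FINDING:" line per problem; return 0 only if there are none.
audit_proftpd_tls() {
    conf=$1
    findings=0
    report() { echo "FINDING: $1"; findings=$((findings + 1)); }

    [ "$(tls_directive "$conf" TLSEngine)" = "on" ] ||
        report "TLSEngine is not 'on', so mod_tls is inactive"
    [ "$(tls_directive "$conf" TLSRequired)" = "on" ] ||
        report "TLSRequired is not 'on', so TLS is not enforced on control and data channels"

    # Assumption of this example: SSLv23 and SSLv3 are weak because both allow SSLv3.
    proto=$(tls_directive "$conf" TLSProtocol)
    case " $proto " in
        *" SSLv23 "* | *" SSLv3 "*) report "TLSProtocol '$proto' still allows SSLv3" ;;
    esac

    # The key was generated with -nodes (no passphrase), so file permissions
    # are its only protection: nobody but the owner should have access.
    key=$(tls_directive "$conf" TLSRSACertificateKeyFile)
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        report "private key file '${key:-unset}' not found"
    elif [ "$(ls -ldL "$key" | cut -c5-10)" != "------" ]; then
        report "private key $key is accessible to group or others"
    fi

    [ "$findings" -eq 0 ]
}

# Run as: sh audit.sh /etc/proftpd/proftpd.conf   (audit.sh is an example file name)
if [ "$#" -gt 0 ]; then audit_proftpd_tls "$1"; fi
```

If the key is reported as accessible to group or others, chmod 600 on the key file removes that access.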