
Howto secure proftpd with SSL/TLS

Posted: Fri Apr 05, 2019 9:36 am
by Spheerys
Hi,

I want to secure my proftpd server.
I followed several similar tutorials, such as https://websiteforstudents.com/configur ... -04-17-10/

The problem is that the TLS connection does not work: when I connect, the client still warns that the connection is not secured.
And the TLS log stays empty.

Here is my /etc/proftpd/proftpd.conf:


# /etc/proftpd/proftpd.conf -- main server configuration.
# Plain-FTP settings live here; the FTPS/TLS settings are pulled in by the
# Include at the bottom of this file.
ServerName                      "FTP"
ServerIdent                     on "FTP Server ready."
ServerAdmin                     root@localhost
DefaultServer                   on
# Chroot each user into their home directory, except members of group "adm".
DefaultRoot                  ~ !adm

<IfModule mod_vroot.c>
    VRootEngine                 on
    # Expose the PAM environment file inside the virtual chroot. Only takes
    # effect when mod_vroot is actually loaded; otherwise this block is skipped.
    VRootAlias                  /etc/security/pam_env.conf etc/security/pam_env.conf
</IfModule>

# Main server log. This is a different location from the TLSLog configured in
# tls.conf (/var/log/proftpd/tls.log), so TLS handshake problems do not show up here.
SystemLog /var/log/proftpd.log

# Authenticate via PAM (service name "proftpd") first, then fall back to the
# local password database.
AuthPAMConfig                   proftpd
AuthOrder                       mod_auth_pam.c* mod_auth_unix.c
UseReverseDNS                   off
# Unprivileged user/group the daemon runs as.
User                            proftpd
Group                           nogroup
MaxInstances                    20
UseSendfile                     off
LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                       auth    "%v [%P] %h %t \"%r\" %s"
ListOptions                     -a
# Accounts whose login shell is not listed in /etc/shells (e.g. nologin) may still log in.
RequireValidShell               off
# Passive-mode data port range. With FTPS the PASV reply travels over the encrypted
# control channel, so NAT/firewall FTP helpers cannot open ports dynamically:
# this range has to be reachable explicitly (see the NAT note in tls.conf).
PassivePorts                    12000 12100

<Global>
  Umask                         002
  IdentLookups                  off
  AllowOverwrite                yes
  # NOTE(review): this grants every FTP command, including SITE CHMOD, to every
  # authenticated user. Tighten the <Limit> if not all users should be able to
  # change permissions on the server.
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>
</Global>

#
# FTPS (FTP over TLS) settings. Note that tls.conf wraps everything in
# <IfModule mod_tls.c>, so it only has an effect when mod_tls is loaded.
#
Include /etc/proftpd/tls.conf

And my /etc/proftpd/tls.conf:


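#
# Proftpd sample configuration for FTPS connections.
#
# Note that FTPS imposes some limitations on NAT traversal.
# See http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
# for more information.
#
# NOTE(review): everything below is wrapped in <IfModule mod_tls.c>. If mod_tls
# is not loaded (on Debian/Ubuntu it is enabled with "LoadModule mod_tls.c" in
# /etc/proftpd/modules.conf), this whole block is silently skipped: no TLS is
# offered, no TLSLog is ever written, and clients fall back to an unencrypted
# login. That matches "TLS does not work and the log is empty", so confirm the
# module is loaded before debugging the directives below.
#

<IfModule mod_tls.c>
TLSEngine                               on
# TLS handshake/session log. The directory must exist and be writable by the
# daemon at startup, otherwise nothing is written here either.
TLSLog                                  /var/log/proftpd/tls.log
# Offer TLS 1.2 only; SSLv3, TLS 1.0 and TLS 1.1 are rejected. TLS 1.3 can be
# added ("TLSv1.2 TLSv1.3") once the installed proftpd/OpenSSL support it --
# check the versions before enabling it.
#TLSProtocol                             SSLv23
TLSProtocol                  TLSv1.2

#
# Server certificate. You can generate a self-signed certificate using a
# command like the following (2048-bit RSA is the practical minimum today;
# 1024-bit keys are refused by many current clients and libraries):
#
# openssl req -x509 -newkey rsa:2048 \
#          -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
#          -nodes -days 365
#
# The private key must be readable by root only; the daemon loads it at
# startup, before switching to the User/Group set in proftpd.conf. The
# certificate itself can be world-readable.
#
# chmod 0600 /etc/ssl/private/proftpd.key
# chmod 0644 /etc/ssl/certs/proftpd.crt
#
# A self-signed certificate still produces a "certificate not trusted" prompt
# in FTP clients until they are told to trust it; that is a different warning
# from "connection is not secured".
#
#TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
#TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key
TLSRSACertificateFile                /etc/ssl/private/proftpdCertificate.pem
TLSRSACertificateKeyFile             /etc/ssl/private/proftpdServerkey.pem

# Forward-secret AES-128 suites only: ECDHE (EECDH) preferred, DHE (EDH) as fallback.
TLSCipherSuite AES128+EECDH:AES128+EDH
# NoCertRequest: never ask the client for a certificate (consistent with
# TLSVerifyClient off below).
# AllowClientRenegotiations: accept client-initiated TLS renegotiation. As the
# sample comment further down notes, refusing it is the CVE-2009-3555
# mitigation; with a current OpenSSL, secure renegotiation (RFC 5746) limits
# the injection risk, but client-initiated renegotiation remains a cheap way
# for a client to burn server CPU. Drop this option unless a specific client
# is known to need it.
TLSOptions                 NoCertRequest AllowClientRenegotiations
TLSVerifyClient            off
# Same setting as RequireValidShell in proftpd.conf ("no" and "off" are equivalent).
RequireValidShell          no

#
# CA the server trusts...
#TLSCACertificateFile                    /etc/ssl/certs/CA.pem
# ...or avoid CA cert and be verbose
#TLSOptions                      NoCertRequest EnableDiags
# ... or the same with relaxed session use for some clients (e.g. FireFtp)
#TLSOptions                      NoCertRequest EnableDiags NoSessionReuseRequired
#
#
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#
#TLSOptions                                                     AllowClientRenegotiations
#
# Authenticate clients that want to use FTP over TLS?
#
#TLSVerifyClient                         off
#
# Require TLS on both the control and the data connection; a plain-FTP login
# is refused. If an unencrypted login still succeeds, this block is not in
# effect at all (see the mod_tls note at the top of this file).
#
TLSRequired                             on
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotiations.  Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
#TLSRenegotiate                          required off
</IfModule>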