passive

Setup secure ProFTPd

Ftp can be secured using ftps to connect. Below outlines a configuration to support such a setup using TLS/SSL.

I usually use the epel repository to install proftpd:

yum --enablerepo=epel install proftpd

Configure for tls/ssl connection:


<IfModule mod_tls.c>
TLSEngine                       on
TLSRequired                     off
TLSRSACertificateFile           /etc/pki/tls/proftpd/server.cert.pem
TLSRSACertificateKeyFile        /etc/pki/tls/proftpd/server.key.pem
TLSVerifyClient                 off
TLSRenegotiate                  required off
TLSLog                          /var/log/proftpd/tls.log
</IfModule>

chroot and bindsocket to listen to single IP:


SocketBindTight                 on
DefaultRoot                     ~

Setup passive ftp ports:

</Global>
...
...
PassivePorts 50000 51000
</Global>

Create the certs:

mkdir -p /etc/pki/tls/proftpd
cd /etc/pki/tls/proftpd
openssl req -new -x509 -days 9999 -nodes -out server.cert.pem -keyout server.key.pem

Create /etc/pam.d/ftp so PAM can authenticate for proftpd:

#%PAM-1.0
auth    required        pam_unix.so     nullok
account required        pam_unix.so
session required        pam_unix.so

Add "/bin/false" to "/etc/shells" file and use it as the shell type when creating new users:

useradd -s /bin/false <ftp_user>

Syndicate content
Comment