Setup secure ProFTPd

Ftp can be secured using ftps to connect. Below outlines a configuration to support such a setup using TLS/SSL.

I usually use the epel repository to install proftpd:

yum --enablerepo=epel install proftpd

Configure for tls/ssl connection:

<IfModule mod_tls.c>
TLSEngine                       on
TLSRequired                     off
TLSRSACertificateFile           /etc/pki/tls/proftpd/server.cert.pem
TLSRSACertificateKeyFile        /etc/pki/tls/proftpd/server.key.pem
TLSVerifyClient                 off
TLSRenegotiate                  required off
TLSLog                          /var/log/proftpd/tls.log

chroot and bindsocket to listen to single IP:

SocketBindTight                 on
DefaultRoot                     ~

Setup passive ftp ports:

PassivePorts 50000 51000

Create the certs:

mkdir -p /etc/pki/tls/proftpd
cd /etc/pki/tls/proftpd
openssl req -new -x509 -days 9999 -nodes -out server.cert.pem -keyout server.key.pem

Create /etc/pam.d/ftp so PAM can authenticate for proftpd:

auth    required     nullok
account required
session required

Add "/bin/false" to "/etc/shells" file and use it as the shell type when creating new users:

useradd -s /bin/false <ftp_user>

Configure passive ports range for ProFTPd

Usually, if a client is behind firewall, they can only trasfer files via a passive ftp connection.

Edit /etc/proftpd.conf and specify the passive ports range. Place it in the 'Global' container:

# Use the IANA registered ephemeral port range
PassivePorts 49152 65534


Load the ip_conntrack_ftp module and iptables rules, so the ports automatically open to the connected client:

# /sbin/modprobe ip_conntrack_ftp
#  lsmod | grep conntrack_ftp
ip_conntrack_ftp       41489  0
ip_conntrack           91237  4 xt_state,xt_conntrack,ip_conntrack_ftp,ip_conntrack_irc

Add the below iptables rules:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

If the server is beind NAT, ip_nat_ftp module also should be loaded:

# /sbin/modprobe ip_nat_ftp

Force ProFTPD to listen on only one IP

It's not quite as clean as the socket binding under Apache but the principle works something like this.

  1. In Standalone mode, to listen on the primary IP of a host use the SocketBindTight directive.

    In "/etc/proftpd.conf":

    SocketBindTight                 on
  2. To listen on a interfaces which are not the primary host interface, use the SocketBindTight directive, place your server configuration in a block and use "Port 0" for the main host configuration and and "Port 21" inside the VirtualHost block.

    Port                            0
    SocketBindTight                 on
            Port 21
            DefaultRoot             ~
            AllowOverwrite          on
            Umask                   002

Analyzing proftpd xferlog file

Recently I've had to research on some missing files of a website.

When looking through the proftpd xferlog files, it was clear that the files were deleted by a user having ftp access.

The xferlog file is usually located at "/var/log/xferlog". However, since this was a plesk server, it was located at:

A quick grep produced the files that were deleted out and could easily be recovered from a previous backup. Also, discovered the time and offending IP address of the person that did the deletes.

Full listing:

$ grep "_ d" /path/to/xferlog

Listing of just the deleted files:

$ awk '/_ d/ {print $9}' /path/to/xferlog

Below are some additional notes on xferlog anlysis:

Syndicate content