https://hostpresto.com/community/tutorials/how-to-install-and-secure-proftpd-server-on-centos-7/
How to Install and Secure ProFTPD Server on CentOS 7
12th July 2016
ProFTPD is a popular open source FTP server. File Transfer Protocol (FTP) is one of the most common ways of uploading files to a server, and ProFTPD offers many features that other FTP servers lack: it is highly configurable, and all of its configuration lives in a single main file. FTP lets you quickly upload and download content to your web server and manage the files and folders on it. Plain FTP is not secure: the traffic is not encrypted, so everything sent or received, including usernames and passwords, crosses the network in clear text. ProFTPD lets you protect the connection with SSL/TLS (FTPS). ProFTPD is used by many well-known sites, including SourceForge, Samba and Harvard.
In this tutorial we will install ProFTPD on CentOS 7.x, secure its traffic with SSL/TLS, and enable anonymous (read-only) access.
The only requirement is a VPS or dedicated server running CentOS 7.x, with root access. In this tutorial we use the root user account to execute the commands; if you are not logged in as root, prefix each command with sudo, or use su to switch to the root account.
Installation
The ProFTPD package is not included in the default YUM repositories of CentOS, so you need to add the EPEL (Extra Packages for Enterprise Linux) repository to your server. Execute the following command to do so (the release number in the file name changes as EPEL updates; the epel-release package is also available from the CentOS extras repository, where yum installs it with GPG signature verification, which rpm cannot do for a package whose signing key is not yet imported).
rpm -iUvh https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-7.noarch.rpm
Now that the EPEL repository is added, update the existing packages.
yum -y update
Now install ProFTPD using the following command.
yum -y install proftpd proftpd-utils
Once installed you can start ProFTPD immediately using the following command.
systemctl start proftpd.service
To automatically start the service at boot time, run the following command.
systemctl enable proftpd.service
Now add a firewall rule so that firewalld allows incoming FTP connections (port 21). Run the following command.
firewall-cmd --add-service=ftp --permanent
Then reload the firewall so the permanent rule takes effect.
firewall-cmd --reload
To transfer files over FTP we need a dedicated user, because ProFTPD refuses root logins by default (RootLogin is off). Create one with the following command.
useradd ftpadmin -s /sbin/nologin -d /ftp
This creates a user ftpadmin whose home directory is /ftp (useradd creates the directory, since CREATE_HOME is set in /etc/login.defs on CentOS). The -s /sbin/nologin shell means the account cannot log in over SSH or obtain a shell; it can still log in over FTP, because ProFTPD's RequireValidShell check (on by default) accepts any shell listed in /etc/shells, and CentOS 7 lists /sbin/nologin there. If FTP logins for the account fail with "Login incorrect" even though the password is right, check /etc/shells first. Now set the new user's password.
passwd ftpadmin
Next give the user ownership of /ftp and restrict the directory to that user.
chown ftpadmin:ftpadmin /ftp
chmod 750 /ftp
Do not make the directory world-writable (chmod 777), as some guides suggest: that would let every local account on the server, including one compromised through an unrelated service, drop or replace files in your FTP root. If SELinux is enforcing and the FTP user can list but not write files, a directory outside /home lacks an FTP-accessible label; enabling the ftpd_full_access SELinux boolean with setsebool is the quick fix, and relabeling /ftp specifically is the tighter one.
Now check whether the FTP server is running by pointing a browser that still supports ftp:// URLs at your server.
For example, if the IP address of your server is 192.168.0.100, browse to ftp://192.168.0.100
You will be prompted for a username and password, which shows that the FTP server is up. Log in with the user you just created.
Because /ftp is empty, no files are listed. You can also check from the server's own terminal. Enter the following command.
ftp localhost
You will be asked for a username; log in with the newly created account, and you should see something like this.
[root@vps ~]# ftp localhost
Trying ::1...
Connected to localhost (::1).
220 FTP Server ready.
Name (localhost:root): ftpadmin
331 Password required for ftpadmin
Password:
230 User ftpadmin logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Once you are in the ftp session, run help to see the commands you can use. Enter exit to leave the session.
Securing ProFTPD
As noted above, plain FTP sends everything, including usernames and passwords, in clear text; anyone who can intercept the traffic can read the credentials and reuse them. Hence we secure the FTP server with SSL/TLS. The server's certificate lets clients authenticate the server, and the TLS handshake negotiates per-session keys that encrypt the control channel and, with TLSRequired on, the data channel too, so an attacker who records the traffic gets only ciphertext. Note that the self-signed certificate created below gives you encryption but no independent proof of the server's identity, so the first connection from each client must check the certificate fingerprint by hand (see the FileZilla step).
Edit the main configuration file of ProFTPD with your favorite text editor; in this tutorial we use nano. If nano is not installed, run yum install nano to install it.
nano /etc/proftpd.conf
Scroll down to find these lines.
# Cause every FTP user except adm to be chrooted into their home directory
DefaultRoot ~ !adm
Append the following line just below them. A fixed passive port range matters once TLS is on: the firewalld ftp service rule relies on the kernel's FTP connection-tracking helper, which reads the PASV reply on the control channel to open the data port; with the control channel encrypted it cannot, so the data ports must be opened explicitly.
PassivePorts 10000 11000
Your configuration should then look like this.
# Cause every FTP user except adm to be chrooted into their home directory
DefaultRoot ~ !adm
PassivePorts 10000 11000
Now scroll down further to find the TLS block. In the configuration shipped by the EPEL package the directives are wrapped in an <IfDefine TLS> section, so they only take effect when proftpd is started with -DTLS.
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
<IfDefine TLS>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
<IfModule mod_tls_shmcache.c>
TLSSessionCache shm:/file=/var/run/proftpd/sesscache
</IfModule>
</IfDefine>
Comment out the four wrapper lines (<IfDefine TLS>, <IfModule mod_tls_shmcache.c>, </IfModule> and </IfDefine>) with a # at the start of each, so the directives apply unconditionally. The block should then look like this.
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
#<IfDefine TLS>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
#<IfModule mod_tls_shmcache.c>
TLSSessionCache shm:/file=/var/run/proftpd/sesscache
#</IfModule>
#</IfDefine>
Keep TLSRequired on: it forces TLS on both the control and the data channel, so a client cannot silently fall back to plain FTP. An equivalent alternative that leaves the file untouched is to add -DTLS to the PROFTPD_OPTIONS variable in /etc/sysconfig/proftpd, which the EPEL unit file reads at start-up. With the <IfModule> wrapper commented out, TLSSessionCache is applied unconditionally; if proftpd refuses to start because of it, make sure mod_tls_shmcache.c is loaded by a LoadModule line near the top of the file, or comment that directive out as well. The cipher list ALL:!ADH:!DES is the package default and still admits old ciphers such as RC4 and 3DES; a stricter TLSCipherSuite starting from HIGH, together with TLSProtocol TLSv1.2, is what you want on a server reachable from the internet.
Save the file and exit the editor. Since we configured ports 10000 to 11000 as the passive port range, add a firewall rule allowing them and reload the firewall. Run the following commands.
firewall-cmd --add-port=10000-11000/tcp --permanent
firewall-cmd --reload
You can check the open ports using the following command.
firewall-cmd --list-ports
You should see the following output.
10000-11000/tcp
Now create the server certificate and private key. If openssl is not installed, install it with the following command.
yum -y install openssl
Run the following command to create a self-signed certificate and its key. It uses a 2048-bit RSA key and a SHA-256 signature: a 1024-bit key, as many older guides generate, is too weak for current standards and clients, and -sha256 avoids a SHA-1 signature that modern clients reject.
openssl req -x509 -nodes -newkey rsa:2048 -sha256 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem -days 365
You will be asked for the information that goes into the certificate's subject (the prompts say "certificate request" because the same tool builds Certificate Signing Requests; with -x509 it writes a self-signed certificate directly). Enter your two-letter country code, for example IN for India, then the state or province, city and organization, and finally the Common Name, which should be the hostname clients will connect to, and your email address. Enter a period (.) to leave a field blank, or press Enter to accept the default. Example output is given below.
Generating a 2048 bit RSA private key
....++++++
.......................................++++++
writing new private key to '/etc/pki/tls/certs/proftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Rajasthan
Locality Name (eg, city) [Default City]:Biakner
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:vps.liptanbiswas.com
Email Address []:me@liptanbiswas.com
This writes both the private key and the certificate into /etc/pki/tls/certs/proftpd.pem, the file that TLSRSACertificateFile and TLSRSACertificateKeyFile in proftpd.conf both point to. Because that file now holds the private key, make sure it is owned by root and readable only by root (mode 0600); /etc/pki/tls/certs is otherwise a world-readable directory. Then restart ProFTPD using the following command.
systemctl restart proftpd.service
You can now check whether TLS is enforced by running the following command in the server's terminal.
ftp localhost
The connection itself succeeds, but logging in with the user we created above is refused:
Trying ::1...
Connected to localhost (::1).
220 FTP Server ready.
Name (localhost:root): ftpadmin
550 SSL/TLS required on the control channel
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
This happens because the command-line ftp client does not support TLS, and the server, with TLSRequired on, refuses logins that have not switched to TLS. That refusal is exactly what you want to see: the password was never sent in the clear.
Use a client that supports FTP over TLS, such as FileZilla. Open FileZilla and enter the IP address, username and password in the Quickconnect bar. You can leave the port blank, as we are using the default port 21.
Click the Quickconnect button. FileZilla negotiates explicit TLS (AUTH TLS) on the control connection and shows a warning with the certificate details.
Before you tick Always trust certificate in future sessions and click OK, compare the fingerprint shown with the fingerprint of /etc/pki/tls/certs/proftpd.pem computed on the server itself: a self-signed certificate cannot be verified any other way, and trusting an unverified one would equally trust a certificate presented by an attacker sitting between you and the server. Once accepted, you will be logged into your FTP account.
Enabling Anonymous FTP Access
If you enable anonymous FTP access, anyone can log in with the username anonymous (or ftp) and any password, conventionally an email address. This is useful for sharing public files. Anonymous users should only ever have read access, so that they can list and download files but not upload or change anything.
To enable anonymous access, open the configuration file again in your favorite editor.
nano /etc/proftpd.conf
Scroll to the end of the file and append the following section. It runs anonymous sessions as the ftp system account that CentOS creates by default (home directory /var/ftp, so that is where the public files go, owned by root and not writable by ftp) and denies every write operation inside the anonymous area.
<Anonymous ~ftp>
User ftp
Group ftp
AccessGrantMsg "Anonymous login ok, restrictions apply."
UserAlias anonymous ftp
DirFakeUser on ftp
DirFakeGroup on ftp
MaxClients 10 "Sorry, max %m users -- try again later"
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
Because TLSRequired on is set globally, anonymous sessions must also use TLS; FileZilla handles that automatically.
Save the file and exit from the editor. Now restart ProFTPD service again.
systemctl restart proftpd.service
Now open FileZilla again and this time enter only the IP address in the Quickconnect bar, leaving the username and password fields empty. Click the Quickconnect button and FileZilla will fill in the anonymous username for you.
If you did not tick Always trust certificate in future sessions in the previous session, you will be asked again to confirm the certificate; otherwise you are logged straight into the server.
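The script below is an added example, not code from the tutorial or from the ProFTPD project, and it serves two passages above: the TLS block in Securing ProFTPD (where the stock directives sit inside an <IfDefine TLS> wrapper that is inert unless proftpd is started with -DTLS) and the anonymous section (which must deny WRITE). It audits a proftpd.conf for exactly the settings this page touches, resolving <IfDefine> blocks the way the server does at start-up, so it makes the "dead directives" problem visible. The two sample configurations are constructed here for the demonstration and are not the stock file; the hardened TLSProtocol and TLSCipherSuite values are the editor's recommendation, not something the page sets.

```shell
#!/bin/sh
# Added example (not from the HostPresto tutorial or ProFTPD): audit the
# settings this page changes in /etc/proftpd.conf.  Sample configs are
# constructed below; the TLSProtocol/TLSCipherSuite values are a recommendation.

# conf_get FILE DIRECTIVE [DEFINE ...]
# Prints the value of the last active occurrence of DIRECTIVE (names are
# case-insensitive).  Lines inside <IfDefine X> count only if X is one of the
# DEFINEs given (what -DX does); <IfModule> and <Anonymous> are not filtered.
# Assumption: no negated <IfDefine !X> blocks (the stock file has none).
conf_get() (
  file=$1; want=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); shift 2
  awk -v want="$want" -v defs=" $* " '
    { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
    line == "" || line ~ /^#/ { next }
    line ~ /^<IfDefine[ \t]/ {
      name = line; sub(/^<IfDefine[ \t]+/, "", name); sub(/[ \t]*>.*$/, "", name)
      depth++
      if (!inactive && index(defs, " " name " ") == 0) inactive = depth
      next
    }
    line ~ /^<\/IfDefine>/ { if (inactive == depth) inactive = 0; depth--; next }
    inactive { next }
    { split(line, f, /[ \t]+/)
      if (tolower(f[1]) == want) { last = line; sub(/^[^ \t]+[ \t]*/, "", last) } }
    END { print last }' "$file"
)

# anon_write_denied FILE: 0 if every <Anonymous> section carries DenyAll inside
# a <Limit WRITE ...> block, 1 if one does not, 2 if there is no such section.
anon_write_denied() {
  awk '
    { line = $0; sub(/^[ \t]+/, "", line) }
    line ~ /^#/ { next }
    line ~ /^<Anonymous/ { anon++; denied = 0; next }
    line ~ /^<\/Anonymous>/ { if (!denied) bad++; next }
    line ~ /^<Limit[ \t]+WRITE/ { limit = 1; next }
    line ~ /^<\/Limit>/ { limit = 0; next }
    anon && limit && tolower(line) ~ /^denyall/ { denied = 1 }
    END { exit anon == 0 ? 2 : (bad ? 1 : 0) }' "$1"
}

# audit_proftpd_conf FILE [DEFINE ...]: one PASS/FAIL line per check,
# returns the number of failures.
audit_proftpd_conf() (
  file=$1; shift; fails=0
  check() {  # check LABEL VALUE EXPECTED_REGEX
    if printf '%s\n' "$2" | grep -Eq "$3"; then echo "PASS  $1: $2"
    else echo "FAIL  $1: got '$2'"; fails=$((fails + 1)); fi
  }
  check "TLS engine on"            "$(conf_get "$file" TLSEngine "$@")"      '^on$'
  check "TLS required (ctrl+data)" "$(conf_get "$file" TLSRequired "$@")"    '^on$'
  check "TLS 1.2 only"             "$(conf_get "$file" TLSProtocol "$@")"    '^TLSv1\.2$'
  check "cipher list from HIGH"    "$(conf_get "$file" TLSCipherSuite "$@")" '^HIGH'
  check "users chrooted"           "$(conf_get "$file" DefaultRoot "$@")"    '^~'
  check "fixed passive port range" "$(conf_get "$file" PassivePorts "$@")"   '^[0-9]+ [0-9]+$'
  if anon_write_denied "$file"; then echo "PASS  anonymous area is read-only"
  else echo "FAIL  anonymous area allows WRITE or is absent"; fails=$((fails + 1)); fi
  return $fails
)

WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
# as installed: TLS only under -DTLS, no passive range, anonymous not limited
DefaultRoot ~ !adm
<IfDefine TLS>
  TLSEngine on
  TLSRequired on
  TLSCipherSuite ALL:!ADH:!DES
</IfDefine>
<Anonymous ~ftp>
  User ftp
  Group ftp
</Anonymous>
EOF
cat >"$HARD" <<'EOF'
DefaultRoot ~ !adm
PassivePorts 10000 11000
TLSEngine on
TLSRequired on
TLSProtocol TLSv1.2
TLSCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES
<Anonymous ~ftp>
  User ftp
  Group ftp
  <Limit WRITE SITE_CHMOD>
    DenyAll
  </Limit>
</Anonymous>
EOF
for case in "$WEAK|" "$WEAK|TLS" "$HARD|"; do
  f=${case%|*}; d=${case#*|}
  echo "== $f defines='$d'"
  if audit_proftpd_conf "$f" $d; then echo "-> clean"; else echo "-> $? problem(s)"; fi
done
```

Run against the real file as audit_proftpd_conf /etc/proftpd.conf, adding TLS as a second argument if you chose the -DTLS route instead of commenting out the wrapper lines; the first sample shows why a freshly installed server reports no TLS at all even though TLSEngine on is plainly in the file.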