https://hostpresto.com/community/tutorials/how-to-install-and-secure-proftpd-server-on-centos-7/



How to Install and Secure ProFTPD Server on CentOS 7

12th July 2016


ProFTPD is a very popular and secure open source FTP server. The File Transfer Protocol (FTP) is the most common way of uploading files to a server. ProFTPD offers many features that other FTP servers lack, is highly configurable, and keeps its configuration in a single main file. An FTP service lets you quickly upload and download content to and from your web servers and manage the files and folders on the server. Plain FTP transmissions are not secure: the traffic is not encrypted, so everything sent or received, credentials included, travels in clear text. ProFTPD lets you protect the connection with SSL/TLS. ProFTPD is used by many well-known sites such as SourceForge, Samba and Harvard.

In this tutorial we will learn to install ProFTPD on CentOS 7.x, to secure its traffic with SSL/TLS, and to enable anonymous access to the server.

The only requirement for installing ProFTPD is a VPS or dedicated server running CentOS 7.x, plus root access to it. In this tutorial we run every command as root; if you are not logged in as root, prefix the commands with sudo, or switch to the root account with su.

Installation

The ProFTPD package is not included in the default YUM repositories of CentOS, so you will need to add the EPEL (Extra Packages for Enterprise Linux) repository to your server. Execute the following command to do so.

rpm -iUvh https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-7.noarch.rpm

Now that the EPEL repository is added to your server, execute the following command to update the existing packages.

yum -y update

Now install ProFTPD using the following command.

yum -y install proftpd proftpd-utils

Once installed you can start ProFTPD immediately using the following command.

systemctl start proftpd.service

To automatically start the service at boot time, run the following command.

systemctl enable proftpd.service

Now you will have to add an entry to your firewall rules so that the firewall allows FTP connections from remote hosts. Run the following command to do so.

firewall-cmd --add-service=ftp --permanent

Now reload the firewall so that the new rule takes effect, using the following command.

firewall-cmd --reload

To transfer files over FTP we will have to create a new user, as root login is disabled by default in ProFTPD. To create a new user run the following command.

useradd ftpadmin -s /sbin/nologin -d /ftp

This will create a user ftpadmin who will not be able to log in over SSH, as we have supplied the -s /sbin/nologin argument. The home directory of ftpadmin will be /ftp. Now set a password for the new user using the following command.

passwd ftpadmin

Next, change the permissions of the /ftp directory so that every user can add, modify or delete its contents, using the following command. Note that mode 777 makes the directory writable by every local account on the system, not only by FTP users; if only ftpadmin needs write access, making ftpadmin the owner of the directory and using a tighter mode is the safer choice.

chmod 777 /ftp

Now you can check that your FTP server is running by pointing a browser at the following URL.

ftp://Your-Server-IP

For example, if the IP address of your server is 192.168.0.100, browse to ftp://192.168.0.100

You will see a prompt for a username and password, which shows that the FTP server has been deployed successfully. Log in using your newly created user account.

As there are no files in our /ftp directory yet, nothing is listed. You can also check from the terminal of your server. Enter the following command.

ftp localhost

You will be asked for a username; log in with the user you just created and you will be logged in successfully. You will see something similar to this.

    [root@vps ~]# ftp localhost
    Trying ::1...
    Connected to localhost (::1).
    220 FTP Server ready.
    Name (localhost:root): ftpadmin
    331 Password required for ftpadmin
    Password:
    230 User ftpadmin logged in
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp>

Once you are in the ftp session, you can run the help command to list the commands you can use. To leave ftp, enter the exit command.

Securing ProFTPD

As noted above, plain FTP is an insecure protocol: everything we send or receive, including usernames and passwords, travels in clear text, so anyone able to intercept the traffic can read the credentials used for authentication. Hence it is recommended to secure our FTP server with SSL/TLS. Once the server requires SSL/TLS, every session is encrypted with keys negotiated during the TLS handshake using the server's certificate; intercepted traffic is of no use to an eavesdropper, who would need the server's private key, and that key is stored only on the server.

Edit the main configuration file of ProFTPD with your favorite text editor. In this tutorial we use nano; if it is not installed, run the yum install nano command to install it.

nano /etc/proftpd.conf

Scroll down to find these lines.

    # Cause every FTP user except adm to be chrooted into their home directory
    DefaultRoot                     ~ !adm

Append the following line just below that directive. It restricts passive-mode data connections to the port range 10000 to 11000, which we will open in the firewall later.

    PassivePorts 10000 11000

Your configuration should now look like this.

    # Cause every FTP user except adm to be chrooted into their home directory
    DefaultRoot                     ~ !adm
    PassivePorts 10000 11000

Now scroll down further to find these lines.

    # TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
    <IfDefine TLS>
      TLSEngine                 on
      TLSRequired               on
      TLSRSACertificateFile     /etc/pki/tls/certs/proftpd.pem
      TLSRSACertificateKeyFile  /etc/pki/tls/certs/proftpd.pem
      TLSCipherSuite            ALL:!ADH:!DES
      TLSOptions                NoCertRequest
      TLSVerifyClient           off
      TLSRenegotiate            ctrl 3600 data 512000 required off timeout 300
      TLSLog                    /var/log/proftpd/tls.log
      <IfModule mod_tls_shmcache.c>
        TLSSessionCache         shm:/file=/var/run/proftpd/sesscache
      </IfModule>
    </IfDefine>

The TLS directives are wrapped in an <IfDefine TLS> block, so they only take effect when proftpd is started with -DTLS. Comment out the <IfDefine TLS> and </IfDefine> lines by putting a # at the start of each, so that TLS is always enabled and the configuration looks like this.

    # TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
    #<IfDefine TLS>
      TLSEngine                 on
      TLSRequired               on
      TLSRSACertificateFile     /etc/pki/tls/certs/proftpd.pem
      TLSRSACertificateKeyFile  /etc/pki/tls/certs/proftpd.pem
      TLSCipherSuite            ALL:!ADH:!DES
      TLSOptions                NoCertRequest
      TLSVerifyClient           off
      TLSRenegotiate            ctrl 3600 data 512000 required off timeout 300
      TLSLog                    /var/log/proftpd/tls.log
      <IfModule mod_tls_shmcache.c>
        TLSSessionCache         shm:/file=/var/run/proftpd/sesscache
      </IfModule>
    #</IfDefine>

Save the file and exit the editor. Since we have added the range 10000 to 11000 as passive ports for FTP data connections, we have to add a firewall rule that allows these ports. Run the following commands to do so.

firewall-cmd --add-port=10000-11000/tcp --permanent
firewall-cmd --reload

You can check the open ports using the following command.

firewall-cmd --list-ports

You should see the following output.

10000-11000/tcp
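As an added example (not part of the original tutorial, and not ProFTPD's own tooling), the following POSIX shell script checks a proftpd.conf for the two changes made above: it extracts the PassivePorts range in the form firewall-cmd expects, and it verifies that TLSEngine and TLSRequired are on outside any still-active <IfDefine TLS> wrapper, which is the mistake that leaves plaintext logins accepted. The two sample configurations it writes are constructed here; the script name check_proftpd.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the tutorial: lint the PassivePorts / TLS changes
# in a proftpd.conf. Usage: sh check_proftpd.sh /etc/proftpd.conf

# Print the PassivePorts range as "LOW-HIGH" (the form firewall-cmd takes),
# or nothing if the directive is absent.
passive_port_range() {
    awk '$1 == "PassivePorts" { print $2 "-" $3; exit }' "$1"
}

# Exit 0 when TLS is unconditionally required: both "TLSEngine on" and
# "TLSRequired on" must appear outside an active <IfDefine TLS> block, since
# directives inside that block only apply when proftpd is started with -DTLS.
# Commented lines (the ones you prefixed with #) are ignored.
tls_required() {
    awk '
        /^[[:space:]]*#/                              { next }
        /^[[:space:]]*<IfDefine[[:space:]]+TLS>/      { wrapped = 1; next }
        /^[[:space:]]*<\/IfDefine>/                   { wrapped = 0; next }
        $1 == "TLSEngine"   && $2 == "on" && !wrapped { engine = 1 }
        $1 == "TLSRequired" && $2 == "on" && !wrapped { required = 1 }
        END { exit !(engine && required) }
    ' "$1"
}

# Constructed sample: the stock block before the edits (TLS still wrapped,
# no PassivePorts directive).
write_before() {
    cat > "$1" <<'EOF'
DefaultRoot                     ~ !adm
<IfDefine TLS>
  TLSEngine                 on
  TLSRequired               on
</IfDefine>
EOF
}

# Constructed sample: the same block after the edits in this tutorial.
write_after() {
    cat > "$1" <<'EOF'
DefaultRoot                     ~ !adm
PassivePorts 10000 11000
#<IfDefine TLS>
  TLSEngine                 on
  TLSRequired               on
#</IfDefine>
EOF
}

# Report on one configuration file; returns 1 if either check fails.
check_conf() {
    status=0
    range=$(passive_port_range "$1")
    if [ -n "$range" ]; then
        echo "passive ports $range: open them with firewall-cmd --add-port=$range/tcp --permanent"
    else
        echo "no PassivePorts directive: passive data connections will use random ports"
        status=1
    fi
    if tls_required "$1"; then
        echo "TLS is required on the control channel"
    else
        echo "WARNING: TLS not enforced, plaintext logins are still accepted"
        status=1
    fi
    return $status
}

[ $# -eq 1 ] && check_conf "$1"
```

Run it against the real file after saving your edits; a non-zero exit means one of the two changes did not take, which is worth knowing before you restart the service.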

Now we will have to create an SSL certificate. If openssl is not installed, install it using the following command.

yum -y install openssl

Now run the following command to create the certificate and key, both written to a single file.

openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem -days 365

You will now be prompted for the information that goes into the certificate's Distinguished Name (openssl calls this a certificate signing request, or CSR, but because of the -x509 option the result is a self-signed certificate). You will be asked for your two-letter country code, for example IN for India, then the state or province, the city and the organization, and finally the common name of your server (its hostname) and your email address. To leave a field blank, enter a full stop or period ( . ); to accept the default value, just press Enter. Example output is given below.

    Generating a 1024 bit RSA private key
    ....++++++
    .......................................++++++
    writing new private key to '/etc/pki/tls/certs/proftpd.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:IN
    State or Province Name (full name) []:Rajasthan
    Locality Name (eg, city) [Default City]:Biakner
    Organization Name (eg, company) [Default Company Ltd]:My Company
    Organizational Unit Name (eg, section) []:.
    Common Name (eg, your name or your server's hostname) []:vps.liptanbiswas.com
    Email Address []:me@liptanbiswas.com

This generates the key and certificate and saves them in the /etc/pki/tls/certs/ directory. Now restart ProFTPD using the following command.

systemctl restart proftpd.service
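The following is an added example (not part of the original tutorial) showing how to create the certificate non-interactively and check it before restarting ProFTPD. It departs from the command above in one respect: it generates a 2048-bit key, because 1024-bit RSA is below current minimum key sizes and is refused by many TLS clients. The hostname ftp.example.test, the script name and the output path are assumptions; the file layout (key followed by certificate in one PEM file) is what the TLSRSACertificateFile and TLSRSACertificateKeyFile directives above point at.

```shell
#!/bin/sh
# Added example, not from the tutorial: generate and verify the ProFTPD
# certificate. Usage:
#   sh make_proftpd_cert.sh /etc/pki/tls/certs/proftpd.pem ftp.example.test

# make_cert OUT HOST [DAYS]: write a 2048-bit key and a self-signed
# certificate for HOST into OUT (key first, then certificate, one PEM file).
# The umask is set in a subshell so the key file is created mode 600 without
# changing the caller's umask.
make_cert() {
    out=$1; host=$2; days=${3:-365}
    ( umask 077 && openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
          -subj "/CN=$host" -keyout "$out" -out "$out" 2>/dev/null )
}

# cert_key_bits FILE: print the RSA key size of the private key in FILE.
cert_key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        grep -oE '[0-9]+ bit' | head -n1 | cut -d' ' -f1
}

# cert_cn FILE: print the subject common name of the certificate in FILE.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# cert_valid_for FILE SECONDS: succeed if the certificate is still valid
# SECONDS from now (openssl's -checkend).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# file_mode FILE: octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_cert FILE: the checks worth running before restarting proftpd:
# key size, remaining validity (30 days here) and that the file holding the
# private key is readable by its owner only.
check_cert() {
    bits=$(cert_key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] || { echo "key too small: ${bits:-unknown} bits"; return 1; }
    cert_valid_for "$1" $((30 * 24 * 3600)) || { echo "certificate expires within 30 days"; return 1; }
    mode=$(file_mode "$1")
    [ "$mode" = "600" ] || { echo "$1 is mode $mode, expected 600"; return 1; }
    echo "ok: CN=$(cert_cn "$1"), ${bits}-bit key, mode $mode"
}

if [ $# -ge 2 ]; then
    make_cert "$1" "$2" "${3:-365}" && check_cert "$1"
fi
```

The mode check matters because the same file holds the private key; if it is group- or world-readable, any local account can read the key that protects every FTP session.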

You can now check that SSL/TLS is enforced on your FTP server by running the following command in the terminal.

ftp localhost

The connection is accepted, but when you try to log in with the user we created above you will see the following output.

    Trying ::1...
    Connected to localhost (::1).
    220 FTP Server ready.
    Name (localhost:root): ftpadmin
    550 SSL/TLS required on the control channel
    Login failed.
    Remote system type is UNIX.
    Using binary mode to transfer files.

This happens because the command-line ftp client does not support FTP over SSL/TLS, and with TLSRequired on the server refuses any login that does not use it. That refusal is the behaviour we want: credentials can no longer be sent in clear text.

You can use the FileZilla FTP client to access your server now, as it supports FTP over TLS. Open FileZilla and enter the IP address, username and password in the Quickconnect bar. You can leave the port field blank as we are using the default port 21.

Now click the Quickconnect button. FileZilla will connect to the FTP server and show a warning with the certificate details, because the certificate is self-signed rather than issued by a certificate authority FileZilla trusts.

Tick the Always trust certificate in future sessions checkbox and click OK. You will be logged into your FTP account.

Enabling Anonymous FTP Access

If you enable anonymous FTP access, anyone can connect to your server without providing a username or password. This is useful when you are sharing public files through your server. Anonymous users normally have read-only access, so they can log in and download files but cannot change anything.

To enable anonymous access, again open the configuration file through your favorite editor.

nano /etc/proftpd.conf

Now scroll down to the end of the file and append these lines. They define the anonymous login inside an <Anonymous> block for the ftp system user; the <Limit WRITE> block with DenyAll is what keeps anonymous users read-only.

    <Anonymous ~ftp>
      User              ftp
      Group             ftp
      AccessGrantMsg    "Anonymous login ok, restrictions apply."
      UserAlias         anonymous ftp
      DirFakeUser       on ftp
      DirFakeGroup      on ftp
      MaxClients        10 "Sorry, max %m users -- try again later"
      <Limit WRITE>
        DenyAll
      </Limit>
    </Anonymous>

Save the file and exit from the editor. Now restart ProFTPD service again.

systemctl restart proftpd.service

Now open FileZilla again and this time enter only your IP address in the Quickconnect bar, leaving the username and password fields empty. Click the Quickconnect button and FileZilla will fill in the anonymous username for you.

If you did not tick the Always trust certificate in future sessions checkbox in the previous session, you will be asked again to confirm the certificate; otherwise you will be logged into the server directly.