Secure ProFTPD Connections Using TLS/SSL Protocol on RHEL/CentOS 7

By design, FTP is an insecure protocol: all data, including the usernames and passwords exchanged during authentication, is transferred in plain text, so any third party on the path can intercept every client-server transaction.

Enable SSL on Proftpd in RHEL/CentOS

Requirements

  1. Installing ProFTPD Server on RHEL/CentOS 7
  2. Enable Anonymous Account for Proftpd Server in RHEL/CentOS 7

This tutorial will guide you on how to secure and encrypt FTP communication on a ProFTPD server in CentOS/RHEL 7 using TLS (Transport Layer Security) with the Explicit FTPS extension (think of FTPS as what HTTPS is for HTTP).

Step 1: Create Proftpd TLS Module Configuration File

1. As discussed in the previous ProFTPD tutorial on the Anonymous account, this guide uses the same approach of managing additional ProFTPD configuration as modules, with the help of the enabled_mod and disabled_mod directories, which host all of the server’s extended capabilities.

So, with your favourite text editor create a new file named tls.conf under ProFTPD’s disabled_mod directory and add the following directives.

# nano /etc/proftpd/disabled_mod/tls.conf

Add following TLS file configuration excerpt.

<IfModule mod_tls.c>
TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
# SSLv23 is a special value meaning "every version OpenSSL supports", SSLv3 included.
# Allow only TLS 1.2 (add TLSv1.3 once your ProFTPD/OpenSSL build supports it).
TLSProtocol                             TLSv1.2

TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key

# Only needed if you verify client certificates (TLSVerifyClient on)
#TLSCACertificateFile                   /etc/ssl/certs/CA.pem
TLSOptions                      NoCertRequest EnableDiags NoSessionReuseRequired
TLSVerifyClient                         off
# Refuse sessions that do not switch to TLS, so credentials never cross the wire in clear
TLSRequired                             on
TLSRenegotiate                          required on
</IfModule>

Create Proftpd TLS Configuration

2. If you use browsers or FTP clients that don’t support TLS connections, comment out the line TLSRequired on in order to allow TLS and non-TLS connections at the same time and avoid the error message shown in the screenshot below. Be aware that every session which then stays on plain FTP sends its username and password in clear text, so prefer fixing or replacing the client over relaxing the server.

Allow TLS Connections

Step 2: Create SSL Certificate Files for TLS

3. After you have created the TLS module configuration file that will enable FTP over TLS on ProFTPD, you need to generate an SSL certificate and key, with the help of the OpenSSL package, in order to use secure communication with the ProFTPD server.

# yum install openssl

You can generate the certificate and key with a single long openssl command, but to simplify things you can create a small bash script that generates the pair under the name you choose and sets the correct permissions on the key file.

Create a bash file named proftpd_gen_ssl in /usr/local/bin/ or in any other directory on the executable system path (defined by the $PATH variable).

# nano /usr/local/bin/proftpd_gen_ssl

Add the following content to it.

#!/bin/bash
# Generate a self-signed certificate and private key for ProFTPD (2048-bit RSA, SHA-256).
set -e
echo -e "\nPlease enter a name for your SSL Certificate and Key pairs:"
read -r name
[ -n "$name" ] || { echo "No name given, aborting." >&2; exit 1; }
umask 077   # the private key must never be world-readable, not even briefly
openssl req -x509 -newkey rsa:2048 -sha256 \
        -keyout "/etc/ssl/private/$name.key" -out "/etc/ssl/certs/$name.crt" \
        -nodes -days 365
chmod 0600 "/etc/ssl/private/$name.key"
chmod 0644 "/etc/ssl/certs/$name.crt"   # the certificate is public; umask made it 0600

Create Proftpd SSL Certificate

4. After you have created the above file, make it executable, make sure the /etc/ssl/private directory exists and run the script to create the SSL certificate and key pair.

# chmod +x /usr/local/bin/proftpd_gen_ssl
# mkdir -p /etc/ssl/private
# proftpd_gen_ssl

Create Proftpd SSL Certificate and Key

Supply the prompted certificate information, which is self-explanatory, but pay attention to the Common Name: it must match your host’s Fully Qualified Domain Name (FQDN), because clients that verify the certificate compare it against the host name they connected to. Remember also that this certificate is self-signed, so clients have to trust it explicitly, and that it expires after 365 days.

Step 3: Enable TLS on ProFTPD Server

5. As the TLS configuration file created earlier already points to the right SSL certificate and key files, the only thing remaining is to activate the TLS module by creating a symbolic link of the tls.conf file in the enabled_mod directory and restarting the ProFTPD daemon to apply the changes (you can check the configuration first with proftpd’s -t option, so a typo does not take the server down).

# ln -s /etc/proftpd/disabled_mod/tls.conf  /etc/proftpd/enabled_mod/
# systemctl restart proftpd

Enable TLS on Proftpd

6. To disable TLS module just remove tls.conf symlink from enabled_mod directory and restart ProFTPD server to apply changes.

# rm /etc/proftpd/enabled_mod/tls.conf
# systemctl restart proftpd

Step 4: Open Firewall to allow FTP over TLS Communication

7. In Passive Mode the client opens the data connection to a port the server picks from the unprivileged range and announces in its PASV reply. Because that reply is now inside TLS, the firewall’s FTP connection-tracking helper can no longer read it and open the port on demand, so the data ports must be allowed explicitly. The quick way, used here, is to open the whole 1024-65534 range on the RHEL/CentOS firewall with the following commands; a tighter alternative is to confine the server to a smaller range with ProFTPD’s PassivePorts directive and open only that range.

# firewall-cmd --add-port=1024-65534/tcp  
# firewall-cmd --add-port=1024-65534/tcp --permanent
# firewall-cmd --list-ports
# firewall-cmd --list-services
# firewall-cmd --reload

Allow Proftpd Secure Connections
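A tighter firewall setup, added here as an example and not part of the original tutorial: confine ProFTPD’s passive data ports with the PassivePorts directive and open only that range. The port numbers and the host name below are assumptions; choose a range large enough for the number of simultaneous transfers you expect, since each transfer holds one port for its duration.

```apacheconf
# Added example (not from the original page). Put this in /etc/proftpd.conf
# or in its own file under enabled_mod. Numbers and host name are assumptions.

# Passive data connections use only these ports, so only these need opening.
PassivePorts 49152 49200

# Only if the server sits behind NAT: the public name/address to announce in
# PASV replies, because clients outside cannot reach the private address.
#MasqueradeAddress ftp.example.com
```

With this in place, open just that range (firewall-cmd --permanent --add-port=49152-49200/tcp, then firewall-cmd --reload) instead of 1024-65534, test the configuration with proftpd -t and restart the proftpd service. Port 21 must of course stay open as well; with TLS the control channel still starts there.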

That’s it. Your system is now ready to accept FTP communication over TLS from clients.

Step 5: Access ProFTPD over TLS from Clients

8. Web browsers usually have no built-in support for FTP over TLS, so they would fall back to unencrypted FTP, which the server configured above refuses because of TLSRequired on. One of the best FTP clients is FileZilla, which is entirely open source and runs on almost all major operating systems.

To access FTP over TLS from FileZilla open Site Manager, choose FTP as Protocol and Require explicit FTP over TLS in the Encryption drop-down menu, set your Logon Type to Normal, enter your FTP credentials and hit Connect to communicate with the server.

Access ProFTPD over TLS

9. If it’s the first time you connect to the ProFTPD server, a pop-up with the new certificate should appear. Before accepting it, compare the fingerprint FileZilla shows with the fingerprint of /etc/ssl/certs/proftpd.crt on the server, since a self-signed certificate cannot be validated any other way; then check the box that says Always trust certificate for future sessions and hit OK to accept the certificate and authenticate to the ProFTPD server.

Accept ProFTPD Certificate

Proftpd Secure Directory Listing

If you are planning to use clients other than FileZilla to securely access FTP resources, make sure they support FTP over TLS. Some good examples of FTP clients that can speak FTPS are WinSCP for Windows platforms and gFTP or LFTP (command line) for Unix-like systems.
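The following script is an added example, not code from the original tutorial or from the ProFTPD project. It automates the two client-side checks this guide relies on: that the server really refuses a clear-text USER before AUTH TLS (the TLSRequired on setting from point 2) and that an explicit FTPS login with an encrypted data channel works, which is the same AUTH TLS / PBSZ 0 / PROT P exchange FileZilla performs in Step 5. It assumes a ProFTPD host reachable on port 21, an account on it and, optionally, a copy of the self-signed proftpd.crt from Step 2 to pin as the trust anchor. The small fake control-channel server at the bottom is a constructed stand-in used only to exercise the clear-text check offline; the reply texts it sends are taken from ProFTPD’s behaviour but are constructed here.

```python
"""Client-side checks for an explicit FTPS (AUTH TLS) ProFTPD server.

Added example for this tutorial, not code from the page or the ProFTPD
project. Assumes a ProFTPD host on port 21 and, optionally, a copy of the
server's self-signed proftpd.crt (Step 2) to pin as the trust anchor.
"""
import ftplib
import socket
import ssl
import threading


def build_client_context(cafile=None):
    """TLS policy for the client: TLS 1.2 or newer, server verified, host name checked.

    cafile=None uses the system CA store; passing the server's own proftpd.crt
    trusts exactly that certificate, which is what FileZilla's "Always trust
    certificate" does. The host name is matched against the certificate, so
    the Common Name must be the server's FQDN (Step 2).
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_policy(ctx):
    """Summarise the settings that matter, for a quick self-check."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def plaintext_login_rejected(host, port=21, user="anonymous", timeout=10):
    """True if the server refuses a USER sent before AUTH TLS (TLSRequired on).

    A 5xx reply (ProFTPD answers "550 SSL/TLS required on the control channel")
    means clear-text authentication is blocked. A 331 or 230 means the user
    name was accepted in clear and the password would follow in clear.
    """
    ftp = ftplib.FTP(timeout=timeout)
    try:
        ftp.connect(host, port)          # reads the 220 banner
        try:
            ftp.sendcmd("USER " + user)  # deliberately still in clear text
        except ftplib.error_perm:        # 5xx: refused, as it should be
            return True
        return False                     # 2xx/3xx: clear-text login accepted
    finally:
        ftp.close()


def secure_listing(host, user, password, cafile=None, port=21, timeout=10):
    """Log in over explicit FTPS with an encrypted data channel and list the cwd.

    ftplib sends AUTH TLS, logs in inside TLS, then PBSZ 0 and PROT P so the
    directory listing (a separate passive data connection) is encrypted too.
    Python 3.6+ resumes the control connection's TLS session on the data
    connection, which satisfies ProFTPD's default session-reuse check; the
    NoSessionReuseRequired option in tls.conf relaxes it for clients that can't.
    """
    ftps = ftplib.FTP_TLS(context=build_client_context(cafile), timeout=timeout)
    try:
        ftps.connect(host, port)
        ftps.auth()                      # AUTH TLS: upgrade the control channel
        ftps.login(user, password)       # credentials now travel inside TLS
        ftps.prot_p()                    # PBSZ 0 + PROT P: protect the data channel
        names = ftps.nlst()
        ftps.quit()
        return names
    finally:
        ftps.close()


def _fake_ftp_control(user_reply):
    """Constructed stand-in for a control channel (testing aid, not ProFTPD).

    Sends a 220 banner, answers the first USER line with `user_reply`, then
    hangs up. Returns the port it listens on at 127.0.0.1.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as reader:
            conn.sendall(b"220 ProFTPD Server ready.\r\n")
            reader.readline()            # the client's USER line
            conn.sendall(user_reply.encode("ascii") + b"\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 4:
        sys.exit("usage: ftps_check.py HOST USER PASSWORD [CAFILE]")
    host, user, password = sys.argv[1:4]
    cafile = sys.argv[4] if len(sys.argv) > 4 else None
    print("clear-text USER refused:", plaintext_login_rejected(host))
    print("listing over TLS:", secure_listing(host, user, password, cafile))
```

Run it against the server with the user you created and the path to a copy of proftpd.crt as the fourth argument; a failed host-name check or an untrusted certificate raises an ssl error rather than silently continuing, which is exactly the behaviour you want from a client that is supposed to protect credentials.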


Matei Cezar

I'm a computer-addicted guy, a fan of open source and Linux-based system software, with about 4 years of experience with Linux distributions on desktops and servers, and with bash scripting.



3 Responses

  1. helwie ahmad says:

    Why, after installing proftpd, did I not find the folders enable_mod and disable_mod, and why does the link for the tutorial titled enabling anonymous redirect to the install proftpd link? Does it still work? Thanks

  2. Ali says:

    Used these guidelines but I am unable to connect from outside my home modem. LAN connection is fine. Any idea what port needs to be forwarded? iptables is disabled and SELinux as well. Please advise.

  3. Carlos says:

    It works like a charm :)
