Configure ProFTP with SSL/TLS

ProFTP is a widely used FTP server on Linux servers. It is used with several industry-level control panels such as cPanel and Plesk. In this tutorial I will show you how to configure ProFTP with SSL/TLS and other security aspects.

My test server

 Server : CentOS 7
 ProFTP : 1.3.5

Step 1 : Install additional repository

The CentOS base repository does not contain ProFTP. Enable the EPEL repository to download and install ProFTP.

 # yum install epel-release
 # yum install proftpd

Step 2 : Prepare Certificate

The proftpd package does not create an additional proftpd configuration directory, so create it:

 # mkdir /etc/proftpd.d/

Generate the key and certificate that will be used for SFTP or FTP over SSL/TLS connections:

 # openssl req -new -x509 -days 3650 -nodes -out /etc/proftpd.d/proftpd.cert.pem -keyout /etc/proftpd.d/proftpd.key.pem
 Generating a 2048 bit RSA private key
 ......+++
 .........................+++
 writing new private key to '/etc/proftpd.d/proftpd.key.pem'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [XX]:IN
 State or Province Name (full name) []:WB
 Locality Name (eg, city) [Default City]:Kolkata
 Organization Name (eg, company) [Default Company Ltd]:Omegalab
 Organizational Unit Name (eg, section) []:IT
 Common Name (eg, your name or your server's hostname) []:pydl.unixhops.com
 Email Address []:xyz@unixhops.com

Step 3 : Prepare configuration

Add the following configuration to /etc/proftpd.conf

 ServerName "ProFTP"
 ServerType standalone
 DefaultServer on
 <Global>
 DefaultRoot ~
 AllowOverwrite on
  <IfModule mod_tls.c>
    TLSEngine on
    TLSRequired off
    TLSLog /var/log/plesk/ftp_tls.log
    TLSRSACertificateFile /etc/proftpd.d/proftpd.cert.pem
    TLSRSACertificateKeyFile /etc/proftpd.d/proftpd.key.pem
    TLSVerifyClient off
    TLSRenegotiate none
    TLSOptions NoSessionReuseRequired
  </IfModule>
 </Global>
 DefaultTransferMode binary
 UseFtpUsers on
 TimesGMT off
 SetEnv TZ :/etc/localtime
 Port 21
 Umask 022
 MaxInstances 30
 ScoreboardFile /var/run/proftpd.scoreboard
 TransferLog /var/log/proftpd/xferlog
 AuthPAM on
 AuthPAMConfig proftpd
 IdentLookups off
 UseReverseDNS off
 AuthGroupFile /etc/group
 RequireValidShell off
 Include /etc/proftpd.d/*.conf
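
An added example (not part of the original tutorial): a small Python check that parses the mod_tls block from the configuration above and reports settings that weaken FTPS, such as TLSRequired off, which still allows logins over plain FTP. The function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: TLS directives from the tutorial's mod_tls block (TLSLog omitted).
SAMPLE_CONF = """\
<IfModule mod_tls.c>
  TLSEngine on
  TLSRequired off
  TLSRSACertificateFile /etc/proftpd.d/proftpd.cert.pem
  TLSRSACertificateKeyFile /etc/proftpd.d/proftpd.key.pem
  TLSVerifyClient off
  TLSRenegotiate none
  TLSOptions NoSessionReuseRequired
</IfModule>
"""

def tls_directives(conf_text):
    """Return {directive: [args]} for TLS* lines inside <IfModule mod_tls.c>."""
    found, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if re.match(r"<IfModule\s+mod_tls\.c>", line, re.I):
            inside = True
        elif re.match(r"</IfModule>", line, re.I):
            inside = False
        elif inside and line.lower().startswith("tls"):
            name, *args = line.split()
            found[name.lower()] = args
    return found

def audit_tls(conf_text):
    """Return a list of (directive, finding) for settings that weaken FTPS."""
    d, findings = tls_directives(conf_text), []
    if d.get("tlsengine", ["off"])[0].lower() != "on":
        findings.append(("TLSEngine", "TLS is not enabled"))
    required = d.get("tlsrequired", ["off"])[0].lower()
    if required != "on":
        findings.append(("TLSRequired", f"'{required}' does not force TLS on "
                         "both the control and data channels"))
    if "nosessionreuserequired" in [o.lower() for o in d.get("tlsoptions", [])]:
        findings.append(("TLSOptions", "data connections are not required to "
                         "reuse the control connection's TLS session"))
    if "tlsprotocol" not in d:
        findings.append(("TLSProtocol", "not set; protocol versions are left "
                         "to the build default"))
    return findings

if __name__ == "__main__":
    for name, msg in audit_tls(SAMPLE_CONF):
        print(f"{name}: {msg}")
```

Directives placed outside the `<IfModule mod_tls.c>` block are ignored by this check, so run it against the file that actually holds the TLS section.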

Step 4 : Create user with no shell

It is always recommended to use a user with no shell. Create a no-shell user for FTP authentication:

 # useradd --shell /bin/false testnoshell
 # passwd testnoshell

Step 5 : Access FTP

Now try to access the FTP server with the created user.

[Screenshot: ProFTP SSL connection in FileZilla]

Note: If your server is behind NAT, add the following line to /etc/proftpd.conf

 PassivePorts 49152 65534

And open the port range 49152-65534 on the firewall/router.

Well, that’s all.

If you like this tutorial, comment your valuable feedback.
