FTP Server : ProFTPD over SSL/TLS2021/08/06 |
Enable SSL/TLS for ProFTPD to use secure FTP connections.
|
|
[1] | Create self-signed certificates. However if you use valid certificates like from Let's Encrypt or others, you don't need to create this one. |
[root@www ~]# cd /etc/pki/tls/certs [root@www certs]# openssl req -x509 -nodes -newkey rsa:2048 -keyout proftpd.pem -out proftpd.pem -days 3650 Generating a RSA private key .....+++++ ................+++++ writing new private key to 'proftpd.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:JP # country code State or Province Name (full name) []:Hiroshima # State Locality Name (eg, city) [Default City]:Hiroshima # city Organization Name (eg, company) [Default Company Ltd]:GTS # company Organizational Unit Name (eg, section) []:Server World # department Common Name (eg, your name or your server's hostname) []:www.srv.world # server's FQDN Email Address []:root@srv.world # admin's email[root@www certs]# chmod 600 proftpd.pem |
[2] | Configure ProFTPD. Configure basic settings before it, refer to here. |
[root@www ~]#
vi /etc/sysconfig/proftpd # add TLS option PROFTPD_OPTIONS=" -DTLS "
[root@www ~]#
vi /etc/proftpd/mod_tls.conf <IfModule mod_tls.c> TLSEngine on # change if require TLS TLSRequired on # comment out #TLSCertificateChainFile /etc/pki/tls/certs/proftpd-chain.pem # change to your certificate TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem TLSCipherSuite PROFILE=SYSTEM # Relax the requirement that the SSL session be re-used for data transfers TLSOptions NoSessionReuseRequired TLSLog /var/log/proftpd/tls.log <IfModule mod_tls_shmcache.c> TLSSessionCache shm:/file=/run/proftpd/sesscache </IfModule> </IfModule>[root@www ~]# systemctl restart proftpd |
[3] | If Firewalld is running, allow passive ports. |
[root@www ~]#
vi /etc/proftpd.conf # add to the end # fix passive ports with any range you like PassivePorts 60000 60100
[root@www ~]#
systemctl restart proftpd
# allow fixed passive ports [root@www ~]# firewall-cmd --add-port=60000-60100/tcp success [root@www ~]# firewall-cmd --runtime-to-permanent success |
FTP Client : Rocky Linux
|
Configure FTP Client to use FTPS connection on Rocky Linux.
|
|
[4] | Install FTP Client first, and then, configure like follows. |
[redhat@dlp ~]$
vi ~/.lftprc
# create new set ftp:ssl-auth TLS set ftp:ssl-force true set ftp:ssl-protect-list yes set ftp:ssl-protect-data yes set ftp:ssl-protect-fxp yes set ssl:verify-certificate no lftp -u rocky www.srv.world Password: lftp rocky@www.srv.world:~> |
FTP Client : Windows
|
[5] | For example of FileZilla on Windows, Open [File] - [Site Manager]. |
[6] | Click the [New site] button and input connection infomation like follows, for encryption field, select [explicit FTP over TLS]. |
[7] | User's Password is required. Input it. |
[8] | If you set self-signed certificate, following warning is shown, it's no ploblem. Go next. |
[9] | If settings are OK, it's possible to connect to FTP server with FTPS like follows. |
Sponsored Link |