AlmaLinux 9
Sponsored Link

FTP Server : ProFTPD over SSL/TLS2023/03/07

 
Enable SSL/TLS for ProFTPD to use secure FTP connections.
[1] Create self-signed certificates.
However, if you use valid certificates like from Let's Encrypt or others, you don't need to create this one.
[root@www ~]#
cd /etc/pki/tls/certs

[root@www certs]#
openssl req -x509 -nodes -newkey rsa:2048 -keyout proftpd.pem -out proftpd.pem -days 3650

Generating a RSA private key
.....+++++
................+++++
writing new private key to 'proftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP                                    # country code
State or Province Name (full name) []:Hiroshima                         # State
Locality Name (eg, city) [Default City]:Hiroshima                       # city
Organization Name (eg, company) [Default Company Ltd]:GTS               # company
Organizational Unit Name (eg, section) []:Server World                  # department
Common Name (eg, your name or your server's hostname) []:www.srv.world  # server's FQDN
Email Address []:root@srv.world                                         # admin's email

[root@www certs]#
chmod 600 proftpd.pem

[2] Configure ProFTPD. Configure basic settings before it, refer to here.
[root@www ~]#
vi /etc/sysconfig/proftpd
# add TLS option

PROFTPD_OPTIONS="
-DTLS
"
[root@www ~]#
vi /etc/proftpd/mod_tls.conf
<IfModule mod_tls.c>
  TLSEngine                     on
  # change if require TLS
  TLSRequired                   on
  # comment out
  #TLSCertificateChainFile       /etc/pki/tls/certs/proftpd-chain.pem
  # change to your certificate
  TLSRSACertificateFile         /etc/pki/tls/certs/proftpd.pem
  TLSRSACertificateKeyFile      /etc/pki/tls/certs/proftpd.pem
  TLSCipherSuite                PROFILE=SYSTEM
  # Relax the requirement that the SSL session be re-used for data transfers
  TLSOptions                    NoSessionReuseRequired
  TLSLog                        /var/log/proftpd/tls.log
  <IfModule mod_tls_shmcache.c>
    TLSSessionCache             shm:/file=/run/proftpd/sesscache
  </IfModule>
</IfModule>

[root@www ~]#
systemctl restart proftpd

[3] If Firewalld is running, set fixed passive ports and allow them.
[root@www ~]#
vi /etc/proftpd.conf
# add to the end
# fix passive ports with any range you like

PassivePorts                     60000 60100

[root@www ~]#
systemctl restart proftpd
# allow fixed passive ports

[root@www ~]#
firewall-cmd --add-port=60000-60100/tcp

success
[root@www ~]#
firewall-cmd --runtime-to-permanent

success
FTP Client : AlmaLinux
 
Configure FTP Client to use FTPS connection on AlmaLinux.
[4] Install FTP Client first, and next, configure like follows.
[redhat@dlp ~]$
vi ~/.lftprc
# create new

set ftp:ssl-auth TLS
set ftp:ssl-force true
set ftp:ssl-protect-list yes
set ftp:ssl-protect-data yes
set ftp:ssl-protect-fxp yes
set ssl:verify-certificate no
[redhat@dlp ~]$
lftp -u alma www.srv.world

Password:
lftp alma@www.srv.world:~>
FTP Client : Windows
[5] For example of FileZilla on Windows, Open [File] - [Site Manager].
[6] Click the [New site] button and input connection infomation like follows, for encryption field, select [Use explicit FTP over TLS].
[7] If you set self-signed certificate, following warning is shown, it's no ploblem. Go next.
[8] If settings are OK, it's possible to connect to FTP server with FTPS like follows.
Matched Content