Secure Proftpd FTP Server FreeBSD


In this howto I explain how to set up ProFTPD on FreeBSD as an FTPS server, that is FTP with explicit TLS (the client issues AUTH TLS before logging in), so that passwords and transfers are encrypted instead of travelling in cleartext.

Let's break down what we will have at the end of this howto.

  • FTP users are chrooted into their home directory, so they cannot see anything outside it.
  • The FTP accounts get no login shell, so they cannot use other services such as telnet or SSH.
  • Virtual host support.
  • Anonymous support (download only).

Let's install proftpd from /usr/ports/ftp/proftpd. Note: in the port's options menu you must select OPENSSL, otherwise mod_tls is not built and none of the TLS directives below will be recognised (run make config first if the menu does not appear).

cd /usr/ports/ftp/proftpd/
make install clean 

After the installation we need a TLS key and certificate. Create the directory proftpdkeys under /usr/local/etc/ to hold them. The key is generated under a restrictive umask so it is never world-readable, not even for an instant before the chmod; 2048-bit RSA and SHA-256 replace the 1024-bit key and SHA-1 signature of the original recipe, which modern clients reject or warn about.

mkdir /usr/local/etc/proftpdkeys
cd /usr/local/etc/proftpdkeys/
umask 077
openssl genrsa -out host.key 2048
chmod 400 host.key
openssl req -new -x509 -nodes -sha256 -days 365 -key host.key -out host.cert

The last command asks a series of questions: Country Name, State, City, and so on. Answer them for your environment; the Common Name must be the host name clients will connect to (ftp.techbabu.com here), because that is what clients compare against. Being self-signed, the certificate is not trusted by anyone automatically, so note its fingerprint (openssl x509 -in host.cert -noout -fingerprint -sha256) and give it to your users to verify on their first connection.

With the certificate in place, edit proftpd.conf under /usr/local/etc/ (that is where the port installs it; there is no /usr/local/proftpd/ directory):

vi /usr/local/etc/proftpd.conf

ServerName          "ftp.techbabu.com"
ServerType          standalone
PassivePorts        30000 30150
DefaultServer       on
IdentLookups        off
UseReverseDNS       off
Port                21
Umask               022
MaxInstances        30
User                ftp
Group               ftp
DefaultRoot         ~
SystemLog           /var/log/proftpd.log
TransferLog         /var/log/xferlog
RequireValidShell   off

TLSEngine                 on
TLSLog                    /var/log/proftpd_tls.log
TLSProtocol               TLSv1.2 TLSv1.3
TLSRequired               on
TLSOptions                NoCertRequest
TLSVerifyClient           off
TLSRenegotiate            required off
TLSRSACertificateFile     /usr/local/etc/proftpdkeys/host.cert
TLSRSACertificateKeyFile  /usr/local/etc/proftpdkeys/host.key

The original recipe used TLSProtocol SSLv23, which lets a client negotiate SSLv3 and TLS 1.0; those versions are broken and should not be offered. TLSv1.3 needs a proftpd built against OpenSSL 1.1.1 or later, so drop it from the line if your build rejects it. TLSRequired on refuses any login attempt that was not preceded by AUTH TLS, which is what keeps passwords off the wire.
 

<Limit LOGIN>
  AllowUser techbabu
  DenyAll
</Limit>

<Directory />
  AllowOverwrite on
</Directory>

# A further DenyAll followed here on the original page, but the <Limit ...>
# tags around it did not survive rendering and the original page does not say
# which command group it covered. DenyAll is only valid inside a <Limit>
# block and proftpd refuses a configuration with a bare one, so either
# restore the block you intend (for example <Limit SITE_CHMOD>, which stops
# users changing permissions) or leave the line out.

That completes proftpd.conf. Here is what the directives above do.

  • ServerName is the name the server announces in its banner, here "ftp.techbabu.com".
  • ServerType standalone runs proftpd as its own daemon rather than under inetd. See the ProFTPD documentation for ServerType if you want the inetd mode.
  • PassivePorts restricts the range of ports from which the server selects when a client sends the PASV command. The server picks a random port within the range until it finds a free one; if none is free it falls back to a kernel-assigned port and logs a message. I have defined 30000 30150. A fixed passive range matters when the server sits behind a firewall: the firewall must pass port 21 and this whole range, or passive data connections (directory listings included) will hang.
  • IdentLookups off and UseReverseDNS off skip the ident and reverse-DNS lookups at connect time; they only slow logins down and add nothing to security here.
  • User and Group are the unprivileged account the daemon drops to. proftpd still starts as root (it needs that to bind port 21 and to chroot each session) and switches to ftp/ftp afterwards.
  • DefaultRoot controls the root directory assigned to a user upon login. If it is set to a directory other than "/", a chroot is performed immediately after the client authenticates, which isolates the client from the rest of the host filesystem. The value must begin with / or be the magic character "~", meaning the client is chroot-jailed into its own home directory.
  • RequireValidShell configures the server, virtual host or anonymous login to allow or deny logins whose shell is not listed in the system's shell file (/etc/shells). By default proftpd refuses such logins; if the shell file cannot be found, all shells are assumed valid. It is off here because the FTP accounts deliberately get /sbin/nologin.
  • <Limit LOGIN> with AllowUser techbabu and DenyAll means only techbabu may log in to the main server; any other system account is refused at USER. You can list as many AllowUser entries as you need.
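As a practical check on the settings discussed above, here is a small audit script. It is an added example, not from the original post and not a ProFTPD tool. It parses the one-directive-per-line layout used in this howto, including <Limit>, <Anonymous>, <Directory> and <VirtualHost> blocks, and reports when TLS is not mandatory or offers legacy versions, when a server context lacks DefaultRoot, when a <Limit LOGIN> does not end in DenyAll, when an <Anonymous> area is writable, and when PassivePorts is not a sane range. The two embedded configurations (HARDENED and WEAK) are constructed for the example; to audit a real file, call audit(open("/usr/local/etc/proftpd.conf").read()) from a Python prompt.

```python
"""Audit a proftpd.conf for the hardening points this howto relies on.

Added example, not from the original post and not a ProFTPD tool; the two
sample configurations at the bottom are constructed for it.
"""
import re

BLOCK_OPEN = re.compile(r"^<\s*(\w+)(?:\s+(.*?))?\s*>$")
BLOCK_CLOSE = re.compile(r"^<\s*/\s*(\w+)\s*>$")
LEGACY_TLS = {"SSLv2", "SSLv3", "SSLv23", "TLSv1", "TLSv1.1"}


def parse(text):
    """(context, directive, args) triples; context is the tuple of enclosing
    blocks, e.g. ('Anonymous /home/ftp', 'Limit WRITE')."""
    entries, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := BLOCK_OPEN.match(line):
            stack.append(" ".join(p for p in (m.group(1), (m.group(2) or "").strip()) if p))
            continue
        if m := BLOCK_CLOSE.match(line):
            if not stack or stack[-1].split()[0] != m.group(1):
                raise ValueError(f"unbalanced </{m.group(1)}>")
            stack.pop()
            continue
        parts = line.split(None, 1)
        entries.append((tuple(stack), parts[0], parts[1].strip('"') if len(parts) > 1 else ""))
    if stack:
        raise ValueError(f"unclosed block <{stack[-1]}>")
    return entries


def get(entries, context, directive):
    """Value of the first such directive in exactly this context, else None."""
    for c, d, a in entries:
        if c == context and d.lower() == directive.lower():
            return a
    return None


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    entries, findings = parse(text), []
    # 1. TLS on, mandatory, and without legacy protocol versions.
    if get(entries, (), "TLSEngine") != "on":
        findings.append("TLSEngine is not on: logins and data travel as cleartext FTP")
    if get(entries, (), "TLSRequired") != "on":
        findings.append("TLSRequired is not on: clients may log in without AUTH TLS")
    proto = get(entries, (), "TLSProtocol") or ""
    legacy = sorted(LEGACY_TLS & set(proto.split()))
    if not proto or legacy:
        findings.append(f"TLSProtocol '{proto or 'unset'}' permits legacy versions {legacy or '(default)'}")
    # 2. Main server and every <VirtualHost> (which inherits nothing from it)
    #    must chroot and must close <Limit LOGIN> with DenyAll.
    servers = {()} | {c[:1] for c, _, _ in entries if c and c[0].startswith("VirtualHost")}
    for sctx in sorted(servers):
        label = sctx[0] if sctx else "main server"
        if get(entries, sctx, "DefaultRoot") is None:
            findings.append(f"{label}: no DefaultRoot, logged-in users are not chrooted")
        if get(entries, sctx + ("Limit LOGIN",), "DenyAll") is None:
            findings.append(f"{label}: <Limit LOGIN> lacks DenyAll, other accounts are not explicitly refused")
    # 3. Every <Anonymous> area must refuse the WRITE command group.
    anon = {c[:i + 1] for c, _, _ in entries for i, b in enumerate(c) if b.startswith("Anonymous")}
    for actx in sorted(anon):
        if get(entries, actx + ("Limit WRITE",), "DenyAll") is None:
            findings.append(f"<{actx[-1]}>: no <Limit WRITE> DenyAll, anonymous users can upload")
    # 4. PassivePorts must be a valid unprivileged range; the firewall rule that
    #    passes it is only as good as these numbers.
    for _, d, a in entries:
        if d.lower() == "passiveports":
            nums = [int(x) for x in a.split() if x.isdigit()]
            if len(nums) != 2 or not 1024 <= nums[0] <= nums[1] <= 65535:
                findings.append(f"PassivePorts '{a}' is not a valid high-port range")
    return findings


# Constructed sample: the main-server part of this howto, hardened.
HARDENED = """\
DefaultRoot ~
PassivePorts 30000 30150
TLSEngine on
TLSRequired on
TLSProtocol TLSv1.2 TLSv1.3
<Limit LOGIN>
  AllowUser techbabu
  DenyAll
</Limit>
"""

# Constructed sample that trips every check: SSLv23, optional TLS, a bad port
# range, a writable anonymous area and a virtual host with no chroot or login limit.
WEAK = """\
DefaultRoot ~
TLSEngine on
TLSRequired off
TLSProtocol SSLv23
PassivePorts 30000 30
<Limit LOGIN>
  AllowUser techbabu
  DenyAll
</Limit>
<Anonymous /home/ftp>
  User ftp
</Anonymous>
<VirtualHost 172.17.1.254>
  Port 26
</VirtualHost>
"""
```

The WEAK sample is worth reading next to its findings: the main server is fine, but the <VirtualHost> is reported twice because DefaultRoot and <Limit LOGIN> in the main context do not carry over into a virtual host, which is exactly the mistake that turns a "secure" virtual host into an open one.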

That covers the configuration. Now create the ftp account the daemon drops to. Create the ftp group first with pw groupadd ftp if pw useradd complains that the group does not exist; the port does not necessarily create one.

pw useradd ftp -g ftp -d /home/ftp -m -s /sbin/nologin 

This creates user ftp with ftp as its primary group and /home/ftp as its home directory. Its shell is /sbin/nologin, so the account cannot log in to anything that checks the shell (telnet, SSH); it can still be used for FTP because RequireValidShell is off.

Enable proftpd in /etc/rc.conf so the server starts at boot:

proftpd_enable="YES" 

Then start it (service proftpd start does the same thing):

/usr/local/etc/rc.d/proftpd start 

If it does not come up, run proftpd -t to syntax-check the configuration; a wrong certificate path or a TLSProtocol value your build does not support is reported there.

Next, create the techbabu user that <Limit LOGIN> allows, and give it a password:

pw useradd techbabu -g ftp -d /home/techbabu -m -s /sbin/nologin 
passwd techbabu

This is the same as the ftp user: primary group ftp, home directory /home/techbabu (which DefaultRoot ~ turns into the chroot), and /sbin/nologin as shell so the account cannot reach telnet or SSH. pw useradd creates the account with its password locked, so the passwd step is needed before techbabu can authenticate to proftpd.

That is it: an FTP server that accepts only TLS-protected logins. Because TLSRequired is on, a plain FTP client is refused at login, so use a client that supports explicit FTPS (AUTH TLS): lftp (with set ftp:ssl-force true) or FireFTP, a Firefox extension that is no longer maintained, both do. If you need plain FTP and FTPS side by side, set TLSRequired off; plain logins then send passwords in cleartext, so at most do this inside the anonymous area, where there is no password to lose.

On the first connection the client will warn that the certificate is self-signed; compare the fingerprint it shows with the one from openssl on the server before accepting it. Then connect to ftp.techbabu.com with the client of your choice.
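For a scripted check of the finished server, here is a Python client, an added example that is not part of the original post. It does what lftp or FireFTP do for you, in the order the protocol requires: AUTH TLS on the control channel before USER is sent, PROT P so the data channel is encrypted too, passive mode so transfers use the PassivePorts range, and a SHA-256 pin on the self-signed certificate in place of CA verification. It also has a function to confirm that TLSRequired on really rejects cleartext logins. Host, port, account, password and the pin value are placeholders; take the real pin from openssl x509 -in host.cert -noout -fingerprint -sha256 on the server.

```python
"""Explicit-FTPS client with certificate pinning for the server in this howto.

Added example, not from the original post. Host, port, credentials and the
pin in the __main__ block are placeholders.
"""
import hashlib
import hmac
import ssl
from ftplib import FTP, FTP_TLS, error_perm


def cert_fingerprint(der_bytes):
    """SHA-256 over the DER certificate as colon-separated upper-case hex, the
    same form 'openssl x509 -fingerprint -sha256' prints."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der_bytes, expected):
    """True if the certificate's fingerprint equals the pinned one; colons and
    case are ignored so openssl's form and bare hex both work."""
    got = cert_fingerprint(der_bytes).replace(":", "").lower()
    want = expected.replace(":", "").lower()
    return hmac.compare_digest(got, want)


def connect_ftps(host, port, user, password, pinned_sha256, timeout=10):
    """Return a logged-in FTP_TLS session with both channels encrypted.

    The howto's certificate is self-signed and in no CA store, so CA checking
    is switched off and replaced by the pin: on a mismatch the session is
    dropped before any credentials are sent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # replaced by the pin check below
    ftp = FTP_TLS(context=ctx)
    ftp.connect(host, port, timeout=timeout)
    ftp.auth()                               # AUTH TLS before USER/PASS
    der = ftp.sock.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned_sha256):
        ftp.close()
        raise ssl.SSLCertVerificationError(
            f"pin mismatch, server presented {cert_fingerprint(der or b'')}")
    ftp.login(user, password)
    ftp.prot_p()                             # PROT P: encrypt the data channel too
    ftp.set_pasv(True)                       # PASV: data port from PassivePorts
    return ftp


def cleartext_login_refused(host, port, user, password, timeout=10):
    """Confirm TLSRequired on is effective: a plain-FTP USER/PASS must be
    rejected with a 5xx reply rather than accepted."""
    ftp = FTP()
    ftp.connect(host, port, timeout=timeout)
    try:
        ftp.login(user, password)
        return False
    except error_perm:
        return True
    finally:
        ftp.close()


if __name__ == "__main__":
    # Placeholders: substitute the real host, account and pinned fingerprint.
    HOST, PORT, USER, PASSWORD = "ftp.techbabu.com", 21, "techbabu", "secret"
    PIN = "PASTE-THE-SHA256-FINGERPRINT-FROM-OPENSSL-HERE"
    print("cleartext refused:", cleartext_login_refused(HOST, PORT, USER, PASSWORD))
    session = connect_ftps(HOST, PORT, USER, PASSWORD, PIN)
    try:
        print(session.nlst())                # listing travels over the PROT P channel
    finally:
        session.quit()
```

The pin is checked right after auth() and before login(): with verify_mode set to CERT_NONE the TLS handshake itself accepts any certificate, so the fingerprint comparison is the only thing standing between the password and an impostor on the path, and it must happen before the password leaves the client.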

Anonymous Setup

You can allow anonymous FTP access for anyone who wants to download files from your site without having an account. In this setup anonymous users may not upload. Anonymous setup in ProFTPD is simple; add this to /usr/local/etc/proftpd.conf:

<Anonymous /home/ftp>
  RequireValidShell   off
  User                ftp
  Group               ftp
  UserAlias           anonymous ftp
  MaxClients          10

  <Limit LOGIN>
    AllowUser ftp
    DenyAll
  </Limit>

  DisplayLogin        welcome.msg
  DisplayChdir        .message

  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

What the block does:

  • <Anonymous /home/ftp> makes /home/ftp the root of the anonymous area; anonymous sessions are chrooted there and run as ftp/ftp.
  • UserAlias maps the login name anonymous to the ftp account, and <Limit LOGIN> allows only ftp (and therefore anonymous) into this area.
  • <Limit WRITE> with DenyAll means anonymous users can only download from /home/ftp; STOR, DELE, MKD and the other commands in the WRITE group are refused.
  • MaxClients 10 caps the number of concurrent anonymous sessions.

You must restart the server whenever you change its configuration (check the file with proftpd -t first, so a typo does not leave the server down). Let's restart it:

 /usr/local/etc/rc.d/proftpd restart 

Virtual Host Setup

As mentioned earlier, we will also configure virtual hosting. Add these lines to proftpd.conf:

<VirtualHost 172.17.1.254>
  ServerName          "ftp.virtualdomain.com"
  PassivePorts        30151 30160
  AuthPam             off
  Port                26
  RequireValidShell   off
  DefaultRoot         ~

  <Limit LOGIN>
    AllowUser virtualuser
    DenyAll
  </Limit>

  <Anonymous /home/virtualuser>
    User                ftp
    Group               ftp
    UserAlias           anonymous ftp
    MaxClients          10
    RequireValidShell   off

    <Limit LOGIN>
      AllowUser ftp
      DenyAll
    </Limit>

    DisplayLogin        welcome.msg
    DisplayChdir        .message

    <Limit WRITE>
      DenyAll
    </Limit>
  </Anonymous>
</VirtualHost>

What this defines:

  • <VirtualHost 172.17.1.254> binds the virtual host to that address. 172.17.1.254 is a private (RFC 1918) address, so substitute whatever address ftp.virtualdomain.com actually resolves to.
  • ServerName and a separate PassivePorts range (30151 30160) follow; the firewall must pass this range as well.
  • There is only one IP address here, so the virtual host cannot also listen on port 21 and gets port 26 instead; clients for ftp.virtualdomain.com must connect to that port explicitly. With a second IP address both could stay on port 21.
  • AuthPam off skips PAM for this host; accounts are checked against the system password file only.
  • <Limit LOGIN> allows only virtualuser, so create that account exactly as techbabu was created, password included.
  • The last section enables read-only anonymous access under /home/virtualuser.
  • A <VirtualHost> inherits nothing from the main server, and that includes the TLS directives: as written, ftp.virtualdomain.com accepts cleartext logins. Either repeat the TLSEngine, TLSRequired, TLSProtocol and certificate lines inside this block (with a certificate whose Common Name is ftp.virtualdomain.com, or clients will warn about the name mismatch) or move them into a <Global> block so every server context gets them.

That's all; everything is configured. I hope you find this howto useful, and your comments on it are welcome.

One comment

  1. Mani says:

    Hi
    Will I be able to access the server in normal FTP and FTPS simultaneously? If not, what modification needs to be done so that I can access it via FTPS and normal FTP?
