Gain more security with your open source FTP server with the help of OpenSSL and TLS.
Your business might have users who depend on using FTP to transfer files to and from a data center server. If that's the case, you want to make sure that your FTP server is as secure as possible. When SFTP isn't an option, another way of creating a secure FTP instance is with the help of TLS.
I want to walk you through the process of securing the ProFTP server with TLS. All you need is an instance of Ubuntu Server 18.04 and a user account with sudo privileges.
The first thing to do is install ProFTP. ProFTP is an outstanding FTP server, which offers plenty of features and is reliable for business usage. In order to install ProFTP, follow these steps:
- Open a terminal window (or log into your Ubuntu server).
- Install ProFTP with the command sudo apt-get install proftpd -y.
- Allow the installation to complete.
Once the installation finishes, start and enable the service with the following two commands:
sudo systemctl start proftpd
sudo systemctl enable proftpd
The next step is installing OpenSSL (if it's not already installed). To do this, go back to your terminal window and issue the command:
sudo apt-get install openssl -y
Once OpenSSL is installed, generate the necessary SSL certificates for ProFTP with the following command:
sudo openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -nodes -days 365
Make sure to answer all of the questions for your certificate. Once that task completes, give the newly generated key the proper permissions with the following commands:
sudo chmod 600 /etc/ssl/private/proftpd.key
sudo chmod 600 /etc/ssl/certs/proftpd.crt
Now, we need to configure ProFTP to make use of our new SSL certificates. Open the ProFTP configuration file with the command:
sudo nano /etc/proftpd/proftpd.conf
Look for the line #Include /etc/proftpd/tls.conf (around line 140) and remove the # character. Save and close that file. Next, issue the command:
sudo nano /etc/proftpd/tls.conf
Uncomment the following lines (remove the # character):
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSRequired on
TLSVerifyClient off
TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
Note: The above lines are scattered throughout the configuration file, so make sure to look closely. Once you make the necessary changes, save and close that file. Restart the ProFTP server with the command:
sudo systemctl restart proftpd
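Because the directives are scattered through tls.conf, it is easy to leave one commented out. The following check is an added example, not part of the original article or of ProFTPD itself: it reports any of those directives that is still inactive and flags a TLSProtocol value that allows versions older than TLSv1.2. That threshold, the function names and the sample file are this example's assumptions.

```sh
#!/bin/sh
# Added example, not from the article: audit tls.conf for the settings enabled above.
# Prints one finding per line and nothing when every check passes.
audit_tls_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # a directive still prefixed with # is inactive
        { key = $1; $1 = ""; sub(/^[ \t]+/, ""); val[key] = $0 }
        END {
            n = split("TLSEngine TLSRequired TLSProtocol TLSLog TLSRSACertificateFile TLSRSACertificateKeyFile", need, " ")
            for (i = 1; i <= n; i++)
                if (!(need[i] in val))
                    print "MISSING " need[i] ": not set (still commented out?)"
            if (("TLSEngine" in val) && tolower(val["TLSEngine"]) != "on")
                print "WEAK TLSEngine " val["TLSEngine"] ": mod_tls is disabled"
            if (("TLSRequired" in val) && tolower(val["TLSRequired"]) != "on")
                print "WEAK TLSRequired " val["TLSRequired"] ": cleartext FTP may still be accepted"
            # Assumed policy: SSLv23 (compatibility mode) and the tokens below permit pre-TLSv1.2 handshakes.
            m = split(val["TLSProtocol"], p, " ")
            for (i = 1; i <= m; i++)
                if (p[i] ~ /^(SSLv23|SSLv3|TLSv1|TLSv1\.1)$/)
                    print "WEAK TLSProtocol " p[i] ": allows protocol versions older than TLSv1.2"
        }
    ' "$1"
}

# Constructed sample: TLSRequired was missed and is still commented out.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
#TLSRequired on
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
EOF
    audit_tls_conf "$f"; rm -f "$f"
}

# With a path argument, audit that file; with none, run the constructed sample.
if [ -n "${1:-}" ]; then audit_tls_conf "$1"; else demo; fi
```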
Create a new user
Now we need to create a specific ProFTP user. To do this, issue the command:
sudo adduser ftpuser
Note: You can name the FTP user whatever you like.
Once you add the user, you can now access the ProFTP server, using encryption. How you make that connection depends upon the FTP client you use. Just make sure you connect with the new user and make sure the connection encryption type is FTP over TLS (Figure A).
If you already have users on the remote server, those users can log into the FTP server using their previously created credentials. In other words, you don't need to create a new user.
And that's all there is to securing your ProFTP server with TLS encryption. Make sure to add as many users as needed and inform them how to connect with the new TLS protocol.