How to install Proftpd with ssl enabled on CentOS 7 Linux
As you may know, ProFTPD is the greatest FTP server on Linux. Today we will show you how to install ProFTPD with SSL enabled on CentOS 7 Linux.
FTP is insecure by nature, so to add an extra layer of security we should enable the FTPS and SFTP protocols and transfer our files over these secure protocols.
Here is our environment:
OS: CentOS 7 Linux on VMware
SELinux: enforcing
1- Install prerequisites
ProFTPD is available in the EPEL repository, so we will install that repository first:
# yum install epel-release
It’s a good idea to update our packages:
# yum update
2- Configure SELinux
To improve security, it’s better to configure SELinux to grant the permissions ProFTPD requires instead of disabling it. Run the following commands:
# setsebool -P allow_ftpd_anon_write=1
# setsebool -P allow_ftpd_full_access=1
# setsebool -P allow_ftpd_use_cifs=1
# setsebool -P allow_ftpd_use_nfs=1
# setsebool -P ftp_home_dir=1
# setsebool -P ftpd_connect_all_unreserved=1
# setsebool -P ftpd_connect_db=1
# setsebool -P ftpd_is_daemon=1
# setsebool -P ftpd_disable_trans=1
3- Install proftpd and configure
Just issue the following command to install ProFTPD:
# yum install proftpd
Now it’s time to configure ProFTPD. Open /etc/proftpd.conf:
# vim /etc/proftpd.conf
Uncomment these lines:
# LoadModule mod_sftp.c
# LoadModule mod_sftp_pam.c
Then add these lines to the end of the file:
<IfModule mod_sftp.c>
  SFTPEngine ON
  SFTPAuthMethods password
  SFTPLog /var/log/sftp.log
  Port 21
  SFTPHostKey /etc/ssh/ssh_host_rsa_key
  SFTPLog /var/log/proftpd/sftp.log
  SFTPCompression delayed
</IfModule>
Find and uncomment these lines, as shown below:
<IfDefine TLS>
  TLSEngine on
  TLSRequired on
  TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
  TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
  TLSCipherSuite ALL:!ADH:!DES
  TLSOptions NoCertRequest
  TLSVerifyClient off
  TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
  TLSLog /var/log/proftpd/tls.log
  <IfModule mod_tls_shmcache.c>
    TLSSessionCache shm:/file=/var/run/proftpd/sesscache
  </IfModule>
</IfDefine>
Then issue the following command to generate the SSL certificate:
# openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem
Then set the proper permissions on the certificate and key files:
# chmod 0440 /etc/pki/tls/certs/proftpd.pem
# chmod 0400 /etc/ssh/ssh_host_rsa_key
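The following script is an added example, not part of the original article: it runs three static checks over the SFTP and TLS sections from step 3 (a single-valued directive set twice in one section, TLSEngine enclosed in an <IfDefine> that is only processed when proftpd is started with the matching -D option, and a certificate and private key sharing one PEM file). The function names, the list of single-valued directives and the finding labels are assumptions of this example, and the sample input is constructed from the configuration shown above.

```shell
# Added example (not from the article): static checks on the SFTP/TLS sections
# from step 3. audit_proftpd_conf FILE prints one finding per line.
audit_proftpd_conf() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }                  # blank lines and comments
    $1 ~ /^<\//  { if (depth > 0) depth--; next }  # closing tag: pop section
    $1 ~ /^</    {                                 # opening tag: push section
        sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); stack[++depth] = $0; next
    }
    {
        ctx = depth ? stack[depth] : "server config"
        # Single-valued directives (assumed list) set twice in one section.
        if ($1 ~ /^(SFTPLog|TLSLog|SFTPEngine|TLSEngine|Port)$/ && seen[ctx, $1]++)
            printf "DUPLICATE %s in %s (line %d)\n", $1, ctx, NR
        # TLSEngine under <IfDefine X> is processed only when X is defined.
        if ($1 == "TLSEngine" && tolower($2) == "on")
            for (i = 1; i <= depth; i++)
                if (stack[i] ~ /^<IfDefine[ \t]/) {
                    split(stack[i], d, /[ \t>]+/)
                    printf "CONDITIONAL TLSEngine needs -D%s at startup\n", d[2]
                }
        if ($1 == "TLSRSACertificateFile")    cert = $2
        if ($1 == "TLSRSACertificateKeyFile") key = $2
    }
    END { if (key != "" && key == cert)
              printf "SHARED_PEM %s holds both certificate and private key\n", key }
    ' "$1"
}
# Constructed sample: abbreviated copy of the two sections shown above.
sample_conf() {
    cat <<'EOF'
<IfModule mod_sftp.c>
  SFTPEngine ON
  SFTPLog /var/log/sftp.log
  Port 21
  SFTPLog /var/log/proftpd/sftp.log
</IfModule>
<IfDefine TLS>
  TLSEngine on
  TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
  TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
  <IfModule mod_tls_shmcache.c>
    TLSSessionCache shm:/file=/var/run/proftpd/sesscache
  </IfModule>
</IfDefine>
EOF
}
tmp=$(mktemp) && sample_conf > "$tmp" && audit_proftpd_conf "$tmp"; rm -f "$tmp"
```

To check the live configuration, call audit_proftpd_conf /etc/proftpd.conf.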
4- Configure authentication
By default, ProFTPD uses the /etc/passwd file to authenticate users, so add the required users to your server. It also supports the LDAP and RADIUS protocols for authentication, but the details of setting them up are beyond the scope of this article.
5- Configure firewall
Run this command:
# firewall-cmd --zone=public --add-service=ftp --permanent
6- Start proftpd
# systemctl enable proftpd
# systemctl start proftpd