Nowheretobefound


Securing FTP


Introduction

Plain FTP is not secure when used across the internet: everything, including the username and password, crosses the network in cleartext, so anyone on the path can read or replay the login. ProFTPD's mod_tls module adds TLS support, which lets the client encrypt the control connection (and, with PROT P, the data connection) before sending credentials. Enabling FTPES (explicit FTP over TLS, RFC 4217) takes a few steps.


Getting to work

First we create a directory to hold the keys and certificates.

mkdir /etc/openssl
cd /etc/openssl

Normally you would prepare a Certificate Signing Request (CSR) and send it to a Certificate Authority (CA) such as VeriSign, Thawte or Comodo; the CA returns a signed certificate after checking your identity. For our FTP server we will instead act as our own CA and sign the request ourselves. Clients will not trust this CA automatically: users will either have to import ca.crt into their FTP client or verify the certificate fingerprint when they first connect. To sign requests we need a small script.

touch sign.sh
chmod u+x sign.sh
mcedit sign.sh

Paste this code into the file:

#!/bin/sh
## sign.sh -- Sign an SSL Certificate Request (CSR) with our own CA
## Copyright (c) 1998-2001 Ralf S. Engelschall, All Rights Reserved.
## (adapted: quoted variables, SHA-256 signatures, proper exit status)
# argument line handling
CSR="$1"
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh <whatever>.csr"; exit 1
fi
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi
# the certificate gets the same base name as the request, with .crt
case "$CSR" in
    *.csr ) CERT="`echo "$CSR" | sed -e 's/\.csr$/.crt/'`" ;;
    *     ) CERT="$CSR.crt" ;;
esac
# make sure the CA database (issued certs, serial number, index) exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi
# create our own OpenSSL CA config
cat >ca.config <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = .
certs = \$dir
new_certs_dir = \$dir/ca.db.certs
database = \$dir/ca.db.index
serial = \$dir/ca.db.serial
RANDFILE = \$dir/ca.db.rand
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
unique_subject = no
# default certificate lifetime is 5 years but can be changed
default_days = 1825
default_crl_days = 30
# SHA-256: MD5 signatures are forgeable and are rejected by current clients
default_md = sha256
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT
# sign the certificate (openssl asks for confirmation twice)
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out "$CERT" -infiles "$CSR"
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile ca.crt "$CERT"
RC=$?
# cleanup after OpenSSL
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old
# exit with the verification result so a failed signing is noticed
exit $RC

After making the preparations it's time to start generating certificates. We will start with the CA's private key and a self-signed CA certificate. Use at least 2048-bit RSA; 1024-bit keys are considered too weak and are rejected by modern clients. The original two-step (generate with -des3, then strip the passphrase with openssl rsa) is only needed if you want a passphrase temporarily; we generate an unencrypted key directly, since the server has to read it unattended, and protect it with file permissions instead.

openssl genrsa -out ca.key 2048
chmod 600 ca.key

Give the CA a descriptive Common Name (e.g. "My FTP CA"). It must differ from the subject you will give the server certificate below, otherwise openssl cannot distinguish the two and the chain verification fails. The other fields can be filled in or left blank.

openssl req -new -x509 -sha256 -days 1825 -key ca.key -out ca.crt

Next we need the server's private key and a CSR for it. Again the key is unencrypted, because proftpd must load it at start-up without a human typing a passphrase.

openssl genrsa -out server.key 2048
chmod 600 server.key

Use the fully qualified host name your users connect to as the Common Name (e.g. my.host.com), NOT "localhost": FTP clients compare the certificate's name with the host they were asked to connect to and warn on a mismatch. You can leave the 'extra' attributes (challenge password, optional company name) blank:

openssl req -new -sha256 -key server.key -out server.csr

Now that we have the request file we can sign it with the script. Answer "y" to both of openssl's prompts; the script then verifies the new certificate against ca.crt.

./sign.sh server.csr
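The whole procedure above (CA key and certificate, server key and CSR, signing, verification) collected into one non-interactive script, as an added example that is not part of the original article. It assumes openssl(1) is installed; the directory and the host name ftp.example.com are placeholders to replace with your own. Unlike sign.sh it also adds a subjectAltName extension, which is what current FTP clients check the host name against, and it exposes the client-side check as a function so you can confirm the result before touching proftpd.conf.

```shell
#!/bin/sh
# Added example (not from the original article): build the private CA and
# the ProFTPD server certificate non-interactively, then check the result the
# way an FTPES client would. Assumes openssl(1) is installed. The directory
# and the host name ftp.example.com are placeholders.
set -eu

# make_pki DIR FQDN: create ca.key/ca.crt and server.key/server.crt in DIR.
make_pki() {
    (
    dir="$1"; fqdn="$2"
    mkdir -p "$dir/ca.db.certs"
    cd "$dir"
    [ -f ca.db.serial ] || echo 01 > ca.db.serial
    [ -f ca.db.index ]  || : > ca.db.index

    # 1. CA key and self-signed CA certificate. Its subject must differ from
    #    the server certificate's, or 'openssl verify' cannot build a chain.
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 1825 -key ca.key -out ca.crt \
        -subj "/O=Example FTP/CN=Example FTP private CA"

    # 2. Server key and CSR. The CN is the name users connect to; modern
    #    clients check the subjectAltName added at signing time instead.
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -sha256 -key server.key -out server.csr \
        -subj "/O=Example FTP/CN=$fqdn"

    # 3. Sign with the CA: SHA-256, 5 years, SAN + serverAuth extensions.
    cat > ca.config <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = .
new_certs_dir = \$dir/ca.db.certs
database = \$dir/ca.db.index
serial = \$dir/ca.db.serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
unique_subject = no
default_days = 1825
default_md = sha256
policy = policy_anything
x509_extensions = server_ext
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$fqdn
extendedKeyUsage = serverAuth
EOT
    openssl ca -batch -notext -config ca.config -out server.crt -in server.csr 2>/dev/null
    rm -f ca.config ca.db.serial.old ca.db.index.old server.csr
    # proftpd needs unencrypted keys to start unattended, so protect them
    # with file permissions instead of a passphrase
    chmod 600 ca.key server.key
    )
}

# check_cert DIR FQDN: succeed only if server.crt chains to ca.crt AND is
# valid for FQDN. This is the check an FTPES client performs on connect.
check_cert() {
    dir="$1"; fqdn="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/server.crt" -noout -checkhost "$fqdn" | grep -q 'does match'
}

# Usage: sh make-ftp-pki.sh /etc/openssl my.host.com
if [ $# -ge 2 ]; then
    make_pki "$1" "$2"
    check_cert "$1" "$2" && echo "server.crt is valid for $2"
fi
```

Run it as root with the target directory and your real host name; the two files proftpd needs are DIR/server.crt and DIR/server.key, and DIR/ca.crt is what users import into their client (or whose fingerprint they compare) so the connection is not silently accepted from anyone presenting a different self-signed certificate.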

Insert this block into /etc/proftpd/proftpd.conf to enable the TLS engine with the newly created certificate and key.

<IfModule mod_tls.c>
    TLSEngine                  on
    TLSLog                     /var/log/proftpd.tls.log
    # Only negotiate current protocol versions (drop the TLSv1.3 token on
    # ProFTPD/OpenSSL builds too old to know it)
    TLSProtocol                TLSv1.2 TLSv1.3
    # Server's certificate and its (unencrypted, mode 0600) private key
    TLSRSACertificateFile      /etc/openssl/server.crt
    TLSRSACertificateKeyFile   /etc/openssl/server.key
    # CA the server trusts; used to verify client certificates, if any
    TLSCACertificateFile       /etc/openssl/ca.crt
    # Enable this option to refuse unencrypted logins and data transfers
    #TLSRequired               on
</IfModule>

The TLSRequired option forces everyone to use TLS. Without it a client that never sends AUTH TLS still logs in over plain FTP, so the protection is only as good as each user's client settings; on a server that is reachable from the internet you will want it on. After editing the configuration, restart the server:

/etc/init.d/proftpd restart

(or "systemctl restart proftpd" on systemd-based distributions). Check /var/log/proftpd.tls.log if the server refuses to start; a wrong path or an unreadable key shows up there.

When that's done you should be able to connect to the FTP server using FTPES (explicit FTP over TLS: the client connects to port 21 and upgrades the session with AUTH TLS). Because the certificate is signed by your own CA, the client will present it for approval on the first connection; compare the fingerprint it shows with the output of "openssl x509 -in /etc/openssl/server.crt -noout -fingerprint -sha256" before accepting. Older mod_tls releases did not support implicit FTPS on port 990; newer ones can be told to with the UseImplicitSSL flag of TLSOptions, but explicit mode is the standardized one (RFC 4217) and is what the configuration above provides.


Client software

If you are still looking for a good FTP client you should have a look at FileZilla. It supports plain FTP, FTPS (implicit TLS), FTPES (explicit TLS) and even SFTP (file transfer over SSH, a different protocol that does not involve your FTP server at all). It's really easy to use and it's free.