
If you want to secure your proFTPD server with TLS, follow these steps:

- Edit the file proftpd.conf:

    vi /etc/proftpd/proftpd.conf

- If you don't need IPv6, disable it:

    UseIPv6 off

- Force listening on one specific IP address and a specific port:

    DefaultAddress 10.20.30.40
    # Bind only to DefaultAddress instead of every local address
    SocketBindTight on
    Port 2121

- Include the TLS config file:

    Include /etc/proftpd/tls.conf

- Restrict access to a specific IP address:

    <Limit LOGIN>
      Order allow,deny
      Allow from 11.21.31.41
      Deny from all
    </Limit>

- Save and close the file proftpd.conf.
- Edit the file tls.conf to set the TLS parameters:

    vi /etc/proftpd/tls.conf

- Replace the content with these lines. For the certificate part, you can use the Let's Encrypt service to get a free certificate.

    <IfModule mod_tls.c>
      TLSEngine on
      TLSLog /var/log/proftpd/tls.log
      # Accept TLS 1.2 only
      TLSProtocol TLSv1.2
      TLSRSACertificateFile /etc/letsencrypt/live/your_site/cert.pem
      TLSRSACertificateKeyFile /etc/letsencrypt/live/your_site/privkey.pem
      TLSCertificateChainFile /etc/letsencrypt/live/your_site/chain.pem
      # The trailing !RC4 removes the RC4 suites named earlier in the list
      TLSCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
      # Both options relax mod_tls defaults: data connections need not reuse the
      # control connection's TLS session, and clients may start renegotiations
      TLSOptions NoSessionReuseRequired AllowClientRenegotiations
      # TLS is required on the control channel (login and commands) only;
      # "TLSRequired on" would also require it on the data channel
      TLSRequired ctrl
    </IfModule>
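To check a tls.conf against the settings discussed above before restarting the server, the following script flags the relaxed options. It is an added example, not part of the original post; the function names `audit_tls_conf` and `sample_tls_conf` are made up here, and it only understands the plain `TLSProtocol` list form used above.

```shell
#!/bin/sh
# Added example (not from the original post): flag weak mod_tls settings.
# Prints "LEVEL Directive: message" lines; exit status is 1 if any FAIL.
audit_tls_conf() {
    awk '
    $1 ~ /^#/ { next }                        # ignore comment lines
    { d = tolower($1) }                       # directive name, any case
    d == "tlsengine"   { engine = tolower($2) }
    d == "tlsrequired" { required = tolower($2) }
    d == "tlsprotocol" {
        for (i = 2; i <= NF; i++)
            if ($i != "TLSv1.2" && $i != "TLSv1.3") {
                print "FAIL TLSProtocol: legacy protocol " $i " is enabled"
                bad = 1
            }
    }
    d == "tlsoptions" {
        for (i = 2; i <= NF; i++) {
            if ($i == "AllowClientRenegotiations")
                print "WARN TLSOptions: client-initiated renegotiation is allowed"
            if ($i == "NoSessionReuseRequired")
                print "WARN TLSOptions: data connections need not reuse the control TLS session"
        }
    }
    END {
        if (engine != "on") { print "FAIL TLSEngine: TLS is not enabled"; bad = 1 }
        if (required == "ctrl")
            print "WARN TLSRequired: only the control channel must use TLS"
        else if (required != "on") {
            print "FAIL TLSRequired: is \"" required "\", expected on or ctrl"
            bad = 1
        }
        exit (bad ? 1 : 0)
    }' "$@"
}

# Constructed sample: the TLS directives from the tls.conf above (certificate
# paths and cipher list left out, since the audit does not read them).
sample_tls_conf() {
    cat <<'EOF'
<IfModule mod_tls.c>
TLSEngine on
TLSProtocol TLSv1.2
TLSOptions NoSessionReuseRequired AllowClientRenegotiations
TLSRequired ctrl
</IfModule>
EOF
}

sample_tls_conf | audit_tls_conf
```

On a server, pass the real file instead: `audit_tls_conf /etc/proftpd/tls.conf`.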
Comments are welcome
Configure proFTPd with TLS and IP address restriction