Configure proFTPd with TLS and IP address restriction

If you want to secure your ProFTPD server with TLS, follow these steps:

  • Edit the file proftpd.conf
    vi /etc/proftpd/proftpd.conf
  • If you don't need IPv6, disable it:
    UseIPv6 off
  • Force listening on one specific IP address and a specific port
    DefaultAddress                  10.20.30.40
    SocketBindTight                 on
    Port                            2121
  • Include the TLS config file :
    Include /etc/proftpd/tls.conf
  • Restrict the access to a specific IP address
    <Limit LOGIN>
      Order allow,deny
      Allow from 11.21.31.41
      Deny from all
    </Limit>
  • Save and close the file proftpd.conf
  • Edit the file tls.conf to set the TLS parameters
    vi /etc/proftpd/tls.conf
  • Replace its content with these lines. For the certificate, you can use Let's Encrypt to get a free certificate:
    <IfModule mod_tls.c>
    TLSEngine                               on
    TLSLog                                  /var/log/proftpd/tls.log
    TLSProtocol                             TLSv1.2
    TLSRSACertificateFile                   /etc/letsencrypt/live/your_site/cert.pem
    TLSRSACertificateKeyFile                /etc/letsencrypt/live/your_site/privkey.pem
    TLSCertificateChainFile                 /etc/letsencrypt/live/your_site/chain.pem
    TLSCipherSuite                          "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4" 
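    # NoSessionReuseRequired lets data connections skip reuse of the control connection's TLS session;
    # AllowClientRenegotiations accepts client-initiated renegotiation. Both relax mod_tls defaults,
    # so keep them only if your FTP clients need them.
    TLSOptions      NoSessionReuseRequired AllowClientRenegotiations
    # ctrl requires TLS on the control channel only; use "on" to also require it for data transfers.
    TLSRequired                             ctrl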
    </IfModule>
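
To review a finished tls.conf against the directives used above, here is a small lint function, added as an example and not part of the original post. The function names, the FAIL/WARN policy and the sample file are assumptions of this example; the sample is constructed from the tls.conf above with a shortened cipher list.

```shell
# Added example: lint a mod_tls config file. The FAIL/WARN policy is this example's assumption.

# Print the arguments of the last uncommented occurrence of directive $2 in file $1.
directive_value() {
    awk -v name="$2" 'tolower($1) == tolower(name) { $1 = ""; sub(/^ +/, ""); v = $0 }
                      END { print v }' "$1"
}

# Print one line per finding; the return status is the number of findings.
audit_tls_conf() {
    conf=$1; findings=0
    note() { echo "$1"; findings=$((findings + 1)); }
    [ "$(directive_value "$conf" TLSEngine)" = on ] || note "FAIL TLSEngine is not on"
    for p in $(directive_value "$conf" TLSProtocol); do
        case $p in
            SSLv23|SSLv3|TLSv1|TLSv1.1) note "FAIL TLSProtocol enables legacy $p" ;;
        esac
    done
    req=$(directive_value "$conf" TLSRequired)
    case $req in
        on)   ;;
        ctrl) note "WARN TLSRequired ctrl: the data channel may stay unencrypted" ;;
        *)    note "FAIL TLSRequired is '${req:-unset}', not on or ctrl" ;;
    esac
    for o in $(directive_value "$conf" TLSOptions); do
        case $o in
            NoSessionReuseRequired)    note "WARN data connections need not reuse the control TLS session" ;;
            AllowClientRenegotiations) note "WARN client-initiated renegotiation is allowed" ;;
        esac
    done
    # Listed RC4 suites are harmless only if the string also removes them with !RC4.
    ciphers=$(directive_value "$conf" TLSCipherSuite | tr -d '"' | tr ':' ' ')
    case " $ciphers " in
        *" !RC4 "*) ;;
        *RC4*)      note "FAIL TLSCipherSuite offers RC4" ;;
    esac
    return "$findings"
}

# Constructed sample: the tls.conf from this page with the cipher list shortened.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TLSEngine        on
TLSProtocol      TLSv1.2
TLSCipherSuite   "ECDHE-RSA-AES256-GCM-SHA384:RC4-SHA !aNULL !RC4"
TLSOptions       NoSessionReuseRequired AllowClientRenegotiations
TLSRequired      ctrl
EOF
audit_tls_conf "$sample" || echo "$? finding(s)"
```

After editing, `proftpd -t` checks the configuration syntax, and `openssl s_client -starttls ftp -connect 10.20.30.40:2121` run from the allowed client shows the protocol and cipher actually negotiated.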

Comments are welcome
