FTPeS (aka "explicit FTP over TLS"; used to be "over SSL" but as you know TLS now replaces SSL)
First let me say I am in great debt to the makers of Virtualmin/Webmin/Usermin… much thanks!!
Now, on to FTPeS!
There are several flavors of FTP, but the currently supported encrypted FTP is called FTPeS (Explicit FTP over TLS).
Note that you CAN run both SFTP (SSH) and FTPeS (FTP) at the same time, no conflicts
The only problem I had with FTPeS was that my ISP has an older "shared firewall" and could not support my FTPeS configuration, so I asked that they move me outside their shared firewall, which required they give me new IP addresses (I run my own firewall)
ProFTPD has a good page on how to configure FTPeS at http://www.proftpd.org/docs/howto/TLS.html
Or you could google for it at https://www.google.com/search?q=how+configure+explicit+ftp+over+tls
I run Virtualmin GPL on Debian 6 (haven’t upgraded to Debian 7 yet, am waiting for the dust to settle)
-
if you don’t have ProFTPd and OpenSSL installed, you’ll need them
[bash #] apt-get install proftpd openssl
(if you are asked, select "standalone" for proftpd)
-
edit /etc/proftpd/proftpd.conf and make sure of the following
Include /etc/proftpd/tls.conf
PassivePorts 59000 59999
<Global>
DefaultRoot ~
RootLogin off
IdentLookups off
ServerIdent on "FTP Server ready."
UseFtpUsers on
RequireValidShell on
</Global>
-
edit /etc/proftpd/tls.conf
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv3 TLSv1
TLSRSACertificateFile /etc/proftpd/ftpd-rsa.pem
TLSRSACertificateKeyFile /etc/proftpd/ftpd-rsa-key.pem
TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
TLSVerifyClient off
TLSRenegotiate required off
#TLSRequired on
TLSOptions AllowClientRenegotiations NoCertRequest NoSessionReuseRequired
</IfModule>
(if you require TLS by uncommenting TLSRequired on, then normal FTP will be blocked)
-
generate 10 year self-signed certs (run these from /etc/proftpd, which is where tls.conf above looks for the two files)
[bash #] openssl req -new -x509 -days 3650 -nodes -out ftpd-rsa.pem -keyout ftpd-rsa-key.pem
[bash #] chmod 600 ftpd-rsa-key.pem
-
restart ProFTPd
[bash #] /etc/init.d/proftpd restart
-
test locally
[bash #] openssl s_client -connect 127.0.0.1:21 -starttls ftp
quit
If you get a "Session-ID" then it worked.
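
A quick way to review the tls.conf from the steps above before exposing the server, as an added example that is not part of the original post or of ProFTPD: it parses the active directives and flags legacy protocol versions, TLS that is not enforced, and TLSOptions that relax protections. The function names and the list of protocols treated as legacy are assumptions of this example, and the sample input is constructed from the directives shown above.

```python
# Added example: audit a ProFTPD tls.conf for settings that weaken FTPeS.
# SAMPLE_TLS_CONF is constructed from the directives shown in the post.
SAMPLE_TLS_CONF = """\
<IfModule mod_tls.c>
TLSEngine on
TLSProtocol SSLv3 TLSv1
TLSVerifyClient off
#TLSRequired on
TLSOptions AllowClientRenegotiations NoCertRequest NoSessionReuseRequired
</IfModule>
"""

# Assumption of this example: anything older than TLSv1.2 counts as legacy.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "SSLv23", "TLSv1", "TLSv1.1"}
RISKY_OPTIONS = {
    "AllowClientRenegotiations": "client-initiated renegotiation is permitted",
    "NoSessionReuseRequired": "data connections need not reuse the control TLS session",
}

def parse_directives(text):
    """Map each active (uncommented) directive, lowercased, to its arguments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):  # skip blanks and <IfModule> tags
            continue
        name, *args = line.split()
        directives[name.lower()] = args
    return directives

def audit_tls_conf(text):
    """Return a list of human-readable findings; empty means nothing flagged."""
    d = parse_directives(text)
    findings = []
    if [a.lower() for a in d.get("tlsengine", [])] != ["on"]:
        findings.append("TLSEngine is not on: mod_tls is inactive")
    if [a.lower() for a in d.get("tlsrequired", [])] != ["on"]:
        findings.append("TLSRequired is not on: unencrypted FTP is still possible")
    for proto in d.get("tlsprotocol", []):
        if proto.lstrip("+") in LEGACY_PROTOCOLS:  # "-SSLv3" (disabled) is not flagged
            findings.append(f"TLSProtocol enables legacy protocol {proto.lstrip('+')}")
    for opt in d.get("tlsoptions", []):
        if opt in RISKY_OPTIONS:
            findings.append(f"TLSOptions {opt}: {RISKY_OPTIONS[opt]}")
    return findings

if __name__ == "__main__":
    for finding in audit_tls_conf(SAMPLE_TLS_CONF):
        print("WARN:", finding)
```

To check a real file, pass its contents instead of the sample, for example audit_tls_conf(open("/etc/proftpd/tls.conf").read()).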