FTPeS (Working Solution on Debian with Virtualmin/Webmin)

FTPeS (aka "explicit FTP over TLS"; used to be "over SSL" but as you know TLS now replaces SSL)

First let me say I am in great debt to the makers of Virtualmin/Webmin/Usermin… much thanks!!

Now, on to FTPeS!

There are several flavors of FTP, but the current supported encrypted FTP is called FTPeS (Explicit FTP over TLS)

Note that you CAN run both SFTP (SSH) and FTPeS (FTP) at the same time, no conflicts

The only problem I had with FTPeS was that my ISP has an older "shared firewall" and could not support my FTPeS configuration, so I asked that they move me outside their shared firewall, which required they give me new IP addresses (I run my own firewall)

ProFTP has a good page on how to configure FTPeS at http://www.proftpd.org/docs/howto/TLS.html

Or you could google for it at https://www.google.com/search?q=how+configure+explicit+ftp+over+tls

I run Virtualmin GPL on Debian 6 (haven’t upgraded to Debian 7 yet, am waiting for the dust to settle)

  1. if you don’t have ProFTPd and OpenSSL installed, you’ll need them

    [bash #] apt-get install proftpd openssl
    (if you are asked, select "standalone" for proftpd)

  2. edit /etc/proftpd/proftpd.conf and make sure of the following

    Include /etc/proftpd/tls.conf

    PassivePorts 59000 59999

    <Global>
    DefaultRoot ~
    RootLogin off
    IdentLookups off
    ServerIdent on "FTP Server ready."
    UseFtpUsers on
    RequireValidShell on
    </Global>

  3. edit /etc/proftpd/tls.conf

    <IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd/tls.log
    TLSProtocol SSLv3 TLSv1
    TLSRSACertificateFile /etc/proftpd/ftpd-rsa.pem
    TLSRSACertificateKeyFile /etc/proftpd/ftpd-rsa-key.pem
    TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
    TLSVerifyClient off
    TLSRenegotiate required off
    #TLSRequired on
    TLSOptions AllowClientRenegotiations NoCertRequest NoSessionReuseRequired
    </IfModule>

    (if you require TLS, then normal FTP will be blocked)

  4. generate 10 year self-signed certs

    [bash #] openssl req -new -x509 -days 3650 -nodes -out ftpd-rsa.pem -keyout ftpd-rsa-key.pem
    [bash #] chmod 600 ftpd-rsa-key.pem

  5. restart ProFTPd

    [bash #] /etc/init.d/proftpd restart

  6. test locally

    [bash #] openssl s_client -connect 127.0.0.1:21 -starttls ftp
    quit

If you get a "Session-ID" then it worked.

Nice how-to!

Let me make the comment that the Virtualmin default installation on (at least) Ubuntu 12 installs ProFTPD and has an example tls.conf file in place with most of the contents of your tutorial, just commented out.

Yep, true, there’s a TLS.CONF file, but it’s a bit old, I know that the “TLSProtocol” line needed to be updated:

OLD: TLSProtocol SSLv23

NEW: TLSProtocol SSLv3 TLSv1

Thx!!

Yep you’re right there!

I don’t know about Debian (or Debian-based distros), but on CentOS (or most Red Hat-based distros), you only need to add -DTLS to /etc/sysconfig/proftpd and place the certificate in /etc/pki/tls/certs/proftpd.pem

Now, you could generate a new certificate for ProFTP, but I find it a lot easier to manage to just ln -s the certificate Webmin uses, so I just
ln -s /etc/webmin/miniserv.pem /etc/pki/tls/certs/proftpd.pem

Quick update, the /etc/proftpd/tls.conf file should be updated to remove SSLv3:

TLSProtocol TLSv1

Also, in case you have trouble with the cipher suite:

TLSCipherSuite ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:AES128-SHA:RC4-SHA:HIGH:!aNULL:!MD5:!ADH
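As an added example (not code from this thread or from ProFTPD), here is a small Python lint that reads a tls.conf and flags the pitfalls discussed above: SSLv3 left in TLSProtocol, TLSRequired commented out, AllowClientRenegotiations set, and, going one step beyond the thread, RC4 ciphers in TLSCipherSuite. The two sample configs and the hardened cipher string are constructed for the example and are assumptions, not the project's defaults.

```python
# Constructed sample: the tutorial's tls.conf before the follow-up corrections.
SAMPLE_TLS_CONF = """\
<IfModule mod_tls.c>
TLSEngine on
TLSProtocol SSLv3 TLSv1
TLSRSACertificateFile /etc/proftpd/ftpd-rsa.pem
TLSRenegotiate required off
#TLSRequired on
TLSOptions AllowClientRenegotiations NoCertRequest NoSessionReuseRequired
</IfModule>
"""

# Same file with the thread's fixes applied (SSLv3 dropped, TLS required,
# client renegotiation no longer allowed) plus an assumed RC4-free cipher list.
HARDENED_TLS_CONF = (SAMPLE_TLS_CONF
    .replace("TLSProtocol SSLv3 TLSv1", "TLSProtocol TLSv1")
    .replace("#TLSRequired on", "TLSRequired on")
    .replace("AllowClientRenegotiations ", "")
    .replace("</IfModule>", "TLSCipherSuite HIGH:!aNULL:!MD5:!ADH:!RC4\n</IfModule>"))

def parse_directives(text):
    """Map lower-cased directive name -> list of values for active lines.
    Comment lines and the <IfModule>/</IfModule> tags are skipped."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, *values = line.split()
        directives[name.lower()] = values   # ProFTPD matches names case-insensitively
    return directives

def audit_tls_conf(text):
    """Return a list of findings; an empty list means none of the pitfalls were found."""
    d = parse_directives(text)
    findings = []
    protos = d.get("tlsprotocol", [])
    if "SSLv3" in protos or "SSLv23" in protos:
        findings.append("TLSProtocol still permits SSLv3; use 'TLSProtocol TLSv1' or newer")
    if d.get("tlsengine", ["off"])[0].lower() != "on":
        findings.append("TLSEngine is not on; no TLS will be offered")
    if d.get("tlsrequired", ["off"])[0].lower() != "on":
        findings.append("TLSRequired is off or commented out; plaintext FTP logins are still accepted")
    if "AllowClientRenegotiations" in d.get("tlsoptions", []):
        findings.append("TLSOptions AllowClientRenegotiations lets clients trigger renegotiation; drop it")
    # Only positive entries count; '!RC4' is an exclusion, not an enabled cipher.
    ciphers = ":".join(d.get("tlsciphersuite", [])).split(":")
    if any("RC4" in c and not c.startswith("!") for c in ciphers):
        findings.append("TLSCipherSuite lists RC4 ciphers; remove them from the suite")
    return findings
```

Run it against your own /etc/proftpd/tls.conf by passing the file contents to audit_tls_conf(); then confirm the live result with the openssl s_client -starttls ftp check from the first post.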