FTP is insecure by design: usernames, passwords and file contents all cross the network in clear text. Wrapping the control and data connections in SSL/TLS encrypts the whole session, which makes FTP far safer to expose. This article explains how to set up Pure-FTPd with SSL/TLS on a CentOS 6 server.
Pure-FTPd itself must already be installed. To install it on a CentOS 6 server, see the article titled “How To Install Pure-FTPd on CentOS 6 Via Yum”.
Creating The SSL Certificate For TLS
To enable SSL/TLS, first generate a self-signed certificate with the commands below. A certificate issued by a real CA is the better choice for production systems, because clients can then verify the server's identity instead of having to trust a fingerprint on first use. Keep the file at the path shown: Pure-FTPd looks for its certificate and private key at /etc/ssl/private/pure-ftpd.pem. The first step is to install OpenSSL:
# yum install openssl -y
Then create the certificate and private key. Both end up in the same PEM file, which is why the last command restricts it to root only. When prompted, enter the server's hostname as the Common Name; that is the name clients will compare against the host they connect to.
# mkdir -p /etc/ssl/private/
# openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
# chmod 600 /etc/ssl/private/pure-ftpd.pem
Sample outputs
Generating a 2048 bit RSA private key
.............+++
...................................................................................................................+++
writing new private key to '/etc/ssl/private/pure-ftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:TX
Locality Name (eg, city) [Default City]:Houston
Organization Name (eg, company) [Default Company Ltd]:LifeLinux
Organizational Unit Name (eg, section) []:LifeLinux
Common Name (eg, your name or your server's hostname) []:server.lifelinux.com
Email Address []:[email protected]
Enabling TLS In Pure-FTPd
In order to enable TLS in Pure-FTPd, open /etc/pure-ftpd/pure-ftpd.conf (not the ProFTPD file; ProFTPD is a different server) and find the section beginning with “TLS”:
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.
# TLS 1
The number after TLS has the following effect:
* 0 disables the SSL/TLS layer (default).
* 1 makes TLS optional: a client that sends AUTH TLS gets an encrypted session, but a client that does not still logs in with a clear-text password, so this setting only protects clients that ask to be protected.
* 2 forces TLS for all users and refuses connections that do not use SSL/TLS security mechanisms, anonymous sessions included.
To enable TLS in Pure-FTPd and force all users to use it, uncomment the TLS line and set it to 2:
TLS 2
Finally, restart Pure-FTPd so that the new setting and the certificate are picked up:
# /etc/init.d/pure-ftpd restart
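As an added example (not code from this article or from the Pure-FTPd project), the following POSIX shell script checks the finished setup before the restart. It reads the effective TLS value from pure-ftpd.conf, ignoring the commented-out default, and verifies that the PEM file exists, is mode 600 (it contains the private key), holds both a key and a certificate, and has not expired. The paths are the CentOS 6 defaults used above; the script file name in the last line is an assumption.

```shell
#!/bin/sh
# Pre-flight check for a Pure-FTPd TLS setup (added example, not part of
# Pure-FTPd). Paths default to the CentOS 6 locations used in the article.
CONF=${CONF:-/etc/pure-ftpd/pure-ftpd.conf}
PEM=${PEM:-/etc/ssl/private/pure-ftpd.pem}

# tls_mode CONF: print the effective TLS value. Commented lines such as
# "# TLS 1" are ignored; no active line means 0, the Pure-FTPd default.
tls_mode() {
    mode=$(grep -E '^[[:space:]]*TLS[[:space:]]+[0-2]' "$1" 2>/dev/null \
           | tail -n 1 | awk '{print $2}')
    printf '%s\n' "${mode:-0}"
}

# pem_check PEM: succeed only if the file exists, is mode 600 (it holds the
# private key), contains both a key and a certificate and, when openssl is
# installed, the certificate has not expired. Ownership (root) is not
# checked so the script can run unprivileged.
pem_check() {
    pem=$1
    [ -f "$pem" ] || { echo "missing: $pem" >&2; return 1; }
    perms=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
    [ "$perms" = "600" ] || { echo "mode $perms on $pem, want 600" >&2; return 1; }
    grep -q 'BEGIN.*PRIVATE KEY' "$pem" || { echo "no private key in $pem" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "no certificate in $pem" >&2; return 1; }
    if command -v openssl >/dev/null 2>&1; then
        # x509 skips the key block and reads the first CERTIFICATE block
        openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 \
            || { echo "certificate in $pem has expired" >&2; return 1; }
    fi
    return 0
}

# tls_check CONF PEM: succeed only for "TLS 2" with a usable PEM. "TLS 1"
# is reported but fails, because a client that never sends AUTH TLS still
# logs in with a clear-text password.
tls_check() {
    conf=$1
    pem=$2
    mode=$(tls_mode "$conf")
    case "$mode" in
        2) echo "TLS 2: clear-text sessions are refused" ;;
        1) echo "TLS 1: TLS optional, clear-text logins still accepted" >&2; return 1 ;;
        *) echo "TLS disabled in $conf" >&2; return 1 ;;
    esac
    pem_check "$pem"
}

# Run the check when invoked as a script (assumed file name); do nothing
# when the functions are sourced from elsewhere.
case "$0" in
    *pure-ftpd-tls-check.sh) tls_check "$CONF" "$PEM" ;;
esac
```

After the restart, confirm from another host that the server really negotiates TLS: `openssl s_client -starttls ftp -connect server.lifelinux.com:21` should print the certificate chain and, for the self-signed certificate created above, a verify error for a self-signed certificate; a plain `ftp` client should have its login refused with a message that clear-text sessions are not accepted.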