Thread: HowTo secure FTP server (SSL/TLS)

  1. #1 (Join Date: Nov 2004, Location: Sweden, Posts: 259)

    HowTo secure FTP server (SSL/TLS)

    PURPOSE
    Install and configure a secure FTP server. After installation the FTP server will be able to accept ordinary non-encrypted FTP connections as well as SSL and TLS secure connections.

    ==================================================
    NOTES
    Most of the information in this HowTo is a collection from different sources.

    TESTED ON: Asus WL-500gP

    ASSUMPTIONS:
    i.- firmware: Oleg 1.9.2.7-10
    ii.- root file system on the external USB drive
    iii.- telnet/ssh daemon installed and active
    iv.- ipkg package installed
    v.- nano editor installed

    SOURCES:
    i.- http://www.castaglia.org/proftpd/doc...HOWTO-NAT.html
    ii.- http://www.proftpd.org/docs/directiv...d/by-name.html
    iii.- This forum

    ==================================================

    Stop Asus inbuilt FTP Server via web interface under "USB Application". Apply changes and reboot.

    Remount the root file system as read-write.

    Fetch and install proftpd
    Code:
    ipkg install proftpd
    Create certificates and keys
    A simple way of generating a 1024-bit RSA key pair valid for about 3 years is:
    Code:
    openssl req -new -x509 -days 1200 -nodes -out /opt/etc/ftpd/server.cert.pem -keyout /opt/etc/ftpd/server.key.pem
    Create Certificate Authority (CA)
    Code:
    openssl genrsa -des3 -out /opt/etc/ftpd/ca.key 1024 
    openssl req -new -x509 -days 1200 -key /opt/etc/ftpd/ca.key -out /opt/etc/ftpd/root.cert.pem
    Delete RSA private key
    Code:
    rm /opt/etc/ftpd/ca.key
    Save the original proftpd.conf configuration file
    Code:
    mv /opt/etc/proftpd.conf /opt/etc/proftpd.conf_orig
    Create a new configuration file
    Code:
    nano /opt/etc/proftpd.conf
    Paste the following text (do not exit nano yet!)
    Code:
    # This is a basic ProFTPD configuration file (rename it to
    # 'proftpd.conf' for actual use.  It establishes a single server
    # and a single anonymous login.  It assumes that you have a user/group
    # "nobody" and "ftp" for normal operation and anon.
    
    ServerName                      "ProFTPD Default Installation"
    # ServerType                    inetd
    ServerType                      standalone
    DefaultServer                   on
    WtmpLog                         off
    
    # Port 21 is the standard FTP port.
    Port                            21
    
    # Umask 022 is a good standard umask to prevent new dirs and files
    # from being group and world writable.
    Umask                           022
    
    # To prevent DoS attacks, set the maximum number of child processes
    # to 30.  If you need to allow more than 30 concurrent connections
    # at once, simply increase this value.  Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd).
    MaxInstances                    10
    
    MasqueradeAddress               [your_public_address or dns_hostname]
    
    <Global>
      RootLogin On
      RequireValidShell off
      AuthUserFile /etc/passwd
      AllowStoreRestart on
    #  TransferRate RETR 25
    #  TransferRate APPE,STOR 100:2048
      PassivePorts [first_port last_port]
    </Global>
    
    
    # Set the user and group under which the server will run.
    User                            nobody
    Group                           nobody
    
    # To cause every FTP user to be "jailed" (chrooted) into their home
    # directory, uncomment this line.
    #DefaultRoot ~
    
    # Normally, we want files to be overwriteable.
    AllowOverwrite          on
    
    # Bar use of SITE CHMOD by default
    <Limit SITE_CHMOD>
      DenyAll
    </Limit>
    
    # A basic anonymous configuration, no upload directories.  If you do not
    # want anonymous users, simply delete this entire <Anonymous> section.
    <Anonymous ~ftp>
      User                          ftp
      Group                         ftp
    
      # We want clients to be able to login with "anonymous" as well as "ftp"
      UserAlias                     anonymous ftp
    
      # Limit the maximum number of anonymous logins
      MaxClients                    5
    
      # We want 'welcome.msg' displayed at login, and '.message' displayed
      # in each newly chdired directory.
      DisplayLogin                  welcome.msg
      DisplayFirstChdir             .message
    
      # Limit WRITE everywhere in the anonymous chroot
      <Limit WRITE>
        DenyAll
      </Limit>
    </Anonymous>
    
    <IfModule mod_tls.c>
      TLSEngine on
      TLSLog /tmp/tls.log
      # TLSProtocol TLSv1
      # SSLv23 Compatibility mode, used to allow both SSLv3 and TLSv1
      TLSProtocol SSLv23
    
    
      # Are clients required to use FTP over TLS when talking to this server?
      TLSRequired off
    
      # Server's certificate
      TLSRSACertificateFile         /opt/etc/ftpd/server.cert.pem
      TLSRSACertificateKeyFile      /opt/etc/ftpd/server.key.pem
    
      # CA the server trusts
      TLSCACertificateFile          /opt/etc/ftpd/root.cert.pem
    
      # Authenticate clients that want to use FTP over TLS?
      TLSVerifyClient off
    
      # Allow SSL/TLS renegotiations when the client requests them, but
      # do not force the renegotiations.  Some clients do not support
      # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
      # clients will close the data connection, or there will be a timeout
      # on an idle data connection.
      TLSRenegotiate required off
    </IfModule>
    In the text above, modify the MasqueradeAddress and PassivePorts lines as required. Do not use brackets; for instance:
    Code:
    MasqueradeAddress 123.123.123.123
    PassivePorts 12345 54321

    Move the tls.log to the same folder as syslogd.
    Code:
    rm /var/ftpd/tls.log
    touch /tmp/tls.log
    Accept FTP traffic from WAN: run the following commands at the command prompt:
    Code:
    iptables -I INPUT -p tcp --dport 21 -j ACCEPT
    Paste the following line at the prompt, substituting first_port:last_port with the passive ports given above under PassivePorts:
    Code:
    iptables -I INPUT -p tcp --dport first_port:last_port -j ACCEPT
    For instance:
    Code:
    iptables -I INPUT -p tcp --dport 12345:54321 -j ACCEPT

    Add the necessary NAT information to be able to connect via SSL/TLS from the WAN (passive mode), or when forcing non-encrypted (ordinary) FTP to connect in passive mode. Substitute first_port:last_port with the passive ports given above under PassivePorts and lan_ip with the IP address of the br0 interface of your Asus router.
    Code:
    iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport first_port:last_port -j DNAT --to-destination lan_ip
    For instance:
    Code:
    iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport 12345:54321 -j DNAT --to-destination 192.168.1.1


    Save changes
    Code:
    flashfs save && flashfs commit && flashfs enable
    Starting the FTP daemon
    Start the FTP daemon: run the following at the command prompt:
    Code:
    proftpd
    Testing the FTP server
    The test has been performed using FTP client FileZilla ver. 2.2.32.

    Logontype: Normal
    Servertype: FTP, FTP over SSL or FTP over TLS
    user/password: same as Asus log-in

    Final notes
    iptables commands should be added to post-firewall.
    proftpd command can be added to post-mount.
    If the FTP client is behind a firewall, port 113 at client side should be open but it is not mandatory.
    For further advanced configuration and settings, please refer to the sources.
    Last edited by Tamadite; 20-08-2008 at 10:05. Reason: passive mode when using SSL/TLS
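An added example, not code from Tamadite's HowTo or from the ProFTPD project: a small shell script that reads the MasqueradeAddress and PassivePorts lines out of a proftpd.conf and prints the three iptables commands the HowTo asks you to type, refusing to do so while the bracket placeholders are still in the file or the port range is unusable. The sample config text, the LAN address 192.168.1.1 and the vlan1 interface name are assumptions taken from the HowTo's own examples; the script only prints the rules, it does not run iptables.

```shell
#!/bin/sh
# Added example, not part of the HowTo: derive the firewall rules from the
# PassivePorts and MasqueradeAddress lines of proftpd.conf, so the passive
# port range opened in iptables always matches what ProFTPD announces.
# Assumptions (from the HowTo's own examples): WAN interface vlan1, the
# router's br0 address as DNAT target. The rules are printed, not executed.

# Constructed sample config holding only the directives this check reads.
SAMPLE_CONF='ServerName "ProFTPD Default Installation"
MasqueradeAddress 123.123.123.123
<Global>
  PassivePorts 12345 54321
</Global>'

# conf_get <config text> <directive>: value of the first uncommented match.
conf_get() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# True when a value is empty or still carries the [template] brackets.
has_placeholder() {
    case "$1" in
        *"["*|*"]"*|"") return 0 ;;
        *) return 1 ;;
    esac
}

# firewall_rules <config text> <lan_ip>: print the three iptables commands
# from the HowTo with the passive range filled in; fail on bad input.
firewall_rules() {
    conf=$1 lan_ip=$2
    masq=$(conf_get "$conf" MasqueradeAddress)
    passive=$(conf_get "$conf" PassivePorts)
    if has_placeholder "$masq" || has_placeholder "$passive"; then
        echo "error: MasqueradeAddress/PassivePorts still contain placeholders" >&2
        return 1
    fi
    first=${passive%% *}
    last=${passive##* }
    # Ports must be numeric, ordered, and above the privileged range.
    case "$first$last" in
        *[!0-9]*) echo "error: PassivePorts '$passive' is not numeric" >&2; return 1 ;;
    esac
    if [ "$first" -le 1023 ] || [ "$first" -gt "$last" ]; then
        echo "error: bad passive range $first-$last" >&2
        return 1
    fi
    printf 'iptables -I INPUT -p tcp --dport 21 -j ACCEPT\n'
    printf 'iptables -I INPUT -p tcp --dport %s:%s -j ACCEPT\n' "$first" "$last"
    printf 'iptables -t nat -A PREROUTING -i vlan1 -p tcp --dport %s:%s -j DNAT --to-destination %s\n' \
        "$first" "$last" "$lan_ip"
}

# Sample run: prints the rules for the constructed config and LAN IP 192.168.1.1.
firewall_rules "$SAMPLE_CONF" 192.168.1.1
```

Run it against the real /opt/etc/proftpd.conf on the router and paste the printed lines into post-firewall once they look right; because the range is read from the same file ProFTPD uses, the PASV range and the firewall hole cannot drift apart.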

  2. #2 (Join Date: Nov 2007, Location: EU's border..., Posts: 71)
    Nice work, but isn't proftpd slower than vsftpd?
    How many resources are used when you transfer something?
    And my suggestions:
    - try to start proftpd from xinetd (started only when it is needed)
    - if not, make a start/stop script in /opt/etc/init.d instead of starting proftpd from post-mount (it will be stopped gracefully on shutdown)

  3. #3 (Join Date: Nov 2004, Location: Sweden, Posts: 259)
    Quote Originally Posted by Serpent:
    Nice work, but isn't proftpd slower than vsftpd?
    How many resources are used when you transfer something?
    And my suggestions:
    - try to start proftpd from xinetd (started only when it is needed)
    - if not, make a start/stop script in /opt/etc/init.d instead of starting proftpd from post-mount (it will be stopped gracefully on shutdown)
    Thanks Serpent for your comments.

    For those interested: for further information on init.d or xinetd setup, please read the instructions manual that follows proftpd (/opt/doc/proftpd/proftpd-install.doc). xinetd installation instructions can be found in macsat (http://www.macsat.com/macsat/content/view/25/29/).

    For xinetd, please change "user=root" to "user=admin" on file /opt/etc/xinetd.d/proftpd

    Regarding proftpd vs. vsftpd performance, I have no figures yet.
    Last edited by Tamadite; 16-06-2008 at 15:30. Reason: Add information

  4. #4 (Join Date: Jul 2008, Location: Sweden, Posts: 7)
    This howto seems pretty straightforward, cheers! Is it possible to add users with their own pre-set directories please?
    I'm basically looking for an FTP server that is accessible from the Internet and where it's easy to set up users like:

    user: john password: smith dirAccess: /home/john

    So when user John goes on holiday and tries to log in to the FTP server from an Internet café he should be able to do so by using his supplied username and password.

    I've been looking through this forum and macsat but I don't really get if the above is possible, which FTP server is the best, and then how to set up external users.
    So if anyone could please help me on this I'd be very thankful!

  5. #5 (Join Date: Nov 2004, Location: Sweden, Posts: 259)
    Quote Originally Posted by tzd99:
    This howto seems pretty straightforward, cheers! Is it possible to add users with their own pre-set directories please?
    I'm basically looking for an FTP server that is accessible from the Internet and where it's easy to set up users like:

    user: john password: smith dirAccess: /home/john

    So when user John goes on holiday and tries to log in to the FTP server from an Internet café he should be able to do so by using his supplied username and password.

    I've been looking through this forum and macsat but I don't really get if the above is possible, which FTP server is the best, and then how to set up external users.
    So if anyone could please help me on this I'd be very thankful!
    Use adduser:
    Code:
    ipkg install adduser
    For more information on adduser, use google.

  6. #6 (Join Date: Jul 2008, Location: Sweden, Posts: 7)
    Ah OK, so I first have to add a user to the OS before he/she can get access to the FTP, if I've understood this correctly.

    Thanks for the fast reply!

  7. #7

    Trouble with login

    Hi. So I made all the steps, ProFTPD is running. But when I created a user and made some corrections I can't log in. Still getting "Login incorrect".

    List from /etc/passwd:
    tester:$1$BXP4eZqB$pleb1HCG/1Tx6M0moN03a0:0:0:ftp:/opt/share/ftp:/bin/sh

    On the hard drive the folder /share/ftp exists.

    What am I doing wrong?

    Thanx

  8. #8 (Join Date: Nov 2004, Location: Sweden, Posts: 259)
    Quote Originally Posted by freezeghost:
    Hi. So I made all the steps, ProFTPD is running. But when I created a user and made some corrections I can't log in. Still getting "Login incorrect".

    List from /etc/passwd:
    tester:$1$BXP4eZqB$pleb1HCG/1Tx6M0moN03a0:0:0:ftp:/opt/share/ftp:/bin/sh

    On the hard drive the folder /share/ftp exists.

    What am I doing wrong?

    Thanx
    1) User "tester" probably has the same user ID as "admin".
    2) You wrote:
    Quote Originally Posted by freezeghost:
    the folder /share/ftp exists
    but the user points to folder "/opt/share/ftp".

    NOTE
    ====
    If you do not want ftp-users to get access to the console via ssh/telnet replace "/bin/sh" by "/dev/null"
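An added example that is not part of the thread: a shell check that reads an /etc/passwd-style file and reports, for one FTP account, the two problems diagnosed in the post above (a uid shared with another account, uid 0 in particular, and a home directory that does not exist on disk) plus a login shell that still grants ssh/telnet console access. The passwd file and its three entries are constructed sample data written to a temporary directory; pointed at the real /etc/passwd the function works the same way.

```shell
#!/bin/sh
# Added example, not the thread's own code: check an /etc/passwd-style entry
# for the problems diagnosed in this post (uid shared with admin/root, home
# directory missing on disk) and for a login shell that still gives console
# access. The passwd file below is constructed sample data in a temp dir;
# point the function at the real /etc/passwd on the router to use it.

TMPROOT=$(mktemp -d)
trap 'rm -rf "$TMPROOT"' EXIT
mkdir -p "$TMPROOT/opt/share/john"      # john's home exists, tester's does not
PASSWD_FILE="$TMPROOT/passwd"
cat > "$PASSWD_FILE" <<EOF
admin:x:0:0:Administrator:$TMPROOT/home:/bin/sh
tester:x:0:0:ftp:$TMPROOT/opt/share/ftp:/bin/sh
john:x:1001:1001:ftp:$TMPROOT/opt/share/john:/dev/null
EOF

# check_ftp_user <passwd file> <user>: one finding per line, exit 0 if clean.
check_ftp_user() {
    file=$1 user=$2 rc=0
    entry=$(grep "^$user:" "$file") || { echo "$user: no such account"; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    if [ "$uid" -eq 0 ]; then
        echo "$user: uid 0, an FTP login with this account is an admin login"
        rc=1
    fi
    # Any other account with the same numeric uid is, to the system, the same user.
    others=$(awk -F: -v u="$user" -v id="$uid" '$3 == id && $1 != u { print $1 }' "$file")
    if [ -n "$others" ]; then
        echo "$user: uid $uid is shared with: $others"
        rc=1
    fi
    if [ ! -d "$home" ]; then
        echo "$user: home directory $home does not exist"
        rc=1
    fi
    case "$shell" in
        /dev/null|/bin/false|/sbin/nologin) ;;
        *) echo "$user: shell $shell also permits ssh/telnet console access"; rc=1 ;;
    esac
    return $rc
}

# Sample run over the constructed file: tester is reported, john is clean.
for u in tester john; do
    if check_ftp_user "$PASSWD_FILE" "$u"; then
        echo "$u: ok"
    fi
done
```

The sample "tester" entry mirrors the one posted above (uid 0, home under /opt/share/ftp, /bin/sh), so all three findings fire for it; the "john" entry shows what a clean FTP-only account looks like with the /dev/null shell the post recommends.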

  9. #9
    I installed "adduser"; how can I remove a user I have installed?
    And how can I modify an existing user's home dir?

    Also once I've set up the user, how can I enable secure FTP access for it?

  10. #10 (Join Date: Nov 2004, Location: Sweden, Posts: 259)
    Quote Originally Posted by Ehsan:
    I installed "adduser"; how can I remove a user I have installed?
    And how can I modify an existing user's home dir?

    Also once I've set up the user, how can I enable secure FTP access for it?
    Users are saved in the file "/etc/passwd". By default, users in the file "/etc/passwd" will have access via FTP. Edit the file and make the desired changes. For more info on the file structure use google.

    Given the configuration (proftpd.conf) in the HowTo, it is stated that it supports "FTP, FTP over SSL or FTP over TLS". If only encrypted transmission is required, please read the configuration file remarks thoroughly.

    With the given configuration it is up to the client to decide the transmission type.

    Secure transmission cannot be steered at user level (some users with encryption and some users without).
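An added example, not code from the thread: a shell function that reads the mod_tls directives of a proftpd.conf and reports whether encryption is enforced (TLSRequired on) or left to the client (TLSRequired off), the distinction the reply above makes, and flags a TLSProtocol setting that still admits SSLv3. The two config fragments are constructed samples: the first mirrors the HowTo's TLS settings, the second is the enforced variant; the function also works on the full file.

```shell
#!/bin/sh
# Added example (not from the thread): read the mod_tls directives of a
# proftpd.conf and report whether encryption is enforced or left to the
# client. Both configs below are constructed samples carrying only the
# directives this check reads.

CONF_CLIENT_DECIDES='<IfModule mod_tls.c>
  TLSEngine on
  TLSProtocol SSLv23
  TLSRequired off
  TLSVerifyClient off
</IfModule>'

CONF_ENFORCED='<IfModule mod_tls.c>
  TLSEngine on
  TLSProtocol TLSv1
  TLSRequired on
  TLSVerifyClient off
</IfModule>'

# tls_get <config text> <directive>: value of the first uncommented occurrence.
tls_get() {
    printf '%s\n' "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# tls_posture <config text>: first line is "enforced", "client-decides",
# "partial" or "disabled"; one warning line follows per weak setting.
# Exit status 0 only when TLS is required on and SSLv3 is not offered.
tls_posture() {
    conf=$1 rc=0
    engine=$(tls_get "$conf" TLSEngine)
    required=$(tls_get "$conf" TLSRequired)
    proto=$(tls_get "$conf" TLSProtocol)
    if [ "$engine" != "on" ]; then
        echo "disabled"
        return 1
    fi
    case "$required" in
        on) echo "enforced" ;;
        off|"") echo "client-decides"
                echo "warning: TLSRequired is off, plain FTP logins are accepted"
                rc=1 ;;
        *) echo "partial"
           echo "warning: TLSRequired '$required' protects only part of the session"
           rc=1 ;;
    esac
    case "$proto" in
        *SSLv23*|*SSLv3*) echo "warning: TLSProtocol '$proto' still allows SSLv3"; rc=1 ;;
    esac
    return $rc
}

# Sample run: the HowTo-style fragment is reported, the enforced one is clean.
tls_posture "$CONF_CLIENT_DECIDES"
tls_posture "$CONF_ENFORCED"
```

With the HowTo's settings the first call prints "client-decides" and two warnings; changing TLSRequired to on and TLSProtocol to TLSv1 is what turns the second call into a bare "enforced", which matches the reply's point that the choice is made once in the server configuration, not per user.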

  11. #11
    What is this MasqueradeAddress? Am I supposed to enter my WAN address here, or can I enter something else? I have a dynamic IP; what if it changes? Do I have to update the config file?

  12. #12 (Join Date: Nov 2004, Location: Sweden, Posts: 259)

    proftpd TLS/SSL problem: ECONNABORTED

    If TLS/SSL does not work, try FileZilla 3.1.1.1 or above. If you get this from FileZilla:
    Code:
    Status: Server did not properly shut down TLS connection
    Error:  Could not read from transfer socket: ECONNABORTED - Connection aborted
    Partial list of broken servers: ProFTPD <=1.3.2rc1

    To know the ProFTPD version installed on your Asus run:
    Code:
    ipkg list_installed | grep proftpd
    Source: http://forum.filezilla-project.org/v...st=0&sk=t&sd=a

    NOTE:
    FileZilla ver. 2.2.32 works with ProFTPD ver. 1.3.1-4
    Last edited by Tamadite; 17-08-2008 at 16:08. Reason: More info

  13. #13
    I tried this. I could not log on. I get these errors using FileZilla:
    Code:
    Status: Resolving address of mydomain.com
    Status: Connecting to my_IP_address....
    Status: Connection attempt failed with "ECONNREFUSED - Connection refused by server".
    Error: Could not connect to server
    Status: Waiting to retry...
    Could you point to an exact URL where we can be enlightened about the adduser command? This "click me" link is useradd.
