Your business might have users who depend on using FTP to transfer files to and from a data center server. If that’s the case, you want to make sure that your FTP server is as secure as possible. When SFTP isn’t an option, another way of creating a secure FTP instance is with the help of TLS.

I want to walk you through the process of securing the ProFTP server with TLS. All you need is an instance of Ubuntu Server 18.04 and a user account with sudo privileges.

Installing ProFTP

The first thing to do is install ProFTP. ProFTP is an outstanding FTP server, which offers plenty of features and is reliable for business usage. In order to install ProFTP, follow these steps:

  1. Open a terminal window (or log into your Ubuntu server).
  2. Install ProFTP with the command sudo apt-get install proftpd -y.
  3. Allow the installation to complete.

Today’s AppSec teams need to secure more applications, more transactions and must do so with limited security staff. To keep pace, the old, time-consuming, and high false positive WAF models need to evolve. Security teams simply must be able to automate…

Once the installation finishes, start and enable the service with the following two commands:

sudo systemctl start proftpd
sudo systemctl enable proftpd

Installing OpenSSL

The next step is installing OpenSSL (if it’s not already installed). To do this, go back to your terminal window and issue the command:

sudo apt-get install openssl -y

Once OpenSSL is installed, generate the necessary SSL certificates for ProFTP with the following command:

sudo openssl req -x509 -newkey rsa:1024 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -nodes -days 365

Make sure to answer all of the questions for your certificate. Once that task completes, give the newly generated key the proper permissions with the following commands:

sudo chmod 600 /etc/ssl/private/proftpd.key
sudo chmod 600 /etc/ssl/certs/proftpd.crt

Configuring ProFTP

Now, we need to configure ProFTP to make use of our new SSL certificates. Open the ProFTP configuration file with the command:

sudo nano /etc/proftpd/proftpd.conf

Look for the line #Include /etc/proftpd/tls.conf (around line 140) and remove the # character. Save and close that file. Next, issue the command:

sudo nano /etc/proftpd/tls.conf

Uncomment the following lines (remove the # character):

TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSRequired on
TLSVerifyClient off
TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired

Note: The above lines are scattered throughout the configuration file, so make sure to look closely. Once you make the necessary changes, save and close that file. Restart the ProFTP server with the command:

sudo systemctl restart proftpd

Create a new user

Now we need to create a specific ProFTP user. To do this issue the command:

sudo adduser ftpuser

Note: You can name the FTP user whatever you like.

Once you add the user, you can now access the ProFTP server, using encryption. How you make that connection depends upon the FTP client you use. Just make sure you connect with the new user and make sure the connection encryption type is FTP over TLS (Figure A).

Figure A: Connecting to the TLS-enabled ProFTP server using FileZilla.

If you already have users on the remote server, those users can log into the FTP server using their previously created credentials. In other words, you don’t need to create a new user.

And that’s all there to securing your ProFTP server with TLS encryption. Make sure to add as many users as needed and inform them how to connect with the new TLS protocol.