After you have set up your server (see: How to Setup Virtualmin on CentOS 5), FTP is one of the first things you need to secure, and you should make sure it is done well, because this part of your system will receive a lot of attack traffic. This short guide shows how to do this easily on a Virtualmin system.
I would also suggest you seriously consider switching off ProFTPD and using SFTP with two-factor authentication enabled. Follow my two-factor authentication guide to set this up for SSH, and then use the SSH credentials for SFTP:
How To: CentOS Two-factor SSH and Virtualmin Authentication via Google-Authenticator
1. Change the ProFTPD config:
Navigate to your site's Virtualmin control panel:
https://server1.example.com:10000
or
https://x.x.x.x:10000 ## where x.x.x.x is your server's IP
Then click on the Webmin link at the top left:
Click on the:
Servers>>> ProFTPD Server
Open the ProFTPD configuration file for editing, then find and change the following lines (multi-word values must be in double quotes, or ProFTPD will refuse to start):

ServerName "ProFTPD"
ServerIdent on "FTP Server ready"
ServerAdmin root@localhost
DefaultServer on
Add these lines to change the port FTP listens on and to turn off IPv6:

# Port 21 is the standard FTP port.
Port 6021
UseIPv6 off

You will have to make sure the port you choose here is open in your firewall, and then also close port 21; I will cover that in step 3.
Add the option that disables root logins (ProFTPD's default is already off, but setting it explicitly keeps the intent visible in the config):

# Disable Root Logins
RootLogin off
Make sure the TLS section of the config looks like this (the <IfDefine TLS> and <IfModule> wrappers stay commented out, so the TLS directives apply unconditionally instead of only when proftpd is started with -DTLS):

# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
#<IfDefine TLS>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
#<IfModule mod_tls_shmcache.c>
#TLSSessionCache shm:/file=/var/run/proftpd/sesscache
#</IfModule>
#</IfDefine>

Watch the exact spelling: TLSOptions NoCertRequest, the TLSCipherSuite value as a single argument (no space after ALL), and timeout 300; typos in these lines stop ProFTPD from starting. TLSRequired on forces TLS on both the control and the data channel. ALL:!ADH:!DES only drops anonymous and single-DES ciphers; where your OpenSSL build supports it, a stricter list such as HIGH:!aNULL:!MD5 is preferable.
Add rules to restrict the range of passive (PASV) data ports ProFTPD hands out, so the firewall only has to open that range:

# Restrict the range of ports from which the server will select when sent the
# PASV command from a client. Use IANA-registered ephemeral port range of
PassivePorts 65000 65100

If the server sits behind NAT, also set MasqueradeAddress to its public IP; otherwise the PASV reply advertises an internal address that clients cannot reach.
Save the configuration file when you are done.
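As an added example (this is not part of the original guide, nor a ProFTPD tool), here is a small Python script that reads a proftpd.conf and reports which of the step 1 settings are missing or still at their default, so you can re-check the file after editing it in Webmin. The function names and the two sample configs (BEFORE, AFTER) are constructed for illustration; the parser only understands flat top-level directives, not per-<VirtualHost> or <Anonymous> scoping.

```python
import re
from typing import Dict, List


def parse_directives(conf: str) -> Dict[str, str]:
    """Map each directive (lower-cased) to its argument string.
    Comments are stripped, container tags (<IfDefine>, <IfModule>) are
    skipped, and a repeated directive keeps its last value. Only flat,
    top-level directives are modelled, which is all the guide touches."""
    found: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        found[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return found


def audit(conf: str) -> List[str]:
    """One finding per step-1 setting that conf does not satisfy; an empty
    list means the config matches the guide."""
    d = parse_directives(conf)

    def val(name: str) -> str:
        return d.get(name.lower(), "")

    findings: List[str] = []
    # Unquoted multi-word values ('ServerIdent on FTP Server ready') are the
    # typo that stops ProFTPD from starting at all.
    for name in ("ServerName", "ServerIdent"):
        if " " in val(name) and '"' not in val(name):
            findings.append(f"{name}: multi-word value is not quoted, ProFTPD will reject the config")
    if val("Port") in ("", "21"):
        findings.append("Port: still on the default port 21")
    if val("UseIPv6").lower() != "off":
        findings.append("UseIPv6: IPv6 listener not disabled")
    if val("RootLogin").lower() != "off":  # ProFTPD defaults to off; the guide pins it
        findings.append("RootLogin: not explicitly set to off")
    if val("TLSEngine").lower() != "on":
        findings.append("TLSEngine: TLS is not enabled")
    if val("TLSRequired").lower() != "on":
        findings.append("TLSRequired: cleartext logins are still accepted")
    for name in ("TLSRSACertificateFile", "TLSRSACertificateKeyFile"):
        if not val(name):
            findings.append(f"{name}: not set")
    suite = val("TLSCipherSuite").lower()
    if not suite:
        findings.append("TLSCipherSuite: not set, OpenSSL's default list applies")
    elif "!adh" not in suite and "!anull" not in suite:
        findings.append("TLSCipherSuite: anonymous (ADH) ciphers not excluded")
    pp = val("PassivePorts").split()
    if not (len(pp) == 2 and all(p.isdigit() for p in pp)
            and 1024 <= int(pp[0]) < int(pp[1]) <= 65535):
        findings.append("PassivePorts: no valid range, so the data channel cannot be scoped in the firewall")
    return findings


# Constructed sample: a config before the guide's edits.
BEFORE = """\
ServerName ProFTPD
ServerIdent on FTP Server ready
ServerAdmin root@localhost
DefaultServer on
Port 21
"""

# Constructed sample: the values the guide ends up with, correctly quoted.
AFTER = """\
ServerName "ProFTPD"
ServerIdent on "FTP Server ready"
ServerAdmin root@localhost
DefaultServer on
# Port 21 is the standard FTP port.
Port 6021
UseIPv6 off
# Disable Root Logins
RootLogin off
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSLog /var/log/proftpd/tls.log
PassivePorts 65000 65100
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/proftpd.conf"
    with open(path) as fh:
        problems = audit(fh.read())
    print("\n".join(problems) or f"{path}: every setting from step 1 is present")
```

Run it as python3 proftpd_audit.py /etc/proftpd.conf; an empty report means every setting from step 1 is in place, and the BEFORE sample shows the ten findings an untouched config produces. The check is deliberately strict about RootLogin being present even though ProFTPD defaults it to off, so a later edit that enables it cannot hide behind the default.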
2. Then we need to create the TLS certificate so that TLS will work.
To do this, SSH into your server and execute these commands as root:
Change your directory:
cd /etc/pki/tls/certs
Generate the cert:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem
This writes the private key and the self-signed certificate into the same file, which is what the TLS directives above expect. A 2048-bit key is used here; 1024-bit RSA keys are no longer considered adequate.
This is the output you will see, with some explanations to help you:

Generating a 2048 bit RSA private key
......++++++
.......++++++
writing new private key to '/etc/pki/tls/certs/proftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP                          # country
State or Province Name (full name) [Some-State]:Hiroshima     # state
Locality Name (eg, city) []:Hiroshima                         # city
Organization Name (eg, company) []:GTS                        # company
Organizational Unit Name (eg, section) []:Server World        # department
Common Name (eg, YOUR name) []:www.server.world               # server's FQDN, the name clients connect to
Email Address []:[email protected]
Your cert is now created. Because the same file also holds the private key, restrict it so that only root can read it:
chmod 600 proftpd.pem
Then we need to restart the ProFTPD server:
From SSH:
service proftpd restart
You can also restart it from Virtualmin.
3. Open the new FTP port and close the old port (21) on your firewall
(If you have not yet setup a firewall script see: How to: CentOS 5 and Virtualmin Firewall Init Script )
Click on:
System >>> Bootup and Shutdown
Click on the:
Firewall link
The Firewall script will come up so you can edit it as you would any normal text file.
Press Ctrl + F and find 21.
The firewall rule should look something like this:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
Replace that one iptables rule with these:

#ProFTPD
iptables -A INPUT -p tcp --dport 21 --syn -j DROP
iptables -A INPUT -p tcp --dport 6021 -j ACCEPT
iptables -A INPUT -p tcp --dport 65000:65100 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp --dport 65000:65100 -i eth0 -j DNAT --to xxx.xxx.xxx.xxx

## the 1st rule closes port 21: it drops new (SYN) connections, and because iptables stops at the first match it must come before any broader ACCEPT rule
## the 2nd rule opens port 6021 (replace that with the port you chose)
## the 3rd rule opens the passive port range you configured with PassivePorts
## the 4th rule helps FileZilla and other FTP clients work better; replace xxx.xxx.xxx.xxx with your server's main IP, and eth0 with your public interface if it differs
Now you should be ready to use your FTP program again and log in with your user on the new port.
Test to make sure that you cannot log in on port 21, that you can ONLY log in with TLS, and that you cannot log in as root.
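Those three checks can be scripted. The following is an added example (not from the original guide) that uses Python's standard ftplib to try a cleartext login, a TLS login with a passive directory listing, and optionally a TLS login as root against the new port, and also confirms that port 21 no longer accepts connections. The host, port and user names are placeholders and the function names are my own; the certificate check is switched off because the guide's certificate is self-signed.

```python
import ftplib
import socket
import ssl
from typing import Dict, Optional, Tuple, Union


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def _login(ftp: ftplib.FTP, host: str, port: int, user: str, password: str,
           timeout: float) -> Tuple[str, str]:
    """Drive one login attempt and classify it as ('ok', ''),
    ('refused', server reply) or ('error', reason)."""
    try:
        ftp.connect(host, port, timeout=timeout)
        if isinstance(ftp, ftplib.FTP_TLS):
            ftp.auth()       # AUTH TLS before USER, as TLSRequired on demands
        ftp.login(user, password)
        if isinstance(ftp, ftplib.FTP_TLS):
            ftp.prot_p()     # protect the data channel as well
            ftp.nlst()       # PASV transfer: exercises PassivePorts and the firewall rule
        return "ok", ""
    except (ftplib.error_perm, ftplib.error_temp) as exc:
        return "refused", str(exc)
    except OSError as exc:   # connection refused, timeout, or TLS handshake failure
        return "error", str(exc)
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


def run_checks(host: str, port: int, user: str, password: str,
               root_password: Optional[str] = None,
               timeout: float = 5.0) -> Dict[str, Union[bool, str]]:
    """One entry per property the guide says to test. True means the property
    holds; a string says why it does not, or why the check could not run."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # the guide's certificate is self-signed;
    ctx.verify_mode = ssl.CERT_NONE   # pin its fingerprint instead in real use

    results: Dict[str, Union[bool, str]] = {
        "port21_closed": not tcp_port_open(host, 21, timeout),
        "new_port_open": tcp_port_open(host, port, timeout),
    }
    out, why = _login(ftplib.FTP(), host, port, user, password, timeout)
    results["plaintext_login_refused"] = True if out == "refused" else f"{out}: {why or 'cleartext login accepted'}"

    out, why = _login(ftplib.FTP_TLS(context=ctx), host, port, user, password, timeout)
    results["tls_login_works"] = True if out == "ok" else f"{out}: {why}"

    # RootLogin off rejects root even with the correct password, so this check
    # only means something when the real root password is supplied.
    if root_password is None:
        results["root_login_refused"] = "skipped: no root password supplied"
    else:
        out, why = _login(ftplib.FTP_TLS(context=ctx), host, port, "root", root_password, timeout)
        results["root_login_refused"] = True if out == "refused" else f"{out}: {why or 'root login accepted'}"
    return results


def all_passed(results: Dict[str, Union[bool, str]]) -> bool:
    """True only when every check holds; skipped or errored checks count as failures."""
    return all(v is True for v in results.values())


if __name__ == "__main__":
    import getpass
    import sys
    # usage: python3 ftp_check.py server1.example.com 6021 siteadmin
    host, port, user = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    report = run_checks(host, port, user, getpass.getpass(f"{user} password: "))
    for check, result in report.items():
        print(f"{check:24} {'PASS' if result is True else 'FAIL: ' + str(result)}")
    sys.exit(0 if all_passed(report) else 1)
```

With TLSRequired on, ProFTPD answers the cleartext USER command with a 5xx reply, which is what plaintext_login_refused looks for. ssl.create_default_context() insists on TLS 1.2 or newer, so a server whose OpenSSL (as shipped with CentOS 5) only speaks TLS 1.0 shows up as a handshake error under tls_login_works; treat that as a finding in its own right rather than relaxing the client.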
Thanks for the page – really useful – a couple of tweaks to the code though: some typos got through that effectively stop proftpd from starting. Firstly, the intro lines should be:
ServerName "ProFTPD"
ServerIdent on "FTPServer ready"
ServerAdmin root@localhost
DefaultServer on
And then the TLS lines need to be:
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
#<IfDefine TLS>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
#<IfModule mod_tls_shmcache.c>
#TLSSessionCache shm:/file=/var/run/proftpd/sesscache
#</IfModule>
#</IfDefine>
Cheers
Hello
I have an unmanaged VPS, and I know very little about Linux. I have managed to install proftpd, but I need to set it up securely, as you have listed in this article. Could you help me do that?
The purpose of the VPS is to store my backups on. I will be the only one FTPing to the site, so it needs to be set up in a way that only I can access it.
Thank you
Hi Tim,
If you want your server to be secure I would suggest removing FTP altogether and only using SSH – you can SFTP – it's just FTP over SSH and is much more secure. You can even go one step further and install Google-Authenticator on your SSH and then you will have two-factor authentication; you can't get more secure than that without going to super extremes. So the question would be what you want to back up – if you are able to use SFTP to store your backups then that would be the way you would need to go. I have other guides on my site on how to set up two-factor authentication on SSH.
If you want me to help with that, let me know and I can send you my email address / Skype info and we can chat.
Peace
Hi,
Nice how-to. I do have a question though. With TLS I would need to open other ports for data channels, which my network administrator probably won't like. At the very top of your article you mention disabling ProFTPD and only using sshd. I was wondering how you would go about doing that in Virtualmin/Webmin?
Thank you!
Hi JF,
I am glad you like my how-to – yes, only using SSH for file transfers via SFTP would be best and much safer, and if you use two-factor authentication it would be as close to the best security you could get without too much trouble.
To do this on Virtualmin is very simple and would only take a few steps.
1. Stop ProFTPD and disable it from starting on boot.
2. Close the ports you are using for ProFTPd in your firewall.
3. Use the default admin user account from each site's details to log in and transfer files via SFTP (I use FileZilla to transfer files and it has an option for SFTP, but I am sure you could also find other programs that could do it).
To make the SFTP and SSH more secure you could:
1. Move your SSH to a non-default port (I would suggest at least doing this).
2. Set up two-factor authentication (follow my guide: How To: CentOS Two-factor SSH and Virtualmin Authentication via Google-Authenticator).
Let me know if you need any more help!
Peace