After you have setup your server (See:How to Setup Virtualmin on CentOS 5) FTP is one of the first things you need secure, and make sure it is done well as you will receive many attacks on this part of your system. This short guide will show how to do this easily on a Virtualmin System.

I would also suggest you really consider switching off ProFTPD and using SFTP with Two-factor authentication enabled. Simply follow my two-factor authentication guide to set this up with SSH and then you use the ssh credentials to do SFTP:

How To: CentOS Two-factor SSH and Virtualmin Authentication via Google-Authenticator

1. Change the ProFTPD config:

Navigate to your sites Virtualmin Control Panel:


https://x.x.x.x:10000   ##  where x.x.x.x is you server IP


Then click on the WEBMIN link on the TOP LEFT:

  Virtualmin  Webmin

Click on the:

Servers>>> ProFTPD Server

Click on:

Edit Config Files


 Find and change the following:

ServerName ProFTPD
ServerIdent on
FTP Server ready
ServerAdmin root@localhost
DefaultServer on

Add these lines to change the port FTP listens on and turn off IPv6:

You will have to make sure the port you choose here is open in your firewall, and then also close port 21. I will cover that later.

# Port 21 is the standard FTP port.
Port 6021
UseIPv6 off

Add the disable root login option:

# Disable Root Logins
RootLogin off

Make sure the TLS section in the confic looks like this:

# TLS (
#<IfDefine TLS>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuiteALL :!ADH:!DES
TLSOptions NoCertReques
TLSVerifyClient off
TLSRenegotiatectrl 3600 data 512000 required off timeout 33 00
TLSLog /var/log/proftpd/tls.log
#<IfModule mod_tls_shmcache.c>

Add rules to restrict the ProFTPs Passive ports:

# Restrict the range of ports from which the server will select when sent the
# PASV command from a client. Use IANA-registered ephemeral port range of
PassivePorts 65000 65100

Click on:


2. Then we need to create the TLS certificates so that TLS will work.

To this you need ti SSH into your server and then execute these commands as root:

Change your directory:

cd /etc/pki/tls/certs 

Generate the cert:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem

This is the output you will see with some explanations to help you:

Generating a 1024 bit RSA private key
writing new private key to '/etc/pki/tls/certs/proftpd.pem'
-----You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:JP # country
State or Province Name (full name) [Some-State]:Hiroshima   # state
Locality Name (eg, city) []:Hiroshima # city
Organization Name (eg, company) []:GTS   # company
Organizational Unit Name (eg, section) []:Server World   # department
Common Name (eg, YOUR name) []   # server's FQDN
Email Address []:[email protected]

Your cert is now created and we now need to just secure the cert:

chmod 600 proftpd.pem

The we need to restart the ProFTPD server:

From SSH:

service proftpd restart 

You can also restart it from Virtualmin.


3. Open the new FTP port and close the old port (21) on your firewall

 (If you have not yet setup a firewall script see: How to: CentOS 5 and Virtualmin Firewall Init Script )

Click on:

System >>> Bootup and Shutdown

Click on the:

 Firewall link

 The Firewall script will come up so you can edit it as you would any normal text file.

Press Ctrl + F and Find 21

The firewall rule should look something like this.

iptables -A INPUT -p tcp  --dport 21 -j ACCEPT

Replace that one line / firewall / iptables rule with these:

iptables -A INPUT -p tcp --dport 21 --syn  -j DROP
iptables -A INPUT -p tcp --dport 6021 -j ACCEPT
iptables -A INPUT -p tcp --dport 65000:65100 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp --dport 65000:65100 -i eth0 -j DNAT --to

## the 1st rule is to close port 21

## the 2nd rule is to open port 6021 (replace that with the port you chose)

## the 3rd rule it to open the passive ports.

## the 4th rule it to help filezilla and other ftp clients work better. -replace with your servers main IP


Now you should be ready to use your FTP program again and login – with the new user and new port.

Test to make sure that you cant log in on port 21, that you can ONLY login with TLS and you cant login with root.


How to: CentOS Virtualmin secure ProFTPD
Tagged on:                                                     

Leave a Reply

Your email address will not be published. Required fields are marked *

6 thoughts on “How to: CentOS Virtualmin secure ProFTPD

  • Thanks for the page – really useful – couple of tweaks to the code though – some typos got through that effectively stop proftpd from starting firstly the intro lines should be:
    ServerName “ProFTPD”
    ServerIdent on “FTPServer ready”
    ServerAdmin root@localhost
    DefaultServer on

    And then the TLS lines need to be:
    # TLS (
    TLSEngine on
    TLSRequired on
    TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
    TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
    TLSCipherSuite ALL :!ADH:!DES
    TLSOptions NoCertRequest
    TLSVerifyClient off
    TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
    TLSLog /var/log/proftpd/tls.log


  • Hello

    I have an unmanaged VPS,, and i know very little about linux,, i have managed to install proftpd,, but i need to set it up securely,, as you have listed in this article.. could you help me do that?

    The purpose of the VPS is to store my backups on.. i will be the only one ftping to the site,, so it needs to be setup in a way, that i can only access it.

    thank you

    1. Hi Tim,

      If you want your server to be secure I would suggest removing FTP altogether and only using SSH – you can SFTP – its just FTP over SSH and is much more secure. You can even go one step further and install Google-Authenticator on your SSH and then you will have two-factor authentication, you cant get more secure than that without going to super extremes. So the question would be what you want to back up – if you are able to use SFTP to store your backups then that would be the way you would need to go. I have other guides on my site on how to set up two-factor authentication on SSH.

      If you want me to help with that let me know and I can send you over a email address / skype info and we can chat.


  • Hi,
    nice how to. I do have a question though. With TLS I would need to open other ports for data channels which my network administrator probably won’t like. At the very top of your article, you mention disabling Proftpd and only use sshd. I was wondering how would you go to do that in virtualmin/webmin ?

    Thnak you !

    1. Hi JF,

      I am glad you like my How To – yes only using SSH for file transfers via SFTP would be best and much safer, and if you use two factor authentication it would as close to the best security you could get without too much trouble.

      To do this on Virtualmin is very simple and would only take a few steps.

      1. Stop and disable Proftpd from starting on boot.
      2. Close the ports you are using for ProFTPd in your firewall.
      3. Use your Default Admin user account for every site`s details to log in and transfer files via SFTP (I use Filezilla to trasnsfer files and it has a option for SFTP, but I am sure you could also find other programs that could do it.)

      To make the SFTP and SSH more secure you could:

      1. Move your SSH to a non default Port (I would suggest at least doing this)
      2. Setting up Two Factor Authentication (Follow my guide: How To: CentOS Two-factor SSH and Virtualmin Authentication via Google-Authenticator)

      Let me know if you need any more help!