Having access to your files through FTP is very convenient and reliable.

FTP has some useful applications for backups and lets you resume the download or upload of big files that were interrupted.

The problem is that FTP is a plaintext protocol, so it is strongly recommended to add another layer of security.

One option is to configure your firewall to accept FTP connections only from your local network or VPN.

sudo ufw allow from 10.0.0.0/24 to any port 21

In this case, I am permitting access from the whole 10.0.0.0/24 network (10.0.0.1 to 10.0.0.254) to port 21 (the default FTP port).

Another solution is to use the same SSL/TLS certificate and key that you may have created for your HTTP server [Read It].

I also realized ProFTPd does not work well with Fail2Ban [Read It], so I prefer to use the native FTP server of Ubuntu, VSFTPD [Read It].

Assuming your FTP server is ProFTPd and it is already up and running, let's add the encryption.

sudo nano /etc/proftpd/tls.conf

Look for these lines and add the paths to the SSL/TLS certificate and key:

TLSEngine          on
TLSProtocol          TLSv1.2

TLSRSACertificateFile /etc/apache2/md/domains/domain.com/pubcert.pem
TLSRSACertificateKeyFile /etc/apache2/md/domains/domain.com/privkey.pem

Note: for this tutorial we assume the server already has a certificate issued by Let's Encrypt using Apache's MD module. If it was generated in another way, search for these files on your system or purchase them. If that is your case, the files might be located as described above and probably only the domain name needs to be changed.

Confirm that your certificate and key are there, then change the domain name.

TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired

Uncomment the line that ends with "NoSessionReuseRequired". It is not required, but for some reason my FTP client (FileZilla) was not able to connect because it does not reuse the session.

And uncomment this line to only accept encrypted connections:

TLSRequired          on

Edit the configuration file:

sudo nano /etc/proftpd/proftpd.conf

Uncomment the following line:

Include          /etc/proftpd/tls.conf

Verify the range of ports you need to allow in your firewall:

PassivePorts          40000          50000

In my case, I reduced it to only 500 ports. Originally it was much more.

Create the rules in your firewall:

sudo ufw allow 21
sudo ufw allow 40000:50000/tcp

Restart the server and test a remote connection:

sudo systemctl restart proftpd

If the connection fails, you can look at the log file to troubleshoot:

sudo tail -n 20 /var/log/proftpd/tls.log
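Before restarting the server, it is worth checking that the edits above actually leave encryption enforced and that the firewall rule matches the passive range. The script below is an added example, not part of the original post or of ProFTPd: it reads a copy of proftpd.conf and tls.conf, confirms that the tls.conf Include is uncommented, that TLSEngine and TLSRequired are on, that TLSProtocol does not admit a legacy version, that the certificate and key files exist, and derives the ufw rule and port count from the PassivePorts line. The sample configuration it writes to a temporary directory is constructed for the example and mirrors the directives shown in the post, with placeholder certificate files in place of the real Let's Encrypt ones.

```shell
#!/bin/sh
# Added example: pre-restart sanity check for the ProFTPd TLS settings.
# Not the project's own tooling; paths and sample contents are constructed.

# Print the value of the first uncommented occurrence of a directive.
# Usage: directive <file> <name>
directive() {
  awk -v name="$2" '
    { sub(/^[ \t]+/, "") }                 # drop leading whitespace
    /^#/ { next }                          # skip commented lines
    tolower($1) == tolower(name) {         # directive names are case-insensitive
      $1 = ""; sub(/^[ \t]+/, ""); print; exit
    }
  ' "$1"
}

# Print the ufw rule that opens the PassivePorts range.
# Usage: passive_rule <proftpd.conf>
passive_rule() {
  set -- $(directive "$1" PassivePorts)
  [ -n "$2" ] || { echo "PassivePorts is not set" >&2; return 1; }
  echo "sudo ufw allow $1:$2/tcp"
}

# Print how many TCP ports the PassivePorts range exposes (inclusive).
# Usage: passive_count <proftpd.conf>
passive_count() {
  set -- $(directive "$1" PassivePorts)
  [ -n "$2" ] || return 1
  echo $(( $2 - $1 + 1 ))
}

# Verify that encryption is actually enforced. Prints "ok" on success,
# otherwise the first problem found, and returns non-zero.
# Usage: tls_enforced <proftpd.conf> <tls.conf>
tls_enforced() {
  main="$1"; tls="$2"
  if ! grep -Eiq '^[[:space:]]*Include[[:space:]]+.*tls\.conf' "$main"; then
    echo "Include of tls.conf is commented out in $main"; return 1
  fi
  for name in TLSEngine TLSRequired; do
    val=$(directive "$tls" "$name")
    if [ "$(echo "$val" | tr 'A-Z' 'a-z')" != "on" ]; then
      echo "$name is '$val' in $tls, expected 'on'"; return 1
    fi
  done
  proto=$(directive "$tls" TLSProtocol)
  case " $proto " in
    *SSLv*|*" TLSv1 "*|*TLSv1.0*|*TLSv1.1*)
      echo "TLSProtocol '$proto' permits a legacy protocol version"; return 1 ;;
  esac
  for name in TLSRSACertificateFile TLSRSACertificateKeyFile; do
    path=$(directive "$tls" "$name")
    [ -r "$path" ] || { echo "$name '$path' is missing or unreadable"; return 1; }
  done
  echo ok
}

# --- constructed sample configuration so the script runs stand-alone ---
sample_dir="${TMPDIR:-/tmp}/proftpd-check.$$"
mkdir -p "$sample_dir"
trap 'rm -rf "$sample_dir"' EXIT
: > "$sample_dir/pubcert.pem"   # placeholders standing in for the real files
: > "$sample_dir/privkey.pem"
cat > "$sample_dir/proftpd.conf" <<EOF
Include          $sample_dir/tls.conf
PassivePorts     40000 50000
EOF
cat > "$sample_dir/tls.conf" <<EOF
TLSEngine          on
TLSProtocol        TLSv1.2
TLSRSACertificateFile    $sample_dir/pubcert.pem
TLSRSACertificateKeyFile $sample_dir/privkey.pem
TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
TLSRequired        on
EOF

tls_enforced "$sample_dir/proftpd.conf" "$sample_dir/tls.conf"
passive_rule "$sample_dir/proftpd.conf"
echo "passive ports opened: $(passive_count "$sample_dir/proftpd.conf")"
```

Run it against the real files by passing /etc/proftpd/proftpd.conf and /etc/proftpd/tls.conf to the functions instead of the sample copies. Once proftpd is restarted, the encrypted handshake itself can be checked from another host with `openssl s_client -starttls ftp -connect yourhost:21`, which should show the same certificate chain as the HTTPS site.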

One Reply to “ProFTPd + SSL/TLS on Ubuntu 20.04”
