Having access to your files through FTP is very convenient and reliable.
FTP has some great applications for backups and supports resuming interrupted downloads or uploads of large files.
The problem is that FTP is a plain text protocol, so it is strongly recommended to add another layer of security.
One option is configuring your firewall to accept FTP connections only from your local network or VPN.
sudo ufw allow from 10.0.0.0/24 to any port 21
In this case, I am allowing access to the entire 10.0.0.0 network (from 10.0.0.1 to 10.0.0.254) on port 21 (the default FTP port).
Another option is to use the same SSL/TLS certificate you may have already created for your HTTP server [Read It].
I also found that ProFTPd does not work well with Fail2Ban [Read It], so I prefer to use Ubuntu’s native FTP server, VSFTPD [Read It].
Assuming your FTP server is ProFTPd and it is already up and running, let’s add encryption.
sudo nano /etc/proftpd/tls.conf
Find the following lines and add the path to your SSL/TLS certificate:
TLSEngine on TLSProtocol TLSv1.2 TLSRSACertificateFile /etc/apache2/md/domains/domain.com/pubcert.pem TLSRSACertificateKeyFile /etc/apache2/md/domains/domain.com/privkey.pem
Note: this tutorial assumes the server already has a certificate issued by Let’s Encrypt using Apache’s MD module. If it was generated a different way, locate these files on your system or obtain them. The paths above are likely correct and you may only need to update the domain name.
Confirm that your certificate files exist, then update the domain name.
TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
Uncomment the line ending with “NoSessionReuseRequired”. It is not strictly required, but my FTP client (FileZilla) was unable to connect without it since it does not reuse sessions.
Also uncomment this line to enforce encrypted connections only:
TLSRequired on
Edit the main configuration file:
sudo nano /etc/proftpd/proftpd.conf
Uncomment the following line:
Include /etc/proftpd/tls.conf
Check the passive port range you need to open in your firewall:
PassivePorts 40000 50000
In my case, I reduced this to only 500 ports, down from the original range.
Create the firewall rules:
sudo ufw allow 21 sudo ufw allow 40000:50000/tcp
Restart the server and test a remote connection:
sudo systemctl restart proftpd
If the connection fails, check the log file to troubleshoot:
sudo tail -n 20 /var/log/proftpd/tls.log