Having access to your files through FTP is very convenient and reliable.
FTP is useful for backups and lets you resume the download or upload of large files after an interruption.
The problem is that FTP is a plaintext protocol, so it is strongly recommended to add another layer of security.
One option is to configure your firewall to accept FTP connections only from your local network or VPN.
sudo ufw allow from 10.0.0.0/24 to any port 21
In this case, I am permitting access from the whole 10.0.0.0/24 network (10.0.0.1 to 10.0.0.254) to port 21 (the default FTP control port).
Another solution is to use the same SSL/TLS certificate and key that you may have created for your HTTP server [Read It].
I also realized ProFTPd does not work well with Fail2Ban [Read It], so I prefer to use Ubuntu's native FTP server, VSFTPD [Read It].
Assuming your FTP server is ProFTPd and it is already up and running, let’s add encryption.
sudo nano /etc/proftpd/tls.conf
Look for the following lines and add the paths to the SSL/TLS certificate and key:
TLSEngine on
TLSProtocol TLSv1.2
TLSRSACertificateFile /etc/apache2/md/domains/domain.com/pubcert.pem
TLSRSACertificateKeyFile /etc/apache2/md/domains/domain.com/privkey.pem
Note: this tutorial assumes the server already has a certificate issued by Let’s Encrypt through Apache’s MD module (mod_md). If the certificate was generated another way, search for these files on your system or purchase them. If you used mod_md, the files are probably located as shown above and only the domain name needs to be changed.
Confirm that the certificate and key files are there, then change the domain name to yours.
TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
Uncomment the line that ends with “NoSessionReuseRequired”. It is not required, but for some reason my FTP client (FileZilla) was not able to connect because it does not reuse the session. Requiring session reuse is how ProFTPD checks that a data connection belongs to the same client as the control connection, so this option relaxes that check.
And uncomment this line to only accept encrypted connections:
TLSRequired on
Edit the configuration file:
sudo nano /etc/proftpd/proftpd.conf
Uncomment the following line:
Include /etc/proftpd/tls.conf
Verify the range of ports you need to allow in your firewall:
PassivePorts 40000 50000
In my case, I reduced it to only 500 ports; originally it was much more.
Create the rules in your firewall:
sudo ufw allow 21
sudo ufw allow 40000:50000/tcp
Restart the server and test a remote connection:
sudo systemctl restart proftpd
If the connection fails, look at the log file to troubleshoot:
sudo tail -n 20 /var/log/proftpd/tls.log
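As an added example (not code from the original post), the following Python checks a tls.conf in the form shown above for the settings this tutorial enables, flags options that weaken the setup, and derives the ufw rule from PassivePorts so the firewall matches the server; the sample configuration is constructed.

```python
"""Lint ProFTPD mod_tls settings from this tutorial (added example, not the post's own code)."""

# Constructed sample: the tutorial's tls.conf before TLSRequired is uncommented.
SAMPLE_CONF = """\
TLSEngine on
TLSProtocol TLSv1.2
TLSRSACertificateFile /etc/apache2/md/domains/domain.com/pubcert.pem
TLSRSACertificateKeyFile /etc/apache2/md/domains/domain.com/privkey.pem
TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
#TLSRequired on
PassivePorts 40000 50000
"""

WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(text):
    """Map each directive name to its values, skipping blank and # comment lines."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *values = line.split()
            directives[name] = values  # last occurrence wins, like a plain override
    return directives


def audit(text):
    """Return findings that mean the server still accepts weaker-than-intended sessions."""
    d = parse_directives(text)
    findings = []
    if (d.get("TLSEngine") or ["off"])[0].lower() != "on":
        findings.append("TLSEngine is not 'on': connections stay plaintext")
    if (d.get("TLSRequired") or ["off"])[0].lower() != "on":
        findings.append("TLSRequired is not 'on': unencrypted logins are still accepted")
    weak = WEAK_PROTOCOLS & set(d.get("TLSProtocol", []))
    if weak:
        findings.append("TLSProtocol allows " + ", ".join(sorted(weak)))
    if "NoSessionReuseRequired" in d.get("TLSOptions", []):
        findings.append("NoSessionReuseRequired set: data connections are not tied to the control session")
    return findings


def passive_ufw_rule(text):
    """Build the ufw rule matching PassivePorts so firewall and server agree."""
    ports = parse_directives(text).get("PassivePorts", [])
    if len(ports) != 2:
        return None
    return f"sudo ufw allow {ports[0]}:{ports[1]}/tcp"
```

To confirm the running server really negotiates TLS, `openssl s_client -connect yourhost:21 -starttls ftp` shows the handshake and the certificate that was served.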