{"id":377,"date":"2020-10-03T03:00:22","date_gmt":"2020-10-03T03:00:22","guid":{"rendered":"https:\/\/dft.wiki\/?p=377"},"modified":"2026-04-21T13:36:01","modified_gmt":"2026-04-21T17:36:01","slug":"proftpd-tls-on-ubuntu-20-04","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=377","title":{"rendered":"ProFTPd + SSL\/TLS on Ubuntu"},"content":{"rendered":"<p>Having access to your files over FTP is convenient and reliable.<\/p>\n<p>FTP has some useful applications for backup, and it lets you resume a download or upload of a big file that was interrupted.<\/p>\n<p>The problem is that FTP is a plaintext protocol: usernames, passwords and file contents cross the network unencrypted, so it is strongly recommended to add another layer of security.<\/p>\n<p>One option is to configure your firewall to accept FTP connections only from your local network or VPN:<\/p>\n<pre>sudo ufw allow from 10.0.0.0\/24 to any port 21<\/pre>\n<p>This permits access from the whole 10.0.0.0\/24 network (hosts 10.0.0.1 to 10.0.0.254) to port 21, the default FTP control port. The passive data ports configured further down must be allowed from the same source range, or transfers will fail after the login.<\/p>\n<p>Another option is to reuse the SSL\/TLS certificate and key that you may already have created for your HTTP server [<a href=\"https:\/\/dft.wiki\/?p=233\">Read It<\/a>]. The two measures are complementary: the firewall limits who can reach the service, and TLS protects the credentials and the data in transit.<\/p>\n<p>I also realized that ProFTPd does not work well with Fail2Ban [<a href=\"https:\/\/dft.wiki\/?p=401\">Read It<\/a>], so I prefer to use the native FTP server of Ubuntu, VSFTPD [<a href=\"https:\/\/dft.wiki\/?p=500\">Read It<\/a>].<\/p>\n<p>Assuming your FTP server is ProFTPd and it is already up and running, let&#8217;s add the encryption.<\/p>\n<pre>sudo nano \/etc\/proftpd\/tls.conf<\/pre>\n<p>Look for the following lines, turn the TLS engine on, and add the paths to your certificate and private key:<\/p>\n<pre>TLSEngine                <strong>on<\/strong>\r\nTLSProtocol              <strong>TLSv1.2<\/strong>\r\n\r\nTLSRSACertificateFile    \/etc\/apache2\/md\/domains\/<strong>domain.com<\/strong>\/pubcert.pem\r\nTLSRSACertificateKeyFile \/etc\/apache2\/md\/domains\/<strong>domain.com<\/strong>\/privkey.pem<\/pre>\n<p><strong>Note:<\/strong> this tutorial assumes the server already has a certificate issued by Let&#8217;s Encrypt through the Apache module mod_md, in which case the files are at the paths above and only the domain name needs to be changed. If your certificate was obtained another way (a different ACME client, or purchased from a CA), locate the certificate and key files on your system and point the two directives at them. Check the permissions as well: the private key must not be world-readable.<\/p>\n<p>Confirm that the files are there, then change the domain name.<\/p>\n<pre>TLSOptions NoCertRequest EnableDiags <strong>NoSessionReuseRequired<\/strong><\/pre>\n<p>Uncomment the line that ends with &#8220;NoSessionReuseRequired&#8221;. It is not required, but for some reason my FTP client (FileZilla) was not able to connect because it did not reuse the session. Be aware of what the option gives up: by default ProFTPd requires every data connection to reuse the TLS session of the control connection, which ties each transfer to the client that authenticated and protects against data-connection hijacking. If your client connects without the option, leave it commented out.<\/p>\n<p>And uncomment this line so that only encrypted connections are accepted; a plaintext login is then rejected:<\/p>\n<pre>TLSRequired              <strong>on<\/strong><\/pre>\n<p>Edit the main configuration file:<\/p>\n<pre>sudo nano \/etc\/proftpd\/proftpd.conf<\/pre>\n<p>Uncomment the following line so that the TLS settings are loaded:<\/p>\n<pre>Include                  <strong>\/etc\/proftpd\/tls.conf<\/strong><\/pre>\n<p>Check the range of passive-mode ports, because you will need to allow the same range in your firewall:<\/p>\n<pre>PassivePorts             <strong>40000 50000<\/strong><\/pre>\n<p>In my case, I reduced it to only 500 ports; originally it was much more. Whatever range you choose, the range in PassivePorts and the range opened in the firewall must be identical.<\/p>\n<p>Create the rules in your firewall (if you restricted port 21 to your local network above, put the same source restriction on both rules):<\/p>\n<pre>sudo ufw allow <strong>21<\/strong>\/tcp\r\nsudo ufw allow <strong>40000:50000<\/strong>\/tcp<\/pre>\n<p>Restart the server and test a remote connection. In the client, choose explicit FTP over TLS (FTPES) on port 21; with TLSRequired on, a plain FTP login is refused.<\/p>\n<pre>sudo systemctl restart proftpd<\/pre>\n<p>If the connection fails, look at the TLS log file to troubleshoot:<\/p>\n<pre>sudo tail -n 20 \/var\/log\/proftpd\/tls.log<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Having access to your files over FTP is convenient and reliable. 
FTP has some [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-377","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/377","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=377"}],"version-history":[{"count":10,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/377\/revisions"}],"predecessor-version":[{"id":5499,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/377\/revisions\/5499"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=377"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=377"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=377"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
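Added verification script for the procedure in the post above; it is not part of the original post or of ProFTPd itself. It assumes the page's configuration paths (/etc/proftpd/proftpd.conf and /etc/proftpd/tls.conf), reads the certificate and key paths from tls.conf, and takes the server host name as its argument. The helper names directive, passive_ports_rule, cert_key_match, tls_handshake and plaintext_refused are chosen here for illustration. The config, firewall-range and certificate/key checks run locally; the handshake and plaintext probes need network access to the server.

```shell
#!/usr/bin/env bash
# Added verification script for the ProFTPd + TLS setup described in the post
# (not from the original page). Checks: the ufw rule implied by PassivePorts,
# certificate and private key belong together, a TLSv1.2 explicit-FTPS
# handshake succeeds on port 21, and a plaintext login is refused
# (TLSRequired on). Config paths are the page's assumptions; the host name is
# given on the command line: bash check-ftps.sh ftp.domain.com

# directive CONF NAME: print the arguments of the first active NAME line in a
# ProFTPd config (commented-out lines are skipped); exit 1 if it is absent.
directive() {
  awk -v name="$2" '
    tolower($1) == tolower(name) { $1 = ""; sub(/^ +/, ""); print; found = 1; exit }
    END { exit found ? 0 : 1 }' "$1"
}

# passive_ports_rule CONF: turn "PassivePorts LOW HIGH" into the ufw port spec
# "LOW:HIGH/tcp" that has to be opened next to 21/tcp.
passive_ports_rule() {
  local range
  range=$(directive "$1" PassivePorts) || return 1
  set -- $range
  [ $# -ge 2 ] || return 1
  printf '%s:%s/tcp\n' "$1" "$2"
}

# cert_key_match CERT KEY: succeed only if the public key embedded in the
# certificate equals the public key derived from the private key.
cert_key_match() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# tls_handshake HOST [PORT]: explicit FTPS (AUTH TLS) handshake restricted to
# TLS 1.2, verified against the system CA store; fails on any verify error.
tls_handshake() {
  local out
  out=$(openssl s_client -starttls ftp -connect "$1:${2:-21}" -tls1_2 \
        -servername "$1" </dev/null 2>&1) || return 1
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# plaintext_refused HOST [PORT]: send USER without AUTH TLS over a raw TCP
# socket (bash /dev/tcp, so this needs bash) and expect a 550 reply, which is
# what "TLSRequired on" answers to an unencrypted login attempt.
plaintext_refused() {
  local reply
  exec 3<>"/dev/tcp/$1/${2:-21}" || return 2
  printf 'USER probe\r\nQUIT\r\n' >&3
  reply=$(timeout 5 cat <&3)
  exec 3<&- 3>&-
  printf '%s\n' "$reply" | grep -q '^550 '
}

main() {
  local host=$1 conf=/etc/proftpd/proftpd.conf tls=/etc/proftpd/tls.conf cert key rule
  proftpd -t -c "$conf" >/dev/null 2>&1 && echo "ok: configuration syntax" || echo "FAIL: proftpd -t"
  rule=$(passive_ports_rule "$conf") && echo "ufw must allow 21/tcp and $rule"
  cert=$(directive "$tls" TLSRSACertificateFile) && key=$(directive "$tls" TLSRSACertificateKeyFile)
  cert_key_match "$cert" "$key" && echo "ok: certificate matches key" || echo "FAIL: cert/key mismatch"
  tls_handshake "$host" && echo "ok: TLSv1.2 handshake" || echo "FAIL: TLS handshake (see tls.log)"
  plaintext_refused "$host" && echo "ok: plaintext login refused" || echo "FAIL: plaintext login accepted"
}

if [ $# -ge 1 ]; then main "$@"; fi
```

Run it on the server as root (the key file is not world-readable) with the public host name as argument; the handshake check relies on the system CA store, so a self-signed certificate will report a verify failure even though the TLS layer works.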