Monday, July 23, 2018

Setup secure ProFTPD server on CentOS 7 with TLS

https://linuxconfig.org/setup-secure-proftpd-server-on-centos-7-with-tls

Objective

The objective is to first configure a basic ProFTPD server on CentOS 7. Once we have a basic FTP server setup, we will then add FTP passive mode and increase security by adding Transport Layer Security ( TLS ).

Lastly, we add an optional anonymous configuration to allow anonymous user to login to FTP server without username and password.

Operating System and Software Versions

  • Operating System: - CentOS Linux release 7.5.1804
  • Software: - ProFTPD Version 1.3.5e

Requirements

Privileged access to your Ubuntu System as root or via sudo command is required.

Difficulty

MEDIUM

Conventions

  • # - requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
  • $ - given linux commands to be executed as a regular non-privileged user

Instructions

Basic FTP Configuration

Let's start by the basic installation and configuration of the ProFTP server. This includes, installation, firewall rules definition and client testing.

Server Setup

The ProFTPD FTP server is part of a EPEL repository. Therefore, the first step is to enable the EPEL repository and then install the ProFTPD server:
# yum install epel-release
# yum install proftpd
Next, start the ProFTPD server and confirm its correct start by checking for an opened port 21
# service proftpd start
# ss -nlt
Next, we need to puch a whole into server's firewall to allow incoming traffic on port 21
# firewall-cmd --add-port=21/tcp --permanent
# firewall-cmd --reload 


To confirm an opened incoming port 21 execute:
# firewall-cmd --list-ports
Configuring Basig FTP server using ProFTPD on CentOS 7
Configuring Basig FTP server using ProFTPD on CentOS 7
At this stage any existing system user is able to FTP login to the newly configured ProFTPD server. Optionally we can create a new user e.g. lubos with an access to directory /var/ftp-share:
# useradd lubos -s /sbin/nologin -d /var/ftp-share
# passwd lubos
# chmod -R 750 /var/ftp-share
# setsebool -P allow_ftpd_full_access=1

Client Connection

At this point we should be able to perform a FTP connection from a remote client computer. The easiest test is to use the ftp command.

Given that our ProFTPD server can be resolved via ftp.linuxconfig.org hostname and user lubos is existent execute:
$ ftp ftp.linuxconfig.org
Connected to ftp.linuxconfig.org.
220 FTP Server ready.
Name (ftp.linuxconfig.org:lubos): lubos
331 Password required for lubos
Password:
230 User lubos logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 
NOTE: Please note that at this point we are only able to make "Active FTP connections" only! Any attempt to create a "Passive FTP connection" will fail.

Passive mode FTP Configuration



Server Setup

To enable our FTP server to accept also passive FTP connection execute the following commands to enable passive connections on IANA registered ephemeral port range:
echo "PassivePorts 49152 65534" >> /etc/proftpd.conf
Restart the ProFTPD server:
# service proftpd restart
Open firewall for ports in range 49152-65534:
# firewall-cmd --add-port=49152-65534/tcp --permanent
# firewall-cmd --reload
Confirm that the ports have been opened correctly:
# firewall-cmd --list-ports
Configure ProFTPD server to receive passive FTP connections.
Configure ProFTPD server to receive passive FTP connections.

FTP client connection

As before we can now test the FTP passive connection by using the ftp command. Make sure that this time you use the -p option as shown below:
$ ftp -p ftp.linuxconfig.org
Connected to ftp.linuxconfig.org.
220 FTP Server ready.
Name (ftp.linuxconfig.org:lubos): lubos
331 Password required for lubos
Password:
230 User lubos logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,1,111,209,252).
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp> 
All is working as expect!

Secure FTP server with TLS

Server Setup

In case you plan to use your FTP server outside of your local area network, it is recommended to use some sort of encryption. Fortunately, configuring ProFTPD with TLS is extremely easy. First, if not available already, install the openssl package:
# yum install openssl
Next, create a certificate using the following command. The only required value is Common Name which is the hostname of your FTP server :
# openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem
Generating a 1024 bit RSA private key
...++++++
.......++++++
writing new private key to '/etc/pki/tls/certs/proftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ftp.linuxconfig.org
Email Address []:
Next, as the root user, open /etc/sysconfig/proftpd using your favorite text editor and change:
FROM:
PROFTPD_OPTIONS=""
TO:
PROFTPD_OPTIONS="-DTLS"
Once ready, restart the ProFTPD server:
# service proftpd restart


Client connection

This time we use FileZilla as our FTP testing client:
Create a new FTP connection. To test TLS make sure you select correct encryption and Logon type.
Create a new FTP connection. To test TLS make sure you select a correct Encryption and Logon Type.
Unknown certificate - SSL
FTP client will warn you about the Unknown Certificate. Tick Always Trust and hit OK.


TLS encrypted connection successful.
TLS encrypted connection successful.

Configure anonymous FTP user

Server Setup

To allow anonymous user to login to the FTP server open /etc/sysconfig/proftpd using your favorite text editor and change:
FROM:
PROFTPD_OPTIONS="-DTLS"
TO:
PROFTPD_OPTIONS="-DTLS -DANONYMOUS_FTP"
Above we assume that you have alredy enabled TLS previously. When ready restart the FTP server:
# service proftpd restart

Client connection

Using FileZilla as our FTP testing client:
As Logon Type select Anonymous
As Logon Type select Anonymous


Anonymous FTP connection successful.
Anonymous FTP connection successful.

Appendix

Block/Refuse User's FTP access

In case you need to block/refuse access to FTP server of any system user add his/her username into /etc/ftpusers. One username per line. Doing so any user attempt to login will fail with 530 login error:
$ ftp ftp.linuxconfig.org
Connected to ftp.linuxconfig.org.
220 FTP Server ready.
Name (ftp.linuxconfig.org:lubos): lubos
331 Password required for lubos
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>


No comments:

Post a Comment