What Is ProFTPD?
ProFTPD (Professional FTP Daemon) is an open-source FTP server designed to provide a secure, flexible, and highly configurable file transfer platform for Linux environments.
Its configuration syntax is similar to the Apache HTTP Server, making it familiar to many system administrators. ProFTPD supports a wide range of advanced features, including:
- Virtual FTP servers
- Anonymous FTP access
- User and group-based permissions
- TLS/SSL encryption
- LDAP authentication
- IPv6 support
- Flexible access controls
When combined with TLS encryption, ProFTPD can securely transfer files while protecting usernames, passwords, and data from interception.
Why Use TLS with ProFTPD?
Traditional FTP transmits credentials and data in plain text.
This means attackers monitoring network traffic may be able to view:
- Usernames
- Passwords
- File contents
Transport Layer Security (TLS) encrypts communication between the FTP client and server, significantly improving security.
Benefits include:
- Encrypted authentication
- Secure file transfers
- Protection against credential theft
- Improved compliance with security standards
For production environments, TLS should always be enabled.
Prerequisites
Before beginning the installation, ensure you have:
Operating System
- AlmaLinux 8
Access Requirements
- Root access or sudo privileges
- Internet connectivity
Required Components
- Firewalld (recommended)
- SELinux enabled or configured appropriately
Step 1: Install the EPEL Repository
ProFTPD packages are not included in the default AlmaLinux repositories.
Install the Extra Packages for Enterprise Linux (EPEL) repository:
sudo yum install -y epel-release
Step 2: Import the EPEL GPG Key
Import the repository signing key:
sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
This allows package verification during installation.
Step 3: Update the System
Before installing new software, update existing packages:
sudo yum update -y
Keeping the operating system updated helps avoid dependency and compatibility issues.
Step 4: Install ProFTPD and OpenSSL
Install ProFTPD along with OpenSSL and supporting utilities:
sudo yum install -y proftpd openssl proftpd-utils
After installation completes, start the service:
sudo systemctl start proftpd
Enable automatic startup:
sudo systemctl enable proftpd
Verify service status:
sudo systemctl status proftpd
The service should report an active running state.
Step 5: Open FTP Port in the Firewall
Allow incoming FTP connections on port 21.
sudo firewall-cmd --add-port=21/tcp --permanent
Reload the firewall configuration:
sudo firewall-cmd --reload
Verify the rule:
sudo firewall-cmd --list-ports
Example output:
21/tcp
Step 6: Verify the Installed Version
Confirm that ProFTPD is installed correctly.
proftpd -v
Example output:
ProFTPD Version 1.3.6e
The displayed version may differ depending on the repository version available at installation time.
Step 7: Create FTP Users
For security purposes, create dedicated users and groups for FTP access.
Create a Group
sudo groupadd proftpdgroup
Create a User
sudo useradd -G proftpdgroup ftpuser -s /sbin/nologin -d /ftpshare
Set a password:
sudo passwd ftpuser
Set Directory Permissions
sudo chmod -R 1750 /ftpshare
This restricts access while allowing authorized users to access their files.
Example configuration:
Group: proftpdgroup
User: ftpuser
Home Directory: /ftpshare
Step 8: Enable TLS Encryption
Before modifying the configuration, create a backup:
sudo cp /etc/proftpd.conf /etc/proftpd.conf.backup
Edit the ProFTPD configuration file:
sudo nano /etc/proftpd.conf
Add the following TLS configuration:
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
Save the file after making the changes.
Step 9: Configure Passive Mode Ports
FTP clients frequently use Passive Mode.
Open a passive port range through the firewall:
sudo firewall-cmd --add-port=1024-65534/tcp
sudo firewall-cmd --add-port=1024-65534/tcp --permanent
Verify the configuration:
sudo firewall-cmd --list-ports
Reload the firewall:
sudo firewall-cmd --reload
Step 10: Configure SELinux
If SELinux is enabled, allow FTP read and write access:
sudo setsebool -P allow_ftpd_full_access=1
This permits ProFTPD to access files appropriately while SELinux remains active.
Step 11: Generate a TLS Certificate
Create a self-signed certificate for TLS.
sudo openssl req -x509 -nodes -newkey rsa:2048 \
-keyout /etc/pki/tls/certs/proftpd.pem \
-out /etc/pki/tls/certs/proftpd.pem
During certificate generation, provide details such as:
Country Name
State or Province
City
Organization
Organizational Unit
Common Name
Email Address
The Common Name should typically match your server hostname.
Secure the Certificate
Restrict certificate access:
sudo chmod 0440 /etc/pki/tls/certs/proftpd.pem
Because this file also holds the private key (the -keyout and -out paths above are the same), this prevents unauthorized users from reading it.
Step 12: Enable TLS Startup Option
Edit:
sudo nano /etc/sysconfig/proftpd
Locate:
PROFTPD_OPTIONS=""
Replace it with:
PROFTPD_OPTIONS="-DTLS"
This instructs ProFTPD to start with TLS support enabled.
Step 13: Restart ProFTPD
Apply all changes:
sudo systemctl restart proftpd
Verify the service starts successfully:
sudo systemctl status proftpd
The TLS-enabled FTP server is now operational.
Optional: Enable Anonymous FTP Access
Anonymous FTP should only be enabled when absolutely necessary.
Because users are not authenticated, anonymous access introduces additional security considerations.
Add the following block to the end of:
/etc/proftpd.conf
<Anonymous ~ftp>
User ftp
Group ftp
UserAlias anonymous ftp
DirFakeUser on ftp
DirFakeGroup on ftp
MaxClients 10
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
</Anonymous>
Restart ProFTPD:
sudo systemctl restart proftpd
This configuration allows anonymous read-only access.
Connecting with FileZilla
FileZilla is one of the most popular FTP clients and supports FTP over TLS.
Create a New Site
Open:
File → Site Manager
Create a new connection profile.
Configure Connection Settings
Set:
Protocol: FTP
Encryption: Require Explicit FTP over TLS
Host: your-server-ip
Port: 21
Configure Login Credentials
For authenticated users:
Logon Type: Normal
Username: ftpuser
Password: your-password
For anonymous access:
Logon Type: Anonymous
Accept the TLS Certificate
During the first connection attempt, FileZilla will display the TLS certificate.
Review the certificate information and click:
OK
to trust the certificate.
After successful authentication, you will be connected securely through TLS.
Testing the TLS Configuration
To verify encryption is working:
Check FileZilla Logs
The connection log should indicate:
TLS connection established
Verify the TLS Log
Review:
cat /var/log/proftpd/tls.log
This log records TLS-related events and can help troubleshoot connection issues.
Confirm Secure Authentication
Ensure credentials are transmitted over encrypted sessions rather than plain FTP.
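The directives from Step 8 can also be checked statically before trusting the server. The script below is an added example, not part of the original guide or of ProFTPD: the function names, both sample configs, the PassivePorts values and the rule that aNULL, RC4 and 3DES must be excluded explicitly are assumptions of this example. The check is textual only; whether a given suite is actually offered depends on the OpenSSL build.

```shell
# Added example: static check of the mod_tls directives from Step 8.
# Simplifications: <IfDefine>/<VirtualHost> context is ignored and the
# last occurrence of a directive wins.

# Print the value of directive $2 in config file $1 (empty if unset).
directive() {
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ { next }
    tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
    END { print val }' "$1"
}

# Print one finding per line; print nothing when every check passes.
audit_proftpd_tls() {
  [ "$(directive "$1" TLSEngine)" = on ] ||
    echo "TLSEngine is not 'on': mod_tls is inactive"
  [ "$(directive "$1" TLSRequired)" = on ] ||
    echo "TLSRequired is not 'on': unencrypted sessions are possible"
  suite=$(directive "$1" TLSCipherSuite)
  # Policy assumed by this example: each family is excluded explicitly.
  for fam in aNULL RC4 3DES; do
    case ":$suite:" in
      *":!$fam:"*) ;;
      *) echo "TLSCipherSuite '$suite' does not exclude $fam" ;;
    esac
  done
  [ -n "$(directive "$1" PassivePorts)" ] ||
    echo "PassivePorts is unset: passive data ports are not pinned"
}

# Constructed sample 1: the TLS directives exactly as given in Step 8.
step8_conf=$(mktemp)
cat > "$step8_conf" <<'EOF'
TLSEngine on
TLSRequired on
TLSCipherSuite ALL:!ADH:!DES
EOF

# Constructed sample 2: tightened values chosen for this example.
tight_conf=$(mktemp)
cat > "$tight_conf" <<'EOF'
TLSEngine on
TLSRequired on
TLSCipherSuite HIGH:!aNULL:!RC4:!3DES
PassivePorts 49152 49252
EOF

audit_proftpd_tls "$step8_conf"
echo "tightened config findings: $(audit_proftpd_tls "$tight_conf" | wc -l)"
```

When PassivePorts is set, the firewall range opened in Step 9 can be narrowed to the same ports.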
Security Best Practices
Use Strong Passwords
All FTP users should use unique and complex passwords.
Limit Anonymous Access
Disable anonymous FTP unless a specific business requirement exists.
Restrict User Directories
Users should only have access to directories they require.
Keep Software Updated
Regularly update:
- AlmaLinux
- ProFTPD
- OpenSSL
to receive security patches.
Use Trusted Certificates
For production deployments, replace self-signed certificates with certificates issued by a trusted Certificate Authority.
Monitor Logs
Regularly review:
- ProFTPD logs
- TLS logs
- Authentication logs
to identify suspicious activity.
Building a Secure FTP Environment
ProFTPD provides a powerful and flexible FTP solution for AlmaLinux servers. When combined with TLS encryption, it offers a secure method for transferring files while protecting credentials and sensitive data from interception.
By implementing proper user permissions, secure certificates, firewall rules, and ongoing maintenance procedures, administrators can deploy a reliable FTP service suitable for both internal and external file transfer requirements.
