Thursday 29 August 2013

SSL/TLS Secure pureFTPd port connections

SOURCE: http://www.devcu.com/forums/topic/319-ssltls-secure-pureftpd-port-connections/

Securing your FTP connection is as important as securing any other administrative function on your server or site. Using SSL encryption via TLS is a great way of encrypting the data that passes through your FTP server. Whether you use a certificate from a valid CA or a self-signed one, you can effectively secure your FTP connections and feel better knowing that everything you do can only be viewed by you.

Secure Ports

First, you should always change the default FTP port to something very high; I'll use 25497 in this example.

Find and edit your pure-ftpd.conf

# nano /etc/pure-ftpd/pure-ftpd.conf

Find:

# IP address/port to listen to (default=all IP and port 21).

# Bind localhost,21

Change to:

# IP address/port to listen to (default=all IP and port 21).

Bind MYSERVERIP,25497

Notice that I uncommented the Bind line first, then added the new port, and I also changed localhost to my server IP or site IP. This limits the listener to that single address rather than every address on the server. The more you can do to limit access, the better.

Now make sure you remove port 21 from the allowed ports in your firewall and add port 25497.

Now find the following:

# Port range for passive connections replies. - for firewalling.

# PassivePortRange 30000 50000

This is the default setting; we want to adjust it and narrow down the range of ports used for PASV (passive) connection replies.

I will use this example:

# Port range for passive connections replies. - for firewalling.

PassivePortRange 40000 40005

Notice I uncommented the line and allowed 6 ports, ranging from 40000 to 40005. This is because I am the only user accessing the server, so there is no need for hundreds of ports. If you have multiple users you can expand this to, say, 10 or 15 ports.

Now, since we removed port 21 from the allowed ports in the firewall, you will not be able to connect without also allowing the passive ports. So I added 40000,40001,40002,40003,40004,40005 to my firewall's allowed TCP connection rules.


SSL/TLS

Now we can secure our connection. Back when I first wanted to do this I Googled around and found that every single tutorial or guide was wrong. They all said to create the directory /etc/ssl/private/ which is 100% incorrect and doesn't work. Here's the correct way of doing it.

In your pure-ftpd.conf find the following:


# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
# including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

# TLS 0

And change to this:

# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
# including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS 2

Notice I first uncommented the line and chose 2, which forces SSL/TLS-only connections.

Now add your cert/key for the SSL/TLS connection; this is the real file you need to create. It may already exist with a default cert/key in it.

# nano /etc/pki/pure-ftpd/pure-ftpd.pem

In this file, add your cert and key combined. NOTE: KEY FIRST, as in the example below.


-----BEGIN RSA PRIVATE KEY-----
XSuDEvvAm/9x8UtGaZbTYu69Bt+spSRxFCf1Fmr61PcHOQRJ2mm3lu6aIeThDDnE
K99YQQKBgCI0zzsvuErsXCzq5o1zIw2c2Qx4ZsjFJZnE7i6dgmrXb1oUSYVQ5kk9
Y8deTZoJf8M05PsaZHQUn6vaLRvB03zHkKtT25sWb++aIuf89b2hXlfTWzDVCSD5
DDmCnqn9+ZNJEdAKfgK67aT2aWIvjwmtxs1KTL93GNxIqAwoA7PB
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDtzCCAp8CAQYwDQYJKoZIhvcNAQEFBQAwgckxIzAhBgNVBAoTGmRldkNVIFNv
ZnR3YXJlIERldmVsb3BtZW50MSAwHgYDVQQLExdkZXZDVSBTZWN1cml0eSBEaXZp
c2lvbjEgMB4GCSqGSIb3DQEJARYRc3VwcG9ydEBkZXZjdS5jb20xETAPBgNVBAcT
CE5ldyBZb3JrMREwDwYDVQQIEwhOZXcgWW9yazELMAkGA1UEBhMCVVMxKzApBgNV
-----END CERTIFICATE-----

Of course your key and cert will be much longer; this is just a snippet for example purposes.

Now save the file and restart pureFTPd:

# /etc/init.d/pure-ftpd restart
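Before restarting, it is worth confirming that the edits above actually took effect. The following shell check is an added example of mine, not part of the original guide: it audits a pure-ftpd.conf for an active Bind line off port 21, TLS 2 and a PassivePortRange, confirms that the private key precedes the certificate in the combined PEM, and lists the TCP ports the firewall must allow. The config and PEM contents are constructed samples, and the server IP 203.0.113.10 and the temp paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a pure-ftpd.conf and the combined
# key+cert PEM for the settings above. Paths are assumptions; file contents are constructed.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
CONF="$TMP/pure-ftpd.conf"; PEM="$TMP/pure-ftpd.pem"
cat > "$CONF" <<'EOF'
# IP address/port to listen to (default=all IP and port 21).
# Bind localhost,21
Bind 203.0.113.10,25497
# Port range for passive connections replies. - for firewalling.
PassivePortRange 40000 40005
TLS 2
EOF
cat > "$PEM" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
constructed-placeholder-not-a-real-key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
constructed-placeholder-not-a-real-cert
-----END CERTIFICATE-----
EOF
# Value of the first active (uncommented) directive named $2 in file $1.
setting_value() {
  awk -v key="$2" '$1 == key { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}
# 0 when Bind is active and off port 21, TLS is 2 and a passive range is set.
check_conf() {
  bind=$(setting_value "$1" Bind); tls=$(setting_value "$1" TLS)
  pasv=$(setting_value "$1" PassivePortRange)
  case "$bind" in ""|*,21) return 1 ;; esac
  [ "$tls" = 2 ] && [ -n "$pasv" ]
}
# 0 when the private key block comes before the certificate block (key first).
check_pem_order() {
  k=$(grep -n 'BEGIN .*PRIVATE KEY' "$1" | head -1 | cut -d: -f1)
  c=$(grep -n 'BEGIN CERTIFICATE' "$1" | head -1 | cut -d: -f1)
  [ -n "$k" ] && [ -n "$c" ] && [ "$k" -lt "$c" ]
}
# TCP ports the firewall must allow: the Bind port plus every passive port.
firewall_ports() {
  ctl=$(setting_value "$1" Bind); set -- $(setting_value "$1" PassivePortRange)
  [ $# -eq 2 ] || return 1
  printf '%s' "${ctl##*,}"
  i=$1; while [ "$i" -le "$2" ]; do printf ' %s' "$i"; i=$((i + 1)); done; echo
}
check_conf "$CONF" && echo "config: ok" || echo "config: needs attention"
check_pem_order "$PEM" && echo "pem: key before cert" || echo "pem: wrong order"
echo "allow TCP: $(firewall_ports "$CONF")"
```

Point CONF and PEM at your real files to audit a live server instead of the constructed samples.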


Open your FTP client and configure it accordingly.

As an example, in CuteFTP choose an SSL/TLS connection and make sure to update the port. You can import the certs as well under Options.

Most clients are similar; with some you may just need to connect and it will prompt you to accept the cert.


IP Access

The most surefire way of locking down FTP is to restrict access to only your IP or the IPs of anyone you allow access to. Use your firewall for this; it's the easiest way. Just allow access to your FTP port(s) from your IP and deny all others.

Either way, you are now connecting securely on a non-default port, and you'll feel better knowing only you can access FTP on your server.
