Centos 5 Proftpd SSL TLS Chroot LDAP Active Directory Auth 2003 SBS

04Jun09

I needed to set up a secure way of transferring files without the hassle of connecting to the VPN yet still maintaining a secure encrypted connection, oh and it has to authenticate from our Windows 2003 SBS (small business server) via Active Directory!

Here is how I did it!

Install proftpd (from rpmforge) and openss if you need it (I already had openssl installed).

yum install proftpd

Couple of security tweaks and the chroot!

vim /etc/proftpd/proftpd.conf

DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."

Create ssl cert

mkdir /etc/proftpd/ssl

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

Country Name (2 letter code) [AU]: <– Enter your Country Name (e.g., “DE”).
State or Province Name (full name) [Some-State]: <– Enter your State or Province Name.
Locality Name (eg, city) []: <– Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <– Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <– Enter your Organizational Unit Name (e.g. “IT Department”).
Common Name (eg, YOUR name) []: <– Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).
Email Address []: <– Enter your Email Address.

Open up  /etc/proftpd/proftpd.conf in your favorite editor (vi I hope?) and find the section:

<IfModule mod_tls.c>
TLSEngine                  off
</IfModule>

I personally commented it out and replaced it with the following:
<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSOptions                 NoCertRequest
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                on
</IfModule>

If you use TLSRequired on, then only TLS connections are allowed (this locks out any users with old FTP clients that don't have TLS support); by commenting out that line or using TLSRequired off both TLS and non-TLS connections are allowed, depending on what the FTP client supports.

Restart proftpd so it re-reads our config changes! 

/etc/init.d/proftpd restart

Test it with a client I highly recommend Filezilla http://filezilla-project.org/
Currently playing with the LDAP settings for Proftpd! Will post back as soon as I have cracked this one!


About these ads





			

Filed under: centos, Geek Stuff, Linux, Windows SBS 2003   |  1 Comment
Tags: centos, Centos 5, CentOS Linux, howto, proftp chroot SSL TLS LDAP Active Directory Auth 2003 SBS, proftp ldap auth, Proftpd 2003 sbs auth, proftpd active directory, proftpd active directory auth, Proftpd Chroot, Proftpd howto, Proftpd SSL, Proftpd TLS