Centos 5 Proftpd SSL TLS Chroot LDAP Active Directory Auth 2003 SBS


I needed to set up a secure way of transferring files without the hassle of connecting to the VPN yet still maintaining a secure encrypted connection, oh and it has to authenticate from our Windows 2003 SBS (small business server) via Active Directory!

Here is how I did it!

Install proftpd (from rpmforge) and openss if you need it (I already had openssl installed).

yum install proftpd

Couple of security tweaks and the chroot!

vim /etc/proftpd/proftpd.conf

DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."

Create ssl cert

mkdir /etc/proftpd/ssl

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

Country Name (2 letter code) [AU]: <– Enter your Country Name (e.g., “DE”).
State or Province Name (full name) [Some-State]:
<– Enter your State or Province Name.
Locality Name (eg, city) []:
<– Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
<– Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:
<– Enter your Organizational Unit Name (e.g. “IT Department”).
Common Name (eg, YOUR name) []:
<– Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).
Email Address []:
<– Enter your Email Address.

Open up  /etc/proftpd/proftpd.conf in your favorite editor (vi I hope?) and find the section:

<IfModule mod_tls.c>
TLSEngine                  off

I personally commented it out and replaced it with the following:
<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSOptions                 NoCertRequest
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                on

If you use TLSRequired on, then only TLS connections are allowed (this locks out any users with old FTP clients that don't have TLS support); by commenting out that line or using TLSRequired off both TLS and non-TLS connections are allowed, depending on what the FTP client supports.

Restart proftpd so it re-reads our config changes! 

/etc/init.d/proftpd restart

Test it with a client I highly recommend Filezilla http://filezilla-project.org/

Currently playing with the LDAP settings for Proftpd! Will post back as soon as I have cracked this one!


No Responses Yet to “Centos 5 Proftpd SSL TLS Chroot LDAP Active Directory Auth 2003 SBS”

  1. Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: