After you have set up your server (see: How to Setup Virtualmin on CentOS 5), FTP is one of the first things you need to secure, and it is worth doing well, because this part of your system will receive a steady stream of attacks. This short guide shows how to do it on a Virtualmin system.
I would also suggest you seriously consider switching off ProFTPD altogether and using SFTP with two-factor authentication enabled. Simply follow my two-factor authentication guide to set this up with SSH, and then use the SSH credentials for SFTP:
1. Change the ProFTPD config:
Navigate to your site's Virtualmin control panel:
Then click on the WEBMIN link at the top left:
Click on: Servers >>> ProFTPD Server
Find the following directives and set them as shown (use your own admin address for ServerAdmin). ServerIdent with a fixed string stops the login banner from announcing the ProFTPD version to every scanner that connects:

ServerName ProFTPD
ServerIdent on "FTP Server ready"
ServerAdmin [email protected]
DefaultServer on
Add these lines to change the port ProFTPD listens on and to turn off IPv6. Moving off port 21 keeps most automated scanners out of your logs, but it is not an access control; the real protection comes from the TLS and RootLogin settings below. Make sure the port you choose is open in your firewall, and then also close port 21; step 3 covers this.

# Port 21 is the standard FTP port.
Port 6021
UseIPv6 off
Add the option that disables root logins (off is also ProFTPD's compiled-in default, but set it explicitly so a later edit cannot quietly re-enable it):

# Disable Root Logins
RootLogin off
Make sure the TLS section in the config looks like this. The leading # on the <IfDefine TLS> lines is deliberate: with the conditional commented out, the TLS directives apply unconditionally, so you do not have to start proftpd with -DTLS. TLSRequired on is the directive that refuses plain-text logins on both the control and the data connection:

# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
#<IfDefine TLS>
TLSEngine on
TLSRequired on
TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite ALL:!ADH:!DES
TLSOptions NoCertRequest
TLSVerifyClient off
TLSRenegotiate ctrl 3600 data 512000 required off timeout 300
TLSLog /var/log/proftpd/tls.log
#<IfModule mod_tls_shmcache.c>
#TLSSessionCache shm:/file=/var/run/proftpd/sesscache
#</IfModule>
#</IfDefine>

Both certificate directives point at the same file because the openssl command in step 2 writes the key and the certificate into one file. ALL:!ADH:!DES still permits weak ciphers such as RC4 and export-grade suites; if your clients support it, prefer a stricter list such as HIGH:!aNULL:!MD5.
Restrict the range of passive-mode data ports ProFTPD will use, so that only that range has to be opened in the firewall (step 3 opens the same range):

# Restrict the range of ports from which the server will select when sent the
# PASV command from a client.
PassivePorts 65000 65100
2. Next, create the TLS certificate so that TLS will work.

To do this, SSH into your server and execute these commands as root.

Change to the certificate directory:

cd /etc/pki/tls/certs

Generate a self-signed certificate and key (both land in the same file). A 2048-bit key is used here; 1024-bit RSA keys are no longer considered adequate:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem

This is the output you will see, with example answers and some explanations to help you:

Generating a 2048 bit RSA private key
......++++++
.......++++++
writing new private key to '/etc/pki/tls/certs/proftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP                        # country
State or Province Name (full name) [Some-State]:Hiroshima   # state
Locality Name (eg, city) []:Hiroshima                       # city
Organization Name (eg, company) []:GTS                      # company
Organizational Unit Name (eg, section) []:Server World      # department
Common Name (eg, YOUR name) []:www.server.world             # server's FQDN
Email Address []:[email protected]

Because the certificate is self-signed, FTP clients will warn about an unknown issuer the first time they connect; that is expected. Compare the fingerprint the client shows with the one on the server before accepting it.
Your cert is now created. Since the file also holds the private key, restrict it so that only root can read it:

chmod 600 proftpd.pem

Then restart the ProFTPD server:

service proftpd restart

You can also restart it from Virtualmin.
3. Open the new FTP port and close the old port (21) on your firewall
(If you have not yet set up a firewall script, see: How to: CentOS 5 and Virtualmin Firewall Init Script.)

Click on: System >>> Bootup and Shutdown, then click on the firewall init script.

The firewall script will come up so you can edit it as you would any normal text file.
Press Ctrl + F and find 21. The rule should look something like this:

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

Replace that one iptables rule with these:
#ProFTPD
iptables -A INPUT -p tcp --dport 21 --syn -j DROP
iptables -A INPUT -p tcp --dport 6021 -j ACCEPT
iptables -A INPUT -p tcp --dport 65000:65100 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp --dport 65000:65100 -i eth0 -j DNAT --to xxx.xxx.xxx.xxx

## the 1st rule closes port 21 by dropping new connection attempts to it
## the 2nd rule opens port 6021 (replace that with the port you chose)
## the 3rd rule opens the passive ports; the range must match PassivePorts in proftpd.conf
## the 4th rule helps FileZilla and other FTP clients work better: replace xxx.xxx.xxx.xxx with your server's main IP

Rule order matters with iptables: the DROP for port 21 must come before any broad ACCEPT rule in the script, and the new rules only take effect once the script is run again (or the server is rebooted).
Now you should be ready to use your FTP program again and log in, with a normal (non-root) user and the new port.

Test to make sure that you cannot log in on port 21, that you can only log in with TLS (a plain FTP login attempt on the new port must be refused), and that you cannot log in as root.
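The settings from step 1 and the firewall rules from step 3 can be audited from a shell, and the checks in this final step can be run from a client. The script below is an added example, not part of the original guide or of ProFTPD: it reads proftpd.conf and the firewall init script and reports which of the guide's settings are missing, and with --live it probes a running server from a client that has nc and openssl installed. The port 6021 and passive range 65000-65100 are the guide's values (override with FTP_PORT and PASV_RANGE); the /etc/proftpd.conf path in the usage line is an assumption, and the sample files the script writes are constructed for the demonstration, not taken from a real host.

```shell
#!/bin/sh
# Audit of the ProFTPD hardening in this guide. Added example, not from the
# original page or from ProFTPD. Offline it only reads files; --live talks to
# a server from the client side. Assumed values: the guide's port (6021) and
# passive range (65000-65100); override with FTP_PORT / PASV_RANGE.

FTP_PORT="${FTP_PORT:-6021}"
PASV_RANGE="${PASV_RANGE:-65000 65100}"

# True if file $1 has an uncommented line "$2 $3" ($3 is an extended regex).
# A commented-out directive (leading #) does not count as set.
has_directive() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" "$1"
}

# True if script $1 has an uncommented iptables line matching regex $2.
rule_present() {
    grep -Eq "^[[:space:]]*iptables[[:space:]].*$2" "$1"
}

# One check against $CONF: print ok/FAIL and count failures in $FAILS.
check() {   # $1 = description, $2 = directive, $3 = expected value (regex)
    if has_directive "$CONF" "$2" "$3"; then echo "ok    $1"
    else echo "FAIL  $1"; FAILS=$((FAILS + 1)); fi
}

# Audit proftpd.conf (step 1). Returns the number of failed checks.
audit_proftpd_conf() {
    CONF="$1"; FAILS=0
    check "control port moved to $FTP_PORT"      Port         "$FTP_PORT"
    check "IPv6 listener disabled"               UseIPv6      off
    check "root logins refused"                  RootLogin    off
    check "TLS engine enabled"                   TLSEngine    on
    check "TLS required on control and data"     TLSRequired  on
    check "passive range pinned to $PASV_RANGE"  PassivePorts \
          "${PASV_RANGE% *}[[:space:]]+${PASV_RANGE#* }"
    if has_directive "$CONF" Port 21; then      # the old port is still served
        echo "FAIL  Port 21 is still configured"; FAILS=$((FAILS + 1))
    fi
    return $FAILS
}

# Audit the iptables init script (step 3). Returns the number of failed checks.
audit_firewall_script() {
    fw="$1"; FAILS=0; lo=${PASV_RANGE% *}; hi=${PASV_RANGE#* }
    if rule_present "$fw" "--dport 21 .*-j DROP"; then echo "ok    port 21 dropped"
    else echo "FAIL  no DROP rule for port 21"; FAILS=$((FAILS + 1)); fi
    if rule_present "$fw" "--dport 21 .*-j ACCEPT"; then
        echo "FAIL  port 21 is still accepted"; FAILS=$((FAILS + 1)); fi
    if rule_present "$fw" "--dport $FTP_PORT .*-j ACCEPT"; then echo "ok    port $FTP_PORT open"
    else echo "FAIL  no ACCEPT rule for port $FTP_PORT"; FAILS=$((FAILS + 1)); fi
    if rule_present "$fw" "--dport $lo:$hi .*-j ACCEPT"; then echo "ok    passive range $lo:$hi open"
    else echo "FAIL  no ACCEPT rule for $lo:$hi"; FAILS=$((FAILS + 1)); fi
    return $FAILS
}

# Client-side probe of a live server (final step). Needs nc and openssl.
live_check() {   # $1 = host
    echo "--- port 21: SYNs are dropped, so this should time out"
    if nc -w 5 -z "$1" 21; then echo "FAIL  port 21 still reachable"; else echo "ok    port 21 closed"; fi
    echo "--- plain USER on $FTP_PORT: expect a 5xx reply, not 331"
    printf 'USER nobody\r\nQUIT\r\n' | nc -w 5 "$1" "$FTP_PORT"
    echo "--- AUTH TLS on $FTP_PORT: expect a negotiated protocol and cipher"
    printf 'QUIT\r\n' | openssl s_client -connect "$1:$FTP_PORT" -starttls ftp 2>/dev/null |
        grep -E '^ *(Protocol|Cipher) *:'
}

# Constructed sample files (not from a real host) so the audit can be tried.
write_sample_conf() {   # $1 = hardened | weak; prints the temp file's path
    f=$(mktemp)
    if [ "$1" = hardened ]; then
        cat >"$f" <<'EOF'
Port 6021
UseIPv6 off
RootLogin off
TLSEngine on
TLSRequired on
PassivePorts 65000 65100
EOF
    else
        cat >"$f" <<'EOF'
Port 21
UseIPv6 on
# RootLogin off
TLSEngine on
TLSRequired off
EOF
    fi
    echo "$f"
}

write_sample_firewall() {   # prints the temp file's path
    f=$(mktemp)
    cat >"$f" <<'EOF'
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#ProFTPD
iptables -A INPUT -p tcp --dport 21 --syn -j DROP
iptables -A INPUT -p tcp --dport 6021 -j ACCEPT
iptables -A INPUT -p tcp --dport 65000:65100 -j ACCEPT
EOF
    echo "$f"
}

# Usage: audit.sh /etc/proftpd.conf [firewall-script]  |  audit.sh --live HOST
# With no arguments it audits the constructed samples above.
case "${1:-}" in
    --live) live_check "$2" ;;
    "")     audit_proftpd_conf "$(write_sample_conf hardened)"
            audit_proftpd_conf "$(write_sample_conf weak)" || true
            audit_firewall_script "$(write_sample_firewall)" ;;
    *)      audit_proftpd_conf "$1"
            [ -z "${2:-}" ] || audit_firewall_script "$2" ;;
esac
```

Run it on the server as root against the real files, then from another machine with --live HOST after the restart. A 331 reply to the plain USER command on the new port means TLSRequired is not in effect; an ACCEPT for port 21 that survives in the script, or a DROP placed after a broad ACCEPT, means the old port is still reachable.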