ProFTPD, short for Pro FTP daemon, is an open-source FTP server.

Learn how to install ProFTPD on AlmaLinux with Transport Layer Security (TLS), as well as how to access the ProFTPD Server using TLS as an anonymous user via FileZilla.

What is ProFTPD?

ProFTPD is an improved, secure, and fully customizable File Transfer Protocol (FTP) server. Its configuration syntax is identical to that of the Apache HTTP Server. Its flexible server infrastructure supports several virtual FTP servers, anonymous FTP, and permission-based directory visibility. It has advanced features like virtual hosts, SSL/TLS encryption, and Lightweight Directory Access Protocol (LDAP) authentication.

Prerequisites

  • Operating System and Version: AlmaLinux OS 8.
  • Access to the AlmaLinux system as root, or as an admin user with the privileges to use the sudo command.

Installing ProFTPD with TLS on AlmaLinux

Step 1: Enable the Extra Packages for Enterprise Linux (EPEL) Repository

ProFTPD is not included in the AlmaLinux default repository ("repo"), so you must install the EPEL Repository on your AlmaLinux system. You can install the EPEL Repository by executing the following command:

~]# yum -y install epel-release


Step 2: Import the EPEL GPG-Key

You can import the EPEL GPG-Key by executing the following command:

~]# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8


Step 3: Update Your AlmaLinux System

You can update your AlmaLinux System by executing the following command:

~]# yum -y update


Step 4: Install ProFTPD and OpenSSL

You can install ProFTPD and OpenSSL on AlmaLinux by executing the following command:

~]# yum install -y proftpd openssl proftpd-utils


Run the following commands to start the ProFTPD service and enable it to start automatically at boot:

~]# systemctl start proftpd.service
~]# systemctl enable proftpd.service 


Step 5: Configure the Firewall to Open the FTP Port

If you have firewalld installed, you can use firewall-cmd to configure the firewall and open the FTP port:

~]# firewall-cmd --add-port=21/tcp --permanent
~]# firewall-cmd --reload


Here is the output:

[root@proftpd-almalinux ~]# firewall-cmd --add-port=21/tcp --permanent
success
[root@proftpd-almalinux ~]# firewall-cmd --reload
success


You can run the command below to confirm that incoming port 21 is open:

~]# firewall-cmd --list-ports


Here is the output:

[root@proftpd-almalinux ~]# firewall-cmd --list-ports 
21/tcp


Step 6: Check the ProFTPD Version

You can issue this command to check the ProFTPD version:

~]# proftpd -v 


Here is the output:

[root@proftpd-almalinux ~]# proftpd -v 
ProFTPD Version 1.3.6e 


Step 7: Creating ProFTPD Users

You must create a group and a home directory for the ProFTPD user. You can create a group for ProFTPD users by executing the following command:

~]# groupadd <groupname>


Run the following command to create a new user:

~]# useradd -G <groupname> <ProFTPD user> -s /sbin/nologin -d <Home directory>
~]# passwd <ProFTPD user>


Then, you can set the permission for the home directory of the user:

~]# chmod -R 1750 <home directory>


For this example, the group proftpdgroup, the user noufal, and the home directory ftpshare have been created for the user.

Here is the output:

[root@proftpd-almalinux ~]# groupadd proftpdgroup 
[root@proftpd-almalinux ~]# useradd -G proftpdgroup noufal -s /sbin/nologin -d /ftpshare
[root@proftpd-almalinux ~]# passwd noufal 
Changing password for user noufal.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
[root@proftpd-almalinux ~]# chmod -R 1750 /ftpshare 


Step 8: Enabling TLS in ProFTPD

To enable TLS in ProFTPD, open /etc/proftpd.conf and add the following lines. It is recommended to back up the original file before modifying it:

#<IfDefine TLS>
TLSEngine                    on
TLSRequired                  on
TLSRSACertificateFile        /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile     /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite               ALL:!ADH:!DES
TLSOptions                   NoCertRequest
TLSVerifyClient              off
TLSRenegotiate               ctrl 3600 data 512000 required off timeout 300
TLSLog                       /var/log/proftpd/tls.log
#</IfDefine>


To allow customers to access ProFTPD and securely transfer files in passive mode, open the whole port range between 1024 and 65534 on the firewall by executing the following commands:

~]# firewall-cmd --add-port=1024-65534/tcp  
~]# firewall-cmd --add-port=1024-65534/tcp --permanent
~]# firewall-cmd --list-ports
~]# firewall-cmd --list-services
~]# firewall-cmd --reload


By executing the following command, you can tell Security-Enhanced Linux (SELinux) to allow the FTP daemon read/write access to files:

setsebool -P allow_ftpd_full_access=1 


To use TLS, you must first generate an SSL certificate. You can generate the SSL certificates in /etc/pki/tls/certs by executing the following command:

~]# openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem


You can enter the following details as per your requirements:

Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:


For security purposes, make the certificate file read-only by executing the following command:

chmod 0440 /etc/pki/tls/certs/proftpd.pem


Then, you can open the /etc/sysconfig/proftpd file and make the following changes in it:

FROM:
PROFTPD_OPTIONS=""

TO:
PROFTPD_OPTIONS="-DTLS"


Finally, restart the ProFTPD service by running the following command to reflect the changes:

~]# systemctl restart proftpd.service
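
As an added example (not part of the original article), the shell function below audits the TLS-related directives that Step 8 writes to /etc/proftpd.conf, together with the passive-port setup. The names `audit_proftpd_tls` and `sample_conf` are hypothetical; `TLSProtocol` and `PassivePorts` are ProFTPD directives that the configuration above does not set.

```shell
#!/bin/sh
# Added example: flag weak or missing TLS-related directives in a proftpd.conf.
# Limitation: directives are read flat; <IfDefine>/<VirtualHost> context is ignored.

# audit_proftpd_tls [FILE...]   (reads stdin when no file is given)
# Prints one WARN line per finding; exit status is 1 if there was any finding.
audit_proftpd_tls() {
    awk '
        function warn(msg) { print "WARN: " msg; n++ }
        /^[ \t]*#/ || NF == 0 { next }       # skip comments and blank lines
        {                                    # keep the last value of each directive
            key = tolower($1); $1 = ""; sub(/^[ \t]+/, ""); val[key] = $0
        }
        END {
            if (tolower(val["tlsengine"]) != "on")
                warn("TLSEngine is not on: logins and data travel in cleartext")
            if (tolower(val["tlsrequired"]) != "on")
                warn("TLSRequired is not on: clients may skip TLS")
            if (!("tlsprotocol" in val))
                warn("TLSProtocol not set: pin the accepted versions, e.g. TLSv1.2")
            if ((":" val["tlsciphersuite"] ":") ~ /:ALL:/)
                warn("TLSCipherSuite starts from ALL: use an allow-list of strong suites")
            if (!("passiveports" in val))
                warn("PassivePorts not set: the firewall must expose a wide port range")
            exit (n > 0)
        }
    ' "$@"
}

# Constructed sample input: TLS directives copied from Step 8 of this article.
sample_conf() {
    cat <<'EOF'
TLSEngine                    on
TLSRequired                  on
TLSRSACertificateFile        /etc/pki/tls/certs/proftpd.pem
TLSRSACertificateKeyFile     /etc/pki/tls/certs/proftpd.pem
TLSCipherSuite               ALL:!ADH:!DES
TLSOptions                   NoCertRequest
EOF
}

# Demo run on the sample; on a real host: audit_proftpd_tls /etc/proftpd.conf
sample_conf | audit_proftpd_tls || true
```

With `PassivePorts` set to a bounded range (for example `PassivePorts 49152 65534`), only that range needs to be opened in firewalld instead of 1024-65534.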


Step 9: Anonymous FTP Access in ProFTPD (Optional)

Please carefully note that allowing anonymous FTP access may present a security risk, as users accessing your server via this method are not logged.

Add the lines below at the end of the ProFTPD configuration file /etc/proftpd.conf to create an anonymous FTP account:

###Anonymous share#####
<Anonymous ~ftp>
  User ftp
  Group ftp

  UserAlias anonymous ftp
  DirFakeUser on ftp
  DirFakeGroup on ftp
  MaxClients 10

  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>

</Anonymous>


Then, you must restart the FTP service to reflect the changes:

~]# systemctl restart proftpd.service


Step 10: Accessing ProFTPD Server With FileZilla

To access ProFTPD Server using TLS with FileZilla, follow the steps below.

Go to File and click Site Manager, then enter the details per your requirements.


Once you enter the details, click Connect, and it will ask you to trust the certificate.


Click the OK button. It will use TLS to connect to the FTP-shared directory.


You can also connect to the Anonymous account using FileZilla by following the steps below:

  1. Go to File and click Site Manager.
  2. Choose FTP as the Protocol, enter host details, and set Require Explicit FTP over TLS as Encryption.
  3. Set Anonymous as Logon Type.



Click Connect. It will connect to the server with an Anonymous user.

Wrapping Up

FTP is an insecure protocol by default because passwords and data are transmitted in cleartext. ProFTPD supports TLS as the successor of Secure Sockets Layer (SSL) for secure connections. Our customers know that enhanced security is a pillar of the Liquid Web hosting business.

TLS allows all communication to be encrypted, making FTP more secure. You can use this tutorial to learn how to install ProFTPD on AlmaLinux with TLS and connect to the ProFTPD server using TLS as an anonymous user via FileZilla. Our team would be happy to help you with answers to any questions you have as you optimize your website hosted with Liquid Web.

About the Author: Mohammed Noufal

Mohammed Noufal is a B.Tech graduate with a decade of experience in server administration and web hosting. He is a father to two daughters and finds fulfillment in their growth. In his free time, he enjoys blogging, sharing experiences, and listening to music. With a strong technical background, family commitment, and creative outlets, he represents a well-rounded life journey.
