Froxlor Forum

Encrypt FTP connection (PureFTPD)



I've been using PureFTP with TLS for years for Froxlor with purchased SSL certificates. Now the certificate has expired and I want to use Let's Encrypt.
Here is my suggestion for a more secure PureFTP configuration - in addition to the current parameters from the froxlor setup guide:

Making TLS mandatory:

echo "2" > /etc/pure-ftpd/conf/TLS

Reduce the Ciphers to the secure ones:

echo "HIGH:!aNULL:!LOW:!EXP:!RC4:!3DES:!SSLv3:!SSLv2" > /etc/pure-ftpd/conf/TLSCipherSuite

Doing this every time the host certificates are updated (or once a night ;-) ):

cat /etc/ssl/froxlor-custom/{{hostname}}.crt /etc/ssl/froxlor-custom/{{hostname}}_chain.pem /etc/ssl/froxlor-custom/{{hostname}}.key > /etc/ssl/private/pure-ftpd.pem
systemctl restart pure-ftpd-mysql

Maybe it's an option to make this part of the default configuration and integrate the certificate merging into the froxlor-cron? Any ideas what this could look like on different distributions (Gentoo / RHEL / Ubuntu)?

Thanks for your feedback
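
An added example, not part of the original post or of Froxlor: one way to run the certificate merge from the post so that a failed or half-finished renewal cannot take FTP down. It checks that certificate and key belong together, writes the bundle with owner-only permissions through a rename, and restarts pure-ftpd only when the bundle actually changed; the function names and the hostname argument are assumptions.

```shell
#!/bin/sh
# Added example. Paths and service name are the ones used in the post; the
# function names and the hostname argument are assumptions of this sketch.

# keys_match CRT KEY: true only if the certificate's public key belongs to KEY.
keys_match() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) && [ -n "$pub" ] &&
        [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# merge_pem CRT CHAIN KEY OUT (runs in a subshell, so umask stays local)
# Returns 0 if OUT was rewritten, 2 if it was already current, 1 on bad input.
merge_pem() (
    crt=$1 chain=$2 key=$3 out=$4
    grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" 2>/dev/null &&
        grep -q -e '-----BEGIN CERTIFICATE-----' "$chain" 2>/dev/null &&
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null ||
        { echo "merge_pem: missing or malformed input" >&2; exit 1; }
    umask 077                                # the bundle holds the private key
    tmp=$(mktemp "$out.XXXXXX") || exit 1    # same directory, so mv is a rename
    for f in "$crt" "$chain" "$key"; do
        cat "$f"
        # A file without a final newline would fuse two PEM boundary lines.
        [ -z "$(tail -c 1 "$f")" ] || echo
    done > "$tmp"
    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"; exit 2
    fi
    mv -f "$tmp" "$out"
)

# refresh_ftp_cert HOSTNAME: rebuild the bundle, restart only when it changed.
refresh_ftp_cert() {
    dir=/etc/ssl/froxlor-custom
    keys_match "$dir/$1.crt" "$dir/$1.key" ||
        { echo "certificate and key do not match, keeping old bundle" >&2; return 1; }
    rc=0
    merge_pem "$dir/$1.crt" "$dir/${1}_chain.pem" "$dir/$1.key" \
        /etc/ssl/private/pure-ftpd.pem || rc=$?
    case $rc in
        0) systemctl restart pure-ftpd-mysql ;;
        2) return 0 ;;                       # unchanged: no restart needed
        *) return "$rc" ;;
    esac
}

# Does nothing unless a hostname is given as the first argument.
[ -z "${1:-}" ] || refresh_ftp_cert "$1"
```

Run it as root from cron or a renewal hook with the panel hostname as its only argument.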


1 answer to this question


The current Git version generates and stores the FULLCHAIN, as others wanted to use the certificate in other services.
