--------------------------------------------------------------------------------
The current version of custombuild (1.1) supports rebuilding of
ProFTPD with mod_tls. This how-to may be considered obsolete
if you are using custombuild. More info on custombuild here
--------------------------------------------------------------------------------
My first HOWTO and I don't even own a DA license yet!
What is this? This is a how-to for installing ProFTPD 1.3.0a on a RHEL-based system (I wrote it using CentOS 4.4) with support for SSLv3 and TLSv1 connections using the default Apache certificate. I imagine the source build may also work for other distributions. The RPM build follows RHEL a bit more closely.
In a nutshell, this is just a small addition to the configure line for ProFTPD, in both the RPM spec file and the source build line, followed by an addition to the proftpd.conf and proftpd.vhosts.conf templates. I hope that these simple changes might be added to DirectAdmin source builds in the future. I always try to use TLS/SSL FTP when available. You don't know the importance of this until you have your FTP passwords captured in plaintext and used for malicious activity... But that's another story. On with the how-to.
Section A walks through the how-to using the ProFTPD 1.3.0a sources directly from ProFTPD. Section B rebuilds an RPM using the DirectAdmin ProFTPD 1.3.0a source RPM.
--------------------------------------------------------------------------------
A. Install and Setup ProFTPD 1.3.0a with SSL/TLS from source
--------------------------------------------------------------------------------
Follow the instructions at http://help.directadmin.com/item.php?id=82 substituting some small changes outlined in detail below.
1. Configure Statement Changes:
Change: --prefix=/usr/local
To: --prefix=/usr
Change: --mandir=/usr/local/man
To: --mandir=/usr/man
Change: --with-modules=mod_ratio:mod_readme
To: --with-modules=mod_ratio:mod_readme:mod_tls
Now you are ready to run the configure line. Here is the configure command that I had run:
Code:
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var/run \
--mandir=/usr/man \
--without-pam \
--disable-auth-pam \
--with-modules=mod_ratio:mod_readme:mod_tls \
LDFLAGS=-static
* DO NOT run make or make install yet. To keep things clean we will first uninstall the current default ProFTPD RPM that was installed by the DirectAdmin setup.
2. Backup/Uninstall Current ProFTPD RPM:
Back up your config files just in case (uninstalling the RPM should rename /etc/proftpd.conf to /etc/proftpd.conf.rpmsave and leave the other conf files untouched).
Code:
# mkdir /etc/proftpd.backups
# cp /etc/proftpd.* /etc/proftpd.backups/
# service proftpd stop
# rpm -e proftpd-standalone
# rpm -e proftpd
3. Build and Install ProFTPD From Source:
Now you may continue the steps at http://help.directadmin.com/item.php?id=82. Begin with make and then make install. Once make and make install have completed without errors, you can copy the init.d script that the RPM removed. You will also need to copy your saved proftpd.conf to /etc/proftpd.conf, overwriting the one installed from source.
Code:
# cp /etc/proftpd.backups/proftpd.conf /etc/proftpd.conf
# cp contrib/dist/rpm/proftpd.init.d /etc/init.d/proftpd
# chmod +x /etc/init.d/proftpd
# chkconfig proftpd on
# service proftpd restart
At this point you should have a working ProFTPD install just as the original RPM was. Verify that your ProFTPD installation is working. If it is not you will need to correct any errors. I will do my best to help with compile time problems. But that is beyond the scope of this how-to.
So your install is working? Great! Let's continue to the SSL/TLS configuration changes.
4. Add SSL/TLS Settings To Configuration and Templates:
To enable TLSv1 and SSLv3 add the following under </Global> (outside the <Global></Global> statements) in /etc/proftpd.conf and /usr/local/directadmin/data/templates/proftpd.conf:
Code:
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
# Are clients required to use FTP over TLS when talking to this server?
TLSRequired off
# Server's certificate
TLSRSACertificateFile /etc/httpd/conf/ssl.crt/server.crt
TLSRSACertificateKeyFile /etc/httpd/conf/ssl.key/server.key
# CA the server trusts
TLSCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
</IfModule>
This takes care of the main IP address. After a ProFTPD restart SSL/TLS should now be enabled on the main IP only.
To enable SSL/TLS on each VirtualHost add the following to /usr/local/directadmin/data/templates/proftpd.vhosts.conf before the |EXTRA| token:
Code:
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSRSACertificateFile /etc/httpd/conf/ssl.crt/server.crt
TLSRSACertificateKeyFile /etc/httpd/conf/ssl.key/server.key
TLSCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
</IfModule>
This code should work anywhere in between the <VirtualHost> and </VirtualHost> tags.
To add SSL/TLS to any existing VirtualHosts add these 7 lines between <VirtualHost> and </VirtualHost> in /etc/proftpd.vhosts.conf for each set of <VirtualHost> and </VirtualHost> tags:
Code:
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSRSACertificateFile /etc/httpd/conf/ssl.crt/server.crt
TLSRSACertificateKeyFile /etc/httpd/conf/ssl.key/server.key
TLSCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
</IfModule>
All done!
You can now restart ProFTPD and test SSL and TLS. The settings in most FTP clients which support SSL or TLS are referred to as AUTH SSL and AUTH TLS. This setup utilizes the default apache SSL certificate. This should be sufficient as most FTP clients will not validate SSL certificates against a known certificate authority.
* This concludes section A. If you are looking for the RPM version of this how-to see section B below.
--------------------------------------------------------------------------------
B. Install and Setup ProFTPD 1.3.0a with SSL/TLS from RPM
--------------------------------------------------------------------------------
I was also able to compile the 1.3.0a source RPM by only changing the spec file to add mod_tls to the configure line just as we did from source. The RPM built fine. But I did not test the RPM yet. I assume it will work exactly as source does.
If you are adventurous you may build and install the RPM version. This should also help if you want to install ProFTPD 1.3.0a with SSL/TLS on many servers with the same OS distribution.
Install Necessary RPMs:
The one RPM I was missing to build source RPMs was rpm-build. On CentOS this can be installed with yum:
Code:
yum install rpm-build
Download Source RPM from DirectAdmin:
Get and install the source RPM from http://files.directadmin.com/services/proftpd-1.3.0a-1.src.rpm:
Code:
# cd /usr/src
# wget http://files.directadmin.com/services/proftpd-1.3.0a-1.src.rpm
# rpm -Uvh proftpd-1.3.0a-1.src.rpm
Modify The proftpd.spec File:
We need to modify the proftpd.spec file before building the RPM so that it includes mod_tls in the modules section of the configure line:
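Code:
# cd /usr/src/redhat/SPECS
Using your favorite editor open proftpd.spec. Find the following line:
Code:
--with-modules=mod_ratio:mod_readme \
Then add mod_tls to the modules list so that the line looks like:
Code:
--with-modules=mod_ratio:mod_readme:mod_tls \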
Build RPM:
Time to build the RPM:
Code:
# cd /usr/src/redhat/SPECS
# rpmbuild -bb proftpd.spec
Backup/Uninstall Current ProFTPD RPM:
Back up your config files just in case (uninstalling the RPM should rename /etc/proftpd.conf to /etc/proftpd.conf.rpmsave and leave the other conf files untouched).
Code:
# mkdir /etc/proftpd.backups
# cp /etc/proftpd.* /etc/proftpd.backups/
# service proftpd stop
# rpm -e proftpd-standalone
# rpm -e proftpd
Install and Start ProFTPD:
Code:
# cd /usr/src/redhat/RPMS/i386
# rpm -ivh proftpd-1.3.0a-1.i386.rpm
# rpm -ivh proftpd-standalone-1.3.0a-1.i386.rpm
# cp /etc/proftpd.backups/proftpd.conf /etc/proftpd.conf
# service proftpd restart
Modify Config Files:
We need to install the SSL/TLS settings into the default configuration files and templates for ProFTPD. Follow step 4 of section A for these instructions.
All done!
* This concludes section B. If you are looking for the source version of this how-to see section A above.
ProFTPD uses the same certificate files as httpd. Even the syntax is very similar. I just used the paths to the current default DirectAdmin httpd SSL certificate.
I got the information on mod_tls and its configuration directives here: http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
Hope you found this how-to helpful!
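Added example, not part of the original post: a shell/awk check for step 4 of section A. It reports, for the main server and each <VirtualHost>, whether TLSEngine is on, whether TLSRequired is off or unset (so plaintext logins are still accepted), and whether TLSProtocol still allows SSLv3. The function names, the sample configuration and the treatment of <Global> values as inherited defaults are assumptions of this example.

```shell
# Added example, not from the original post. For the main server and each
# <VirtualHost>, report whether mod_tls is on and whether plaintext is still allowed.
audit_proftpd_tls() {
    awk '
    # Effective value: the setting of the context itself, else the <Global> one
    # (inheritance from <Global> is an assumption of this example).
    function val(arr, c) { return (arr[c] != "") ? arr[c] : arr["global"] }
    function report(c,    e, r, p) {
        e = val(engine, c); r = val(required, c); p = val(proto, c)
        if (e != "on") { print c ": TLSEngine not on, FTP is plaintext only"; return }
        if (r == "" || r == "off")
            print c ": TLSRequired off, plaintext logins still accepted"
        if (p ~ /SSLv3|SSLv23/)
            print c ": TLSProtocol " p " lets SSLv3 be negotiated"
    }
    BEGIN { ctx = "server"; order[n++] = ctx }
    { sub(/#.*/, "") }                 # drop comments
    NF == 0 { next }
    $1 == "<Global>"     { ctx = "global"; next }
    $1 == "<VirtualHost" { a = $2; sub(/>.*/, "", a); ctx = "vhost " a; order[n++] = ctx; next }
    $1 == "</Global>" || $1 == "</VirtualHost>" { ctx = "server"; next }
    { d = tolower($1) }                # directive names are matched case-insensitively
    d == "tlsengine"   { engine[ctx]   = tolower($2) }
    d == "tlsrequired" { required[ctx] = tolower($2) }
    d == "tlsprotocol" { proto[ctx]    = $2 }
    END { for (i = 0; i < n; i++) report(order[i]) }
    ' "$@"
}
# Constructed sample: the main-server settings from the how-to, one vhost that
# requires TLS, and one vhost that never received the TLS block.
sample_conf() {
    cat <<'EOF'
<IfModule mod_tls.c>
TLSEngine on
TLSProtocol SSLv23
TLSRequired off
</IfModule>
<VirtualHost 192.0.2.10>
TLSEngine on
TLSRequired on
</VirtualHost>
<VirtualHost 192.0.2.11>
ServerName "no-tls.example"
</VirtualHost>
EOF
}
sample_conf | audit_proftpd_tls
```

Against the live files, call it as `audit_proftpd_tls /etc/proftpd.conf /etc/proftpd.vhosts.conf`; no output means every context has TLS on and required.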