Ever wanted to share your media collection, photos, (insert media type here) with friends or family securely, but unsure how to do it? Well, there's a commonly known service called SFTP, also known as SSH File Transfer Protocol. If you use Linux, FreeBSD or some other kind of *NIX based system, you've probably already used commands like scp or sftp before.
Now, it's best not to confuse SFTP with FTPS, which are two very different protocols. FTPS is FTP over SSL for security. It uses a control channel and opens new connections for the data transfer, and it also requires an SSL certificate.
SFTP (SSH File Transfer Protocol) was designed as an extension of SSH to provide file transfer capability, so it usually uses only the SSH port for both data and control. This is the one we're going to be focusing on in this post.
For this how-to, we're not going to use the built-in OpenSSH SFTP server; instead we're going to use ProFTPd with the SFTP module. This is typically more secure, as it does not allow terminal sessions, TCP port forwarding or X forwarding. ProFTPd will also be listening on a different port than OpenSSH, allowing you to run both.
So, to begin you must first create a new jail.
For complete instructions on how to configure Jails, please refer to the FreeNAS documentation at http://doc.freenas.org/9.3/freenas_jails.html#adding-jails
If you already have existing media, you may want to add storage to your jail, such as your media collection. To add storage, go to Jails > Storage and click Add Storage.
Once your jail is created and storage attached, you need to access its shell. You can do this either from the FreeNAS GUI by going to Jails > Select the jail sftpserver > Shell (icon at the bottom of the screen), or by SSHing in to your FreeNAS box and running the command:
# jexec sftpserver csh
Once you have the shell, you can start installing ProFTPd. We're going to be using the ports tree for installing. Why aren't you using pkg? I hear you ask. Well, there's an issue with the pre-compiled ProFTPd SFTP module which in some cases can cause it not to respond to requests. Building from ports ensures the SFTP module is built against the latest version of OpenSSL.
So, at the prompt, run the portsnap command to pull down the latest copy of the ports tree (this may take some time):
# portsnap fetch extract
Once portsnap has finished, you will find ProFTPd in /usr/ports/ftp/proftpd, change into that directory:
# cd /usr/ports/ftp/proftpd
Once in the proftpd directory, you first need to create the make configuration. This allows you to enable or disable various features of ProFTPd and its dependencies. In most cases you will only need the defaults, so you can simply press enter at each prompt. I'm not going to go into each and every option, since the defaults will suit 99% of use cases for ProFTPd. You don't need to explicitly select the SFTP module in the configuration, since it's a default module.
To create the make configuration:
# make config-recursive
Once the make configuration has been created, you're ready to build ProFTPd and its dependencies. You can then perform an install and clean in one step. This will compile ProFTPd, install it in /usr/local, then clean up any temporary files left over from the compile.
# make install clean
If you don't see any error messages, congratulations! You have successfully compiled ProFTPd and are ready to start configuring it. If you see a make error, please refer to the ProFTPd documentation.
Okay, now on to the good stuff!
The ProFTPd configuration file can be found at /usr/local/etc/proftpd.conf, and auxiliary configuration can be found in the directory /usr/local/etc/proftpd.
I'm going to use the VIM editor in this example; if you're more comfortable in something else, such as nano, feel free to install it from pkg or ports. I'm not going to explain how to install that, as it's outside the scope of this how-to.
Before we start to configure ProFTPd, we need to generate the SSH server keys and dhparams (Diffie–Hellman) files. To generate the SSH server keys, you can simply run:
# ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
# ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa
To generate the dhparams file, run:
# openssl dhparam -out /usr/local/etc/proftpd/dhparams.pem 2048
So what is the dhparams file for anyway? It holds the parameters (basically just a large prime number) for the Diffie-Hellman key exchange that SSH uses, which is what gives the session Perfect Forward Secrecy. You don't strictly need it, but it does add an extra bit of security. I'm going to use it in this configuration.
Now that the keys are generated, change into the /usr/local/etc directory:
# cd /usr/local/etc
Now edit the proftpd.conf file:
# vim proftpd.conf
Code:
ServerName "SFTP Server"
ServerType standalone
DefaultServer on
ScoreboardFile /var/run/proftpd/proftpd.scoreboard
LoadModule mod_sftp.c
UseIPv6 off
Umask 022
MaxInstances 30
CommandBufferSize 512

# Set the user and group under which the server will run.
User nobody
Group nogroup

AllowOverwrite on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

<IfModule mod_sftp.c>
  SFTPEngine on
  Port 2222
  SFTPLog /var/log/proftpd/sftp.log

  # Configure both the RSA and DSA host keys, using the same host key
  # files that OpenSSH uses.
  SFTPHostKey /etc/ssh/ssh_host_rsa_key
  SFTPHostKey /etc/ssh/ssh_host_dsa_key

  SFTPDHParamFile /usr/local/etc/proftpd/dhparams.pem
  SFTPKeyBlacklist /usr/local/etc/proftpd/blacklist.dat
  SFTPAuthMethods publickey password
  SFTPAuthorizedUserKeys file:/usr/local/etc/proftpd/authorized_keys/%u

  # Enable compression
  SFTPCompression delayed

  RequireValidShell off
  AuthUserFile /usr/local/etc/proftpd/ftp.users
  AuthGroupFile /usr/local/etc/proftpd/ftp.groups
  DirFakeUser on ~
  DirFakeGroup on ~
  DefaultRoot ~
</IfModule>
The configuration above is pretty basic. It does the following:
- Loads the SFTP module
- Listens on TCP port 2222
- Uses the SSH server keys we generated
- Uses the dhparams.pem we created earlier
- Uses the known bad SSH keys blacklist
- Allows authentication by either public key or password (we'll get to this later)
- Enables compression
- Points at the virtual user/group files for authentication
- Chroots each user into their own home directory (DefaultRoot ~)
Now we must create both a user and a group to access your SFTP server.
Create the ftp.users file:
# vim /usr/local/etc/proftpd/ftp.users
Code:
media:*:1000:1000::/mnt/media:/sbin/nologin
photos:$1$8Vex0vR9$Qt5rA51UDxOj/GnmIXjwL1:1001:1000::/mnt/media/photos:/sbin/nologin
You've probably seen something like this before if you've worked with *NIX systems; it's basically a passwd file that contains your ProFTPd virtual users. We have two users, media and photos. The user media does not have a password set; instead we're going to use OpenSSH public keys. The user photos has a salted and hashed password.
To generate a salted and hashed password, you can use the ftpasswd utility:
# ftpasswd --hash
Enter a password and you will be given output such as:
Code:
ftpasswd: $1$bil8yaQC$uygCkBCLjfZ5NZzREMpBL1
If you're going to use OpenSSH keys, you can set the second field to an asterisk (*) to indicate there is no password for this user.
Next, we must create a groups file:
# vim /usr/local/etc/proftpd/ftp.groups
Code:
media:*:1000:media
If you want to know more about passwd files, nixCraft have a good FAQ covering it at http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format
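As an added example (not part of the original post, and not a ProFTPd tool), here is a small POSIX sh/awk script that sanity-checks an ftp.users and ftp.groups pair before you point proftpd.conf at them: each user line must have the seven passwd fields, the password field must be either * or a salted hash (never plaintext), uid and gid must be numeric, the home directory absolute, the shell a nologin shell, and every primary gid must be defined in the groups file. The sample files it writes are constructed for the dry run; the two users and the media group are the ones from this post, and bad.users is deliberately broken.

```sh
#!/bin/sh
# Added example, not from the original post: sanity-check a ProFTPd
# AuthUserFile/AuthGroupFile pair before pointing proftpd.conf at it.
# Assumes only POSIX sh and awk.  Each check prints the offending line and
# the function returns 1; a clean file returns 0.

# check_users_file FILE  -- one passwd-style line per virtual user
check_users_file() {
    awk -F: '
        BEGIN { bad = 0 }
        /^[ \t]*$/ { next }
        NF != 7 { print FILENAME ":" NR ": expected 7 fields, got " NF; bad = 1; next }
        $1 !~ /^[a-z_][a-z0-9_-]*$/ { print FILENAME ":" NR ": bad user name \"" $1 "\""; bad = 1 }
        # Field 2 is "*" (key-only login, no password) or a salted hash such as $1$salt$hash
        $2 != "*" && $2 !~ /^\$[0-9a-z]+\$/ { print FILENAME ":" NR ": password field is neither * nor a hash (plaintext?)"; bad = 1 }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { print FILENAME ":" NR ": uid and gid must be numeric"; bad = 1 }
        $6 !~ /^\// { print FILENAME ":" NR ": home directory must be an absolute path"; bad = 1 }
        # Virtual users never get a shell; RequireValidShell off lets proftpd accept this
        $7 !~ /nologin$/ && $7 != "/bin/false" { print FILENAME ":" NR ": shell should be nologin or /bin/false"; bad = 1 }
        END { exit bad }
    ' "$1"
}

# check_groups_file FILE  -- name:password:gid:members
check_groups_file() {
    awk -F: '
        BEGIN { bad = 0 }
        /^[ \t]*$/ { next }
        NF != 4 { print FILENAME ":" NR ": expected 4 fields (name:pass:gid:members), got " NF; bad = 1; next }
        $3 !~ /^[0-9]+$/ { print FILENAME ":" NR ": gid must be numeric"; bad = 1 }
        END { exit bad }
    ' "$1"
}

# check_gid_refs USERS GROUPS  -- every primary gid must exist in the groups file,
# otherwise proftpd cannot resolve the group at login time
check_gid_refs() {
    awk -F: '
        BEGIN { bad = 0 }
        FILENAME == ARGV[1] { if (NF >= 3) gid[$3] = $1; next }   # groups file is read first
        NF == 7 && !($4 in gid) { print $1 ": primary gid " $4 " is not defined in the groups file"; bad = 1 }
        END { exit bad }
    ' "$2" "$1"
}

# check_auth_files USERS GROUPS  -- run every check; 0 only if all of them pass
check_auth_files() {
    rc=0
    check_users_file "$1"    || rc=1
    check_groups_file "$2"   || rc=1
    check_gid_refs "$1" "$2" || rc=1
    return $rc
}

# write_sample_files DIR  -- constructed samples for a dry run: the two users and
# the media group from this post, plus a deliberately broken users file
write_sample_files() {
    cat > "$1/ftp.users" <<'EOF'
media:*:1000:1000::/mnt/media:/sbin/nologin
photos:$1$8Vex0vR9$Qt5rA51UDxOj/GnmIXjwL1:1001:1000::/mnt/media/photos:/sbin/nologin
EOF
    cat > "$1/ftp.groups" <<'EOF'
media:*:1000:media
EOF
    cat > "$1/bad.users" <<'EOF'
evil:hunter2:abc:1000::relative/path:/bin/sh
orphan:*:1002:4242::/mnt/orphan:/sbin/nologin
EOF
}

# Usage on the jail:  check_auth_files /usr/local/etc/proftpd/ftp.users /usr/local/etc/proftpd/ftp.groups
```

Run it against the real files after every edit to ftp.users; a plaintext password or a typo in a gid shows up here rather than as a silent "permission denied" in sftp.log.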
The ftp.users and ftp.groups files need to be owned by the ProFTPd user and readable by ProFTPd only:
# chown nobody:nobody /usr/local/etc/proftpd/ftp.{users,groups}
# chmod 600 /usr/local/etc/proftpd/ftp.{users,groups}
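Added example, not from the original post: a pre-flight check you can run before starting the service. It reads the User directive out of proftpd.conf and confirms that each credential file is owned by that account and has no group or world read/write bits, which is exactly what the chown and chmod above are meant to achieve. Paths are passed as arguments so it can also be run against a scratch directory; only POSIX sh, awk, ls, find and id are assumed.

```sh
#!/bin/sh
# Added example, not from the original post: pre-flight check to run before
# "service proftpd start".  It reads the User directive from proftpd.conf and
# verifies that each credential file is owned by that account and is neither
# readable nor writable by group or others.  Assumes POSIX sh, awk, ls, find, id.

# config_user CONF -> value of the User directive (the account proftpd drops to)
config_user() {
    awk '$1 == "User" { print $2; exit }' "$1"
}

# file_owner_uid FILE -> numeric uid of the owner (third column of ls -ln)
file_owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# check_private_file FILE OWNER -> 0 if FILE is a regular file owned by OWNER
# with no group/other permission bits (i.e. mode 0600 or stricter); 1 otherwise
check_private_file() {
    if [ ! -f "$1" ]; then
        echo "$1: missing or not a regular file"
        return 1
    fi
    want_uid=$(id -u "$2" 2>/dev/null) || {
        echo "$1: expected owner $2 is not a known account"
        return 1
    }
    rc=0
    owner=$(file_owner_uid "$1")
    if [ "$owner" != "$want_uid" ]; then
        echo "$1: owned by uid $owner, expected $2 (uid $want_uid); run chown $2 $1"
        rc=1
    fi
    # find prints the path only when the named permission bits are set
    if [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "$1: readable by group or others; run chmod 600 $1"
        rc=1
    fi
    if [ -n "$(find "$1" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$1: writable by group or others; run chmod 600 $1"
        rc=1
    fi
    return $rc
}

# preflight CONF FILE... -> 0 only if every FILE passes check_private_file
# against the User named in CONF
preflight() {
    conf=$1; shift
    user=$(config_user "$conf")
    if [ -z "$user" ]; then
        echo "$conf: no User directive found"
        return 1
    fi
    status=0
    for f in "$@"; do
        check_private_file "$f" "$user" || status=1
    done
    return $status
}

# Usage on the jail from this post (paths as in the configuration above):
#   preflight /usr/local/etc/proftpd.conf \
#       /usr/local/etc/proftpd/ftp.users /usr/local/etc/proftpd/ftp.groups
```

The same function works for the host keys and dhparams.pem if you add them to the argument list; the owner to check against is then whoever you expect to hold the private key material.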
At this point, your ProFTPd SFTP server is now ready to go. You can add ProFTPd to your rc.conf file and start the service:
# sysrc proftpd_enable=YES
# service proftpd start
Once the ProFTPd service has started, you can try to access your SFTP server using WinSCP or FileZilla, using the IP of your jail and TCP port 2222.
If you decided not to use passwords and to use OpenSSH public keys instead, you will need to convert your public key to the RFC4716 format in order for it to work with ProFTPd. For details on how to convert an existing OpenSSH public key for use with ProFTPd, see http://www.proftpd.org/docs/contrib/mod_sftp.html#UsageRFC4716Format
Once you have your converted public key, you will want to put it in the directory /usr/local/etc/proftpd/authorized_keys. If you don't already have this directory, you will need to create it:
# mkdir /usr/local/etc/proftpd/authorized_keys
The public key file must have the same name as your user; in this example we're using media. Now you can copy/paste your RFC4716 format public key into your user's authorized_keys file:
# vim /usr/local/etc/proftpd/authorized_keys/media
Code:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by User@HOST from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDS2ZccowxmzPra+/gtc239vq9NmOiMUc2playE+G
Epu8mVt7jB0sbA7os5jSlT1C0H+4I/wXqx6BHsLeXyMws0v5tUlWcxREoSGvOpI4cIuWSr
phZliK9ywJDMYNNhnhBWfKLnn0pR4LMs2NJTUl6BovhSH+cKHYRA5VRj6tZyMHVj7KRQS3
yDLIpkRRZ7kx71a6DNluzpNC2yeh18Ia+b7PsjlJmr0+7757OSxwdJq/PmOS1FFW1i0BlV
kIksjpT1Iga/ngVRUhNvhNPjOEOQRyFLQBXLueGPKmX48ggU9Tk44T4GR4Kuh8089jDmY2
pfa6muFOqGScCGy2AzcHVT
---- END SSH2 PUBLIC KEY ----
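Added example, not from the original post and not ProFTPd's own tooling: a POSIX sh/awk checker for the RFC4716 file you just created, plus a converter that turns a one-line OpenSSH public key (the contents of id_rsa.pub) into that format without needing ssh-keygen. The checker verifies the BEGIN/END markers, the header lines, the 72-character line limit, the base64 character set, that the body length is a multiple of four, and that the key blob actually starts with the fixed base64 prefix of an ssh-rsa, ssh-dss or ssh-ed25519 key type. The sample key it writes is a constructed, truncated blob (a real-looking prefix plus filler) used only to exercise the code; it is not a usable key.

```sh
#!/bin/sh
# Added example, not from the original post: check that a file dropped into
# /usr/local/etc/proftpd/authorized_keys/<user> really is in the RFC 4716
# format mod_sftp expects, and convert a one-line OpenSSH key into it.
# Assumes only POSIX sh and awk.

# rfc4716_check FILE -> 0 if FILE is a well-formed RFC 4716 public key,
# 1 otherwise (the first problem found is printed)
rfc4716_check() {
    awk '
        function fail(msg) { print "line " NR ": " msg; failed = 1; exit 1 }
        NR == 1 {
            if ($0 != "---- BEGIN SSH2 PUBLIC KEY ----")
                fail("missing BEGIN marker (still in one-line OpenSSH format?)")
            next
        }
        seen_end { fail("data after END marker") }
        $0 == "---- END SSH2 PUBLIC KEY ----" { seen_end = 1; next }
        # Header lines such as Comment: come before the body; a header ending
        # in a backslash continues on the next line.
        !in_body && (cont || $0 ~ /^[A-Za-z0-9-]+: /) { cont = ($0 ~ /\\$/); next }
        { in_body = 1 }
        length($0) > 72            { fail("body line longer than 72 characters") }
        $0 !~ /^[A-Za-z0-9+\/=]+$/ { fail("body line is not base64") }
        { body = body $0 }
        END {
            if (failed) exit 1
            if (!seen_end) { print "missing END marker"; exit 1 }
            if (length(body) % 4 != 0) { print "base64 body length is not a multiple of 4"; exit 1 }
            # Every blob opens with a length-prefixed algorithm name, whose base64 is fixed:
            #   "\0\0\0\7ssh-rsa" -> AAAAB3NzaC1yc2E   "\0\0\0\7ssh-dss" -> AAAAB3NzaC1kc3M
            #   "\0\0\0\13ssh-ed25519" -> AAAAC3NzaC1lZDI1NTE5   (extend for ecdsa if needed)
            if (body !~ /^AAAAB3NzaC1yc2E/ && body !~ /^AAAAB3NzaC1kc3M/ && body !~ /^AAAAC3NzaC1lZDI1NTE5/) {
                print "body does not start with a recognised SSH key type"; exit 1
            }
            exit 0
        }
    ' "$1"
}

# openssh_to_rfc4716 FILE -> prints the RFC 4716 form of the first
# "<type> <base64 blob> [comment]" line in FILE (an OpenSSH .pub file)
openssh_to_rfc4716() {
    awk '
        /^#/ || NF < 2 { next }
        {
            print "---- BEGIN SSH2 PUBLIC KEY ----"
            comment = ""
            for (i = 3; i <= NF; i++) comment = comment (i > 3 ? " " : "") $i
            if (comment != "") print "Comment: \"" comment "\""
            # RFC 4716 body lines must not exceed 72 characters; wrap at 70,
            # as the converted key shown in this post does
            body = $2
            while (length(body) > 70) { print substr(body, 1, 70); body = substr(body, 71) }
            print body
            print "---- END SSH2 PUBLIC KEY ----"
            exit 0
        }
    ' "$1"
}

# write_sample_openssh_key FILE -- constructed sample, NOT a real key: an ssh-rsa
# prefix followed by filler, 100 base64 characters, so the wrap logic is exercised
write_sample_openssh_key() {
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDS2Zccowxm012345678901234567890123456789012345678901234567890123456789 media@example\n' > "$1"
}

# Usage:  sh rfc4716.sh check /usr/local/etc/proftpd/authorized_keys/media
#         sh rfc4716.sh convert ~/.ssh/id_rsa.pub > authorized_keys/media
case "${1:-}" in
    check)   rfc4716_check "$2" ;;
    convert) openssh_to_rfc4716 "$2" ;;
esac
```

On a machine that has OpenSSH, ssh-keygen -e -f ~/.ssh/id_rsa.pub produces the same format, which is what the "converted by ... from OpenSSH" comment above refers to; the checker is useful either way, because the most common failure is pasting the one-line OpenSSH form into the authorized_keys file, which mod_sftp simply ignores.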
You can now attempt to log in to your SFTP server with your private OpenSSH key using your favorite SFTP client.
Now, if you want your shiny new SFTP server to be accessible over the Internet, you'll most likely need to set up NAT (port forwarding) on your router. You'll need to look at your router's documentation on how to do this. I highly recommend using a high TCP port number greater than 1024, and NAT it to your jail IP and TCP port 2222.