Blog :: Security Operations

How to effectively secure and monitor FTP


FTP: the forgotten cloud. Used by millions of organizations, it’s often left out to pasture when it comes to security due to client connectivity issues and backwards compatibility. Most recently the FBI sent out Private Industry Notification #170322-001, warning of a recent ramp up of attacks on unsecured FTP servers. Cyber criminals have been logging in with anonymous details and other default usernames with little to no password protection. This is disturbing, given the progress in file transfer encryption and authentication types.

While there are legitimate use cases for anonymous logins on FTP servers, some corporations store health records, employee records, and transaction records—among other sensitive data—on these same servers.

FTP can be secured using various methods:

FTPS is implicit SSL/TLS-encrypted FTP that works just like HTTPS. Security is enabled with SSL as soon as the connection starts. The default FTPS port is 990. This protocol was the first version of encrypted FTP available, and while considered deprecated, is still widely used. None of the major web browsers support FTPS.

FTPES is explicit FTP over SSL/TLS. This starts out as plain FTP over port 21, but is upgraded to TLS/SSL encryption through special FTP commands. This upgrade usually occurs before the user credentials are sent over the connection. FTPES is a somewhat newer form of encrypted FTP (although still over a decade old), and is considered the preferred way to establish encrypted connections because it can be more firewall friendly. None of the major web browsers support FTPES.

You have your FTP server; now how do you effectively secure it? There are varying FTP server software from commercial to free for nearly all operating systems. I will provide a general overview of FTPS that should apply to every server you use.

Ubuntu 16.04 w/ ProFTPD

Because we must run all the steps from this tutorial with root privileges, we can either prepend all commands in this tutorial with the string sudo, or become root right now by typing

sudo -s

I will use the nano editor to edit configuration files in this tutorial. If you like to use nano as well and haven’t installed it yet, then run this command to install nano.

1. Install ProFTPd and OpenSSL

TLS needs OpenSSL. To install ProFTPd and OpenSSL, simply run:

apt-get -y install proftpd openssl

For security reasons, you should add the following lines to /etc/proftpd/proftpd.conf:

nano /etc/proftpd/proftpd.conf
 DefaultRoot ~
 ServerIdent on "FTP Server ready."

The first option enables of FTP users into their home directory and the second option enables a ServerIdent message that does not contain any information about the used FTP server software, version, or OS. This way, a potential attacker can’t get these details on a silver platter.

2. Create the SSL Certificate for TLS

In order to use TLS, we must create an SSL certificate. I’ll create it in /etc/proftpd/ssl, therefore I create that directory first:

mkdir /etc/proftpd/ssl

Afterward, we can generate the SSL certificate as follows:

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem
Country Name (2 letter code) [Some Country]: ⇐ Enter your Country Name (e.g., "DE").
 State or Province Name (full name) [Some-State]: Enter your State or Province Name.
 Locality Name (eg, city) [Some City]: Enter your City.
 Organization Name (eg, company) [Internet Widgits Pty Ltd]: Enter your Organization Name (e.g., the name of your company).
 Organizational Unit Name (eg, section) [Some Department]: Enter your Organizational Unit Name (e.g. "IT Department").
 Common Name (eg, YOUR name) []: Enter the Fully Qualified Domain Name of the system (e.g. "").
 Email Address [[email protected]]:Enter your Email Address.

and secure the generated certificate files.

chmod 600 /etc/proftpd/ssl/proftpd.*

3. Enable TLS in ProFTPd

In order to enable TLS in ProFTPd, open /etc/proftpd/proftpd.conf…

nano /etc/proftpd/proftpd.conf

… and uncomment the Include /etc/proftpd/tls.conf line:

 # This is used for FTPS connections
 Include /etc/proftpd/tls.conf

Then open /etc/proftpd/tls.conf and make it look as follows:

nano /etc/proftpd/tls.conf

<IfModule mod_tls.c>
 TLSEngine                  on
 TLSLog                     /var/log/proftpd/tls.log
 TLSProtocol TLSv1.2
 TLSCipherSuite AES128+EECDH:AES128+EDH
 TLSOptions                 NoCertRequest AllowClientRenegotiations
 TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
 TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
 TLSVerifyClient            off
 TLSRequired                on
 RequireValidShell          no

If you set TLSRequired on, then only TLS connections are allowed (this locks out any users using old FTP clients without TLS support). By commenting out that line or using TLSRequired off, both TLS and non-TLS connections are allowed, depending on what the FTP client supports.

Restart ProFTPd afterward:

systemctl restart proftpd.service

That’s it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS (this is a must if you use TLSRequired on).

If you’re having problems with TLS, you can take a look at the TLS log file /var/log/proftpd/tls.log.

4. Add an FTP User

The ProFTPD configuration used in this tutorial authenticates users against the Linux system user database (/etc/passwd and /etc/shadow). In this step, I will add a user “tom” to be used for FTP login only.

useradd --shell /bin/false tom

Then we have to create the home directory of our user “tom” and change the ownership of that directory to the user and

mkdir /home/tom
 chown tom:tom /home/tom/

This will add the user “tom” with the shell /bin/false. This shell ensures that he can log in by FTP, but not by SSH. The home directory of a user is /home/[USERNAME] by default, in our case /home/tom. ProFTPD is configured to jail the user to his home directory, so he cannot access system files outside of /home/tom. If you would like to set a different home directory, use the command below:

useradd --home /srv/tomftp --create-home --shell /bin/false tom

This command sets a different home directory. In this case, the directory is /srv/tomftp for the user.

The next step is to set a password for tom. Execute the passwd command:

passwd tom

And enter the new password twice when requested.

Now using Scrutinizer, you will be able to monitor your FTPS traffic effectively.