In theory activating FTPES (FTP with explicit TLS encryption) on a pure-ftpd FTP server is pretty straightforward.
1. Create a file /etc/ssl/private/pure-ftpd.pem
This pem file contains both private key and certificate (can also contain the intermediate certificate as well). For security reasons set relevant permissions that only root is able to read this file.
echo -ne "-----BEGIN RSA PRIVATE KEY-----\nMIIE....\n-----END CERTIFICATE-----\n" > /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/pure-ftpd.pem
2. Enable TLS encryption in pure-ftpd
On a current Ubuntu 14.04 LTS, the pure-ftpd config options are handled through files in /etc/pure-ftpd/conf. To enable TLS, a specific value has to be set in the file /etc/pure-ftpd/conf/TLS.
Enable TLS (but continue to allow normal plain-text connections):
echo 1 > /etc/pure-ftpd/conf/TLS
Enable TLS and allow only encrypted connections:
echo 2 > /etc/pure-ftpd/conf/TLS
3. Restart pure-ftpd
service pure-ftpd restart
Restarting ftp server: Running: /usr/sbin/pure-ftpd -l puredb:/etc/pure-ftpd/pureftpd.pdb -l pam -Y 1 -O clf:/var/log/pure-ftpd/transfer.log -A -8 UTF-8 -d -E -u 1000 -B
The output shows the currently defined pure-ftpd parameters, defined by the available config files in /etc/pure-ftpd.
So much for the setup itself. But now to the problem. As soon as I tried to connect to this pure-ftpd server with FTPES, I got the following error message in FileZilla:
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
In pure-ftpd's verbose log I only saw the following entries:
Jun 12 10:49:36 ftpserver01 pure-ftpd: (?@myclient.local) [INFO] New connection from myclient.local
Jun 12 10:49:36 ftpserver01 pure-ftpd: (?@myclient.local) [DEBUG] Command [auth] [TLS]
Jun 12 10:49:36 ftpserver01 pure-ftpd: (?@myclient.local) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with AES256-GCM-SHA384, 256 secret bits cipher
Jun 12 10:49:36 ftpserver01 pure-ftpd: (?@myclient.local) [DEBUG] Command [user] [ftpuser]
Jun 12 10:49:36 ftpserver01 pure-ftpd: (?@myclient.local) [DEBUG] Command [pass] [<*>]
Jun 12 10:49:36 ftpserver01 pure-ftpd: (?@myclient.local) [INFO] ftpuser is now logged in
Jun 12 10:49:36 ftpserver01 pure-ftpd: (ftpuser@myclient.local) [DEBUG] Command [opts] [UTF8 ON]
Jun 12 10:49:36 ftpserver01 pure-ftpd: (ftpuser@myclient.local) [DEBUG] Command [pbsz] [0]
Jun 12 10:49:36 ftpserver01 pure-ftpd: (ftpuser@myclient.local) [DEBUG] Command [prot] [P]
Jun 12 10:49:36 ftpserver01 pure-ftpd: (ftpuser@myclient.local) [DEBUG] Command [pwd] []
Jun 12 10:49:36 ftpserver01 pure-ftpd: (ftpuser@myclient.local) [DEBUG] Command [type] [I]
Jun 12 10:49:36 ftpserver01 pure-ftpd: (ftpuser@myclient.local) [DEBUG] Command [pasv] []
Jun 12 10:49:36 ftpserver01 pure-ftpd: (ftpuser@myclient.local) [DEBUG] Command [mlsd] []
Jun 12 10:51:33 ftpserver01 pure-ftpd: (ftpuser@myclient.local) [INFO] Logout.
When I tried the same connection without encryption, the connection worked.
It turns out that, as soon as encryption is used, the FTP connection is continued on a passive high port, which of course needs to be enabled in the firewall, too. A "normal" non-encrypted ftp connection keeps its connection on the server port 21.
In order to limit the number of passive high ports, I defined them in yet another pure-ftpd config file, called PassivePortRange:
echo "20000 20500" > /etc/pure-ftpd/conf/PassivePortRange
This means that additional (passive) FTP ports are defined between tcp/20000 and tcp/20500.
After a restart of pure-ftpd and modification of the incoming firewall rules, the connection finally worked:
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Connected
Status: Retrieving directory listing...
Status: Verifying certificate...
Status: Directory listing of "/" successful
So keep in mind to (define and) create firewall rules for additional passive FTP ports when you want your FTP connections encrypted.
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder