2

Is there a way to block all normal ftp traffic, and only allow the sftp protocol in sftp?

edit: sorry my bad!

for secure ftp I must use the ftpes protocol...

Castaglia
Timo

4 Answers

4

You don't need proftpd to do SFTP, you can do that natively with ssh.

If for some reason you want to use proftpd (i.e. you want to integrate with non-system accounts more easily), you'll want to deny access to the login verb for the server, then create a specific virtual host with the sftp engine on and allow the login verb.

To accomplish that your proftpd.conf will look something like this.

  <Limit LOGIN>
    DenyAll
  </Limit>

  <VirtualHost 1.2.3.4>
    SFTPEngine on
    <Limit LOGIN>
      AllowAll
    </Limit>
    # <all your other crap...>
  </VirtualHost>
Dominic D
3

If you want to do FTPES with proftpd you basically need to follow 4 steps.

1) Install proftpd and openssl

apt-get install proftpd openssl

2) Generate a cert (assuming you are going to self-sign, make sure to match the common name to the ftp site's DNS name to make clients complain less)

mkdir /etc/proftpd/ssl
openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

3) Edit proftpd.conf: replace the mod_tls module section of your config with the text below (note the TLSRequired on directive)

<IfModule mod_tls.c>
  TLSEngine                  on
  TLSLog                     /var/log/proftpd/tls.log
  TLSProtocol                SSLv23
  TLSOptions                 NoCertRequest
  TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
  TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
  TLSVerifyClient            off
  TLSRequired                on
</IfModule>

4) Restart proftpd

/etc/init.d/proftpd restart
Dominic D
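A check for the mod_tls section in the answer above, as an added example that is not part of the original answer: it parses proftpd.conf text and reports when TLSEngine or TLSRequired is not on, when TLSProtocol still names SSLv23 or SSLv3 (the mod_tls documentation describes SSLv23 as a compatibility mode that also allows SSLv3), or when the certificate directives are missing. The function names and finding texts are hypothetical; the sample input is the answer's config.

```python
import re

# Added example (helper names are illustrative). Input: the answer's mod_tls section.
SAMPLE_CONF = """\
<IfModule mod_tls.c>
  TLSEngine                  on
  TLSLog                     /var/log/proftpd/tls.log
  TLSProtocol                SSLv23
  TLSOptions                 NoCertRequest
  TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
  TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
  TLSVerifyClient            off
  TLSRequired                on
</IfModule>
"""

def tls_directives(conf_text):
    """Collect directives found directly inside <IfModule mod_tls.c> (last value wins)."""
    found, depth = {}, 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if depth == 0 and re.fullmatch(r"<IfModule\s+mod_tls\.c>", line, re.I):
            depth = 1
        elif depth and line.startswith("</"):
            depth -= 1
        elif depth and line.startswith("<"):
            depth += 1  # nested section: skipped, not audited
        elif depth == 1 and line:
            name, *args = line.split()
            found[name.lower()] = [a.lower() for a in args]  # lowercased for comparison only
    return found

def audit_tls(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    d, findings = tls_directives(conf_text), []
    if d.get("tlsengine") != ["on"]:
        findings.append("TLSEngine is not 'on': FTPES is not offered")
    if d.get("tlsrequired") != ["on"]:
        findings.append("TLSRequired is not 'on': cleartext FTP may still be accepted")
    if {"sslv23", "sslv3"} & set(d.get("tlsprotocol", [])):
        findings.append("TLSProtocol permits SSLv3: list only current TLS versions")
    for key in ("tlsrsacertificatefile", "tlsrsacertificatekeyfile"):
        if key not in d:
            findings.append(key + " is missing: no RSA certificate/key configured")
    return findings

if __name__ == "__main__":
    for finding in audit_tls(SAMPLE_CONF):
        print("FINDING:", finding)
```

Run against the answer's config, it reports a single finding, for the TLSProtocol SSLv23 line.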
2

When you only want to allow ftps with proftpd, TLSRequired is the option you are looking for.

user9517
Christian
0

What do you mean by sftp? SecureFTP (AKA SSL ftp), or ftp over ssh (AKA sftp)?

For sftp - just run sshd, and do not use any ftp daemon at all.

Sunny