FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. This article explains how to configure PureFTPd to accept TLS sessions on a Debian Lenny server.

1 Installing OpenSSL

OpenSSL is needed by TLS; to install OpenSSL, we simply run (verify version or if installed / openssl version) :

aptitude install openssl

2 Configuring PureFTPd

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS

If you want to accept TLS sessions only (no FTP), run

echo 2 > /etc/pure-ftpd/conf/TLS

instead.

To not allow TLS at all (only FTP), either delete /etc/pure-ftpd/conf/TLS or run

echo 0 > /etc/pure-ftpd/conf/TLS

 

3 Creating The SSL Certificate For TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

 mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <– Enter your Country Name (e.g., “DE”).
State or Province Name (full name) [Some-State]:<– Enter your State or Province Name.
Locality Name (eg, city) []:<– Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<– Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:<– Enter your Organizational Unit Name (e.g. “IT Department”).
Common Name (eg, YOUR name) []:<– Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).
Email Address []:<– Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Finally restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart

That’s it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS/SSL explicit encryption.