My backup memory

Sunday, 2 September 2012

Setting up Pure-FTPd over TLS (ISPConfig 3)

+ Add a passive port range to the router and to the ISPConfig firewall. For example: 40110 40210
+ Create two new files, PassivePortRange and ForcePassiveIP, in /etc/pure-ftpd/conf (on Debian/Ubuntu each file in that directory holds the value of one pure-ftpd option)
+ Put the parameters in these files:

echo "40110 40210" > /etc/pure-ftpd/conf/PassivePortRange

echo "192.168.xxx.xxx" > /etc/pure-ftpd/conf/ForcePassiveIP

ForcePassiveIP is the address the server announces in PASV replies, so it must be the address clients actually connect to. If the server sits behind NAT, put the public (WAN) address here rather than the server's LAN address, otherwise passive data connections from the Internet will fail.

+ restart pure-ftpd

/etc/init.d/pure-ftpd-mysql restart

+ Wait a minute, then done!

+ Check which ports the firewall needs open. Run the command as root:

grep -i ftps /etc/services

You will see a result like the one below:

ftps-data 989/tcp    # FTP over SSL (data)
ftps  990/tcp

Note that 989 and 990 are the ports for implicit FTPS. The setup in this post uses explicit FTP over TLS (the AUTH TLS command on the normal control port), so what actually has to be open is port 21 plus the passive range configured above; 989/990 only matter if you run an implicit-FTPS listener.
In FileZilla, set the encryption type to "Require explicit FTP over TLS" (see the picture below).

Explicit: the client connects to port 21 in plaintext and upgrades the connection with the AUTH TLS command before sending credentials.
Implicit: the client starts TLS immediately on connecting, by convention on port 990. Pure-FTPd's README.TLS documents the explicit variant (AUTH TLS), which is what this setup uses.
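The passive-mode steps above, as an added shell example (not part of the original post or of the ISPConfig/pure-ftpd projects): it writes the two option files under a configurable CONF_DIR, rejects a malformed port range, warns when ForcePassiveIP is a private address, and prints the firewall rules the configuration implies. The iptables rule format is an assumption for illustration; ISPConfig's own firewall module takes the same port list through its web interface.

```sh
#!/bin/sh
# Added example, not from the original post: writes the pure-ftpd passive-mode
# settings described above and lists the firewall ports they imply.
# CONF_DIR defaults to the Debian/ISPConfig layout but can be pointed at a
# scratch directory to try the script without touching the live server.
set -eu

CONF_DIR="${CONF_DIR:-/etc/pure-ftpd/conf}"

# Debian's pure-ftpd wrapper reads one option per file under CONF_DIR:
# the file name is the option, the file content is its value.
write_conf() {
    mkdir -p "$CONF_DIR"
    printf '%s\n' "$2" > "$CONF_DIR/$1"
}

is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# A usable passive range: two valid ports, unprivileged, low < high.
valid_passive_range() {
    is_port "$1" && is_port "$2" && [ "$1" -ge 1024 ] && [ "$1" -lt "$2" ]
}

set_passive_range() {
    if ! valid_passive_range "$1" "$2"; then
        echo "bad passive range: '$1 $2'" >&2
        return 1
    fi
    write_conf PassivePortRange "$1 $2"
}

# ForcePassiveIP is what the server puts in PASV replies, so it must be the
# address clients actually reach. Behind NAT that is the public address;
# an RFC 1918 address here breaks passive transfers from the Internet.
set_force_passive_ip() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            echo "warning: $1 is a private address; Internet clients will not reach it" >&2 ;;
    esac
    write_conf ForcePassiveIP "$1"
}

# Explicit FTP over TLS (AUTH TLS) runs on the normal control port, so the
# firewall needs 21 plus the passive range. 989/990 are the implicit-FTPS
# ports and are not used by this configuration. (iptables form assumed.)
firewall_rules() {
    printf 'iptables -A INPUT -p tcp --dport 21 -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport %s:%s -j ACCEPT\n' "$1" "$2"
}

# Usage on the real server, as root (203.0.113.10 is a placeholder WAN address):
#   ./passive.sh 40110 40210 203.0.113.10 && /etc/init.d/pure-ftpd-mysql restart
if [ "$#" -eq 3 ]; then
    set_passive_range "$1" "$2"
    set_force_passive_ip "$3"
    firewall_rules "$1" "$2"
fi
```

Run it with CONF_DIR set to a temporary directory first and inspect the files it produces; the warning on a private ForcePassiveIP is the check that catches the most common cause of "connection established, directory listing hangs" after enabling passive mode behind NAT.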
--update----------
To force the use of TLS for FTP in ISPConfig, first refer to the pure-ftpd manual:
Link http://download.pureftpd.org/pub/pure-ftpd/doc/README.TLS
   ------------------------ ACCEPTING TLS SESSIONS ------------------------
      
Once the certificate has been installed, you need to start a TLS-enabled
pure-ftpd daemon with the -Y (or --tls=) switch. Example :

/usr/local/sbin/pure-ftpd --tls=1 &

- With "--tls=0", support for SSL/TLS is disabled. This is the default.

- With "--tls=1", clients can connect either the traditional way or through an
SSL/TLS layer. This is probably the setting you need if you want to enable
TLS without having too many angry customers.

- With "--tls=2", cleartext sessions are refused and only SSL/TLS compatible
clients are accepted.

- With "--tls=3", cleartext sessions are refused and only SSL/TLS compatible 
clients are accepted. Clear data connections are also refused, so private 
data connections are enforced. This is an extreme setting.

When SSL/TLS has been successfully negotiated for a connection, you'll see
something similar to this in log files :

<<
SSL/TLS: Enabled TLSv1/SSLv3 with AES256-SHA, 256 secret bits cipher
>>

A cipher using traditional algorithms with a 40 bits key is weak but
exportable to almost any country. This is the minimum size accepted by the
server, else a "Cipher too weak" error message will be logged and reported to
the client.
--------------------
nano /etc/pure-ftpd/conf/TLS

change the value from 1 to 2 (use 3 if cleartext data connections should be refused as well, as the README excerpt above describes; with 2 the control connection is protected but a client that does not send PROT P can still transfer data in the clear)

then restart pure-ftpd:
/etc/init.d/pure-ftpd-mysql restart

Test a plain FTP connection with FileZilla; you will get the error message
"Response:    421 Sorry, cleartext sessions are not accepted on this server."
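The enforcement step above, as an added shell example (not part of the original post or of pure-ftpd): it sets the TLS level file, validates the value, and turns the "421 Sorry, cleartext sessions are not accepted" reply into a scriptable check by classifying the replies a cleartext login attempt receives. The sample replies in the test are constructed; the live probe function assumes a reachable host on port 21 and that nc and openssl are installed.

```sh
#!/bin/sh
# Added example, not from the original post: sets pure-ftpd's TLS level and
# classifies what a cleartext probe of the control port gets back, so the
# "421 Sorry, cleartext sessions are not accepted" reply can be checked from
# a script instead of by hand in FileZilla. CONF_DIR is overridable for testing.
set -eu

CONF_DIR="${CONF_DIR:-/etc/pure-ftpd/conf}"

# Levels per pure-ftpd's README.TLS: 0 = TLS off, 1 = TLS optional,
# 2 = control connection must use TLS, 3 = control and data must use TLS.
set_tls_level() {
    case "$1" in
        0|1|2|3) ;;
        *) echo "TLS level must be 0-3, got '$1'" >&2; return 1 ;;
    esac
    mkdir -p "$CONF_DIR"
    printf '%s\n' "$1" > "$CONF_DIR/TLS"
}

# Read the server's replies (one per line on stdin) to a cleartext USER
# command and say what they mean:
#   enforced            421 refusing cleartext before authentication (TLS >= 2)
#   unavailable         any other 421 (server full, shutting down, ...)
#   cleartext-accepted  331 password prompt: a cleartext login would proceed
#   unknown             nothing recognisable (no connection, odd banner, ...)
classify_cleartext_probe() {
    while IFS= read -r line; do
        case "$line" in
            421*cleartext*) echo enforced; return 0 ;;
            421*)           echo unavailable; return 0 ;;
            331*)           echo cleartext-accepted; return 0 ;;
        esac
    done
    echo unknown
}

# Live probe of a real server (host and port are assumptions supplied by the
# caller): send USER in the clear, then confirm AUTH TLS itself still works.
probe_server() {
    host=$1; port=${2:-21}
    printf 'USER probe\r\nQUIT\r\n' | nc -w 5 "$host" "$port" | classify_cleartext_probe
    openssl s_client -connect "$host:$port" -starttls ftp </dev/null 2>/dev/null |
        grep -E '^ *(Protocol|Cipher) *:'
}

# Usage on the server, as root:
#   ./tls.sh 2 && /etc/init.d/pure-ftpd-mysql restart && probe_server 127.0.0.1
if [ "$#" -eq 1 ]; then
    set_tls_level "$1"
fi
```

After the restart, probe_server should print "enforced" followed by the negotiated protocol and cipher from openssl; "cleartext-accepted" means the TLS file was not picked up (check that the init script you restarted is the one actually running, pure-ftpd-mysql on ISPConfig).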
