How to set up PureFTPd using TLS session on CentOS 7

This article describes how to set up PureFTPd with TLS sessions on a CentOS 7 server. Plain FTP is an insecure protocol because all passwords and all data are transferred unencrypted. With TLS, all communication can be encrypted, which makes FTP much more secure.

1 Preliminary note

You should have a working PureFTPd installation on your CentOS 7 server.

2 Installing OpenSSL

OpenSSL is required for TLS. To install it, run:

yum install openssl

3 Configuring PureFTPd

Open /etc/pure-ftpd/pure-ftpd.conf … (See the guide on how to install nano on Linux)

nano /etc/pure-ftpd/pure-ftpd.conf

If you want to allow both plain FTP and TLS sessions, set TLS to 1. Clients that connect without TLS still transfer their passwords and data unencrypted:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      1
[...]

If you want to accept TLS sessions only (not FTP), set TLS to 2:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      2
[...]

To disable TLS entirely (plain FTP only), set TLS to 0:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      0
[...]

Then remove the # in front of the following two lines:

TLSCipherSuite           HIGH
CertFile                 /etc/ssl/private/pure-ftpd.pem

and save the modified config file.

4 Create SSL Certificate For TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, so I first create that directory with mkdir:

mkdir -p /etc/ssl/private/

After that, we can generate an SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [XX]: <- Enter the country name (e.g. "RU").
State or Province Name (full name) []: <- Enter the state or province name.
Locality Name (eg, city) [Default City]: <- Enter the city.
Organization Name (eg, company) [Default Company Ltd]: <- Enter the name of the organization (for example, your company name).
Organizational Unit Name (eg, section) []: <- Enter the organizational unit name (for example, "IT department").
Common Name (eg, your name or your server's hostname) []: <- Enter the fully qualified domain name of the system (for example, "server1.example.com").
Email Address []: <- Enter your email address.

Change the permissions of the SSL certificate file:

chmod 600 /etc/ssl/private/pure-ftpd.pem

And finally restart PureFTPd:

systemctl restart pure-ftpd.service

That’s all. Now you can try connecting using an FTP client. However, you must configure your FTP client to use TLS – see the next chapter for how to do this with FileZilla.
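To check the result of sections 3 and 4 before connecting, the script below reads pure-ftpd.conf and reports the effective TLS mode, whether TLSCipherSuite and CertFile are uncommented, and whether the PEM file is private to its owner and holds both a key and a certificate. It is an added example, not part of the original guide; the names conf_value, audit_pureftpd_tls and demo are hypothetical, and demo runs on constructed files rather than a real key.

```shell
#!/bin/sh
# Added example: audit the settings this guide changes (helper names are hypothetical).

# Effective (last uncommented) value of a directive in pure-ftpd.conf.
conf_value() {
    awk -v key="$2" '$1 == key { val = $2 } END { print val }' "$1"
}

# Prints one finding per line; returns 0 only when nothing is flagged.
audit_pureftpd_tls() {
    conf=$1 rc=0
    tls=$(conf_value "$conf" TLS)
    suite=$(conf_value "$conf" TLSCipherSuite)
    cert=$(conf_value "$conf" CertFile)

    case "$tls" in
        2) echo "OK   TLS=2: plaintext sessions are refused" ;;
        1) echo "WARN TLS=1: unencrypted FTP logins are still accepted"; rc=1 ;;
        *) echo "FAIL TLS=${tls:-unset}: no TLS layer"; rc=1 ;;
    esac

    [ -n "$suite" ] || { echo "WARN TLSCipherSuite is commented out"; rc=1; }

    if [ -z "$cert" ]; then
        echo "FAIL CertFile is commented out"; rc=1
    elif [ ! -f "$cert" ]; then
        echo "FAIL $cert does not exist"; rc=1
    else
        # The file holds the private key, so group/other must have no access.
        perms=$(ls -ld "$cert" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "FAIL $cert is accessible to group/other (chmod 600)"; rc=1; }
        grep -Eq -e '-----BEGIN (RSA )?PRIVATE KEY-----' "$cert" ||
            { echo "FAIL $cert has no private key block"; rc=1; }
        grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
            { echo "FAIL $cert has no certificate block"; rc=1; }
    fi
    return "$rc"
}

# Demo on constructed files in a temp directory (not a real key or certificate).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' > "$d/pure-ftpd.pem"
    chmod 644 "$d/pure-ftpd.pem"
    printf '%s\n' '# TLS 2' 'TLS 1' '#TLSCipherSuite HIGH' "CertFile $d/pure-ftpd.pem" > "$d/pure-ftpd.conf"
    audit_pureftpd_tls "$d/pure-ftpd.conf"; status=$?
    rm -rf "$d"
    return "$status"
}
```

On the server, source the file and run audit_pureftpd_tls /etc/pure-ftpd/pure-ftpd.conf as root; a non-zero exit status means at least one line was flagged.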

5 Configuring FileZilla for TLS

To use FTP with TLS, you need an FTP client (see the guide on the 6 best FTP clients) that supports TLS, such as FileZilla or the FireFTP plugin in Firefox.

In FileZilla, open the Site Manager:

Select the server that uses PureFTPd with TLS. In the Server Type drop-down menu, select "Require explicit FTP over TLS" instead of regular FTP:

Server details in FileZilla

You can now connect to the server. If this is the first time you do this, you must accept the server’s new SSL certificate:

SSL certificate warning in FileZilla

If all goes well, you should now be logged into the server:

FileZilla login successful

6 Links

  • PureFTPd: http://www.pureftpd.org/
  • FileZilla: http://filezilla-project.org/
  • CentOS: http://www.centos.org/