CitiZen Posted July 4, 2004

Hello TCH Techs,

Can this be implemented, so people like myself can FTP securely to and from our Web server? I'm sure there are MANY people hosted by TCH that would appreciate the effort to do this.

How-To's: How to - Enable and use FTP over SSL

First you need an SSL enabled FTP client. You also need to be using PROFTP, latest stable version with cPanel.

If you don't have a PassivePorts directive then you MAY need one... place

    PassivePorts 35000 35999

into:

    /etc/proftpd.conf

IF you edited the conf file don't forget to:

    /etc/rc.d/init.d/proftpd stop
    /etc/rc.d/init.d/proftpd start

Make sure these ports are open on your firewall (TCP inbound).

Start up Core FTP and add a site - under "SSL Options" tick "Auth SSL" or "Auth TLS" (both work for me) and "SSL Listings" and "SSL Transfers" should both be ticked. Connect. You'll be asked to accept a Certificate from your server. Do so. You now have a padlock in the lower right corner.

If your Certificate servername read "cpanel.ev1servers.net" like mine did and you have a different servername, you can correct it by:

    cd /etc
    cp ftpd-rsa.pem ftpd-rsa.pem.bak
    cp ftpd-rsa-key.pem ftpd-rsa-key.pem.bak
    openssl req -new -x509 -days 3650 -nodes -out ftpd-rsa.pem -keyout ftpd-rsa-key.pem

You will be asked a series of questions. You can answer all of them (EXCEPT common name) with a "." - no quotes. Enter the actual common name (hostname) of your server. This will create a 509 certificate that will last 10 years. Login via SSL_FTP and see your new Certificate. Nice huh!

You can configure the Proftpd SSL options at:

    /etc/proftpd.conf

in the section:

    TLSEngine on
    TLSProtocol TLSv1
    TLSRequired off
    TLSRSACertificateFile /etc/ftpd-rsa.pem
    TLSRSACertificateKeyFile /etc/ftpd-rsa-key.pem
    TLSVerifyClient off

The only change you may want to make is to force users to use SSL_FTP (TLSRequired on).

IF you changed the config file don't forget to:

    /etc/rc.d/init.d/proftpd stop
    /etc/rc.d/init.d/proftpd start

On a last note, to configure SSL email, simply open Ports 995 (pop3) and 993 (imap) on your firewall and configure your email client to use SSL (in advanced???). The inbound server name will be your hostname, not mail.****** (so you don't get an SSL Certificate warning each time). To force SSL_Email simply close Port 110 on your firewall.

Turn off telnet or don't issue shell access. Now force users to login to cpanel via the SSL ports (turn off other ports in firewall). Your user passwords are now totally secured by SSL.

Thanks to Freddo from the EV1Servers forums for this Howto.

Thanks in advance!

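A check for the directives named in the how-to above, as an added example that is not part of the original post or of Freddo's how-to: it reads a proftpd.conf and reports whether TLS is enabled, whether plain-text logins are still accepted, and which passive port range the firewall has to allow. The function name `audit_proftpd_tls`, the message format and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# audit_proftpd_tls FILE: report how the directives from the how-to are set.
# Prints "LEVEL Directive: message" per check; returns 1 if any check FAILs.
# Simplification: the last occurrence of a directive wins; <VirtualHost> and
# <Global> scoping is not modelled.
audit_proftpd_tls() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        { key = tolower($1); val = tolower($2) }
        key == "tlsengine"    { engine = val }
        key == "tlsrequired"  { required = val }
        key == "passiveports" { lo = $2 + 0; hi = $3 + 0; have_pp = 1 }
        END {
            if (engine == "on") print "OK TLSEngine: on"
            else { print "FAIL TLSEngine: TLS is not enabled"; bad = 1 }

            if (required == "on")
                print "OK TLSRequired: on, logins without TLS are refused"
            else if (required == "" || required == "off") {
                print "FAIL TLSRequired: off, passwords may still cross the wire in clear text"
                bad = 1
            } else
                print "WARN TLSRequired: " required ", only part of the session must use TLS"

            if (!have_pp)
                print "WARN PassivePorts: not set, no fixed range to allow in the firewall"
            else if (lo < 1 || hi > 65535 || lo > hi) {
                print "FAIL PassivePorts: bad range " lo "-" hi; bad = 1
            } else
                print "OK PassivePorts: allow TCP " lo "-" hi " inbound"
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the TLS section exactly as the how-to gives it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PassivePorts 35000 35999
TLSEngine on
TLSProtocol TLSv1
TLSRequired off
TLSRSACertificateFile /etc/ftpd-rsa.pem
TLSRSACertificateKeyFile /etc/ftpd-rsa-key.pem
TLSVerifyClient off
EOF
audit_proftpd_tls "$sample" || echo "=> at least one FAIL"
rm -f "$sample"
```

On the how-to's configuration as posted, the `TLSRequired off` line is the one that fails; switching it to `on`, as the how-to suggests, clears it.
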
TCH-Rob Posted July 4, 2004

I am going to go out on a limb here and say probably not. This config looks like it is meant for a single site. Think of how this would have to be done to have it work on over 70 servers with a few hundred accounts per server. That would be no small task.

Many times you don't see a specific feature here because there isn't a simple way to implement it. It isn't that we haven't thought of it before.

CitiZen Author Posted July 6, 2004

Hi Rob,

So there's no secure way to transfer files to our sites, correct? That stinks! Then can something be implemented, so we can FTP securely on TCH servers?

Thanks

TCH-Rob Posted July 6, 2004

"So there's no secure way to transfer files to our sites, correct?"

Not entirely. Though a bit of a pain, you can log into cPanel securely and use the file manager to upload your files. If you have many files you may need to zip them up first and unpack them when they are uploaded.

It isn't like we don't want to have other ways to do it, but making changes to the cPanel install may be overwritten when the next release is pushed and then we have to do it all over again.

CitiZen Author Posted July 6, 2004

Hi Rob,

Sorry about my raving, but I am used to FTP'ing through SSH. I just checked out the feature you suggested within the Cpanel.

1. I used the https://www.****:2083 address to connect to Cpanel.
2. I zipped up some files and then uploaded the .zip file.
3. I extracted the .zip file and set the permissions within the Cpanel. (Didn't know you could do that)
4. Using this method was NOT as fast as FTP'ing, but it was all done through SSL and no plain-text password was sent through the Internet.

Thanks

P.S. How big of a .zip file is supported through Cpanel uploading?

TCH-Rob Posted July 6, 2004

"P.S. How big of an .zip file is supported through Cpanel uploading?"

I need to check. I have uploaded the entire osCommerce package before it was part of cPanel, so I know at least 2 meg.