[Newbie Engineer's Memo] How to change from FTP to SFTP using proftpd

Introduction

Before we get to the change instructions, a quick overview.
"proftpd (Professional FTP Daemon)" is FTP server software used to provide FTP connections (file transfers using the FTP protocol).
However, because the FTP protocol sends everything, login credentials included, in plain text with no encryption, it poses a security risk.
This time, we'll use proftpd to switch from FTP (plain text) to SFTP (encrypted)!

Premise

Environment

Cloud: AWS
FTP server software: proftpd
proftpd version: 1.3.8b
Port: 21 (FTP)

*Please note that some versions of proftpd may not support SFTP.

References
① ProFTPD official documentation
http://www.proftpd.org/docs/
② ProFTPD module: mod_sftp
http://www.proftpd.org/docs/contrib/mod_sftp.html

Conditions

① The FTP server software will use the existing proftpd.
② We want to switch to SFTP communication using the existing username and password.
③ The port for SFTP will be 8022.

→ Keep the amount of work small and switch easily

Memo

  1. Configure the SFTP port in the security group
  2. Edit proftpd.conf
  3. Change hostkey permissions
  4. Reflect the settings

Procedure for parallel operation (FTP + SFTP)

1. Set the SFTP port in the security group
→ Allow inbound traffic on the SFTP port (8022) from the target IP addresses

2. Edit proftpd.conf
2.1. Make a backup of the target file

cp -ip /etc/proftpd.conf /etc/proftpd.conf_$(date +"%Y%m%d")

Check the difference:

diff /etc/proftpd.conf /etc/proftpd.conf_$(date +"%Y%m%d")

2.2 Add the SFTP settings
→ Append the following to the end of the file.
Contents to add:

LoadModule mod_sftp.c                          # Load the SFTP module

<IfModule mod_sftp.c>
  <VirtualHost 0.0.0.0>
    SFTPEngine on                              # Enable the SFTP engine
    SFTPLog /var/log/sftp.log                  # Specify the log file
    DefaultRoot ~                              # Specify the default root

    # Virtual user settings
    AuthUserFile /etc/ftppasswd                # Path to the file containing the user information used for authentication
    AuthGroupFile /etc/ftpgroup                # Path to the file containing the group information used for authentication
    AuthOrder mod_auth_file.c                  # Specify the authentication order

    Port 8022                                  # Specify the port for SFTP

    # Use the host key from sshd
    SFTPHostKey /etc/ssh/ssh_host_rsa_key      # Specify the host key for SFTP
  </VirtualHost>
</IfModule>

3. Change the host key permissions

chmod 600 /etc/ssh/ssh_host_rsa_key

→ Check that the permissions of /etc/ssh/ssh_host_rsa_key are 600

4. Reflect the settings
4.1 Syntax check

proftpd -t

4.2 Check the port

netstat -lntp

Expected results:

tcp6 0 0 :::21 :::* LISTEN PID/proftpd

4.3 Check the process

ps auxf | grep proftpd

Expected results:

nobody 1140 0.0 0.1 52348 39724 ? SLs 2024 8:28 proftpd: (accepting connections)


4.4 Check the status

systemctl status proftpd

4.5 Restart proftpd

systemctl restart proftpd


4.6 Check the port again

netstat -lntp

Expected results:

tcp6 0 0 :::8022 :::* LISTEN PID/proftpd

5. Check the connection
→ Use a tool such as WinSCP to check that both FTP and SFTP connections are possible, and that editing, deleting, uploading, etc. also work.

・FTP

Transfer protocol: FTP
Host name: target host IP
Port number: 21
Username: target FTP username
Password: password of the target FTP user

・SFTP

Transfer protocol: SFTP
Host name: target host IP
Port number: 8022
Username: target FTP username
Password: password of the target FTP user

▶ Both FTP and SFTP connections are possible!


Problem

If you want to stop FTP communication for security reasons,
you can do so by restricting FTP logins with a <Limit> block and removing the IP permission for port 21 in the security group.
However, I was unable to close the port's LISTEN state...
(Well, since FTP connections are impossible, I'd rather just pretend I didn't see it.)

# FTP
<Limit LOGIN>
  DenyAll                                      # Deny FTP connections
</Limit>

LoadModule mod_sftp.c                          # Load the SFTP module

# SFTP
<IfModule mod_sftp.c>
  <VirtualHost 0.0.0.0>
    <Limit LOGIN>
      AllowAll                                 # Allow SFTP connections
    </Limit>
    SFTPEngine on                              # Enable the SFTP engine
    SFTPLog /var/log/sftp.log                  # Specify the log file
    DefaultRoot ~                              # Specify the default root

    # Virtual user settings
    AuthUserFile /etc/ftppasswd                # Path to the file containing the user information used for authentication
    AuthGroupFile /etc/ftpgroup                # Path to the file containing the group information used for authentication
    AuthOrder mod_auth_file.c                  # Specify the authentication order

    Port 8022                                  # Specify the port for SFTP

    # Use the host key from sshd
    SFTPHostKey /etc/ssh/ssh_host_rsa_key      # Specify the host key for SFTP
  </VirtualHost>
</IfModule>

*Even after you have discontinued FTP communication, use a tool such as WinSCP to confirm that connections are restricted as expected!
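Before restarting, it helps to check the edited proftpd.conf for the settings this post depends on: the SFTP VirtualHost from step 2.2 (SFTPEngine, Port 8022, SFTPHostKey) and, once FTP is discontinued, the top-level <Limit LOGIN> DenyAll from the Problem section. The script below is an added example and not part of the original post or of ProFTPD; the configuration text is a constructed copy of the post's final config, and the parser is a minimal one written for this check.

```python
# Audit a proftpd.conf for the FTP -> SFTP switch; SAMPLE_CONF is a constructed copy of the post's final config.
SAMPLE_CONF = """\
<Limit LOGIN>
  DenyAll
</Limit>
LoadModule mod_sftp.c
<IfModule mod_sftp.c>
  <VirtualHost 0.0.0.0>
    <Limit LOGIN>
      AllowAll
    </Limit>
    SFTPEngine on
    AuthUserFile /etc/ftppasswd
    Port 8022
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
  </VirtualHost>
</IfModule>
"""

def parse(text):
    """Return (section_stack, directive, value) triples; the stack holds enclosing tags such as 'VirtualHost 0.0.0.0'."""
    stack, out = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        if line.startswith("</"):
            stack.pop()                            # leave a section
        elif line.startswith("<"):
            stack.append(line.strip("<>").strip()) # enter a section, keep its argument
        else:
            name, _, value = line.partition(" ")
            out.append((tuple(stack), name, value.strip()))
    return out

def audit(text, sftp_port="8022"):
    directives = parse(text)
    in_vhost = {n: v for ctx, n, v in directives
                if any(c.startswith("VirtualHost") for c in ctx)}
    findings = []
    if in_vhost.get("SFTPEngine", "").lower() != "on":
        findings.append("SFTPEngine is not enabled in the SFTP <VirtualHost>")
    if in_vhost.get("Port") != sftp_port:
        findings.append(f"SFTP listens on {in_vhost.get('Port')!r}, expected {sftp_port}")
    if "SFTPHostKey" not in in_vhost:
        findings.append("no SFTPHostKey configured for the SFTP <VirtualHost>")
    # A top-level <Limit LOGIN> DenyAll is how the post shuts off plaintext FTP logins.
    if not any(ctx == ("Limit LOGIN",) and n == "DenyAll" for ctx, n, _ in directives):
        findings.append("plaintext FTP logins still allowed: no top-level <Limit LOGIN> DenyAll")
    return findings
```

Run audit() on the contents of /etc/proftpd.conf; an empty list means the SFTP host is configured and plaintext FTP logins are denied, while the parallel-operation config from step 2.2 reports only the FTP-still-allowed finding.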

Finally

It was surprisingly easy to switch from FTP to SFTP communication.
Since both methods can run in parallel, it's also great that you can confirm SFTP connections work properly before switching over to encrypted communication only.
If you're concerned about the security of your FTP communication, please give it a try.
Thank you for reading to the end!


About the author

chick

I am a new graduate engineer who joined the company in 2024.
Humanities/Inexperienced/System Solution Department