[Newbie Engineer's Memo] How to change from FTP to SFTP using proftpd

Introduction

Before explaining how to make the change, let me briefly explain the background.
"proftpd (Professional FTP Daemon)" is a type of FTP server software used for FTP connections (file transfer using the FTP protocol).
However, since the FTP protocol is plain text and not encrypted, there are security risks.
This time, I tried changing from FTP (plain text) to SFTP (encrypted) using proftpd!

Premise

Environment

Cloud: AWS
FTP server software: proftpd
proftpd version: 1.3.8b
Port: 21 (FTP)

*Please note that some versions of proftpd may not support SFTP.

References:
① ProFTPD official documentation
http://www.proftpd.org/docs/
② ProFTPD module: mod_sftp:
http://www.proftpd.org/docs/contrib/mod_sftp.html

Conditions

① Use the existing proftpd FTP server software.
② Switch to SFTP communication using the existing username and password.
③ The port for SFTP should be 8022.

→ Reduce the amount of work required and switch easily

Memo

  1. Configure the SFTP port in the security group
  2. Edit proftpd.conf
  3. Change hostkey permissions
  4. Apply the settings

Parallel Operation Procedure (FTP + SFTP)

1. Configure the security group to allow the SFTP port
→ Allow the SFTP port (8022) for the target IP address.

2. Edit proftpd.conf
2.1. Take a backup of the target file

cp -ip /etc/proftpd.conf /etc/proftpd.conf_$(date +"%Y%m%d")

Check the difference:

diff /etc/proftpd.conf /etc/proftpd.conf_$(date +"%Y%m%d")

2.2 Add SFTP settings
→ Add the following at the end of the file:

# Load the SFTP module
LoadModule mod_sftp.c

<IfModule mod_sftp.c>
  <VirtualHost 0.0.0.0>
    # Enable the SFTP engine
    SFTPEngine on
    # Specify the log file
    SFTPLog /var/log/sftp.log
    # Specify the default root
    DefaultRoot ~

    # Virtual user settings
    # Specify the path to the file containing user information used for authentication
    AuthUserFile /etc/ftppasswd
    # Specify the path to the file containing group information used for authentication
    AuthGroupFile /etc/ftpgroup
    # Specify the authentication order
    AuthOrder mod_auth_file.c

    # Specify the port for SFTP
    Port 8022

    # Use the hostkey from sshd
    # Specify the host key for SFTP
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
  </VirtualHost>
</IfModule>

3. Change the hostkey permissions

chmod 600 /etc/ssh/ssh_host_rsa_key

→ Verify that the permissions for /etc/ssh/ssh_host_rsa_key are set to 600.

4. Apply settings
4.1 Syntax check

proftpd -t

4.2 Check the port

netstat -lntp

Expected results:

tcp6 0 0 :::21 :::* LISTEN PID/proftpd

4.3 Checking the process

ps auxf | grep proftpd

Expected results:

nobody 1140 0.0 0.1 52348 39724 ? SLs 2024 8:28 proftpd: (accepting connections)

4.4 Check the status

systemctl status proftpd

4.5. Restart proftpd

systemctl restart proftpd

4.6 Check the port

netstat -lntp

Expected results:

tcp6 0 0 :::8022 :::* LISTEN PID/proftpd

5. Connection check
→ Use a tool such as WinSCP to confirm that both FTP and SFTP connections work, and that editing, deleting, and uploading files also work.

・FTP

Transfer protocol: FTP
Hostname: Target host IP
Port number: 21
Username: Target FTP username
Password: The password of the target FTP user

・SFTP

Transfer protocol: SFTP
Hostname: Target host IP
Port number: 8022
Username: Target FTP username
Password: The password of the target FTP user

▶ Both FTP and SFTP connections are possible!

 

Problem

If you want to discontinue FTP communication for security reasons,
you can do so by restricting FTP communication with a <Limit LOGIN> block and removing the IP permission for the relevant port in the security group.
However, I couldn't close the port's LISTEN state...
(Well, since FTP connections are impossible anyway, let's just ignore that.)

 
# FTP
<Limit LOGIN>
  # Deny FTP connections
  DenyAll
</Limit>

# Load the SFTP module
LoadModule mod_sftp.c

# SFTP
<IfModule mod_sftp.c>
  <VirtualHost 0.0.0.0>
    <Limit LOGIN>
      # Allow SFTP connections
      AllowAll
    </Limit>

    # Enable the SFTP engine
    SFTPEngine on
    # Specify the log file
    SFTPLog /var/log/sftp.log
    # Specify the default root
    DefaultRoot ~

    # Virtual user settings
    # Specify the path to the file containing user information used for authentication
    AuthUserFile /etc/ftppasswd
    # Specify the path to the file containing group information used for authentication
    AuthGroupFile /etc/ftpgroup
    # Specify the authentication order
    AuthOrder mod_auth_file.c

    # Specify the port for SFTP
    Port 8022

    # Use the hostkey from sshd
    # Specify the host key for SFTP
    SFTPHostKey /etc/ssh/ssh_host_rsa_key
  </VirtualHost>
</IfModule>

*Even after you have discontinued FTP communication, use a tool such as WinSCP to check that connections are restricted as expected!
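One way to script the checks from steps 3 and 4.6 and the state described under Problem, as an added example that is not part of the original article: it parses `netstat -lntp` output for proftpd listeners on the article's ports 21 and 8022 and checks the host key mode. The function names and the sample netstat lines are constructed for illustration, and GNU `stat` is assumed.

```sh
#!/bin/sh
# Added example: which proftpd listeners exist, and is the host key locked down?
FTP_PORT=21      # FTP port from the article
SFTP_PORT=8022   # SFTP port from the article

# Print the TCP ports (sorted, one per line) that proftpd is listening on.
# Reads `netstat -lntp` output on stdin; netstat needs root to show the
# PID/Program column for another user's process.
proftpd_ports() {
  awk '$6 == "LISTEN" && $7 ~ /\/proftpd/ { n = split($4, a, ":"); print a[n] }' |
    sort -un
}

# Classify the listeners: ftp+sftp | sftp-only | ftp-only | none.
# A listener on 21 is reported even when <Limit LOGIN> DenyAll rejects every
# login, because that directive restricts logins, not the listening socket.
listener_state() {
  ports=$(proftpd_ports)
  ftp=0; sftp=0
  if printf '%s\n' "$ports" | grep -qx "$FTP_PORT"; then ftp=1; fi
  if printf '%s\n' "$ports" | grep -qx "$SFTP_PORT"; then sftp=1; fi
  case "$ftp$sftp" in
    11) echo "ftp+sftp" ;;
    01) echo "sftp-only" ;;
    10) echo "ftp-only" ;;
    *)  echo "none" ;;
  esac
}

# Succeed only if the key file exists and grants nothing to group or others
# (600 as set in step 3; 400 also passes). Uses GNU stat.
key_mode_ok() {
  [ -f "$1" ] || return 1
  case "$(stat -c '%a' "$1")" in
    [0-7]00) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample of `netstat -lntp` output after step 4.5 (not from a real host).
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp   0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
tcp6  0 0 :::21      :::*      LISTEN 1140/proftpd: (acce
tcp6  0 0 :::8022    :::*      LISTEN 1140/proftpd: (acce'

# On a live host, as root: netstat -lntp | listener_state
printf '%s\n' "$SAMPLE" | listener_state
```

If the check still reports a listener on 21 after FTP logins are denied, the ProFTPD documentation for the Port directive describes `Port 0` as the way to disable the main server while leaving <VirtualHost> sections active.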

Finally

I was surprised at how easy it was to switch from FTP to SFTP communication! 🙌
It's also great that you can use both simultaneously, allowing you to check if there are any issues with the SFTP connection before switching to encryption.
If you're concerned about the security of FTP communication, please give it a try.
Thank you for reading to the end!


The person who wrote this article

About the author

Chick

I'm a new graduate engineer who joined the company in 2024. I have a liberal arts background and no prior experience. I'm in the Systems Solutions Department.