I will give an example of configuring FTPS in ProFTP, and prohibit simple connections without encryption.
Let’s say ProFTPd is installed, for example, as I described in the article:
Installing and Configuring ProFTPd in Ubuntu
The certificate can be obtained free of charge from Let’s Encrypt, for example, as I described in the article:
Installing Certbot in Ubuntu
Or we can generate it manually, for example (the proftpd.key file must be readable only by the root user):
sudo openssl req -x509 -newkey rsa:1024 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -nodes -days 3650
Then open the standard configuration file:
sudo nano /etc/proftpd/tls.conf
In this file, we will specify the parameters:
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSRequired yes
TLSRSACertificateFile /etc/letsencrypt/live/ixnfo.com/cert.pem
TLSRSACertificateKeyFile /etc/letsencrypt/live/ixnfo.com/privkey.pem
TLSCACertificateFile /etc/letsencrypt/live/ixnfo.com/chain.pem
</IfModule>
If the certificate was generated manually, then we indicate it like this:
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
Let’s open the main ProFTPd configuration file:
sudo nano /etc/proftpd/proftpd.conf
Let’s uncomment or specify the line that includes the tls.conf file:
Include /etc/proftpd/tls.conf
Let’s check the correctness of the configuration and restart ProFTPd to apply the changes:
sudo proftpd --configtest
sudo service proftpd restart
Now you can connect to the FTP server using an encrypted connection.
TLSRequired yes – Denies connections without encryption.
See also my article:
Client did not reuse SSL session from control channel, rejecting data connection