Cyberpanel: Enable FTP over TLS implicit encryption

I recently installed CyberPanel on one of my web servers for easy administration of my web server.

However, my organization doesn’t allow users to use FTP accounts on port 21. So, the only option is to use FTPS connection on port 990.

CyberPanel uses Pure-FTPd to manage its FTP accounts. Pure-FTPd offers both non-encrypted as well as encrypted FTP connections. However, the problem with FTP connection over TLS offered by Pure-FTPd still remains the same because it still uses Port 21 because it offers Explicit encryption.

After a lot of troubleshooting and brainstorming, I found a workaround to fix this problem. This is not an exact fix, but this is a great workaround to offer FTP over TLS on port 990. This would not be implicit encryption but if your organization doesn’t allow you to use port 21, you can use this workaround to fix your problem.

Step 1: Configure PureFTPd

Centos: Go to /etc/pure-ftpd/pure-ftpd.conf

nano /etc/pure-ftpd/pure-ftpd.conf

Ubuntu: Go to /etc/pure-ftpd/conf

nano /etc/pure-ftpd/conf/TLS

Here are the TLS options that you can choose. I chose option 3. If you want to choose the same, set your TLS to 3.

[...]

- With "--tls=1", clients can connect either the traditional way or through an
TLS layer. This is probably the setting you need if you want to enable
TLS without having too many angry customers.

- With "--tls=2", cleartext sessions are refused and only TLS compatible
clients are accepted.

- With "--tls=3", cleartext sessions are refused and only TLS compatible
clients are accepted. Clear data connections are also refused, so private
data connections are enforced. This is an extreme setting.

When TLS has been successfully negotiated for a connection, you'll see
something similar to this in log files :

<<
TLS: Enabled TLSv1/SSLv3 with ECDHE-ECDSA-AES128-GCM-SHA256, 128 secret bits cipher
>>                     

[...]

Also, add TLSCipherSuite in pure-ftpd.conf file in order to disable TLS 1.1 and enable high security:

Ubuntu and Centos:
nano /etc/pure-ftpd/pure-ftpd.conf

TLSCipherSuite              HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

Step 2: Create SSL Certificate for TLS

CyberPanel by default creates an SSL certificate for TLS, so if you want to skip this step and use it as is, you can go to Step 3.

Go to /etc/ssl/private

mkdir -p /etc/ssl/private/

yum -y install openssl or apt-get install openssl

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Change the permissions of the SSL Certificate

chmod 600 /etc/ssl/private/pure-ftpd.pem

Restart Pure-FTPd:

systemctl restart pure-ftpd.service

or

service pure-ftpd-mysql restart

Step 3: Add argument ‘Bind’ in the configuration file to force Port 990

For Ubuntu servers, you can use the following command in /etc/pure-ftpd/conf directory:

echo ",990" > /etc/pure-ftpd/conf/Bind

This will allow FTP connection from all IP addresses on Port 990. If you want to specify specific subnet change the format as follows:



echo "0.0.0.0/0,990" > /etc/pure-ftpd/conf/Bind

Now, you can restart pure-ftpd and check if your settings have been implemented or not:

service pure-ftpd-mysql restart

Netstat -tnulp | grep pure-ftpd

You will see something similar:

Step 4: Create FTP account on CyberPanel and test in on WinSCP or FileZilla

Go to Website > Manage Website > File Manager > public_html> create new folder for the new user (eg amittal)

Please make sure, that you duplicate the following settings on your WinSCP connection:

I hope this helps you to fix your problem. Let me know if you need any further assistance.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.