I recently installed CyberPanel on one of my web servers for easy administration of my web server.
However, my organization doesn’t allow users to use FTP accounts on port 21. So, the only option is to use an FTPS connection on port 990.
CyberPanel uses Pure-FTPd to manage its FTP accounts. Pure-FTPd offers both non-encrypted and encrypted FTP connections. However, the FTP over TLS that Pure-FTPd offers does not solve the problem: it uses explicit encryption, so connections are still made on port 21.
After a lot of troubleshooting and brainstorming, I found a workaround to fix this problem. This is not an exact fix, but this is a great workaround to offer FTP over TLS on port 990. This would not be implicit encryption but if your organization doesn’t allow you to use port 21, you can use this workaround to fix your problem.
Step 1: Configure PureFTPd
CentOS: Go to /etc/pure-ftpd/pure-ftpd.conf
nano /etc/pure-ftpd/pure-ftpd.conf
Ubuntu: Go to /etc/pure-ftpd/conf
nano /etc/pure-ftpd/conf/TLS
Here are the TLS options that you can choose. I chose option 3. If you want to choose the same, set your TLS to 3.
[...]
- With "--tls=1", clients can connect either the traditional way or through an TLS layer. This is probably the setting you need if you want to enable TLS without having too many angry customers.
- With "--tls=2", cleartext sessions are refused and only TLS compatible clients are accepted.
- With "--tls=3", cleartext sessions are refused and only TLS compatible clients are accepted. Clear data connections are also refused, so private data connections are enforced. This is an extreme setting.
When TLS has been successfully negotiated for a connection, you'll see something similar to this in log files :
<< TLS: Enabled TLSv1/SSLv3 with ECDHE-ECDSA-AES128-GCM-SHA256, 128 secret bits cipher >>
[...]
Also, add TLSCipherSuite to the pure-ftpd.conf file in order to disable TLS 1.1 and enable high security:
Ubuntu and CentOS:
nano /etc/pure-ftpd/pure-ftpd.conf
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
Step 2: Create SSL Certificate for TLS
CyberPanel by default creates an SSL certificate for TLS, so if you want to skip this step and use it as is, you can go to Step 3.
Go to /etc/ssl/private
mkdir -p /etc/ssl/private/
yum -y install openssl
or
apt-get install openssl
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Change the permissions of the SSL certificate:
chmod 600 /etc/ssl/private/pure-ftpd.pem
Restart Pure-FTPd:
systemctl restart pure-ftpd.service
or
service pure-ftpd-mysql restart
Step 3: Add argument ‘Bind’ in the configuration file to force Port 990
For Ubuntu servers, you can use the following command in /etc/pure-ftpd/conf directory:
echo ",990" > /etc/pure-ftpd/conf/Bind
This will allow FTP connections from all IP addresses on port 990. If you want to specify a specific subnet, change the format as follows:
echo "0.0.0.0/0,990" > /etc/pure-ftpd/conf/Bind
Now, you can restart pure-ftpd and check if your settings have been implemented or not:
service pure-ftpd-mysql restart
netstat -tnulp | grep pure-ftpd
You will see something similar:
Step 4: Create an FTP account on CyberPanel and test it on WinSCP or FileZilla
Go to Website > Manage Website > File Manager > public_html > create a new folder for the new user (e.g. amittal)
Please make sure that you duplicate the following settings on your WinSCP connection:
I hope this helps you to fix your problem. Let me know if you need any further assistance.
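The settings from Steps 1 to 3 can also be checked on disk before testing with a client. The script below is an added example, not part of the original post or of CyberPanel or Pure-FTPd; it assumes the Ubuntu file layout used above and GNU stat, and audit_pureftpd is a hypothetical helper name.

```sh
#!/bin/sh
# Added example (not from the original post): audit the settings from Steps 1-3.
# Assumes the Ubuntu layout used above and GNU stat; audit_pureftpd is a
# hypothetical helper name. Arguments override the default paths.
audit_pureftpd() {
    conf_dir=${1:-/etc/pure-ftpd/conf}
    cert=${2:-/etc/ssl/private/pure-ftpd.pem}
    fail=0

    # Step 1: TLS must be 2 or 3, otherwise cleartext sessions are not refused.
    tls=$(cat "$conf_dir/TLS" 2>/dev/null | tr -d '[:space:]')
    case $tls in
        3) echo "OK   TLS=3: control and data connections must use TLS" ;;
        2) echo "WARN TLS=2: clear data connections are still accepted" ;;
        *) echo "FAIL TLS='$tls': cleartext sessions are not refused"
           fail=$((fail + 1)) ;;
    esac

    # Step 3: Bind must end in ",990" (format: [address],port).
    bind=$(cat "$conf_dir/Bind" 2>/dev/null | tr -d '[:space:]')
    case $bind in
        *,990) echo "OK   Bind='$bind': listening on port 990" ;;
        *)     echo "FAIL Bind='$bind': not bound to port 990"
               fail=$((fail + 1)) ;;
    esac

    # Step 2: the PEM file holds the private key, so only its owner may read it.
    mode=$(stat -c %a "$cert" 2>/dev/null) || mode=
    case $mode in
        600|400) echo "OK   $cert has mode $mode" ;;
        '')      echo "FAIL $cert is missing or unreadable"
                 fail=$((fail + 1)) ;;
        *)       echo "FAIL $cert has mode $mode, expected 600"
                 fail=$((fail + 1)) ;;
    esac

    # Exit status 0 only when every check passed.
    [ "$fail" -eq 0 ]
}
```

Source the file and call audit_pureftpd with no arguments as root to check the live paths, or pass a directory and certificate path to check a copy.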