Is there a way to block all normal ftp traffic, and only allow the sftp protocol in sftp?
edit: sorry my bad!
For secure ftp I must use the ftpes protocol...
You don't need proftpd to do SFTP, you can do that natively with ssh.
If for some reason you want to use proftpd (i.e. you want to integrate with non-system accounts more easily), you'll want to deny access to the login verb for the server, then create a specific virtual host with the sftp engine on and allow the login verb.
To accomplish that your proftpd.conf will look something like this.
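# Server level: deny the login verb for everything
<Limit LOGIN>
  DenyAll
</Limit>

# SFTP-only virtual host: sftp engine on, login allowed here
<VirtualHost 1.2.3.4>
  SFTPEngine on
  <Limit LOGIN>
    AllowAll
  </Limit>
  # <all your other crap...>
</VirtualHost>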
If you want to do FTPES with proftpd you basically need to follow 4 steps.
1) Install proftpd and openssl

    apt-get install proftpd openssl

2) Generate a cert (assuming you are going to self-sign, make sure to match the common name to the ftp site dns name to make clients complain less)

    mkdir /etc/proftpd/ssl
    openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

3) Edit proftpd.conf: replace the mod_tls module section of your config with the text below (note the TLSRequired on directive)
<IfModule mod_tls.c>
  TLSEngine on
  TLSLog /var/log/proftpd/tls.log
  # SSLv23 is the legacy compatibility value
  TLSProtocol SSLv23
  # Do not request a client certificate
  TLSOptions NoCertRequest
  TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
  TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
  TLSVerifyClient off
  # Require TLS on both the control and data channels
  TLSRequired on
</IfModule>
4) Restart proftpd

    /etc/init.d/proftpd restart
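A static check of the FTPES settings from step 3, as an added example that is not part of the original post: it reports when a proftpd.conf would still accept plaintext FTP or lists a legacy protocol value. The function names and the sample input are constructed for illustration, and directive scoping is simplified as noted in the comments.

```python
# Added example: static check of a proftpd.conf for the FTPES settings above.
# Simplification (assumption): directives are read globally, ignoring
# <VirtualHost>/<IfModule> scoping; the last occurrence of a directive wins.

# Constructed sample input: the mod_tls section from the answer.
SAMPLE_CONF = """\
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSOptions NoCertRequest
TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient off
TLSRequired on
</IfModule>
"""

def parse_directives(conf_text):
    """Map lowercased directive name -> lowercased args of its last occurrence."""
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue  # skip blanks, comments and section open/close tags
        name, *args = line.split()
        directives[name.lower()] = [a.lower() for a in args]
    return directives

def audit_ftpes(conf_text):
    """Return findings; an empty list means TLS is enforced with no legacy protocol."""
    d = parse_directives(conf_text)
    findings = []
    if d.get("tlsengine") != ["on"]:
        findings.append("TLSEngine is not on: mod_tls is inactive, FTP stays plaintext")
    required = d.get("tlsrequired", ["off"])  # mod_tls default is off
    if required != ["on"]:
        findings.append("TLSRequired is '%s': plaintext still possible on some channel"
                        % " ".join(required))
    legacy = sorted({"sslv23", "sslv3"} & set(d.get("tlsprotocol", [])))
    if legacy:
        findings.append("TLSProtocol lists legacy value(s): " + ", ".join(legacy))
    return findings

if __name__ == "__main__":
    for finding in audit_ftpes(SAMPLE_CONF) or ["OK: TLS required, no legacy protocol"]:
        print(finding)
```

Directives inside `<IfModule mod_tls.c>` only take effect when mod_tls is actually loaded, so a clean result here should still be confirmed against the running server.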
What do you mean by sftp? SecureFTP (AKA SSL ftp), or ftp over ssh (AKA sftp)?
For sftp - just run sshd, and do not use any ftp daemon at all.