Securing FTP accounts created under ISPConfig

Discussion in 'Installation/Configuration' started by pannet1, Nov 1, 2017.

  1. pannet1

    pannet1 Member

    hi @till + others

I am able to access the server path with the new client FTP user created. However, I am able to access the server through Filezilla only when I select the encryption option "Only use plain FTP (insecure)". Please advise how to force newly created accounts to use explicit or implicit TLS.

    I have also successfully created a Let's Encrypt SSL certificate for this client. Is there a way to (optionally) capitalize on that?

    os: debian stretch
    ispconfig: 3.1.7p1
     
  2. pannet1

    pannet1 Member

    bumping it again.

     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

That's a pure-ftpd setting and not an ISPConfig setting. By default, pure-ftpd allows sessions that are encrypted and unencrypted. If you want to allow TLS sessions only, then run:

    echo 2 > /etc/pure-ftpd/conf/TLS

and restart pure-ftpd.
     
  4. pannet1

    pannet1 Member

    Thanks @till
Got it now.
     
  5. pannet1

    pannet1 Member

    @till,
Just noticed I am unable to log in with TLS using the same password I used for plain text. Then I saw this notice in

    /var/log/debug

    Code:
    server1 pure-ftpd: (?@?) [DEBUG] Couldn't load the DH parameters file /etc/ssl/private/pure-ftpd-dhparams.pem
    
Now, how to resolve this?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Check that you are really using FTPS (FTP over TLS) and not SFTP in your FTP client. SFTP is not FTP, it is SSH.
     
  7. pannet1

    pannet1 Member

    @till,
Negative. I am using the "TLS encryption if available" option, not the SFTP protocol.

    Filezilla Log
    Code:
    Status:   Resolving address of example.com
    Status:   Connecting to xx.xx.xxx.xxx:21...
    Status:   Connection established, waiting for welcome message...
    Response:   220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    Response:   220-You are user number 4 of 50 allowed.
    Response:   220-Local time is now 23:59. Server port: 21.
    Response:   220-This is a private system - No anonymous login
    Response:   220-IPv6 connections are also welcome on this server.
    Response:   220 You will be disconnected after 15 minutes of inactivity.
    Command:   AUTH TLS
    Error:   Connection timed out after 20 seconds of inactivity
    Error:   Could not connect to server
    
    
     
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I faced this too and I noticed that I don't have the /etc/ssl/private/pure-ftpd-dhparams.pem but I already have the /etc/ssl/private/dhparams.pem which I created by running "openssl dhparam -out /etc/ssl/private/dhparams.pem 4096". So I solved my problem by creating a symlink to it instead.
    Code:
    ln -s /etc/ssl/private/dhparams.pem /etc/ssl/private/pure-ftpd-dhparams.pem
    However, I am facing another problem while using TLS, that is I cannot access my ftp server via hostname (though using its ip works fine). I will try to figure this out first and share the solution later on.
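As an added example (not code from this thread, nor from ISPConfig or pure-ftpd), the POSIX shell helpers below apply the TLS-only setting from till's post 3 and perform the DH-parameter check behind the "Couldn't load the DH parameters file" error that ahrasis resolved in post 8. All paths are passed as arguments so the functions can be exercised in a scratch directory without root; on a Debian host the real locations are the ones named in the thread, /etc/pure-ftpd/conf/TLS and /etc/ssl/private/pure-ftpd-dhparams.pem. The function names, the mode table in the comments and the probe_auth_tls helper are my own, not part of the thread.

```shell
#!/bin/sh
# Added example: helpers for the pure-ftpd TLS settings discussed in the thread.
# Assumption: the Debian pure-ftpd wrapper reads one option per file under the
# conf directory; the TLS file maps to pure-ftpd's -Y option:
#   0 = plaintext only, 1 = plaintext and TLS (default),
#   2 = TLS only (what the thread sets), 3 = TLS only, data channel encrypted too.
set -u

set_tls_mode() {  # $1 = conf dir, $2 = mode 0..3
    case "$2" in
        0|1|2|3) ;;
        *) echo "invalid TLS mode: $2" >&2; return 1 ;;
    esac
    mkdir -p "$1" || return 1
    printf '%s\n' "$2" > "$1/TLS"
    # pure-ftpd only picks the change up after a service restart.
}

get_tls_mode() {  # $1 = conf dir; prints the configured mode, 1 when the file is absent
    if [ -r "$1/TLS" ]; then
        tr -d '[:space:]' < "$1/TLS"
    else
        echo 1
    fi
}

# Succeeds only when the DH parameter file exists and contains a PEM DH block,
# i.e. the condition pure-ftpd's "Couldn't load the DH parameters file" debug
# message reports as unmet.
check_dhparams() {  # $1 = path to the PEM file
    [ -s "$1" ] || return 1
    grep -q -- '-----BEGIN DH PARAMETERS-----' "$1"
}

# Generates the file with owner-only permissions when it is missing or invalid
# (4096 bits, as in the thread, takes minutes; 2048 is a common compromise).
ensure_dhparams() {  # $1 = path, $2 = bits
    check_dhparams "$1" && return 0
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    ( umask 077; openssl dhparam -out "$1" "$2" )
}

# Live check of the step that timed out in the Filezilla log above: open the
# control connection and issue AUTH TLS via openssl's STARTTLS support. A
# completed handshake prints a verify line; a hang or empty output reproduces
# the client-side timeout. Not exercised offline.
probe_auth_tls() {  # $1 = host, $2 = port
    printf 'QUIT\r\n' | openssl s_client -starttls ftp -connect "$1:$2" 2>/dev/null \
        | grep -q 'Verify return code'
}

# Scratch-directory demonstration when the file is run directly.
demo_dir=$(mktemp -d)
set_tls_mode "$demo_dir" 2
echo "TLS mode now: $(get_tls_mode "$demo_dir")"
check_dhparams "$demo_dir/pure-ftpd-dhparams.pem" \
    || echo "DH params missing here; generate with: openssl dhparam -out <path> 4096"
rm -rf "$demo_dir"
```

On the ISPConfig host you would call set_tls_mode against /etc/pure-ftpd/conf, ensure_dhparams against /etc/ssl/private/pure-ftpd-dhparams.pem (or symlink an existing dhparams.pem as in post 8), restart the pure-ftpd service, and then confirm with probe_auth_tls that AUTH TLS now completes instead of timing out.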
     
  9. pannet1

    pannet1 Member

Hi ahrasis,

    Ref our separate conversation on this: did you get the problem resolved? IP address is also fine for me. I did not test it, though. Will work on it and let you know. Thanks for your help.
     
