FTPS server on PVE configured, but only allowing unencrypted connections

whiney1

Nov 17, 2024
I'm trying to set up FTPS / ProFTPD on my fresh Proxmox VE 8.2.7 home server. I'm setting it up as a service on the base install (pve node I guess?) as I read elsewhere this is better than spinning up a VM just for this.
I had ProFTPD running well on a previous straight Debian install but am having trouble recreating that success.


Tried a few different approaches that were all essentially the same but followed this guide in the most recent attempt. As per that guide I added the 'mod_tls.c' section instead of uncommenting the 'include ../tls.conf' line. Created the certs etc, restarted the service, tried full reboots. I am using WinSCP to test connection settings, but get the same results on other devices too.

I did previously try restoring my conf file to original state by uninstall/reinstall, then using the INCLUDE tls.conf line, and edit tls.conf, but got the same results. I've also tried regenerating the SSL certs several times, and confirmed that they have been generated as expected.

The relevant /etc/proftpd/proftpd.conf section looks like this atm:
Code:
<IfModule mod_tls.c>
 TLSEngine on
 TLSLog /var/log/proftpd/tls.log
 TLSProtocol SSLv23 TLSv1.2
 TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
 TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
 TLSVerifyClient off
 TLSRequired on
</IfModule>

Where I'm at now:
  • can access FTP via user login on regular unencrypted login
  • can't access FTPS via 'TLS/SSL Explicit Encryption', I get "Connection failed. AUTH not understood"
So it seems like the server is not requiring TLS and is in fact not allowing the defined TLS connection.
This is the proftpd status output:

Code:
● proftpd.service - ProFTPD FTP Server
     Loaded: loaded (/lib/systemd/system/proftpd.service; enabled; preset: enabled)
     Active: active (running) since Sun 2024-11-17 00:21:27 ACDT; 20min ago
       Docs: man:proftpd(8)
    Process: 4947 ExecStartPre=/usr/sbin/proftpd --configtest -c $CONFIG_FILE $OPTIONS (code=exited, status=0/SUCCE>
    Process: 4950 ExecStart=/usr/sbin/proftpd -c $CONFIG_FILE $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 4951 (proftpd)
      Tasks: 1 (limit: 4398)
     Memory: 3.3M
        CPU: 395ms
     CGroup: /system.slice/proftpd.service
             └─4951 "proftpd: (accepting connections)"
Nov 17 00:21:27 pve systemd[1]: Starting proftpd.service - ProFTPD FTP Server...
Nov 17 00:21:27 pve proftpd[4947]: Checking syntax of configuration file
Nov 17 00:21:27 pve systemd[1]: Started proftpd.service - ProFTPD FTP Server.
Nov 17 00:21:33 pve proftpd[4956]: pam_unix(proftpd:session): session opened for user reolink(uid=1000) by (uid=0)
Nov 17 00:21:36 pve proftpd[4956]: pam_unix(proftpd:session): session closed for user reolink
Nov 17 00:22:00 pve proftpd[5038]: pam_unix(proftpd:session): session opened for user reolink(uid=1000) by (uid=0)
Nov 17 00:23:38 pve proftpd[5038]: pam_unix(proftpd:session): session closed for user reolink

Any suggestions on where to look next? TIA
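
One cause consistent with the symptoms above, shown as an added example that is not part of the original post: ProFTPD skips an `<IfModule mod_tls.c>` block without any error when mod_tls is not loaded, so the config test passes, `AUTH` is rejected, and `TLSRequired on` is never enforced. The check assumes mod_tls is a shared module activated by a `LoadModule` line; both file contents are constructed (the TLS block is abridged from the post, the modules file is hypothetical).

```python
import re

# Constructed sample input: the TLS block from the post (abridged), plus a
# modules file whose mod_tls line is still commented out (an assumption).
PROFTPD_CONF = """\
<IfModule mod_tls.c>
  TLSEngine on
  TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
  TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
  TLSRequired on
</IfModule>
"""
MODULES_CONF = "LoadModule mod_ctrls_admin.c\n#LoadModule mod_tls.c\n"

def loaded_modules(*texts):
    """Names from active (uncommented) LoadModule lines."""
    return {m.group(1).lower()
            for text in texts for line in text.splitlines()
            if (m := re.match(r"\s*LoadModule\s+(\S+)", line, re.I))}

def skipped_directives(conf, loaded):
    """Map each <IfModule X> that evaluates false to the directives it hides."""
    skipped, stack = {}, []          # stack holds (module, block_is_active)
    for line in (l.strip() for l in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<IfModule\s+(!?)(\S+?)\s*>", line, re.I)
        if opened:
            name = opened.group(2).lower()
            stack.append((name, (name in loaded) != bool(opened.group(1))))
        elif re.match(r"</IfModule\s*>", line, re.I):
            if stack:
                stack.pop()
        else:
            # Attribute the directive to the outermost block that is inactive.
            for name, active in stack:
                if not active:
                    skipped.setdefault(name, []).append(line)
                    break
    return skipped

def diagnose(conf, modules_conf):
    tls = skipped_directives(conf, loaded_modules(conf, modules_conf)).get("mod_tls.c", [])
    return {
        "tls_block_ignored": bool(tls),
        "ignored_directives": tls,
        # TLSRequired inside an ignored block is never enforced: plain FTP logins succeed.
        "tls_required_not_enforced": any(re.match(r"TLSRequired\s+on\b", d, re.I) for d in tls),
    }
```

Modules compiled in statically need no `LoadModule` line; `proftpd -l` lists those.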
 
> I read elsewhere this is better than spinning up a VM just for this.
That could be true for anything. Hopefully there was also a section about not installing stuff on your hypervisor. If you mess with the hypervisor itself, you can have unforeseeable consequences, so please just stick to a container or a VM for anything that has nothing to do with the hypervisor.

> Any suggestions on where to look next?
Increase debugging and look in the proftpd logfiles. Maybe ask in a ProFTPd forum, this is not a PVE-related question?

What is your goal, which you want to solve with IT stone age technology? Is SMB/CIFS or even sftp not better suited for this?
 
Hi, thanks for your reply LnxBil.

> What is your goal, which you want to solve with IT stone age technology?
Sorry, I probably should have added more detail but was worried the text wall would get too big.
I need FTPS unfortunately, due to network camera software limitations. It's the only choice, even SFTP isn't possible.

> Hopefully there was also a section about not to install stuff on your hypervisor.
Yes, definitely, although this particular advice was saying specifically that a simple FTP service on the hypervisor was a better solution than a VM. Perhaps that was a bum steer but it seemed straightforward enough and easy to wind back... at the start anyway.

> Maybe ask in a ProFTPd forum, this is not a PVE-related question?
Fair enough, again I should have been clearer - setup was failing for seemingly Proxmox-specific reasons, I was wondering if there was some particular Proxmox configuration I needed to take into consideration.

I did since give up on this and set up OMV in a VM and that seems to be working well.
If there is something I should have known about getting the original ProFTPD setup going though I'm keen to find out, for learning purposes really.
 
well yeah, not sure, that's what I was wondering?

if there was some reason it might be the cause of a ProFTPD service not working properly, after a few different attempts at config.
Google and searching here didn't get me far and I ran out of things to try.
 
