Saturday, January 29, 2011

Only sftp with proftpd on Debian

Is there a way to block all normal ftp traffic, and only allow the sftp protocol in sftp?

edit: sorry my bad!

For secure ftp I must use the ftpes protocol...

  • What do you mean by sftp? SecureFTP (AKA SSL ftp), or ftp over ssh (AKA sftp)?

    For sftp - just run sshd, and do not use any ftp daemon at all.

    : I think SecureFTP, because I need to make an openssl certificate. To connect I must use sftp://devhouse.nl
    Dominic D : sftp:// is the accepted shorthand for ftp over ssh
    From Sunny
  • You don't need proftpd to do SFTP, you can do that natively with ssh.

    If for some reason you want to use proftpd (i.e. you want to integrate with non-system accounts more easily), you'll want to deny access to the login verb for the server, then create a specific virtual host with the sftp engine on and allow the login verb.

    To accomplish that your proftpd.conf will look something like this.

      # Default server: refuse every login, so the plain-FTP listener is unusable
      <Limit LOGIN>
        DenyAll
      </Limit>
    
      # Dedicated vhost that speaks only SFTP (SFTPEngine is a mod_sftp directive,
      # so mod_sftp has to be compiled in or loaded)
      <VirtualHost 1.2.3.4>
        SFTPEngine on
        <Limit LOGIN>
          AllowAll
        </Limit>
        <all your other crap...>
      </VirtualHost>
    
    Sunny : Much better answer than mine. I did not know that you can do that. +1 from me.
    From Dominic D
  • hi,

    when you only want to allow ftps with proftpd, this is the option you are looking for.

    From Christian
  • sorry my bad!

    For secure ftp I must use the ftpes protocol...

    Sunny : @tomkeim: this is not a discussion board. If you have to clarify the question, please, edit the question. That way it becomes much more understandable and searchable. Cheers.
    From
  • If you want to do FTPES with proftpd you basically need to follow 4 steps.

    1) Install proftpd and openssl

    apt-get install proftpd openssl
    

    2) Generate a cert (assuming you are going to self-sign; make sure the common name matches the ftp site's DNS name so clients complain less)

    mkdir /etc/proftpd/ssl
    openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem
    

    3) Edit proftpd.conf: replace the mod_tls module section of your config with the text below (note the TLSRequired on directive)

    <IfModule mod_tls.c>
      TLSEngine                  on
      TLSLog                     /var/log/proftpd/tls.log
      # SSLv23 lets OpenSSL negotiate whichever protocol version both sides support
      TLSProtocol                SSLv23
      # do not ask clients for a certificate, and do not verify one if offered
      TLSOptions                 NoCertRequest
      TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
      TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
      TLSVerifyClient            off
      # "on" makes TLS mandatory on both the control and the data connection,
      # so a login attempted over plain FTP is rejected
      TLSRequired                on
    </IfModule>
    

    4) Restart proftpd

    /etc/init.d/proftpd restart
    
    From Dominic D
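A check for the result of step 3, added here as an example and not code from this thread: a small hypothetical parser (parse_proftpd, audit_ftpes are made-up names) reads proftpd.conf's block structure (<IfModule>, <VirtualHost>, <Limit>) and reports whether the mod_tls section really refuses plain-FTP logins, i.e. has both TLSEngine on and TLSRequired on. The embedded config is a constructed copy of the block above.

```python
import re
SAMPLE_CONF = """\
# constructed sample: the mod_tls section from step 3 above
<IfModule mod_tls.c>
  TLSEngine                  on
  TLSLog                     /var/log/proftpd/tls.log
  TLSProtocol                SSLv23
  TLSOptions                 NoCertRequest
  TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
  TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
  TLSVerifyClient            off
  TLSRequired                on
</IfModule>
"""
TAG = re.compile(r"<(/?)(\w+)\s*([^>]*)>$")  # matches <Name args> and </Name>

def parse_proftpd(text):
    """Map each block path, e.g. ('IfModule mod_tls.c',), to its directives."""
    blocks, path = {(): {}}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG.match(line)
        if m and m.group(1):                      # closing tag
            if not path or path[-1].split()[0] != m.group(2):
                raise ValueError(f"unexpected </{m.group(2)}>")
            path.pop()
        elif m:                                   # opening tag
            path.append(" ".join(m.group(2, 3)).strip())
            blocks.setdefault(tuple(path), {})
        else:                                     # "Directive value"
            key, _, value = line.partition(" ")
            blocks[tuple(path)][key] = value.strip()  # last occurrence wins
    if path:
        raise ValueError(f"unclosed <{path[-1]}>")
    return blocks

def audit_ftpes(text):
    """Return findings; an empty list means plain-FTP logins are refused."""
    blocks = parse_proftpd(text)
    tls = [d for p, d in blocks.items() if p and p[-1] == "IfModule mod_tls.c"]
    if not tls:
        return ["no <IfModule mod_tls.c> block: TLS is not configured"]
    findings = []
    for key, why in (("TLSEngine", "the server never offers TLS"),
                     ("TLSRequired", "plain-FTP logins are accepted")):
        if tls[0].get(key, "off").lower() != "on":
            findings.append(f"{key} is not 'on': {why}")
    return findings
```

Run audit_ftpes on the contents of /etc/proftpd/proftpd.conf after the edit; a non-empty list names the directive that still lets an unencrypted login through.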
