SFTP with ProFTPd on CentOS 6

OpenSSH is not the only server that can do file transfers over an encrypted connection with SFTP (the SSH File Transfer Protocol). ProFTPd can do it too, using mod_sftp, which was added in version 1.3.3. Why choose SFTP over FTPS? Simple: SFTP transfers all data over a single port, so you do not have to fiddle around with passive-mode port ranges in your firewall setup.

Here is how to install and run a separate SFTP server:

1. Install the EPEL repository (the proftpd package comes from EPEL).

2. Install proftpd with:

yum install proftpd

3. Then edit your proftpd config file (/etc/proftpd.conf on CentOS) and add the following, preferably at the end of the file. Be aware that a server context with SFTPEngine On speaks only SSH and no longer serves FTP: placed in the main server context as below, proftpd's default port 21 becomes the SFTP port. Add a Port directive (or put the block in its own <VirtualHost>) if you want SFTP on a different port or need to keep FTP.

LoadModule mod_sftp.c
<IfModule mod_sftp.c>
        SFTPEngine On
        SFTPHostKey /etc/ssh/ssh_host_rsa_key
        SFTPLog /var/log/proftpd/sftp.log
        SFTPOptions     IgnoreSFTPUploadPerms
        SFTPClientMatch ".*" channelWindowSize 256MB
        SFTPCompression delayed
</IfModule>

3b. (Optional) Should you want to allow logins for users whose shell is not listed in /etc/shells (e.g. /bin/false or /sbin/nologin, the usual case for SFTP-only accounts), add the following:

RequireValidShell   off
# AuthOrder        mod_auth_pam.c* mod_auth_unix.c

4. Start the proftpd server (and enable it at boot with chkconfig):

service proftpd start

For more information about mod_sftp, see its manual page.
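
The complete procedure, as an added example that is not part of the original post: a shell script that renders the mod_sftp block as its own <VirtualHost> on a dedicated port (so an existing FTP vhost on port 21 and sshd on port 22 are left alone), checks the host key permissions, syntax-checks the resulting proftpd.conf, opens just that one port in iptables, starts and enables the service, and finally verifies that the new port really speaks SSH and presents the configured host key. The port (2222), the config path (/etc/proftpd.conf) and the CentOS 6 service/chkconfig/iptables tooling are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the original post: put mod_sftp in its own
# <VirtualHost> on a dedicated port instead of the main server context.
# Assumptions (not from the page): port 2222, the EPEL package layout
# (/etc/proftpd.conf, service/chkconfig) and the CentOS 6 iptables service.
set -u

SFTP_PORT=${SFTP_PORT:-2222}                      # assumption: not 21, not 22
HOST_KEY=${HOST_KEY:-/etc/ssh/ssh_host_rsa_key}   # same key as sshd, as in the text
PROFTPD_CONF=${PROFTPD_CONF:-/etc/proftpd.conf}

# Render the mod_sftp vhost.  Reusing sshd's host key means clients that
# already trust this host's sshd get no new-key prompt on the SFTP port.
render_sftp_vhost() {
    port=$1
    key=$2
    cat <<EOF

LoadModule mod_sftp.c
<IfModule mod_sftp.c>
  <VirtualHost 0.0.0.0>
    Port $port
    SFTPEngine on
    SFTPHostKey $key
    SFTPLog /var/log/proftpd/sftp.log
    SFTPOptions IgnoreSFTPUploadPerms
    SFTPClientMatch ".*" channelWindowSize 256MB
    SFTPCompression delayed
    # SFTP-only accounts usually have /sbin/nologin, which is not in /etc/shells
    RequireValidShell off
  </VirtualHost>
</IfModule>
EOF
}

# mod_sftp will not use a host key that is group- or world-readable, and a
# readable private key is a credential leak anyway: insist on 0600 or 0400.
hostkey_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Append the vhost, syntax-check the result, open only the one SFTP port
# (the whole point of SFTP over FTPS), then start and enable the service.
install_sftp() {
    if ! hostkey_mode_ok "$HOST_KEY"; then
        echo "$HOST_KEY must be mode 0600 or 0400" >&2
        return 1
    fi
    render_sftp_vhost "$SFTP_PORT" "$HOST_KEY" >> "$PROFTPD_CONF"
    proftpd -t -c "$PROFTPD_CONF" || return 1   # parse check before touching the service
    iptables -I INPUT -p tcp --dport "$SFTP_PORT" -m state --state NEW -j ACCEPT
    service iptables save                        # persist to /etc/sysconfig/iptables
    service proftpd restart
    chkconfig proftpd on
}

# Post-install check: the new port must speak SSH and present exactly the
# key we configured.  ssh-keyscan prints "<host> ssh-rsa <base64>".
verify_hostkey() {
    host=${1:-127.0.0.1}
    expected=$(awk '{print $2}' "${HOST_KEY}.pub")
    offered=$(ssh-keyscan -p "$SFTP_PORT" -t rsa "$host" 2>/dev/null | awk '{print $3}')
    [ -n "$offered" ] && [ "$offered" = "$expected" ]
}

case "${1:-}" in
    render)  render_sftp_vhost "$SFTP_PORT" "$HOST_KEY" ;;
    install) install_sftp ;;
    verify)  verify_hostkey "${2:-127.0.0.1}" ;;
esac
```

Run `sh sftp-setup.sh render` to review the block, `sh sftp-setup.sh install` as root, then `sh sftp-setup.sh verify` (or simply `sftp -P 2222 user@host` from a client). With the block in its own vhost, the main server context keeps serving FTP on port 21 if you still need it.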

Securing Apache against SSL attacks

Apache itself has a good security track record, but mod_ssl is not configured very restrictively by default. SSLv3 is now considered insecure, and so are RC4 and several other algorithms. The two directives below took a server from an "F" to an "A" grade in an SSL server test and remove the attack surface behind several named SSL attacks: POODLE (by disabling SSLv3) and FREAK (by refusing export-grade cipher suites). Heartbleed is a different case: it is a bug in OpenSSL itself (CVE-2014-0160) and is fixed only by updating the openssl package, not by any protocol or cipher setting.

These directives need to be put into your ssl.conf AND into every other SSL <VirtualHost> that sets its own SSLProtocol or SSLCipherSuite (with SNI you usually have several), because per-vhost values override the defaults and such a vhost would otherwise keep its weaker settings:

Here is an older list (before 2018), which still permits TLS 1.0 and 1.1:

SSLProtocol TLSv1.2 +TLSv1.1 +TLSv1
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256

Here is a simpler and more up-to-date list with config options (2018). SSLProtocol TLSv1.2 drops TLS 1.0 and 1.1 along with SSLv3; the cipher list admits only ECDHE/DHE (forward-secret) AES suites and explicitly excludes anonymous, MD5 and DSS suites; SSLHonorCipherOrder On makes the server's preference win over the client's; and SSLCompression Off closes the CRIME attack on TLS compression:

SSLProtocol TLSv1.2
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder On
SSLCompression Off

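As an added example that is not part of the original post, here is a small shell script that audits an SSLCipherSuite string with the local openssl binary before it goes into ssl.conf. It checks the two things the lists above depend on: that every token in the string actually resolves (OpenSSL silently drops tokens it does not recognise, so a missing colon that fuses two suite names loses both suites without any error), and that the expanded list contains no export, RC4/DES/3DES, MD5, anonymous or non-forward-secret suites. The 2018 list from above is embedded as the known-good input; an openssl binary in PATH is assumed, and on the web host it should be the one mod_ssl links against, because the available suite names depend on the OpenSSL version.

```shell
#!/bin/sh
# Added example, not from the original post: audit an Apache SSLCipherSuite
# string with the local OpenSSL before deploying it.  mod_ssl hands the
# string to OpenSSL, which (1) silently drops any token it cannot resolve,
# so a lost ":" that fuses two suite names makes both vanish, and (2) lets
# aliases such as DH+AESGCM match anonymous (ADH) suites unless !aNULL is
# present.  Both only become visible after expansion with "openssl ciphers".
# Assumes an "openssl" binary in PATH.

# The 2018 list from the text, used as the known-good input.
MODERN_2018='ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS'

# Print every positive token (not starting with ! - + @) that this OpenSSL
# cannot resolve to at least one cipher suite.  Empty output means every
# token matched something.
unknown_tokens() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r tok; do
        case "$tok" in
            ''|'!'*|'-'*|'+'*|'@'*) continue ;;
        esac
        openssl ciphers "$tok" >/dev/null 2>&1 || printf '%s\n' "$tok"
    done
}

# Expand the string the way mod_ssl would and print "<suite> <reason>" for
# every suite that contradicts the hardening goals: export grade, RC4/DES/
# 3DES/no encryption, MD5 MAC, anonymous key exchange, or no forward secrecy
# (key exchange other than ECDH/DH).  TLS 1.3 suites are always ephemeral
# and are skipped.  Empty output means the list is clean.
weak_suites() {
    openssl ciphers -v "$1" 2>/dev/null | awk '
        {
            name = $1; proto = $2; kx = ""; au = ""; enc = ""; mac = ""
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "Kx") kx = kv[2]
                else if (kv[1] == "Au") au = kv[2]
                else if (kv[1] == "Enc") enc = kv[2]
                else if (kv[1] == "Mac") mac = kv[2]
            }
            if (name ~ /^EXP/)                       print name, "export-grade suite"
            else if (enc ~ /^(RC4|DES|3DES|None)/)   print name, "weak or no encryption (" enc ")"
            else if (mac == "MD5")                   print name, "MD5 MAC"
            else if (au == "None")                   print name, "anonymous key exchange"
            else if (proto != "TLSv1.3" && kx != "ECDH" && kx != "DH")
                                                     print name, "no forward secrecy (Kx=" kx ")"
        }'
}

# Return 0 only when every token resolves and no weak suite survives;
# findings go to stderr.
audit_cipher_string() {
    bad=0
    for tok in $(unknown_tokens "$1"); do
        echo "unknown token (silently dropped by OpenSSL): $tok" >&2
        bad=1
    done
    weak=$(weak_suites "$1")
    if [ -n "$weak" ]; then
        printf '%s\n' "$weak" >&2
        bad=1
    fi
    return $bad
}

# Usage: sh cipher-audit.sh 'SSLCipherSuite string'
if [ $# -gt 0 ]; then
    audit_cipher_string "$1" || exit 1
    echo "OK: no unknown tokens, no weak suites"
fi
```

Run it on the web host itself, e.g. `sh cipher-audit.sh 'ECDH+AESGCM:DH+AESGCM:!aNULL:!MD5:!DSS'`; feeding it the older list with the fused ECDH-RSA-AES128-SHA256/DHE-RSA-AES256-GCM-SHA384 token shows how two suites disappear without OpenSSL complaining. Once the configuration is live, `openssl s_client -connect host:443 -ssl3 </dev/null` must fail to complete a handshake.
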
Removing SELINUX file attributes

Another simple command removes the SELinux label (the security.selinux extended attribute) from every file in a tree, which sometimes causes trouble with different servers:

find myfolder -exec setfattr -x security.selinux {} \;

Should setfattr be missing, install the attr package on CentOS. Note that on a host where SELinux is enforcing this is the wrong tool: the files end up unlabeled and the daemons that serve them are denied access, so relabel the tree with restorecon instead. Stripping the attribute is mainly useful when files were copied in together with their extended attributes onto a machine that runs without SELinux.