First, follow the instructions in this post to build a firewall host.

In AWS EC2, launch the FreeBSD 10.3 ftpssl instance.

Attach one interface (eth0) to the ftpssl instance.

Subnet Interface Address
DMZ eth0 10.20.1.13

The ftpssl instance will use 10.20.1.1 for its default gateway.

From the firewall instance, you should be able to log in to the ftpssl instance using your ssh key.

ssh -i key.pem ec2-user@10.20.1.13

Modify the following files

vi /etc/rc.conf
------------------------------ cut here ------------------------------
ec2_configinit_enable=YES
ec2_fetchkey_enable=YES
ec2_ephemeralswap_enable=YES
ec2_loghostkey_enable=YES
firstboot_freebsd_update_enable=YES
firstboot_pkgs_enable=YES
growfs_enable="YES"
ifconfig_DEFAULT="SYNCDHCP"
sshd_enable="YES"
firstboot_pkgs_list="awscli"
------------------------------ cut here ------------------------------

vi /etc/dhclient.conf
------------------------------ cut here ------------------------------
supersede host-name "ftpssl-host.domain";
supersede domain-name "domain";
supersede domain-name-servers 127.0.0.1;
------------------------------ cut here ------------------------------

vi /etc/hosts
------------------------------ cut here ------------------------------
::1                     localhost localhost.domain
127.0.0.1               localhost localhost.domain
10.20.1.10              firewall-host.domain firewall-host
10.20.1.13              ftpssl-host.domain ftpssl-host
------------------------------ cut here ------------------------------

vi /etc/nsswitch.conf
------------------------------ cut here ------------------------------
group: files
passwd: files
services: files
------------------------------ cut here ------------------------------

vi /etc/group
------------------------------ cut here ------------------------------
ftpssl:*:21:
------------------------------ cut here ------------------------------

vipw
------------------------------ cut here ------------------------------
superftpuser:*:1100:21::0:0:Super FTP User:/home/proftpd/root/super:/usr/local/bin/bash
downloaduser:*:1101:21::0:0:Download User:/home/proftpd/root/super/download:/usr/sbin/nologin
uploaduser:*:1101:21::0:0:Upload User:/home/proftpd/root/super/upload:/usr/sbin/nologin
------------------------------ cut here ------------------------------

Add a swap file and a second disk for /usr

dd if=/dev/zero of=/boot/swap1 bs=1m count=1024
chmod 0600 /boot/swap1

In EC2, create a new EBS Volume (10G) and attach it to the ftpssl instance (/dev/sdf).

sysctl kern.disks
------------------------------ cut here ------------------------------
kern.disks: xbd5 ada0
------------------------------ cut here ------------------------------

gpart create -s GPT xbd5
gpart add -t freebsd-ufs -a 1M xbd5

gpart show
------------------------------ cut here ------------------------------
=>       3  20971515  ada0  GPT  (10G)
         3        32     1  freebsd-boot  (16K)
        35  20971483     2  freebsd-ufs  (10G)

=>      34  20971453  xbd5  GPT  (10G)
        34      2014        - free -  (1.0M)
      2048  20967424     1  freebsd-ufs  (10G)
  20969472      2015        - free -  (1.0M)
------------------------------ cut here ------------------------------

newfs -U /dev/xbd5p1

mkdir /newdisk
mount /newdisk

cd /usr
tar cf - . | ( cd /newdisk/.; tar xpf - )

mkdir /newhome
cd /home
tar cf - . | ( cd /newhome/.; tar xpf - )

mv /home /home-
mv /newhome /home

mv /usr /usr-
mkdir /usr

vi /etc/fstab
------------------------------ cut here ------------------------------
/dev/gpt/rootfs   /       ufs     rw      1       1
/dev/xbd5p1       /usr    ufs     rw      2       2
md99              none    swap    sw,file=/boot/swap1,late 0 0
------------------------------ cut here ------------------------------

swapon -aL
swapinfo -k

reboot

/bin/rm -f /home-
chflags -R noschg /usr-
/bin/rm -rf /usr-

Enable unbound (local caching DNS resolver)

vi /etc/rc.conf.d/local_unbound
------------------------------ cut here ------------------------------
local_unbound_enable="YES"
local_unbound_forwarders="8.8.8.8"
------------------------------ cut here ------------------------------

vi /etc/resolvconf.conf
------------------------------ cut here ------------------------------
resolv_conf="/dev/null"
resolvconf="NO"
------------------------------ cut here ------------------------------

Fetch and extract the ports tree

portsnap fetch
portsnap extract
portsnap fetch update

Install portmaster and rpl utilities

cd /usr/ports/ports-mgmt/portmaster
make clean all install
make clean

portmaster -d misc/rpl

Adjust sshd

vi /etc/ssh/sshd_config
------------------------------ cut here ------------------------------
ClientAliveInterval 900
IgnoreRhosts yes
LoginGraceTime 30
MaxAuthTries 3
PermitEmptyPasswords no
PermitRootLogin no
PubkeyAuthentication yes
------------------------------ cut here ------------------------------

sh /etc/rc.d/sshd restart

Adjust syslog

vi /etc/syslog.conf
------------------------------ cut here ------------------------------
*.*                                             /var/log/all.log
------------------------------ cut here ------------------------------

touch /var/log/all.log
chmod 0640 /var/log/all.log
chown root:wheel /var/log/all.log

sh /etc/rc.d/syslogd restart

vi /etc/newsyslog.conf
-------------------------- cut here --------------------------
/var/log/all.log                       600  12    *    $M1D0 J
-------------------------- cut here --------------------------

Enable NTP

ntpdate 0.freebsd.pool.ntp.org

vi /etc/ntp.conf
------------------------------ cut here ------------------------------
server 0.pool.ntp.org iburst maxpoll 9
server 1.pool.ntp.org iburst maxpoll 9
server 2.pool.ntp.org iburst maxpoll 9
restrict default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
------------------------------ cut here ------------------------------

vi /etc/rc.conf.d/ntpd
------------------------------ cut here ------------------------------
ntpd_enable="YES"
ntpd_program="/usr/sbin/ntpd"
ntpd_config="/etc/ntp.conf"
ntpd_sync_on_start="YES"
ntpd_flags="-p /var/run/ntpd.pid"
------------------------------ cut here ------------------------------

sh /etc/rc.d/ntpd start

Install postfix

portmaster -d mail/postfix

vi /etc/periodic.conf
------------------------------ cut here ------------------------------
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
------------------------------ cut here ------------------------------

sh /etc/rc.d/sendmail stop

vi /etc/rc.conf.d/sendmail
------------------------------ cut here ------------------------------
sendmail_enable="NONE"
------------------------------ cut here ------------------------------

vi /etc/rc.conf.d/postfix
------------------------------ cut here ------------------------------
postfix_enable="YES"
------------------------------ cut here ------------------------------

sh /usr/local/etc/rc.d/postfix start

Update FreeBSD

freebsd-update fetch
freebsd-update fetch install

Fetch and extract the src tree

portmaster -d devel/subversion
portmaster -d security/ca_root_nss

svn co https://svn0.us-west.FreeBSD.org/base/releng/10.3 /usr/src
svn up /usr/src
cd /usr/src
make clean
make update SVN_UPDATE=yes

vi /etc/make.conf
------------------------------ cut here ------------------------------
WITHOUT_X11=yes
WITHOUT_ATM=yes
WITHOUT_I4B=yes
WITHOUT_IPX=yes
WITHOUT_NIS=yes
DEFAULT_VERSIONS+=ssl=openssl
------------------------------ cut here ------------------------------

vi /etc/src.conf
------------------------------ cut here ------------------------------
WITHOUT_X11=yes
WITHOUT_ATM=yes
WITHOUT_I4B=yes
WITHOUT_IPX=yes
WITHOUT_NIS=yes
------------------------------ cut here ------------------------------

Install the following ports

portmaster -d shells/bash
portmaster -d sysutils/lsof
portmaster -d security/sudo
portmaster -d security/openssl

cp /usr/local/openssl/openssl.cnf.sample /usr/local/openssl/openssl.cnf

Install ProFTPD

portmaster -d ftp/proftpd

vi /etc/rc.conf.d/proftpd
------------------------------ cut here ------------------------------
proftpd_enable="YES"
proftpd_config="/home/proftpd/etc/proftpd.conf"
------------------------------ cut here ------------------------------

Integrate ClamAV into ProFTPd for virus scanning

portmaster -d security/proftpd-mod_clamav

vi /etc/rc.conf.d/clamav_clamd
------------------------------ cut here ------------------------------
clamav_clamd_enable="YES"
clamav_clamd_socket="/var/run/clamav/clamd.sock"
------------------------------ cut here ------------------------------

vi /etc/rc.conf.d/clamav_freshclam
------------------------------ cut here ------------------------------
clamav_freshclam_enable="YES"
------------------------------ cut here ------------------------------

freshclam

rpl '#TCPSocket 3310' 'TCPSocket 3310' /usr/local/etc/clamd.conf

sh /usr/local/etc/rc.d/clamav-freshclam start
sh /usr/local/etc/rc.d/clamav-clamd start

Install MySQL backend

portmaster -d databases/mysql57-server

vi /usr/local/etc/rc.d/mysql-server
------------------------------ cut here ------------------------------
        eval $mysql_install_db $mysql_install_db_args # >/dev/null 2>/dev/null
                eval `/usr/bin/limits ${mysql_limits_args}` # 2>/dev/null
------------------------------ cut here ------------------------------

vi /etc/rc.conf.d/mysql
------------------------------ cut here ------------------------------
mysql_enable="YES"
mysql_limits="NO"
mysql_args=""
------------------------------ cut here ------------------------------

sh /usr/local/etc/rc.d/mysql-server start

mysqladmin -u root -p password 'password'

portmaster -d databases/proftpd-mod_sql_mysql

Configure and start ProFTPD

mkdir /home/proftpd
mkdir /home/proftpd/conf
mkdir /home/proftpd/empty
mkdir /home/proftpd/etc
mkdir /home/proftpd/etc/users
mkdir /home/proftpd/log
mkdir /home/proftpd/root
mkdir /home/proftpd/root/super
mkdir /home/proftpd/root/super/download
mkdir /home/proftpd/root/super/upload
mkdir /home/proftpd/ssh
mkdir /home/proftpd/ssl

cp /etc/ssh/ssh_host_rsa_key /home/proftpd/ssh/ssh_host_rsa_key

cp /usr/local/etc/proftpd.conf /home/proftpd/etc/proftpd.conf

rpl "ProFTPD Default Installation" "FTPSSL" /home/proftpd/etc/proftpd.conf

rpl '#DefaultRoot ~' 'DefaultRoot ~' /home/proftpd/etc/proftpd.conf

vi /home/proftpd/etc/proftpd.conf
------------------------------ cut here ------------------------------
ServerName                      "FTPSSL"
ServerType                      standalone
DefaultServer                   on
MasqueradeAddress       elastic-ip-address-of-the-firewall-instance
PassivePorts 60000 65535
ScoreboardFile          /var/run/proftpd/proftpd.scoreboard
Port                            21
LoadModule mod_clamav.c
LoadModule mod_tls.c
TLSEngine                on
TLSLog                   /home/proftpd/log/tls.log
TLSProtocol              SSLv3 TLSv1
TLSRequired              on
TLSRSACertificateFile    /home/proftpd/ssl/crt.pem
TLSRSACertificateKeyFile /home/proftpd/ssl/key.rsa.null.pem
TLSCACertificateFile     /home/proftpd/ssl/ca-crt.pem
TLSVerifyClient          off
TLSRenegotiate           none
TLSOptions               AllowDotLogin NoSessionReuseRequired
ClamAV on
ClamServer localhost
ClamPort 3310
LoadModule mod_sql.c
LoadModule mod_sql_mysql.c
LoadModule mod_sql_passwd.c
SQLBackend              mysql
SQLEngine               on
SQLPasswordEngine       on
SQLAuthenticate         on
SQLAuthTypes            SHA1
SQLConnectInfo          proftpd@localhost root password
SQLDefaultUID           1100
SQLDefaultGID           21
SQLUserInfo             users userid passwd NULL NULL homedir shell
SQLGroupInfo            groups groupname gid members
SQLUserWhereClause      "disabled != 1"
SQLLogFile              /home/proftpd/log/sql
SQLLog PASS             updatecount
SQLNamedQuery           updatecount UPDATE "login_count=login_count+1, last_login=now() WHERE userid='%u'" users
SQLLog RETR             bytes-out-count
SQLNamedQuery           bytes-out-count UPDATE "bytes_out_used=bytes_out_used+%b WHERE userid='%u'" users
SQLLog RETR             files-out-count
SQLNamedQuery           files-out-count UPDATE "files_out_used=files_out_used+1 WHERE userid='%u'" users
SQLLog STOR             bytes-in-count
SQLNamedQuery           bytes-in-count UPDATE "bytes_in_used=bytes_in_used+%b WHERE userid='%u'" users
SQLLog STOR             files-in-count
SQLNamedQuery           files-in-count UPDATE "files_in_used=files_in_used+1 WHERE userid='%u'" users
CreateHome              on 775
AuthOrder               mod_sql.c
UseIPv6                         off
Umask                           002
MaxInstances                    30
CommandBufferSize       512
User                            ftp
Group                           ftp
DefaultRoot ~
AllowOverwrite          on
DisplayConnect          /home/proftpd/conf/connect.msg
ExtendedLog             /home/proftpd/log/extended
IdentLookups            off
MaxClients              20 "Sorry, max %m users -- try again later"
MaxClientsPerHost       4 "Sorry, you may not connect more than 4 times."
MaxClientsPerUser       4 "Sorry, you may not connect more than 4 times."
MaxHostsPerUser         4 "Sorry, you may not connect more than 4 times."
MaxLoginAttempts        6
MultilineRFC2228        on
RequireValidShell       off
ServerIdent             on "FTPSSL server ready"
ServerLog               /home/proftpd/log/server
SystemLog               /home/proftpd/log/system
TransferLog             /home/proftpd/log/transfer
UseReverseDNS           off
<Limit SITE_CHMOD>
  DenyAll
</Limit>
Include /home/proftpd/etc/users/*.conf
------------------------------ cut here ------------------------------

vi /home/proftpd/etc/users/downloaduser.conf
------------------------------ cut here ------------------------------
<Directory ~downloaduser>
  <Limit WRITE>
    DenyAll
    AllowUser superftpuser
  </Limit>
</Directory>
------------------------------ cut here ------------------------------

vi /home/proftpd/etc/users/uploaduser.conf
------------------------------ cut here ------------------------------
<Directory ~uploaduser>
  <Limit ALL>
    DenyAll
    AllowUser superftpuser
  </Limit>
  <Limit CDUP CWD PWD XCWD XCUP>
    AllowAll
  </Limit>
  <Limit STOR STOU>
    AllowAll
  </Limit>
</Directory>
------------------------------ cut here ------------------------------

vi /home/proftpd/conf/connect.msg
------------------------------ cut here ------------------------------
Restricted access only
------------------------------ cut here ------------------------------

vi /home/proftpd/conf/login.msg
------------------------------ cut here ------------------------------
Welcome / FTPSSL
------------------------------ cut here ------------------------------

vi /home/proftpd/conf/quit.msg
------------------------------ cut here ------------------------------
Goodbye / FTPSSL
------------------------------ cut here ------------------------------

chown -R downloaduser:ftpssl /home/proftpd/root/super/download/.
chown -R uploaduser:ftpssl /home/proftpd/root/super/upload/.
chown -R superftpuser:ftpssl /home/proftpd/root/.

chmod 775 /home/proftpd/root/super/download
chmod 775 /home/proftpd/root/super/upload

sh /usr/local/etc/rc.d/proftpd start

Optionally install a client certificate for ftpssl users

Example:

cp client-crt.pem /home/proftpd/root/super/download/.tlslogin
chmod 644 /home/proftpd/root/super/download/.tlslogin
chown superftpuser:ftpssl /home/proftpd/root/super/download/.tlslogin

Install Apache, PHP and ProFTPd-Admin

portmaster -d -m 'WITH_PROXY_MODULES=yes' -m 'WITH_SUEXEC_MODULES=yes' www/apache24
------------------------------ cut here ------------------------------
[X] SUEXEC
------------------------------ cut here ------------------------------

rpl /usr/local/etc/apache24/httpd.conf /home/apache/conf/httpd.conf /usr/local/etc/rc.d/apache24
rpl /var/run/httpd /home/apache/pid/httpd /usr/local/etc/rc.d/apache24
rpl -q '.pid' '' /usr/local/etc/rc.d/apache24

mkdir /home/apache
mkdir /home/apache/conf
mkdir /home/apache/empty
mkdir /home/apache/lock
mkdir /home/apache/logs
mkdir /home/apache/logs/data
chown www:www /home/apache/logs/data
mkdir /home/apache/pid
mkdir /home/apache/conf/ssl.crl
mkdir /home/apache/conf/ssl.crt
mkdir /home/apache/conf/ssl.crt/ftpssl
mkdir /home/apache/conf/ssl.key
mkdir /home/apache/conf/ssl.key/ftpssl
mkdir /home/apache/virtual

touch /home/apache/logs/access
touch /home/apache/logs/error

cd /usr/local/etc/apache24; tar cf - . |(cd /home/apache/conf/.; tar xf -)

rpl 'ServerRoot "/usr/local"' 'ServerRoot "/home/apache"' /home/apache/conf/httpd.conf
rpl 'LoadModule userdir_module' '#LoadModule userdir_module' /home/apache/conf/httpd.conf
rpl '#LoadModule ssl_module' 'LoadModule ssl_module' /home/apache/conf/httpd.conf
rpl 'ServerAdmin you@example.com' 'ServerAdmin root@securesc.ca' /home/apache/conf/httpd.conf
rpl 'DirectoryIndex index.html' 'DirectoryIndex index.html index.php' /home/apache/conf/httpd.conf
rpl 'ErrorLog "/var/log/httpd-error.log"' 'ErrorLog "/home/apache/logs/error"' /home/apache/conf/httpd.conf
rpl 'CustomLog "/var/log/httpd-access.log"' 'CustomLog "/home/apache/logs/access"' /home/apache/conf/httpd.conf
rpl 'Listen 80' '#Listen 80' /home/apache/conf/httpd.conf
rpl libexec/apache24/ /usr/local/libexec/apache24/ /home/apache/conf/httpd.conf
rpl etc/apache24/ /home/apache/conf/ /home/apache/conf/httpd.conf

vi /home/apache/conf/httpd.conf
------------------------------ cut here ------------------------------
ServerName ftpssl.domain:80
PidFile "/home/apache/pid/httpd"
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
LoadFile /usr/local/lib/libxml2.so
LoadModule cgi_module /usr/local/libexec/apache24/mod_cgi.so
LoadModule unique_id_module /usr/local/libexec/apache24/mod_unique_id.so
LoadModule suexec_module /usr/local/libexec/apache24/mod_suexec.so
LoadModule xml2enc_module  /usr/local/libexec/apache24/mod_xml2enc.so
LoadModule suphp_module /usr/local/libexec/apache24/mod_suphp.so
#LoadModule security2_module /usr/local/libexec/apache24/mod_security2.so
LoadModule proxy_html_module /usr/local/libexec/apache24/mod_proxy_html.so

ExtendedStatus On

ProxyHTMLLinks  a               href
ProxyHTMLLinks  area            href
ProxyHTMLLinks  link            href
ProxyHTMLLinks  img             src longdesc usemap
ProxyHTMLLinks  object          classid codebase data usemap
ProxyHTMLLinks  q               cite
ProxyHTMLLinks  blockquote      cite
ProxyHTMLLinks  ins             cite
ProxyHTMLLinks  del             cite
ProxyHTMLLinks  form            action
ProxyHTMLLinks  input           src usemap
ProxyHTMLLinks  head            profile
ProxyHTMLLinks  base            href
ProxyHTMLLinks  script          src for
ProxyHTMLEvents onclick ondblclick onmousedown onmouseup \
                onmouseover onmousemove onmouseout onkeypress \
                onkeydown onkeyup onfocus onblur onload \
                onunload onsubmit onreset onselect onchange
ProxyHTMLLinks        frame           src longdesc
ProxyHTMLLinks        iframe          src longdesc
ProxyHTMLLinks        body            background
ProxyHTMLLinks        applet          codebase
------------------------------ cut here ------------------------------

vi /etc/rc.conf.d/apache24
------------------------------ cut here ------------------------------
apache24_enable="YES"
apache24_profiles=""
apache24limits_enable="NO"
apache24_flags="-f /home/apache/conf/httpd.conf"
apache24limits_args="-e -C daemon"
apache24_http_accept_enable="YES"
------------------------------ cut here ------------------------------

touch /home/apache/logs/suexec

portmaster -d lang/php56
portmaster -d textproc/php56-simplexml
portmaster -d databases/php56-mysqli

cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
rpl ';date.timezone =' 'date.timezone = America/Montreal' /usr/local/etc/php.ini
rpl ';include_path = ".:/php/includes"' 'include_path = ".:/php/includes"' /usr/local/etc/php.ini
rpl 'max_execution_time = 30' 'max_execution_time = 300' /usr/local/etc/php.ini
rpl 'short_open_tag = Off' 'short_open_tag = On' /usr/local/etc/php.ini
rpl 'post_max_size = 8M' 'post_max_size = 32M' /usr/local/etc/php.ini
rpl 'memory_limit = 128M' 'memory_limit = 512M' /usr/local/etc/php.ini

portmaster -d -m 'WITH_SETID_MODE=force' www/suphp

cp /usr/local/etc/suphp.conf-example /usr/local/etc/suphp.conf

vi /usr/local/etc/suphp.conf
------------------------------ cut here ------------------------------
;docroot=/usr/local/www/*:${HOME}/public_html
docroot=/
check_vhost_docroot=false
umask=0022
min_uid=0
min_gid=0
------------------------------ cut here ------------------------------

mkdir /home/apache/virtual/proftpd_admin
mkdir /home/apache/logs/proftpd_admin

cd /root

fetch https://github.com/ChristianBeer/ProFTPd-Admin/archive/master.zip
unzip master.zip
cd ProFTPd-Admin-master
tar cf - . |(cd /home/apache/virtual/proftpd_admin/.; tar xpf -)
rpl '0000-00-00 00:00:00' '1970-01-01 00:00:01' tables.sql

mysql -u root -p
mysql> drop database proftpd;

mysqladmin -p create proftpd
mysql -u root -p proftpd < tables.sql

cd /home/apache/virtual/proftpd_admin
cp configs/config_example.php configs/config.php

vi /home/apache/virtual/proftpd_admin/configs/config.php
------------------------------ cut here ------------------------------
$cfg['default_homedir'] = "/home/proftpd/root/super/changeme";
$cfg['min_uid'] = -1;
$cfg['max_uid'] = -1;
$cfg['min_gid'] = -1;
$cfg['max_gid'] = -1;
$cfg['db_name'] = "proftpd";
$cfg['db_user'] = "root";
$cfg['db_pass'] = "XXX";
------------------------------ cut here ------------------------------

chmod 400 /home/apache/virtual/proftpd_admin/configs/config.php

chown -R ftp:ftp /home/apache/virtual/proftpd_admin/.

vi /home/apache/conf/Includes/10.20.1.13.conf
------------------------------ cut here ------------------------------
Listen 10.20.1.13:443
------------------------------ cut here ------------------------------

vi /home/apache/conf/Includes/ftpssl.conf
------------------------------ cut here ------------------------------
<VirtualHost 10.20.1.13:443>
    ServerAdmin apache@securesc.ca
    ServerName ftpssl.domain
    ServerAlias ftpssl
    DocumentRoot /home/apache/virtual/proftpd_admin
    ErrorLog /home/apache/logs/proftpd_admin/error
    CustomLog /home/apache/logs/proftpd_admin/access combined
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
    SSLCertificateFile /home/apache/conf/ssl.crt/ftpssl/crt.pem
    SSLCertificateKeyFile /home/apache/conf/ssl.key/ftpssl/key.pem
    SSLCertificateChainFile /home/apache/conf/ssl.crt/ftpssl/ca-crt.pem
    SuexecUserGroup ftp ftp
    suPHP_Engine on
    suPHP_UserGroup ftp ftp
    suPHP_AddHandler application/x-httpd-php
    AddType application/x-httpd-php .php
    <Location />
        Order deny,allow
        Allow from all
        AuthName "FTPSSL Admin Access"
        AuthType Basic
        AuthUserFile /home/proftpd/etc/htpasswd.users
        Require valid-user
    </Location>
</VirtualHost>
------------------------------ cut here ------------------------------

htpasswd -bc /home/proftpd/etc/htpasswd.users admin XXX

sh /usr/local/etc/rc.d/apache24 start

Install OSSEC

portmaster -d security/ossec-hids-server

rpl daniel.cid@xxx.com root@host.domain /usr/local/ossec-hids/etc/ossec.conf
rpl smtp.xxx.com. host.domain /usr/local/ossec-hids/etc/ossec.conf
rpl ossecm@ossec.xxx.com. ossecm@host.domain /usr/local/ossec-hids/etc/ossec.conf

vi /usr/local/ossec-hids/etc/ossec.conf
------------------------------ cut here ------------------------------
  <global>
    <white_list>127.0.0.1</white_list>
  </global>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/all.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/home/proftpd/log/server</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/home/proftpd/log/transfer</location>
  </localfile>
------------------------------ cut here ------------------------------

vi /etc/rc.conf.d/ossechids
------------------------------ cut here ------------------------------
ossechids_enable="YES"
ossechids_user="ossec"
ossechids_group="ossec"
------------------------------ cut here ------------------------------

cp /etc/localtime /usr/local/ossec-hids/var/etc/localtime
chown root:ossec /usr/local/ossec-hids/var/etc/localtime

sh /usr/local/etc/rc.d/ossec-hids start

Optionally install the Wazuh agent (if you have a Wazuh manager)

portmaster -d lang/gcc

cd /root
fetch https://github.com/wazuh/wazuh/archive/v2.1.0.tar.gz
tar zxf v2.1.0.tar.gz
cd wazuh-2.1.0
./install.sh

vi /var/ossec/etc/ossec.conf
------------------------------ cut here ------------------------------
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/all.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/home/proftpd/log/server</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/home/proftpd/log/transfer</location>
  </localfile>
------------------------------ cut here ------------------------------

vi /usr/local/etc/rc.d/wazuh-agent
------------------------------ cut here ------------------------------
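#!/bin/sh
#
# PROVIDE: wazuhagent
# REQUIRE: DAEMON
# BEFORE:  LOGIN
# KEYWORD: shutdown
#
# rc.d wrapper that hands the start/stop/restart/status/reload verbs
# over to the Wazuh agent's own control script (/var/ossec/bin/ossec-control).
# Enable it with wazuhagent_enable="YES" in /etc/rc.conf or in
# /etc/rc.conf.d/wazuhagent (the rc.conf.d file is keyed by ${name}).

. /etc/rc.subr

name="wazuhagent"
rcvar=wazuhagent_enable

load_rc_config "$name"

# Disabled unless the administrator opts in.
: "${wazuhagent_enable="NO"}"

# Every rc verb is routed through one function; rc.subr puts the verb
# being executed in ${rc_arg}, so a single function serves all of them.
start_cmd="wazuhagent_command start"
stop_cmd="wazuhagent_command stop"
restart_cmd="wazuhagent_command restart"
status_cmd="wazuhagent_command status"
reload_cmd="wazuhagent_command reload"

command="/var/ossec/bin/ossec-control"
# rc.subr checks that these exist before the service is started.
required_files="/var/ossec/etc/ossec.conf"
# Expose "reload" in addition to the standard verbs.
extra_commands="reload"

#
# Invoke ossec-control with the rc verb currently being run.
# Both expansions are quoted so neither value is word-split or
# glob-expanded, even if a path were ever to contain spaces.
#
wazuhagent_command() {
        "${command}" "${rc_arg}"
}

run_rc_command "$1"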
------------------------------ cut here ------------------------------

vi /etc/rc.conf.d/wazuhagent
------------------------------ cut here ------------------------------
wazuhagent_enable="YES"
------------------------------ cut here ------------------------------

/var/ossec/bin/agent-auth -m wazuh_manager_ip_address

cp /etc/localtime /var/ossec/etc/localtime

sh /usr/local/etc/rc.d/wazuh-agent start