5 Steps to Install and Setup ProFTPD on Debian 9 Stretch

In this post, I will describe how to configure an FTP server using ProFTPD on Debian 9. ProFTPD is free and open-source software, compatible with Unix-like systems. Along with vsftpd and Pure-FTPd, ProFTPD is among the most popular FTP servers in Fedora, Ubuntu and Unix-like environments today. It exposes plenty of configuration options to users compared to its counterparts.

Step 1 : Installation of ProFTPD

To install ProFTPD, execute the commands below. The first command, 'apt-get update', updates the list of packages available in the repositories. The second command does the actual installation.

root@b74d3d863d39:~# apt-get update
root@b74d3d863d39:~# apt-get install proftpd

You can verify the installation by executing the command below. It should print the installed version.

root@b74d3d863d39:~# proftpd -v

Great! You have successfully installed ProFTPD on the server. Now let's configure and use the FTP service. First, we need to create a Linux group and user.

Step 2 : Create FTP Group

Create a group with the name of your choice. In this article, we will use "ftpgroup" and "pradip" as the group name and username respectively. Create the group by executing the following command.

root@21bcc8c5b80e:/# addgroup ftpgroup

Step 3 : Create FTP user

Create the user by replacing the appropriate values in the command "adduser ${username} --shell /bin/false --ingroup ${groupname} --home ${USER_HOME_DIRECTORY}". An example is shown below. It will prompt for the new password and user details. Use the same group name that we created in step 2.

root@21bcc8c5b80e:/# adduser pradip --shell /bin/false --ingroup ftpgroup --home /ftpshare
Adding user `pradip' ...
Adding new user `pradip' (1000) with group `ftpgroup' ...
Creating home directory `/ftpshare' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for pradip
Enter the new value, or press ENTER for the default
        Full Name []: Pradip Sakhavala
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y

Step 4 : Configure ProFTPD

Now we need to configure ProFTPD. Edit the file /etc/proftpd/proftpd.conf with your favorite text editor as shown below.

root@21bcc8c5b80e:/# vi /etc/proftpd/proftpd.conf
[...]
UseIPv6 off
[...]

    RootLogin off
    RequireValidShell off

DefaultRoot  ~

<Limit LOGIN>
    DenyGroup !ftpgroup
</Limit>

I am not using IPv6, so I have disabled it by setting 'UseIPv6' to off as shown above. I am disabling root user login with 'RootLogin off'. RequireValidShell is off because the FTP user's shell, /bin/false, is not a valid login shell. DefaultRoot is set to '~' to restrict users to their home folders only. DenyGroup allows only the users from ftpgroup to access the FTP server; all other logins are rejected. Please note that the group name must be the same as the one you created in step 2.

Step 5 : Starting ProFTP service

Now restart the proftpd service by issuing the command below.

root@21bcc8c5b80e:/# service proftpd restart

Once the service has started properly, you can start using the FTP server by opening the URL ftp://{Server_IP or Server_hostname}. It will prompt for a username and password. Use the same details that you configured in step 3.

ProFTPD TLS settings

To configure and run TLS, we first need to generate a certificate. To do that, first install openssl by executing the command below.

root@21bcc8c5b80e:/# sudo apt-get install openssl

Create an ssl directory under /etc/proftpd.

root@21bcc8c5b80e:/# mkdir /etc/proftpd/ssl

Generate a self-signed certificate by executing the command below. It will ask for some information; provide input accordingly.

root@21bcc8c5b80e:/# openssl req -new -x509 -keyout /etc/proftpd/ssl/proftpd.key.pem -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem
Generating a 2048 bit RSA private key
...+++
............................+++
writing new private key to '/etc/proftpd/ssl/proftpd.key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:GUJ
Locality Name (eg, city) []:AMD
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Batman
Organizational Unit Name (eg, section) []:Build
Common Name (e.g. server FQDN or YOUR name) []:Pradip
Email Address []:pradip.sakhavala@gmail.com

The private key file, proftpd.key.pem, must be readable by root only. To secure it, execute the command below.

root@21bcc8c5b80e:/# chmod 600 /etc/proftpd/ssl/proftpd.*

Open /etc/proftpd/tls.conf and change or uncomment lines as shown below.

root@21bcc8c5b80e:/# vi /etc/proftpd/tls.conf
<IfModule mod_tls.c>
[...]
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSOptions                 NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                on
RequireValidShell          no
[...]
</IfModule>

After this, restart the service as shown in step 5 above.
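
As an added example (not part of the original article), the POSIX shell function below checks a ProFTPD configuration for the settings from Step 4 and the TLS section. It also flags two values in the tls.conf above: `SSLv23` is mod_tls's compatibility mode, which admits legacy protocol versions, and `AllowClientRenegotiations` turns back on the client-initiated renegotiation that mod_tls refuses by default. The helper names (`audit_proftpd`, `val`, `warn`, `key_is_private`) are hypothetical, and the sample config is constructed from the directives shown in this article.

```sh
#!/bin/sh
# Added example, not from the original article: flag weak ProFTPD settings.

# val NAME: arguments of the last active directive NAME in $conf, lowercased.
val() {
    printf '%s\n' "$conf" | awk -v d="$1" '
        tolower($1) == tolower(d) { $1 = ""; v = tolower($0) }
        END { sub(/^ +/, "", v); print v }'
}

warn() { echo "WARN: $1"; n=$((n + 1)); }

# audit_proftpd: read config text on stdin, print one WARN line per finding,
# return 0 only when there are none.
audit_proftpd() {
    # Strip comments so a commented-out "#TLSEngine on" does not count as set.
    conf=$(sed -e 's/#.*//')
    n=0
    [ "$(val RootLogin)" = "on" ] && warn "RootLogin on: root may log in over FTP"
    [ -n "$(val DefaultRoot)" ] || warn "DefaultRoot unset: users are not confined to a directory"
    [ -n "$(val DenyGroup)" ] || warn "no DenyGroup: logins are not limited to the FTP group"
    [ "$(val TLSEngine)" = "on" ] || warn "TLSEngine not on: passwords cross the network in cleartext"
    [ "$(val TLSRequired)" = "on" ] || warn "TLSRequired not on: plain FTP logins are still accepted"
    case " $(val TLSProtocol) " in
        *" sslv23 "* | *" sslv3 "*) warn "TLSProtocol allows legacy SSLv3/TLSv1; prefer e.g. TLSv1.2" ;;
    esac
    case " $(val TLSOptions) " in
        *" allowclientrenegotiations "*) warn "TLSOptions turns client-initiated renegotiation back on" ;;
    esac
    [ "$n" -eq 0 ]
}

# key_is_private FILE: succeed only if group and others have no permission bits.
key_is_private() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Constructed sample: the active directives from Step 4 and the TLS section.
article_conf='RootLogin off
DefaultRoot ~
<Limit LOGIN>
    DenyGroup !ftpgroup
</Limit>
TLSEngine on
TLSProtocol SSLv23
TLSOptions NoCertRequest AllowClientRenegotiations
TLSRequired on'

printf '%s\n' "$article_conf" | audit_proftpd || true
```

To check the live files, run `cat /etc/proftpd/proftpd.conf /etc/proftpd/tls.conf | audit_proftpd`. Running `proftpd -t` before the restart also catches syntax errors and directives placed in the wrong context.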

Conclusion

We have successfully configured a ProFTPD server with a basic configuration. It has plenty of features that cannot be covered in this article, so do try it out. If you run into any difficulties with the configuration, or if you have anything the world should know on this topic, please post it in the comment section.

About Pradip Sakhavala

Pradip is a Linux system administrator and an ardent believer in sharing and contributing to the open source community. He likes to discuss technical stuff anytime. He has recently started sharing his experience through blogs.


4 Comments

  1. I think you can change the word "direcoty" by "directory"

    and

    "must be readable y root only" by "must be readable by root only".

    Simple and nice article !

  2. Option DenyGroup failed

    lip 05 10:03:56 storage1 proftpd[6180]: Starting ftp server: proftpd2017-07-05 10:03:56,389 storage1 proftpd[6187]: fatal: DenyGroup: directive not allowed in server config context on line 38 of '/etc/proftpd/pr
    lip 05 10:03:56 storage1 proftpd[6180]: failed!
    lip 05 10:03:56 storage1 systemd[1]: proftpd.service: Control process exited, code=exited status=1
    lip 05 10:03:56 storage1 systemd[1]: Failed to start LSB: Starts ProFTPD daemon.

    solution

    Add section LOGIN

    DenyGroup !ftpgroup

    Incomplete tutorial.

    Add user

    adduser pradip -shell /bin/false -G {group-name} -home /ftpshare/pradip
    adduser user2 -shell /bin/false -G {group-name} -home /ftpshare/user2
    adduser user3 -shell /bin/false -G {group-name} -home /ftpshare/user3

    {group-name} - ftpgroup

    1. Hi Esc,

      Thanks for drawing attention. That was a silly mistake; I forgot to escape '' in the code snippet and it went wrong. Both things are updated now.