Along with vsftpd and Pure-FTPd, ProFTPD is among the most popular FTP servers in Fedora, Ubuntu and Unix-like environments today. It is free and open-source software, compatible with Unix-like systems. It exposes plenty of configuration options to users compared to its counterparts.
In this post, I will describe how to configure an FTP server using ProFTPD on Debian 9.
Step 1: Installation of ProFTPD
To install ProFTPD, execute the commands below. The first command, 'apt-get update', updates the list of packages available in the repositories. The second command performs the actual installation.
root@b74d3d863d39:~# apt-get update
root@b74d3d863d39:~# apt-get install proftpd
You can verify the installation by executing the command below. It should print the installed version.
root@b74d3d863d39:~# proftpd -v
Great! You have successfully installed proftpd on the server. Now let's configure and use the FTP service. First, we need to create a Linux group and user.
Step 2: Create FTP Group
Create a group with the name of your choice. In this article, we will use "ftpgroup" and "pradip" as the group name and username respectively. Create the group by executing the following command.
root@21bcc8c5b80e:/# addgroup ftpgroup
Step 3: Create FTP user
Create the user by substituting appropriate values into the command "adduser ${username} --shell /bin/false --ingroup ${groupname} --home ${USER_HOME_DIRECTORY}". An example is shown below. It will prompt for the new password and user details. Use the same group name that we created in step 2.
root@21bcc8c5b80e:/# adduser pradip --shell /bin/false --ingroup ftpgroup --home /ftpshare
Adding user `pradip' ...
Adding new user `pradip' (1000) with group `ftpgroup' ...
Creating home directory `/ftpshare' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for pradip
Enter the new value, or press ENTER for the default
    Full Name []: Pradip Sakhavala
    Room Number []:
    Work Phone []:
    Home Phone []:
    Other []:
Is the information correct? [Y/n] Y
Step 4: Configure ProFTPD
Now we need to configure ProFTPD. Edit the file /etc/proftpd/proftpd.conf with your favorite text editor, as shown below.
root@21bcc8c5b80e:/# vi /etc/proftpd/proftpd.conf
[...]
UseIPv6 off
[...]
RootLogin off
RequireValidShell off
DefaultRoot ~
<Limit LOGIN>
  DenyGroup !ftpgroup
</Limit>
I am not using IPv6, so I have disabled it by setting 'UseIPv6' to off as shown above. Root login is disabled with 'RootLogin off'. 'RequireValidShell off' is needed because the FTP user's shell, /bin/false, is not a valid login shell listed in /etc/shells. DefaultRoot is set to '~' to restrict users to their own home directories. The DenyGroup rule allows only users from ftpgroup to log in to the FTP server; all other logins are rejected. Note that DenyGroup must sit inside the <Limit LOGIN> section, and the group name must be the same as the one you created in step 2.
Step 5: Starting the ProFTPD service
Now restart the proftpd service by issuing the command below.
root@21bcc8c5b80e:/# service proftpd restart
Once the service has started properly, you can start using the FTP server by opening the URL ftp://{Server_IP or Server_hostname}. It will prompt for a username and password. Use the same details that you configured in step 3.
ProFTPD TLS settings
To configure and run TLS, we first need to generate a certificate. To do that, first install openssl by executing the command below.
root@21bcc8c5b80e:/# sudo apt-get install openssl
Create an ssl directory under /etc/proftpd.
root@21bcc8c5b80e:/# mkdir /etc/proftpd/ssl
Generate a self-signed certificate by executing the command below. It will ask for some information; provide input accordingly.
root@21bcc8c5b80e:/# openssl req -new -x509 -keyout /etc/proftpd/ssl/proftpd.key.pem -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem
Generating a 2048 bit RSA private key
...+++
............................+++
writing new private key to '/etc/proftpd/ssl/proftpd.key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:GUJ
Locality Name (eg, city) []:AMD
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Batman
Organizational Unit Name (eg, section) []:Build
Common Name (e.g. server FQDN or YOUR name) []:Pradip
Email Address []:pradip.sakhavala@gmail.com
The private key file (proftpd.key.pem) must be readable by root only. To secure the environment, execute the command below.
root@21bcc8c5b80e:/# chmod 600 /etc/proftpd/ssl/proftpd.*
Open /etc/proftpd/tls.conf and change and/or uncomment the lines shown below.
root@21bcc8c5b80e:/# vi /etc/proftpd/tls.conf
<IfModule mod_tls.c>
[::]
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSOptions NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient off
TLSRequired on
RequireValidShell no
[::]
</IfModule>
After this, restart the service as shown in step 5 above.
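The following shell script is an added example, not part of the original article: it audits a tls.conf for the settings used above and checks the key file's mode. It flags 'TLSProtocol SSLv23', the mod_tls compatibility mode that still admits legacy protocol versions, and the 'AllowClientRenegotiations' option; the function names, finding labels, sample files and the 'TLSProtocol TLSv1.2' alternative (which needs a mod_tls and OpenSSL build that support it) are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the original post): flag weak settings in a ProFTPD tls.conf.

# Print one finding per line; print nothing when the file passes.
audit_tls_conf() {
    awk '
        $1 ~ /^#/           { next }               # ignore commented-out lines
        $1 == "TLSEngine"   { engine = tolower($2) }
        $1 == "TLSRequired" { required = tolower($2) }
        $1 == "TLSProtocol" {
            for (i = 2; i <= NF; i++)              # legacy protocol versions
                if ($i ~ /^(SSLv23|SSLv3|TLSv1|TLSv1\.1)$/) print "weak-protocol:" $i
        }
        $1 == "TLSOptions" {
            for (i = 2; i <= NF; i++)              # client-initiated renegotiation
                if ($i == "AllowClientRenegotiations") print "client-renegotiation"
        }
        END {
            if (engine != "on")   print "tls-engine-off"
            if (required != "on") print "tls-not-required"
        }' "$1"
}

# Succeed only if the key file grants nothing to group or other (mode 600 or 400).
key_mode_ok() {
    case "$(ls -ld "$1")" in
        -r?-------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample inputs: the settings from this article and a tightened variant.
demo_dir=$(mktemp -d)
cat > "$demo_dir/tls-article.conf" <<'EOF'
TLSEngine on
TLSProtocol SSLv23
TLSOptions NoCertRequest AllowClientRenegotiations
TLSRequired on
EOF
cat > "$demo_dir/tls-hardened.conf" <<'EOF'
TLSEngine on
TLSProtocol TLSv1.2
TLSOptions NoCertRequest
TLSRequired on
EOF

echo "article:";  audit_tls_conf "$demo_dir/tls-article.conf"
echo "hardened:"; audit_tls_conf "$demo_dir/tls-hardened.conf"
```

On a real server, point audit_tls_conf at /etc/proftpd/tls.conf and key_mode_ok at /etc/proftpd/ssl/proftpd.key.pem after the chmod step.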
Conclusion
We have successfully configured a ProFTPD server with a basic configuration. It has plenty of features that cannot be covered in this article. Give it a try. If you run into any difficulties with the configuration, or if you have anything that the world should know on this topic, please post it in the comment section.
I think you can change the word "direcoty" by "directory"
and
"must be readable y root only" by "must be readable by root only".
Simple and nice article!
Thanks for the suggestion. Updated :)
Option DenyGroup failed
lip 05 10:03:56 storage1 proftpd[6180]: Starting ftp server: proftpd2017-07-05 10:03:56,389 storage1 proftpd[6187]: fatal: DenyGroup: directive not allowed in server config context on line 38 of '/etc/proftpd/pr
lip 05 10:03:56 storage1 proftpd[6180]: failed!
lip 05 10:03:56 storage1 systemd[1]: proftpd.service: Control process exited, code=exited status=1
lip 05 10:03:56 storage1 systemd[1]: Failed to start LSB: Starts ProFTPD daemon.
solution
Add section LOGIN
DenyGroup !ftpgroup
Incomplete tutorial.
Add user
adduser pradip -shell /bin/false -G {group-name} -home /ftpshare/pradip
adduser user2 -shell /bin/false -G {group-name} -home /ftpshare/user2
adduser user3 -shell /bin/false -G {group-name} -home /ftpshare/user3
{group-name} - ftpgroup
Hi Esc,
Thanks for drawing attention. That was a silly mistake; I forgot to escape '' in the code snippet and it went wrong. Both things are updated now.
Great manual, followed it step by step, but unfortunately I get an error while connecting with Filezilla Client
Command: AUTH TLS
Response: 500 AUTH not understood
and
root@ch0001sftp10002:~# openssl s_client
140439435396352:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:108:
140439435396352:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:109:
Who knows how to fix it? :-)
Hi Marc
Are you using any IPv6 address?
proftpd is not installing. It's giving me a message saying that the proftpd-basic package has unmet dependencies of libmemcached11 and libmemcachedutil2
Hi Keneth,
I feel you are missing some repositories; try running apt-get update.