ProFTPD installation
- Written on: 2024-01-20
- Debian version used: 12
Installing
ProFTPD can be installed with the proftpd package. Additionally, the proftpd-mod-crypto package should be installed to provide FTPS.
sudo apt install proftpd proftpd-mod-crypto
Setting up FTPS
For security, you should consider using FTPS instead of plain FTP. Also use a signed certificate (e.g. via Let's Encrypt). Steps using a self-signed certificate are provided here for reference.
Using a self-signed certificate
sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -nodes -days 365
sudo chmod 0600 /etc/ssl/private/proftpd.key
sudo chmod 0640 /etc/ssl/certs/proftpd.crt
Configuring mod_tls
Open /etc/proftpd/modules.conf and uncomment the line that loads mod_tls.c
# ... lines omitted for demonstration purposes
# Install proftpd-mod-crypto to use this module for TLS/SSL support.
LoadModule mod_tls.c
# ... lines omitted for demonstration purposes
Edit /etc/proftpd/tls.conf and replace its content with the following:
<IfModule mod_tls.c>
  TLSEngine on
  TLSLog /var/log/proftpd/tls.log
  TLSProtocol TLSv1.2 TLSv1.3
  # set this to off, if you have legacy clients that can't speak TLS
  TLSRequired on
  # the key generated above is RSA, so use the RSA directives
  # (TLSECCertificateFile / TLSECCertificateKeyFile are for EC keys)
  TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
  TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
  TLSVerifyClient off
  TLSRenegotiate none
</IfModule>
Next, load the TLS configuration by uncommenting the Include line in /etc/proftpd/proftpd.conf
#
# This is used for FTPS connections
#
Include /etc/proftpd/tls.conf
Test the config, and restart proftpd
sudo proftpd --configtest
sudo systemctl restart proftpd
Now you can connect using an FTP client of your choice, like FileZilla (Linux, Mac, Windows) or Transmit (macOS), by using the username/password of one of the users on the system.
Virtual Users
Virtual users allow you to create separate users that don't exist in Linux (this can be useful to give certain users access to certain projects).
Virtual users can be stored in a variety of ways, like a file, a database or LDAP. For demonstration purposes, this example will be using a file.
Make a new file /etc/proftpd/conf.d/virtual-users.conf and include the following:
DefaultRoot ~
CreateHome on
RequireValidShell off
AuthUserFile /etc/proftpd/ftpd.passwd
## only allow virtual users
AuthOrder mod_auth_file.c
## allow virtual users, and system users
# AuthOrder mod_auth_file.c mod_auth_pam.c
(Optional) Creating a separate system user
Since we need the UID/GID of a user, it's advised to make a separate Linux user for this, but you can also use the www-data user, for example.
sudo adduser --system --shell /bin/false --gecos 'FTP Virtual users' --group --disabled-password --home /home/ftpusers ftpusers
Adding virtual users
Replace the uid and gid with the UID/GID of the user you made earlier
sudo ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=test --uid=104 --gid=109 --home=/home/ftpusers/test --shell=/bin/false