How to install and configure ProFTPD on Debian Wheezy and Ubuntu 14.04

This document describes how to install and configure ProFTPD on a Debian Wheezy server; it will also work on Ubuntu 14.04. ProFTPD is an FTP daemon for Unix and Unix-like operating systems. ProFTPD is developed, released and distributed under the GNU Public License (GPL), which basically establishes it as free software, meaning that it may be sold, licensed and otherwise manipulated in any way desired as long as full and complete source code either accompanies any ProFTPD packages or is made available by any and all sites that distribute pre-compiled binaries. The software can be modified by anyone at any time, as long as all derived works are also licensed under the GNU Public License.

This guide will work for both Ubuntu and Debian servers.

1 Preliminary Note

This tutorial is based on a Debian 7.6 server, so you should set up a basic Debian 7.6 server installation before you continue with this tutorial. The system should have a static IP address. I use 192.168.0.100 as my IP address in this tutorial and server1.example.com as the hostname. 

2 Install ProFTPD

2.1 Installation:

We will first install ProFTPD and OpenSSL as follows:

apt-get install proftpd openssl

The installer will ask a question about how to run ProFTPD; select standalone and press Ok.

We can check the ProFTPD version as follows:

proftpd -v
root@server1:~# proftpd -v
ProFTPD Version 1.3.4a
root@server1:~#

2.2 Creating ProFTPD Users

For this I will create a group ftpgroup and the user srijan for ProFTPD. I will restrict the user srijan to the home directory /ftpshare:

addgroup ftpgroup
adduser srijan -shell /bin/false -home /ftpshare
root@server1:~# adduser srijan -shell /bin/false -home /ftpshare
Adding user `srijan' ...
Adding new group `srijan' (1002) ...
Adding new user `srijan' (1001) with group `srijan' ...
Creating home directory `/ftpshare' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: <--ftppassword
Retype new UNIX password: <--ftppassword
passwd: password updated successfully
Changing the user information for srijan
Enter the new value, or press ENTER for the default<--ENTER
    Full Name []: <--ENTER
    Room Number []: <--ENTER
    Work Phone []: <--ENTER
    Home Phone []: <--ENTER
    Other []: <--ENTER
Is the information correct? [Y/n] <--Y
root@server1:~#

Now we will add the srijan user to the ftpgroup as follows:

adduser srijan ftpgroup

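Next we need to protect the directory's contents from being removed or renamed by users who do not own them, so we set the sticky bit (the leading 1) on the directory. The 777 part leaves it readable and writable by every local account, and -R applies the same mode to everything already inside it: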

chmod -R 1777 /ftpshare/

Next we need to configure ProFTPD as follows:

nano /etc/proftpd/proftpd.conf

Make the changes shown below:

[...]
UseIPv6 off
[...]
<Global>
    RootLogin off
    RequireValidShell off
</Global>

DefaultRoot ~

<Limit LOGIN>
    DenyGroup !ftpgroup
</Limit>

I am not using IPv6, so I turned it off above. RootLogin off disables root logins to ProFTPD. RequireValidShell off lets srijan log in even though /bin/false is not a login shell listed in /etc/shells. DefaultRoot ~ restricts users to their home directories. DenyGroup !ftpgroup allows only members of ftpgroup to log in to the FTP server; all other connections are rejected.

Restart the service as:

service proftpd restart

Sometimes you will get an error while restarting the service, like this:

root@server1:~# service proftpd restart
[ ok ] Stopping ftp server: proftpd.
[....] Starting ftp server: proftpdserver1 proftpd[6052]: mod_tls_memcache/0.1: notice: unable to register 'memcache' SSL session cache: Memcache support not enabled
. ok
root@server1:~#

We can overcome this error by editing the file /etc/proftpd/modules.conf and commenting out the line as follows:

nano /etc/proftpd/modules.conf
[...]
#LoadModule mod_tls_memcache.c
[...]

This resolves the error.

Now we can log in with the user srijan and its password at ftp://192.168.0.100



3 Enabling TLS In ProFTPD

In order to enable TLS in ProFTPD, open /etc/proftpd/proftpd.conf:

nano /etc/proftpd/proftpd.conf

Un-comment the following line:

[...]
Include /etc/proftpd/tls.conf
[...]

Now we will back up the original file and then edit it as shown below:

cp /etc/proftpd/tls.conf /etc/proftpd/tls.conf_orig
cat /dev/null > /etc/proftpd/tls.conf
nano /etc/proftpd/tls.conf

Enter the following entries:

<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSOptions                 NoCertRequest
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                on
</IfModule>

In order to use TLS, we must create an SSL certificate. I will create it in /etc/proftpd/ssl, therefore I create that directory first:

mkdir /etc/proftpd/ssl

Afterwards, we can generate the SSL certificate as follows:

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

Now, for security, I will make the private key file read-only for its owner and group, with no access for other users:

chmod 0440 /etc/proftpd/ssl/proftpd.key.pem

Finally restart the ProFTPD service as follows:

service proftpd restart
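
An added example (not from the original tutorial or the ProFTPD project): a small audit script that prints one line for each setting from sections 2.2 and 3 that is missing or weak, including a TLSProtocol value that still admits SSLv3 (in mod_tls, SSLv23 allows SSLv3 as well as TLSv1). The function names directive_value, is_on and audit_proftpd are hypothetical, and context blocks such as <Global> are not parsed.

```sh
#!/bin/sh
# Added example: audit the directives this tutorial sets. Context blocks such
# as <Global> are ignored; the last uncommented occurrence of a name wins.

directive_value() {   # directive_value FILE NAME -> value, empty if unset
    awk -v want="$2" '
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == tolower(want) { $1 = ""; sub(/^ +/, ""); val = $0 }
        END { print val }' "$1"
}

is_on() {             # is_on FILE NAME -> success if the boolean is enabled
    case "$(directive_value "$1" "$2" | tr 'A-Z' 'a-z')" in
        on|yes|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

audit_proftpd() {     # audit_proftpd MAIN_CONF TLS_CONF KEY_FILE -> findings
    main=$1 tls=$2 key=$3
    is_on "$main" RootLogin &&
        echo "RootLogin is on: root may log in over FTP"
    [ -z "$(directive_value "$main" DefaultRoot)" ] &&
        echo "DefaultRoot is unset: users are not confined to their home"
    [ -z "$(directive_value "$main" DenyGroup)" ] &&
        echo "DenyGroup is unset: logins are not restricted by group"
    is_on "$tls" TLSEngine ||
        echo "TLSEngine is not on: no TLS is offered"
    is_on "$tls" TLSRequired ||
        echo "TLSRequired is not on: some or all traffic may be unencrypted"
    case " $(directive_value "$tls" TLSProtocol) " in
        *" SSLv23 "*|*" SSLv3 "*)
            echo "TLSProtocol permits SSLv3: list TLS versions only" ;;
    esac
    # Characters 8-10 of the ls mode string are the permissions for "other".
    [ -e "$key" ] && [ "$(ls -ld "$key" | cut -c8-10)" != "---" ] &&
        echo "$key is accessible to other users (tutorial sets 0440)"
    return 0
}

# Usage: sh audit.sh /etc/proftpd/proftpd.conf /etc/proftpd/tls.conf \
#            /etc/proftpd/ssl/proftpd.key.pem
if [ "$#" -eq 3 ]; then audit_proftpd "$@"; fi
```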

We can connect to the ProFTPD server with FileZilla, which must be installed on the client. Open FileZilla and enter the following details:

Host = 192.168.0.100
Protocol = FTP
User = srijan
Port = can be left blank unless you have changed it from the default port 21
Password = ftppassword (just created above)

Note: Since we encrypted the connection in the step above, we will set Encryption to Require explicit FTP over TLS.

If you have not configured TLS, you can select Use Plain FTP instead.



FileZilla will ask whether to trust the certificate; press OK.




FileZilla will then connect to the FTP shared directory.

4 Anonymous FTP access in ProFTPD

We can create an anonymous FTP account in ProFTPD by adding these entries to the ProFTPD configuration file:

nano /etc/proftpd/proftpd.conf

Add these entries at the end of the file:

[...]
###Anonymous share#####
<Anonymous ~ftp>
  User ftp
  Group nogroup
  <Limit LOGIN>
    AllowAll
  </Limit>
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias anonymous ftp
  # Cosmetic changes, all files belongs to ftp user
  DirFakeUser on ftp
  DirFakeGroup on ftp
  RequireValidShell off
  # Limit the maximum number of anonymous logins
  MaxClients 10
  # Limit WRITE everywhere in the anonymous chroot
  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>
</Anonymous>

Now connect it through FileZilla as follows:

Note: Since we encrypted the connection in the step above, we will set Encryption to Require explicit FTP over TLS.

If you have not configured TLS, you can select Use Plain FTP instead.

Press Connect:

FileZilla will ask whether to trust the certificate; press OK.

We have successfully connected to the server as the anonymous user.

Congratulations! We have now successfully configured a ProFTPD server environment on Debian Wheezy :)
