FTP (File Transfer Protocol) is a protocol for transferring files between a client and a server. It lets you upload files (e.g. web sites) to a server and download them from it over the Internet. ProFTPD is a widespread, highly configurable FTP server for UNIX-based systems. In this post I will describe the installation and configuration of ProFTPD on Debian. In the following example, TLS is configured on the FTP server to secure communication between the FTP client (e.g. FileZilla) and the FTP server, ProFTPD. The installation and configuration were done on Debian Wheezy 7.7.
The ProFTPD package is included in Debian's default repository and can be installed with the following command:
sudo apt-get install proftpd-basic
During installation, you must choose whether the FTP server runs as a service from inetd or as a standalone server. In this example, select standalone mode.
Now I will show you how to configure ProFTPD. The configuration files live mainly in the /etc/proftpd/ directory, but editing them in place is not ideal. To keep the system tidy, we use a different, cleaner mechanism.
Ideally, some configuration files, particularly those defining user accounts and their assignments, are stored in the conf.d directory. This is very convenient, because a package update will not change our configuration files.
For example, the file account.conf is used to adjust the ProFTPD server. Create it with the content below, then save the file and restart the FTP server.
$ sudo vi /etc/proftpd/conf.d/account.conf
# Ftp user doesn't need a valid shell
<Global>
    RequireValidShell off
</Global>
# If desired turn off IPv6
UseIPv6 off
# Default directory is ftpusers home
DefaultRoot ~ ftpuser
# Limit login to the ftpuser group
<Limit LOGIN>
    DenyGroup !ftpuser
</Limit>
Encryption (SSL/TLS)
Encryption is essential. We do not want logins and passwords to travel in clear text when we log in. The TLS module enables an encrypted connection to the ProFTPD server over SSL/TLS.
As we can see, ProFTPD supports the TLS module by default. It is included in the configuration file /etc/proftpd/modules.conf and activated automatically. We can create the certificate ourselves or buy one from a certification authority, which is what we recommend. Either way we get two files: the certificate and the key. In the conf.d directory we then create a separate configuration file for SSL/TLS:
$ sudo vi /etc/proftpd/conf.d/tls.conf
<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd/tls.log
    TLSProtocol TLSv1
    TLSRSACertificateFile /etc/ssl/certs/name.crt
    TLSRSACertificateKeyFile /etc/ssl/private/name.key
    TLSVerifyClient off
    TLSRequired on
</IfModule>
Then restart ProFTPD.
Create FTP users
To create an FTP user, we must create a system user, but one without a valid login shell.
$ sudo adduser account --shell /bin/false --home /var/www/html
Adding user `account' ...
Adding new group `account' (1001) ...
Adding new user `account' (1001) with group `account' ...
Creating home directory `/var/www/html' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
[...]
We can also allow anonymous read-only access to the FTP server. To do this, edit the file:
$ sudo vi /etc/proftpd/conf.d/anon.conf
<Anonymous ~account>
    User ftp
    Group ftp
    # Users can also login with ftp
    UserAlias anonymous ftp
    # All files belong to ftp
    DirFakeUser on ftp
    DirFakeGroup on ftp
    RequireValidShell off
    MaxClients 10
    <Directory *>
        <Limit WRITE>
            DenyAll
        </Limit>
    </Directory>
</Anonymous>
So that the ftp user can access the anonymous FTP area, it must be added to the group account:
$ sudo adduser ftp account
Adding user `ftp' to group `account' ...
Adding user ftp to group account
Done.
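
Added example, not part of the original post or of ProFTPD: a Python audit of the two groups of settings configured above, the mod_tls directives and the anonymous area. The sample text is constructed from the post's tls.conf and anon.conf, and the set of protocols treated as weak is an assumed audit policy, which is why the post's own TLSProtocol TLSv1 (TLS 1.0) is reported.

```python
# Constructed sample: the tls.conf and anon.conf settings from this post.
SAMPLE = """\
<IfModule mod_tls.c>
TLSEngine on
TLSProtocol TLSv1
TLSRequired on
</IfModule>
<Anonymous ~account>
User ftp
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
</Anonymous>
"""
# Assumed audit policy: SSLv3 and TLS 1.0/1.1 are deprecated (RFC 7568, RFC 8996).
WEAK_PROTOCOLS = {"SSLv3", "SSLv23", "TLSv1", "TLSv1.1"}

def parse(text):
    """Return (enclosing_sections, directive, args) for each directive line."""
    stack, rows = [], []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("</"):
            stack = stack[:-1]            # leave the innermost section
        elif line.startswith("<"):
            stack.append(" ".join(line.strip("<>").split()).lower())
        elif line and not line.startswith("#"):   # skip blanks and comments
            name, *args = line.split()
            rows.append((tuple(stack), name.lower(), args))
    return rows

def audit(text):
    """Return findings for the TLS and anonymous-access settings."""
    rows = parse(text)
    def values(name):
        return [a for _, n, args in rows if n == name for a in args]
    anon = [(s, n) for s, n, _ in rows if s and s[0].startswith("anonymous")]
    findings = []
    if [v.lower() for v in values("tlsengine")] != ["on"]:
        findings.append("TLSEngine is not on")
    if [v.lower() for v in values("tlsrequired")] != ["on"]:
        findings.append("TLSRequired is not on: some traffic may go unencrypted")
    for proto in sorted(set(values("tlsprotocol")) & WEAK_PROTOCOLS):
        findings.append("TLSProtocol allows deprecated " + proto)
    write_denied = any(n == "denyall" and any(
        p.split()[:1] == ["limit"] and "write" in p.split() for p in s)
        for s, n in anon)
    if anon and not write_denied:
        findings.append("Anonymous area does not deny WRITE")
    return findings
```

On a real server, pass `audit()` the concatenated contents of the files under /etc/proftpd/conf.d/.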