Hetzner - DokuWiki




This tutorial is based on Debian Squeeze. Aside from the general setting up and securing of the software the use of an explicit encryption is also described.

The guide has been compiled in good faith. For any damage to hardware and software there is of course no liability. Everything is done at your own risk. If there are any errors then please excuse this and amend the guide accordinly.


proftpd is an FTP Server for Linux which allows its users to transfer data to and from their server via an FTP client (download/upload files) - It should be noted here once again that FTP by default operates totally unencrypted and all passwords, etc. are transmitted in clear text, which makes the FTP protocol an insecure protocal.

Installation and Configuration

For the basic installation of ProFTPD we let our package manager install the package "proftpd":

apt-get install proftpd

Once the basic installation is complete we need to edit the configuration file to customize some important values.

nano /etc/proftpd/proftpd.conf

We are looking for the following values ​​and need to edit them accordingly or add them if they do not exist:

DefaultRoot ~
UseReverseDNS off
IdentLookups off
ServerName " FTP Server"
ServerType standalone
DenyFilter \*.*/
RequireValidShell on

In the event that later TLS (certificate-based encryption) is to be used, we also need to add the following at the end:

Include /etc/proftpd/tls.conf

A brief explanation of some of the above parameters:

DefaultRoot ~ -> ensures that all users are locked into their home directory and can not move freely in the folder structure on the server.
ServerName "xxx" -> the name of the server that is specified at the first request of the FTP client with the status message 220 OK.
ServerType standalone -> The server does not run with inetd, but as a standalone server.
DenyFilter \*.*/ -> is used to fix a security problem.
RequireValidShell on -> in order for a user to log in via FTP, the shell file for that client that exists in /etc/passwd should also exist in /etc/shells and be marked as "Valid Shell".

If you have not already done so, the shell /bin/false needs to be added as a "Valid Shell". This step is very simple. You open the /etc/shells file and simply add to the end of the file the following line:


If you use "nano" -> CTRl + X and confirm the save with Y. The shell /bin/false is now known to the system. Before we do anything else, we need to restart proFTPD:

/etc/init.d/proftpd restart

Creating a user for FTP

Now we create a new user. In this example we are assuming it is a simple upload user, whose home directory is located in /home/upload.

adduser –home /home/upload –shell /bin/false upload

Subsequently a password prompt appears, that must be filled out accordingly. After that we can test the connection to the server (for example with the open-source FTP client "FileZilla").

The log of the client should state something like this right after resolving the host:

220 ProFTPD 1.3.3a Server (Your server name) ::ffff:xx.xx.xx.xx]

With that our ProFTPD Server is ready for action.

Optional: Explicit Encryption via TLS

As already mentioned in the configuration section, for TLS encryption an include link needs to be made in /etc/proftpd/tls.conf:

Include /etc/proftpd/tls.conf

We then insert the appropriate file if this is not done and edit it.

touch /etc/proftpd/tls.conf && nano /etc/proftpd/tls.conf

In the file we enter the following content:

<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSOptions                 NoCertRequest
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                on

Now, however, the certificate needs to be created so that ProFTPD also can work with it. If you have your own (e.g. Hetzner ordered), give the path in the config accordingly. If you do not have a certificate, which is usually very expensive and signed by a "trusted" site, you have to manage that yourself. To do this the Debian package openssl must be installed.

apt-get install openssl

Then, the following commands are used to create the certificate at said location:

mkdir /etc/proftpd/ssl
openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

After the OpenSSL command you will be asked to enter some information:

Country Name (2 letter code) [AU]: DE
State or Province Name (full name) [Some-State]: Bayern
Locality Name (eg, city) []: Munich
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Company XYZ
Organizational Unit Name (eg, section) []: IT Department
Common Name (eg, YOUR name) []: server.host.com
Email Address []: root@host.com

It is important that you input the FQDN when asked for the Common Name. If you do not have a domain, enter the host name that was assigned by Hetzner (parallel to the IP). For example: static.xx-xx-xx-xx.your-server.de

Restart ProFTPD and configure FileZilla with "Request Explicit FTP over TLS" - The configuration "TLSRequired on" means that any connection attemps via the normal FTP port (21) are automatically rejected.

© 2018. Hetzner Online GmbH. Alle Rechte vorbehalten.