
Install and Configure ProFTPD

Author: Hetzner Online
Published: 2019-03-08

Introduction

ProFTPD is an FTP server for Linux that lets its users transfer data to and from their server via an FTP client (download/upload files). Note that FTP by default operates entirely unencrypted: all passwords and other data are transmitted in clear text, which makes FTP an insecure protocol.

This tutorial is based on Debian Squeeze. In addition to the general setup and securing of the software, it describes the use of explicit encryption.

Step 1 - Installation and Configuration

For the basic installation of ProFTPD we let our package manager install the package proftpd:

apt-get install proftpd

Once the basic installation is complete we need to edit the configuration file to customize some important values.

nano /etc/proftpd/proftpd.conf

We are looking for the following values and need to edit them accordingly or add them if they do not exist:

DefaultRoot ~
UseReverseDNS off
IdentLookups off
ServerName "123.123.123.123 FTP Server"
ServerType standalone
DenyFilter \*.*/
RequireValidShell on

If TLS (certificate-based encryption) is to be used later, we also need to add the following at the end:

Include /etc/proftpd/tls.conf

A brief explanation of some of the above parameters:

  • DefaultRoot: ensures that all users are locked into their home directory and cannot move freely in the folder structure on the server.
  • ServerName "xxx": the name of the server that is sent to the FTP client in the 220 status message when it first connects.
  • ServerType standalone: the server does not run under inetd, but as a standalone server.
  • DenyFilter: rejects commands that match the given regular expression; it is used here to fix a security problem.
  • RequireValidShell on: for a user to log in via FTP, the shell set for that user in /etc/passwd must also be listed in /etc/shells as a valid shell.

If you have not already done so, the shell /bin/false needs to be added as a valid shell. This step is very simple: open the /etc/shells file and add the following line to the end of the file:

/bin/false

If you use nano, press Ctrl+X and confirm the save with Y. The shell /bin/false is now known to the system. Before we do anything else, we need to restart ProFTPD:

/etc/init.d/proftpd restart

Step 2 - Creating a user for FTP

Now we create a new user. In this example we are assuming it is a simple upload user, whose home directory is located in /home/upload.

adduser --home /home/upload --shell /bin/false upload

A password prompt then appears; enter a password for the new user. After that we can test the connection to the server (for example with the open-source FTP client "FileZilla").

The log of the client should state something like this right after resolving the host:

220 ProFTPD 1.3.3a Server (Your server name) [::ffff:xx.xx.xx.xx]

With that our ProFTPD Server is ready for action.

Step 3 - Explicit Encryption via TLS (Optional)

As already mentioned in the configuration section, TLS encryption requires an Include directive in /etc/proftpd/proftpd.conf that points to /etc/proftpd/tls.conf:

Include /etc/proftpd/tls.conf

We then create that file, if it does not already exist, and edit it.

touch /etc/proftpd/tls.conf && nano /etc/proftpd/tls.conf

In the file we enter the following content:

<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSOptions                 NoCertRequest
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                on
</IfModule>

Now the certificate needs to be created so that ProFTPD can work with it. If you have your own certificate (e.g. one ordered from Hetzner), enter its path in the config accordingly. If you do not have a certificate signed by a "trusted" site, which is usually very expensive, you have to create one yourself. To do this, the Debian package openssl must be installed.

apt-get install openssl

Then, the following commands are used to create the certificate at said location:

mkdir /etc/proftpd/ssl
openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

After the OpenSSL command you will be asked to enter some information:

Country Name (2 letter code) [AU]: DE
State or Province Name (full name) [Some-State]: Bayern
Locality Name (eg, city) []: Munich
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Company XYZ
Organizational Unit Name (eg, section) []: IT Department
Common Name (eg, YOUR name) []: server.host.com
Email Address []: root@host.com

It is important that you enter the FQDN when asked for the Common Name. If you do not have a domain, enter the host name that Hetzner assigned along with the IP. For example: static.xx-xx-xx-xx.your-server.de.

Restart ProFTPD and configure FileZilla with "Require explicit FTP over TLS". The setting TLSRequired on means that any unencrypted connection attempt via the normal FTP port 21 is automatically rejected.
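
The settings from Step 1 and Step 3 can be checked after editing with a small audit script. This is an added example, not part of the original tutorial; the function names and the sample config are constructed for illustration, and the script reads only the files it is given (it does not follow Include lines itself).

```shell
#!/bin/sh
# Added example: audit ProFTPD config files for the directives this tutorial sets.

# Print the value of the last occurrence of directive $1 in the given files
# (name matched case-insensitively; comment lines skipped).
directive_value() {
    name=$1; shift
    awk -v want="$name" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(want) {
            $1 = ""; sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, ""); val = $0
        }
        END { print val }' "$@"
}

# check NAME EXPECTED FILE...: report one directive, return 1 on mismatch.
check() {
    name=$1; expected=$2; shift 2
    actual=$(directive_value "$name" "$@")
    if [ "$actual" = "$expected" ]; then
        echo "ok    $name $actual"
    else
        echo "FAIL  $name: expected '$expected', found '${actual:-<unset>}'"
        return 1
    fi
}

# audit_proftpd FILE...: returns 0 only if every check passes.
audit_proftpd() {
    rc=0
    check DefaultRoot '~' "$@"       || rc=1
    check RequireValidShell on "$@"  || rc=1
    check TLSEngine on "$@"          || rc=1
    check TLSRequired on "$@"        || rc=1
    return "$rc"
}

# Constructed sample: TLS is configured but plain FTP logins are still allowed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
DefaultRoot ~
# RequireValidShell off
RequireValidShell on
<IfModule mod_tls.c>
TLSEngine                  on
TLSRequired                off
</IfModule>
EOF
audit_proftpd "$sample" || echo "audit failed for $sample"
```

On the server itself, pass both files so that the TLS directives are seen: audit_proftpd /etc/proftpd/proftpd.conf /etc/proftpd/tls.conf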

Conclusion

By now you should have installed ProFTPD for transferring files and configured it so that you can establish a secure connection to your server.
