Setup FTP Server under Debian

From Thomas-Krenn-Wiki

ProFTPD is a widely used, highly configurable FTP server for UNIX-based operating systems. This article shows the installation and configuration of ProFTPD version 1.3.5b-4 under Debian Linux. In the example shown, TLS encryption is configured on the FTP server to encrypt the communication between the FTP client (e.g. FileZilla) and the ProFTPD server. Debian Stretch 9 was used as the test system.

Installation

The installation of ProFTPD is quickly done via the package management integrated in Debian.

sudo apt install proftpd-basic

If the package cannot be found, update the local list of packages using:

sudo apt update

If the package still cannot be installed after that, check the file /etc/apt/sources.list; there might be a problem with the Debian mirror server.


Adjusting the Configuration

The configuration of the ProFTPD server is described below. The /etc/proftpd/ directory contains the configuration files of ProFTPD.

Your own configuration files are best stored in the conf.d directory. The files in this directory remain unaffected by package updates. All files in the conf.d directory are included in proftpd.conf via the Include directive.

In this example, the file custom.conf is used to customize the ProFTPD server:

$ sudo vi /etc/proftpd/conf.d/custom.conf
# Ftp user doesn't need a valid shell
<Global>
    RequireValidShell off
</Global>
# If desired turn off IPv6
UseIPv6 off
# Chroot members of the ftpuser group to their home directory
DefaultRoot ~ ftpuser
# Limit login to the ftpuser group
<Limit LOGIN>
    DenyGroup !ftpuser
</Limit>

Afterwards, save the file and restart the ProFTPD server:

$ sudo systemctl restart proftpd.service

SSL/TLS-secured FTP-Connection with mod_tls

The TLS module enables an encrypted connection via SSL/TLS to the ProFTPD server.

Caution: Without encryption, the FTP protocol transmits both login and normal data in plain text! The use of SSL/TLS is therefore strongly recommended for production environments.

By default, ProFTPD supports the TLS module:

$ sudo proftpd -vv | grep tls
  mod_tls_memcache/0.1
  mod_tls/2.6

It is already included in /etc/proftpd/modules.conf and automatically active.

Create a Certificate

The following example uses the self-signed snakeoil certificate from the ssl-cert package:

$ sudo apt install ssl-cert
$ sudo make-ssl-cert generate-default-snakeoil --force-overwrite
$ sudo ls -la /etc/ssl/certs/ssl-cert-snakeoil.pem
-rw-r--r-- 1 root root 1021 Sep 29 12:16 /etc/ssl/certs/ssl-cert-snakeoil.pem
$ sudo ls -la /etc/ssl/private/ssl-cert-snakeoil.key
-rw-r----- 1 root ssl-cert 1704 Sep 29 12:16 /etc/ssl/private/ssl-cert-snakeoil.key

Configure TLS

The ProFTPD version 1.3.5b-4 in the Debian Stretch repository also supports TLSv1.2.[1]

In the conf.d directory, a separate configuration file for SSL/TLS is created:

$ sudo vi /etc/proftpd/conf.d/tls.conf
<IfModule mod_tls.c>
        TLSEngine on
        TLSLog /var/log/proftpd/tls.log
        TLSProtocol TLSv1.2
        TLSRSACertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        TLSRSACertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        TLSVerifyClient off
        TLSRequired on
</IfModule>

Please restart ProFTPD afterwards.
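
A check for the settings above, added here as an example and not part of the original article: it reads a mod_tls configuration file and reports when TLSEngine or TLSRequired is not on, when TLSProtocol admits anything other than TLSv1.2 or TLSv1.3, or when the private key is accessible to others. The function names, the temporary sample files and the weak variant are constructed for illustration; `stat -c` assumes GNU coreutils as shipped with Debian.

```shell
# Added example, not from the article: audit a ProFTPD mod_tls config file.
# Print the last value given for a directive (comment lines are skipped).
directive_value() {  # usage: directive_value FILE DIRECTIVE
    awk -v d="$2" '/^[ \t]*#/ { next }
        tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }' "$1"
}

# True when a boolean directive is set to "on" (any letter case).
is_on() { [ "$(directive_value "$1" "$2" | tr 'A-Z' 'a-z')" = on ]; }

# Print one finding per line; return 0 if the file passes, 1 otherwise.
audit_tls_conf() {  # usage: audit_tls_conf FILE
    local conf="$1" rc=0 p proto key mode
    is_on "$conf" TLSEngine || { echo "TLSEngine is not on: mod_tls is inactive"; rc=1; }
    is_on "$conf" TLSRequired || { echo "TLSRequired is not on: a channel may stay plaintext"; rc=1; }
    proto="$(directive_value "$conf" TLSProtocol)"
    [ -n "$proto" ] || { echo "TLSProtocol unset: server default applies"; rc=1; }
    for p in $proto; do
        case "$p" in
            TLSv1.2|TLSv1.3) ;;
            *) echo "TLSProtocol allows $p"; rc=1 ;;
        esac
    done
    key="$(directive_value "$conf" TLSRSACertificateKeyFile)"
    if [ -z "$key" ] || [ ! -e "$key" ]; then
        echo "private key file missing: ${key:-unset}"; rc=1
    else
        mode="$(stat -c '%a' "$key")"
        case "$mode" in
            *[1-7]) echo "private key accessible to others (mode $mode)"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# Constructed sample: write a tls.conf and an empty stand-in key into DIR.
make_sample() {  # usage: make_sample DIR PROTOCOLS REQUIRED KEYMODE
    mkdir -p "$1" && : > "$1/snakeoil.key" && chmod "$4" "$1/snakeoil.key"
    printf '%s\n' '<IfModule mod_tls.c>' '  TLSEngine on' "  TLSProtocol $2" \
        "  TLSRequired $3" "  TLSRSACertificateKeyFile $1/snakeoil.key" \
        '</IfModule>' > "$1/tls.conf"
}

tmp="$(mktemp -d)"
make_sample "$tmp/good" "TLSv1.2" on 640         # values shown in the article
make_sample "$tmp/weak" "TLSv1 TLSv1.2" off 644  # constructed weak variant
for c in good weak; do
    echo "== $c"; audit_tls_conf "$tmp/$c/tls.conf" || true
done
```

On a live system, point audit_tls_conf at /etc/proftpd/conf.d/tls.conf and run it with sudo, since the key under /etc/ssl/private is not visible to ordinary users.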

Create an FTP user

For FTP access, a dedicated user is created without a valid login shell and with the home directory /var/www/upload:

$ sudo adduser ftpuser --shell /bin/false --home /var/www/upload
Adding user `ftpuser' ...
Adding new group `ftpuser' (1001) ...
Adding new user `ftpuser' (1001) with group `ftpuser' ...
Creating home directory `/var/www/upload' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
[...]

Anonymous Connection

To allow anonymous read access, the following file is created:

$ sudo vi /etc/proftpd/conf.d/anon.conf
<Anonymous ~ftpuser>
        User    ftp
        Group   ftp
        # Users can also login with ftp
        UserAlias       anonymous       ftp
        # All files belong to ftp
        DirFakeUser on ftp
        DirFakeGroup on ftp
        RequireValidShell       off
        MaxClients      10
        <Directory *>
                <Limit WRITE>
                DenyAll
                </Limit>
        </Directory>
</Anonymous>

Add the user ftp to the ftpuser group to grant it access rights for the anonymous FTP area:

$ sudo adduser ftp ftpuser
Adding user `ftp' to group `ftpuser' ...
Adding user ftp to group ftpuser
Done.

Troubleshooting if connection issues occur

If you have problems setting up FTP connections, you can check the following things:

  1. Check if ProFTPD is running: $ sudo service proftpd status
  2. Check if ProFTPD is listening on port 21: $ sudo netstat -tlp|grep proftp
  3. Error messages in the ProFTPD logfile: $ sudo tail -20 /var/log/proftpd/proftpd.log
  4. Error messages in the ProFTPD TLS logfile: $ sudo tail -20 /var/log/proftpd/tls.log
  5. Test the connection on port 21 using telnet: $ telnet 192.0.2.10 21
  6. Test the connection on port 21 with TLS: $ openssl s_client -connect 192.0.2.10:21 -starttls ftp

Notification: memcache support not enabled

In some cases, when you restart the ProFTPD server, the following message may appear:

$ sudo service proftpd restart
[ ok ] Stopping ftp server: proftpd.
[....] Starting ftp server: proftpddebian proftpd[4856]: mod_tls_memcache/0.1: notice: unable to register 'memcache' SSL
session cache: Memcache support not enabled
. ok

The problem here is that the Debian package is not compiled with --enable-memcache.[2]

The module can therefore be commented out by inserting a hash sign at the beginning of the line:

$ sudo vi /etc/proftpd/modules.conf
[...]
# LoadModule mod_tls_memcache.c
[...]

A subsequent restart then completes without the memcache message:

$ sudo service proftpd restart
[ ok ] Stopping ftp server: proftpd.
[ ok ] Starting ftp server: proftpd.


Author: Thomas Niedermeier

Thomas Niedermeier, who works in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. He has been employed at Thomas-Krenn since 2013 and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.

