Setup FTP Server under Debian
ProFTPD is a widely used, highly configurable FTP server for UNIX-based operating systems. This article shows the installation and configuration of ProFTPD in version 1.3.5b-4 under Debian Linux. In the example shown, TLS encryption is configured on the FTP server to encrypt the communication between the FTP client (e.g. FileZilla) and the FTP server ProFTPD. Debian Stretch 9 was used as the test system.
Installation
The installation of ProFTPD is quickly done via the package management integrated in Debian.
sudo apt install proftpd-basic
If the package cannot be found, update the local list of packages using:
sudo apt update
If the package still cannot be installed after that, check the file /etc/apt/sources.list; there might be a problem with the Debian mirror server.
Adjusting the Configuration
The configuration of the ProFTPD server is described below. The /etc/proftpd/ directory contains the configuration files of ProFTPD.
Your own configuration files are best stored in the conf.d directory. The files in this directory remain unaffected by package updates. All files in the conf.d directory are included in proftpd.conf via the Include directive.
In this example, the custom.conf file is used to customize the ProFTPD server:
$ sudo vi /etc/proftpd/conf.d/custom.conf
# Ftp user doesn't need a valid shell
<Global>
RequireValidShell off
</Global>
# If desired turn off IPv6
UseIPv6 off
# Default directory is ftpusers home
DefaultRoot ~ ftpuser
# Limit login to the ftpuser group
<Limit LOGIN>
DenyGroup !ftpuser
</Limit>
Afterwards, save the file and restart the ProFTPD server:
$ sudo systemctl restart proftpd.service
SSL/TLS-secured FTP-Connection with mod_tls
The TLS module enables an encrypted connection via SSL/TLS to the ProFTPD server.
Caution: Without encryption, the FTP protocol transmits both login and normal data in plain text! The use of SSL/TLS is therefore strongly recommended for production environments.
By default, ProFTPD supports the TLS module:
$ sudo proftpd -vv | grep tls
mod_tls_memcache/0.1
mod_tls/2.6
It is already included in /etc/proftpd/modules.conf and automatically active.
Create a Certificate
The following example uses the self-signed snakeoil certificate from the ssl-cert package:
$ sudo apt install ssl-cert
$ sudo make-ssl-cert generate-default-snakeoil --force-overwrite
$ sudo ls -la /etc/ssl/certs/ssl-cert-snakeoil.pem
-rw-r--r-- 1 root root 1021 Sep 29 12:16 /etc/ssl/certs/ssl-cert-snakeoil.pem
$ sudo ls -la /etc/ssl/private/ssl-cert-snakeoil.key
-rw-r----- 1 root ssl-cert 1704 Sep 29 12:16 /etc/ssl/private/ssl-cert-snakeoil.key
Configure TLS
The ProFTPD version 1.3.5b-4 in the Debian Stretch repository also supports TLSv1.2.[1]
In the conf.d directory, a separate configuration file for SSL/TLS is created:
$ sudo vi /etc/proftpd/conf.d/tls.conf
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.2
TLSRSACertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
TLSRSACertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
TLSVerifyClient off
TLSRequired on
</IfModule>
Please restart ProFTPD afterwards.
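The following check is an added example, not part of the original article or of ProFTPD: a small shell audit that reads a mod_tls configuration file and reports deviations from the settings above (TLSEngine on, TLSRequired on, TLSProtocol without legacy versions). The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a ProFTPD TLS config for the settings this article uses.

# Print the arguments of the last active (non-comment) occurrence of a directive.
directive_value() {
    awk -v d="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }' "$2"
}

# audit_tls_conf FILE: print findings; return 0 if clean, 1 otherwise.
# Assumes the plain list form of TLSProtocol, as in the article's tls.conf.
audit_tls_conf() {
    conf=$1; rc=0
    [ "$(directive_value TLSEngine "$conf" | tr 'A-Z' 'a-z')" = "on" ] ||
        { echo "FAIL: TLSEngine is not on"; rc=1; }
    # The article sets "on"; any other value is reported for review.
    [ "$(directive_value TLSRequired "$conf" | tr 'A-Z' 'a-z')" = "on" ] ||
        { echo "FAIL: TLSRequired is not on, parts of a session may stay in plain text"; rc=1; }
    proto=$(directive_value TLSProtocol "$conf")
    [ -n "$proto" ] || { echo "FAIL: TLSProtocol is not set explicitly"; rc=1; }
    for p in $proto; do
        case $p in
            SSLv23|SSLv3|TLSv1|TLSv1.1)
                echo "FAIL: legacy protocol $p is enabled"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample (not from the article): a weakened tls.conf.
sample_weak_conf() {
    cat <<'EOF'
<IfModule mod_tls.c>
TLSEngine on
TLSProtocol SSLv3 TLSv1.2
# TLSRequired on
TLSRequired off
</IfModule>
EOF
}

# Audit the file given as argument, or the constructed sample if none is given.
if [ $# -gt 0 ]; then
    audit_tls_conf "$1"
else
    tmp=$(mktemp); sample_weak_conf > "$tmp"
    audit_tls_conf "$tmp" || true
    rm -f "$tmp"
fi
```

Run against the real file with: sh audit.sh /etc/proftpd/conf.d/tls.conf (the script name is arbitrary); a non-zero exit status means at least one finding.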
Create an FTP user
A dedicated user is created for FTP access, without a valid login shell and with the home directory /var/www/upload:
$ sudo adduser ftpuser --shell /bin/false --home /var/www/upload
Adding user `ftpuser' ...
Adding new group `ftpuser' (1001) ...
Adding new user `ftpuser' (1001) with group `ftpuser' ...
Creating home directory `/var/www/upload' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
[...]
Anonymous Connection
To allow anonymous read access, the following file is created:
$ sudo vi /etc/proftpd/conf.d/anon.conf
<Anonymous ~ftpuser>
User ftp
Group ftp
# Users can also login with ftp
UserAlias anonymous ftp
# All files belong to ftp
DirFakeUser on ftp
DirFakeGroup on ftp
RequireValidShell off
MaxClients 10
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
</Anonymous>
Add the user ftp to the ftpuser group to grant it access rights for the anonymous FTP area:
$ sudo adduser ftp ftpuser
Adding user `ftp' to group `ftpuser' ...
Adding user ftp to group ftpuser
Done.
Troubleshooting if connection issues occur
If you have problems setting up FTP connections, you can check the following things:
- Check if ProFTPD is running:
$ sudo service proftpd status
- Check if ProFTPD is listening on port 21:
$ sudo netstat -tlp|grep proftp
- Error messages in the ProFTPD logfile:
$ sudo tail -20 /var/log/proftpd/proftpd.log
- Error messages in the ProFTPD TLS logfile:
$ sudo tail -20 /var/log/proftpd/tls.log
- Test the connection on port 21 using telnet:
$ telnet 192.0.2.10 21
- Test the connection on port 21 with TLS:
$ openssl s_client -connect 192.0.2.10:21 -starttls ftp
Notification: memcache support not enabled
In some cases, when you restart the ProFTPD server, the following message may appear:
$ sudo service proftpd restart
[ ok ] Stopping ftp server: proftpd.
[....] Starting ftp server: proftpddebian proftpd[4856]: mod_tls_memcache/0.1: notice: unable to register 'memcache' SSL
session cache: Memcache support not enabled
. ok
The problem here is that the Debian package is not compiled with --enable-memcache.[2]
The module can therefore be commented out by inserting a hash sign in front of the line:
$ sudo vi /etc/proftpd/modules.conf
[...]
# LoadModule mod_tls_memcache.c
[...]
A subsequent restart will take place without the memcache message:
$ sudo service proftpd restart
[ ok ] Stopping ftp server: proftpd.
[ ok ] Starting ftp server: proftpd.
References
- [1] ProFTPD 1.3.5 Release Notes (www.proftpd.org)
- [2] #707680 proftpd-basic: mod_tls_memcache/0.1 unable to register 'memcache' SSL session cache (Debian Bug Report)
Additional information
- The ProFTPD Project (www.proftpd.org)
- ProFTPD (Professional FTP Daemon) (http://www.castaglia.org)
Author: Thomas Niedermeier. Thomas Niedermeier, who works in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. He has been employed at Thomas-Krenn since 2013 and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.