Transferring files through FTP (File Transfer Protocol) is probably the most popular method of uploading files to a server. ProFTPD is a popular and versatile FTP server that is available as open source software and supports TLS (SSL) for secure connections.

By default, FTP is an insecure protocol because passwords and data are transferred in clear text. With TLS, the whole communication can be encrypted, which makes FTP safer.

This article describes how to configure ProFTPD with TLS on Ubuntu Server 16.04 LTS.

Prerequisites

  1. Ubuntu Server 16.04 64bit
  2. sudo/root privileges

What we will do in this tutorial

  1. Install ProFTPD and TLS.
  2. Configure ProFTPD.
  3. Add an FTP user.
  4. Configure TLS in ProFTPD.
  5. Testing.

Install ProFTPD and OpenSSL

ProFTPD and OpenSSL are available in the Ubuntu repository, so we can install them with the apt command:

sudo apt-get install -y proftpd openssl

When the installation begins, you will be asked to run ProFTPD as an inetd or standalone server. Choose the standalone option here and click Ok.

Run ProFTPD as standalone server

Configure ProFTPD

Once ProFTPD is installed, you will have to adjust the configuration to make it a fully functional and secure server. The ProFTPD configuration file is located in the /etc/proftpd/ directory – edit the file proftpd.conf.

cd /etc/proftpd/
vim proftpd.conf

In the ServerName line, replace the value with your hostname or domain:

ServerName                      "My FTP-Server"

Uncomment the DefaultRoot line to jail all users in their home directories:

DefaultRoot   		~

Then restart ProFTPD with the systemctl command:

systemctl restart proftpd

Add an FTP User

There are two types of FTP users available, the anonymous FTP user and ‘normal’ FTP users:

1. Anonymous FTP: The FTP server provides access to anyone, without requiring a user account and password. This should not be used on a publicly available server, but might be an option for a home server or a company LAN.
2. FTP User: Only those who have a user account and password can access the FTP server.

Before you create a user for the FTP server, please add /bin/false to your /etc/shells file.

echo "/bin/false" >> /etc/shells

Now create a user with its own home directory and no shell access; this user will then be granted access to the FTP server.

useradd -m -s /bin/false zenko
passwd zenko

The above commands create a new user called zenko with the home directory /home/zenko/ and with /bin/false as its login shell (no shell access), and set its password.

Add FTP user and set a password

Now, configure ProFTPD to allow access for the user zenko to the FTP server.

cd /etc/proftpd/conf.d/
vim zenko.conf

Add this configuration to the file to allow the user zenko to log in and upload/download files to/from the server:

<Directory /home/zenko>
    Umask 022 022
    AllowOverwrite off
    <Limit LOGIN>
        AllowUser zenko
        DenyAll
    </Limit>
    <Limit ALL>
        Order Allow,Deny
        AllowUser zenko
        Deny ALL
    </Limit>
    # Write commands: create/remove directories, upload, delete, rename
    <Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
        AllowUser zenko
        Deny ALL
    </Limit>
</Directory>

Save the file and exit vim. Then restart ProFTPD.

systemctl restart proftpd

You can use FTP at this stage already, but we will make it safer by using TLS in the next step.

Configure TLS with ProFTPD

To use TLS, you must create an SSL certificate. Generate a self-signed SSL certificate with the openssl command:

openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -nodes -days 365

The above command will generate a certificate file proftpd.crt in the /etc/ssl/certs/ directory, and certificate key file proftpd.key in the /etc/ssl/private/ directory.

Create a SSL certificate with OpenSSL

Next, set the permissions of the certificate and key files to 600:

chmod 600 /etc/ssl/certs/proftpd.crt
chmod 600 /etc/ssl/private/proftpd.key

Now, come back to the /etc/proftpd directory and configure ProFTPD to use the SSL certificate that you generated.

cd /etc/proftpd/
vim proftpd.conf

Uncomment the TLS line:

Include /etc/proftpd/tls.conf

Save the file and exit.

Next, edit the TLS configuration file to enable secure authentication:

vim tls.conf

Uncomment all these lines:

TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv23

TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key

TLSOptions                              NoCertRequest EnableDiags

TLSVerifyClient                         off

TLSRequired                             on

Save and exit. The last step is to restart the ProFTPD server:

systemctl restart proftpd
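
An added example, not part of the original tutorial: a shell check that can be run against tls.conf whenever it is edited. It reports required directives that are still commented out and a TLSProtocol value that admits legacy protocol versions, such as the SSLv23 setting above. The function name audit_tls_conf and the sample file are constructed for illustration, and only the plain protocol-list form of TLSProtocol is handled.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit the directives in tls.conf.
# audit_tls_conf is a hypothetical helper; it prints one finding per line
# and prints nothing when the file passes.
audit_tls_conf() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }        # skip comments and blank lines
        { key = tolower($1); val = tolower($2); seen[key] = 1 }
        key == "tlsengine"   && val != "on" { print "TLSEngine is not on" }
        key == "tlsrequired" && val != "on" {
            print "TLSRequired is " $2 ": unencrypted sessions still possible"
        }
        key == "tlsprotocol" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(SSLv23|SSLv3|TLSv1|TLSv1[.]1)$/)
                    print "TLSProtocol allows legacy versions: " $i
        }
        END {
            n = split("tlsengine tlsrequired tlsprotocol tlsrsacertificatefile tlsrsacertificatekeyfile", need, " ")
            for (i = 1; i <= n; i++)
                if (!(need[i] in seen)) print "missing directive: " need[i]
        }
    ' "$1"
}

# Constructed sample: the tutorial's tls.conf with TLSRequired left commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv23
TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key
TLSOptions                              NoCertRequest EnableDiags
TLSVerifyClient                         off
#TLSRequired                             on
EOF
audit_tls_conf "$sample"
rm -f "$sample"
```

On the real server, run it as audit_tls_conf /etc/proftpd/tls.conf; an empty result means every directive checked here is set as intended.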

Testing ProFTPD

To test the configuration, try connecting to your FTP server with software like FileZilla (I’m using FileZilla here), and fill in the server IP, username, password, and port:

Server IP : 192.168.1.246
username : zenko
Password : ******
Port : 21

Then click Quickconnect. You will be asked to confirm the SSL certificate – just click OK.

Connect to FTP server with FileZilla

You’ll see that you have been logged in to the FTP server over TLS/SSL.

FTP server connection was successful
