Transferring files via FTP (File Transfer Protocol) is probably still one of the most popular ways to upload files to a server. ProFTPD is a popular and versatile FTP server that is available as open-source software and supports TLS (SSL) for secure connections.
By default, FTP is an insecure protocol as passwords and data are transferred in cleartext. By using TLS, as we do in this guide, all communication can be encrypted, making FTP more secure.
This article describes how to configure ProFTPD with TLS on Ubuntu Server 20.04 LTS.
Prerequisites
- Ubuntu Server 20.04 64bit
- sudo/root privileges
What we will do in this tutorial
- Install ProFTPD and TLS.
- Configure ProFTPD.
- Add an FTP user.
- Configure TLS in ProFTPD.
- Testing.
Install ProFTPD and OpenSSL
ProFTPD and OpenSSL are available in the Ubuntu repository, so we can install them with the apt command:
sudo apt-get install -y proftpd openssl
The installation process will not request any input.
Now we will verify that ProFTPD has been installed and started. Run this command to check the installed ProFTPD version:
sudo proftpd --version
Next, check the service status with the systemctl command:
sudo systemctl status proftpd
Configure ProFTPD
Once ProFTPD is installed, you will have to adjust the configuration to make it a fully functional and secure server. The ProFTPD configuration file is located in the /etc/proftpd/ directory – edit the file proftpd.conf.
sudo nano /etc/proftpd/proftpd.conf
In the ServerName line, replace the value with your hostname or domain:
ServerName "My FTP-Server"
Uncomment the DefaultRoot line to jail all users in their home directories:
DefaultRoot ~
Then restart ProFTPD with the systemctl command:
sudo systemctl restart proftpd
Add an FTP User
There are two types of FTP users available, the anonymous FTP user and ‘normal’ FTP users:
- Anonymous FTP: The FTP server provides access to anyone, without requiring a user account and password. This should not be used on a publicly available server, but might be an option for a home server or a company LAN.
- FTP User: Only those who have a user account and password can access the FTP server.
Before you create a user for the FTP server, add /bin/false to your /etc/shells file. The redirection has to run with root privileges, so pipe the line through sudo tee:
echo "/bin/false" | sudo tee -a /etc/shells
Now create a user with its own home directory and shell access disabled, then set a password for it. Access to the FTP server is granted in the next step.
sudo useradd -m -s /bin/false tom
sudo passwd tom
The first command creates a new user called tom with the home directory /home/tom/ and /bin/false as its shell, so it has no shell access. The second command sets the user's password.
Now, configure ProFTPD to allow access for the user tom to the FTP server.
sudo nano /etc/proftpd/conf.d/tom.conf
Add this configuration to the file to allow user tom to log in and to upload and download files:
<Directory /home/tom>
  Umask 022 022
  AllowOverwrite off
  <Limit LOGIN>
    AllowUser tom
    DenyALL
  </Limit>
  <Limit ALL>
    Order Allow,Deny
    AllowUser tom
    Deny ALL
  </Limit>
  <Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
    AllowUser tom
    Deny ALL
  </Limit>
</Directory>
Save the file and exit nano. Then restart ProFTPD.
sudo systemctl restart proftpd
You can use FTP at this stage already, but we will make it safer by using TLS in the next step.
Configure TLS with ProFTPD
To use TLS, you must create an SSL certificate. Generate a self-signed certificate with the OpenSSL command:
sudo openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -nodes -days 365
The above command will generate a certificate file proftpd.crt in the /etc/ssl/certs/ directory, and certificate key file proftpd.key in the /etc/ssl/private/ directory.
Next, change the permissions of the certificate and key files to 600:
sudo chmod 600 /etc/ssl/certs/proftpd.crt
sudo chmod 600 /etc/ssl/private/proftpd.key
Now, come back to the /etc/proftpd directory and configure ProFTPD to use the SSL certificate that you generated.
sudo nano /etc/proftpd/proftpd.conf
Uncomment the TLS line:
Include /etc/proftpd/tls.conf
Save the file and exit.
Next, edit the TLS configuration file to enable secure authentication:
sudo nano /etc/proftpd/tls.conf
Uncomment all these lines:
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
TLSVerifyClient off
TLSRequired on
Save and exit. The last step is to restart the ProFTPD server:
sudo systemctl restart proftpd
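The check below is an added example, not part of the original guide or of ProFTPD: a small shell audit of the tls.conf directives enabled above. The function names and the embedded sample file are constructed for illustration. It flags TLSProtocol SSLv23, a compatibility value that admits protocol versions older than TLS 1.2; setting TLSProtocol TLSv1.2 instead clears that finding.

```sh
#!/bin/sh
# Added example: audit the tls.conf directives this guide enables.

# Print the arguments of the last uncommented NAME directive in FILE.
# Directive names are compared case-insensitively.
directive_value() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(name) { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { print val }' "$1"
}

flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

# Print one line per finding; return non-zero if there is any.
# Only plain version lists are handled, not the "ALL -SSLv3" +/- syntax.
audit_tls_conf() {
    findings=0
    [ "$(directive_value "$1" TLSEngine)" = "on" ] || flag "TLSEngine is not on"
    [ "$(directive_value "$1" TLSRequired)" = "on" ] ||
        flag "TLSRequired is not on, cleartext FTP may still be accepted"
    proto=$(directive_value "$1" TLSProtocol)
    [ -n "$proto" ] || flag "TLSProtocol is not set explicitly"
    for p in $proto; do
        case $p in
            SSLv23|SSLv3|TLSv1|TLSv1.1) flag "TLSProtocol allows legacy version $p" ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: the settings from this guide.
sample=$(mktemp)
cat > "$sample" <<'EOF'
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired
TLSVerifyClient off
TLSRequired on
EOF
audit_tls_conf "$sample" || echo "review the findings above"
rm -f "$sample"
```

Against the running server, openssl s_client -connect 192.168.0.100:21 -starttls ftp shows which protocol version is actually negotiated.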
Testing ProFTPD
To test the configuration, try connecting to your FTP server with software like FileZilla (I’m using FileZilla here), and fill in the server IP, username, password, and port:
Server IP : 192.168.0.100
Username : tom
Password : ******
Port : 21
And then click Quickconnect.
Click ‘OK’ to confirm our self-signed SSL certificate.
You’ll see that you have been logged in to the FTP server with the TLS/SSL certificate.