How to Install ProFTPD with TLS on Ubuntu 20.04 LTS

Transferring files via FTP (File Transfer Protocol) is probably still one of the most popular ways to upload files to a server. ProFTPD is a popular and versatile FTP server that is available as open-source software and supports TLS (SSL) for secure connections.

By default, FTP is an insecure protocol as passwords and data are transferred in cleartext. By using TLS, as we do in this guide, all communication can be encrypted, making FTP more secure.

This article describes how to configure ProFTPD with TLS on Ubuntu Server 20.04 LTS.

Prerequisites

  1. Ubuntu Server 20.04 64bit
  2. sudo/root privileges

What we will do in this tutorial

  1. Install ProFTPD and OpenSSL.
  2. Configure ProFTPD.
  3. Add an FTP user.
  4. Configure TLS in ProFTPD.
  5. Testing.

Install ProFTPD and OpenSSL

ProFTPD and OpenSSL are available in the Ubuntu repository, so we can install them with the apt command:

sudo apt-get install -y proftpd openssl

The installation process will not request any input.

Now we will verify that ProFTPD has been installed and started. Run this command to check the installed ProFTPD version:

sudo proftpd --version

Next, check the service status with the systemctl command:

sudo systemctl status proftpd

Configure ProFTPD

Once ProFTPD is installed, you will have to adjust the configuration to make it a fully functional and secure server. The ProFTPD configuration file is located in the /etc/proftpd/ directory – edit the file proftpd.conf.

sudo nano /etc/proftpd/proftpd.conf

In the ServerName line, replace the value with your hostname or domain:

ServerName                      "My FTP-Server"

Uncomment the DefaultRoot line to jail all users in their home directories:

DefaultRoot                     ~

Then restart ProFTPD with the systemctl command:

sudo systemctl restart proftpd

Add an FTP User

There are two types of FTP users available, the anonymous FTP user and ‘normal’ FTP users:

  1. Anonymous FTP: The FTP server provides access to anyone, without requiring a user account and password. This should not be used on a publicly available server, but might be an option for a home server or a company LAN.
  2. FTP User: Only those who have a user account and password can access the FTP server.

Before you create a user for the FTP server, please add /bin/false to your /etc/shells file.

echo "/bin/false" | sudo tee -a /etc/shells

Now create a user with a specific home directory, disable shell access for it, and then grant it access to the FTP server.

sudo useradd -m -s /bin/false tom
sudo passwd tom

The above commands create a new user called tom with the home directory /home/tom/ and with /bin/false as the login shell, so the account has no shell access.

Now, configure ProFTPD to allow access for the user tom to the FTP server.

sudo nano /etc/proftpd/conf.d/tom.conf

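Add the following configuration to this file to allow user tom to log in and upload/download files to/from the server:

<Directory /home/tom>
  # New files are created with mode 644, new directories with mode 755
  Umask 022 022
  AllowOverwrite off
  # Note: per the ProFTPD documentation, <Limit LOGIN> only takes effect in
  # server config, <VirtualHost> or <Anonymous> context, not in <Directory>
  <Limit LOGIN>
    AllowUser tom
    DenyAll
  </Limit>
  # All FTP commands in this directory: only tom is allowed
  <Limit ALL>
    Order Allow,Deny
    AllowUser tom
    Deny ALL
  </Limit>
  # Commands that create, upload, delete or rename: only tom is allowed
  <Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
    AllowUser tom
    Deny ALL
  </Limit>
</Directory>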

Save the file and exit nano. Then restart ProFTPD.

sudo systemctl restart proftpd

You can use FTP at this stage already, but we will make it safer by using TLS in the next step.

Configure TLS with ProFTPD

To use TLS, you must create an SSL certificate. Generate a self-signed certificate with the OpenSSL command:

sudo openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -nodes -days 365

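The above command will generate a certificate file proftpd.crt in the /etc/ssl/certs/ directory, and a certificate key file proftpd.key in the /etc/ssl/private/ directory. Because of the -nodes option, the key is stored without a passphrase, so access to the key file has to be restricted through its permissions.

Next, change the permissions of the certificate and key files to 600: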

sudo chmod 600 /etc/ssl/certs/proftpd.crt
sudo chmod 600 /etc/ssl/private/proftpd.key

Now, come back to the /etc/proftpd directory and configure ProFTPD to use the SSL certificate that you generated.

sudo nano /etc/proftpd/proftpd.conf

Uncomment the TLS line:

Include /etc/proftpd/tls.conf

Save proftpd.conf and exit.

Next, edit the TLS configuration file to enable secure authentication:

sudo nano /etc/proftpd/tls.conf

Uncomment all these lines:

TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv23

TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key

TLSOptions                      NoCertRequest EnableDiags NoSessionReuseRequired

TLSVerifyClient                         off

TLSRequired                             on

Save and exit. The last step is to restart the ProFTPD server:

sudo systemctl restart proftpd
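
To check the result of the TLS steps above, this added example (not part of the original guide or of ProFTPD) audits a tls.conf for the directives enabled here and flags settings such as the guide's TLSProtocol SSLv23, which still permits protocol versions older than TLSv1.2. The function names directive_value, is_on and audit_proftpd_tls are hypothetical.

```shell
#!/bin/sh
# Added example: audit the tls.conf directives this guide enables.
# Assumptions: plain "Directive value" lines; TLSProtocol's +/- modifier
# syntax is not interpreted, and ALL is flagged conservatively.

# Print the value of the last uncommented occurrence of directive $2 in file $1.
directive_value() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { print val }' "$1"
}

# True when directive $2 in file $1 is set to "on" (any letter case).
is_on() {
    [ "$(directive_value "$1" "$2" | tr 'A-Z' 'a-z')" = "on" ]
}

# Print one finding per line; exit status is 0 only when nothing was found.
audit_proftpd_tls() {
    conf=$1
    findings=""
    note() { findings="${findings}$1
"; }

    is_on "$conf" TLSEngine   || note "TLSEngine is not on: mod_tls is inactive"
    is_on "$conf" TLSRequired || note "TLSRequired is not on: cleartext FTP is still accepted"

    proto=$(directive_value "$conf" TLSProtocol)
    [ -n "$proto" ] || note "TLSProtocol is not set explicitly"
    for p in $proto; do
        case $p in
            SSLv23|SSLv3|TLSv1|TLSv1.1|ALL)
                note "TLSProtocol $p permits protocol versions older than TLSv1.2" ;;
        esac
    done

    key=$(directive_value "$conf" TLSRSACertificateKeyFile)
    if [ -n "$key" ] && [ -e "$key" ]; then
        # Characters 5-10 of the ls mode string are the group/other bits.
        [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
            note "private key $key is accessible to group or others"
    fi

    printf '%s' "$findings"
    [ -z "$findings" ]
}
```

On the server, call audit_proftpd_tls /etc/proftpd/tls.conf as root; a non-zero exit status means at least one finding was printed.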

Testing ProFTPD

To test the configuration, try connecting to your FTP server with software like FileZilla (I’m using FileZilla here), and fill in the server IP, username, password, and port:

Server IP : 192.168.0.100
Username : tom
Password : ******
Port : 21

And then click Quickconnect.

Click ‘OK’ to confirm our self-signed SSL certificate.

You’ll see that you have been logged in to the FTP server over a connection secured with the TLS/SSL certificate.
