The File Transfer Protocol (FTP) is still a widely used technology to move files over a computer network. It is famous for being lightweight, and easy to set up and use. FTP has a bad reputation as an insecure protocol because it transmits passwords and data in plain text. However, modern FTP servers like ProFTPD support FTP over TLS, so the connection is encrypted using TLS/SSL. In this tutorial, I will show you how to configure ProFTPD so that the connection is encrypted using TLS.
ProFTPD is an open-source FTP server application that lets you set up your own FTP servers on Linux machines, particularly dedicated servers or cloud instances. We are going to install the latest version of ProFTPD on an Ubuntu 22.04 machine using Focal Fossa repositories, but it should work fine on most Debian-based distributions as well. We will also set up TLS to secure the FTP connections.
- A fresh server instance, with Ubuntu 22.04 (Focal Fossa) installed.
- Sudo/root privileges for installing/configuring applications.
Updating your system
It is always a good idea to update your system before installing any packages or software, especially when it comes from external repositories. We will use the “apt-get” utility for that:
sudo apt-get update -y
sudo apt-get upgrade -y
If there are any kernel updates, reboot your server to apply the changes:
sudo reboot now
Installing ProFTPD Server
Now that your system is up to date, we can continue with the installation of ProFTPD.
By default, ProFTPD is available in the Focal Fossa repositories, and you can install it with the following command:
sudo apt install proftpd -y
Once the installation is completed, you can start the proftpd service and enable it to start automatically at boot time.
sudo systemctl start proftpd
sudo systemctl enable proftpd
Now that the service is running, we can check its status using:
sudo systemctl status proftpd
The status shows active (running) in green, so it is safe to conclude that the proftpd daemon is working as expected.
The default configuration file of ProFTPD is /etc/proftpd/proftpd.conf.
You can view the content of the configuration file by running:
sudo nano /etc/proftpd/proftpd.conf
The configuration is broken down into a number of sections of directives. Let’s take a look at those directives.
The DefaultRoot directive tells the FTP server where to serve files by default. The value of DefaultRoot can be either an absolute or relative path. When the DefaultRoot directive is set to ~ (the tilde character), the users will be restricted to their home directories. You can change the path to another folder for example:
You can use various directives to set each user to a specific directory. For example:
DefaultRoot /home/linux A
DefaultRoot / B
Those lines indicate that user A will be logged in to the /home/linux directory and user B will be logged in to the entire system.
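ProFTPD's documentation gives the syntax as DefaultRoot directory [group-expression], so the A and B in the lines above are matched against group names. The fragment below is an added example, not part of the original tutorial; the group name ftpshared and the path /srv/ftp/shared are hypothetical.

```apache
# /etc/proftpd/proftpd.conf (fragment)
# Syntax: DefaultRoot <directory> [group-expression]

# Members of the hypothetical group "ftpshared" are confined to one
# shared tree (hypothetical path) instead of their home directories.
DefaultRoot /srv/ftp/shared ftpshared

# Every other user is confined to their own home directory.
# The expression is the negation of the one above, so the two rules
# are mutually exclusive and exactly one applies to any login.
DefaultRoot ~ !ftpshared

# No rule here uses "/" as the root: a user whose DefaultRoot is "/"
# can browse the whole filesystem with their account's permissions.
```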
The ServerName directive is used to define a name for the FTP server. This directive can be used in logs and notifications, so you should set it to a descriptive name that is meaningful to you.
The Port directive defines the port number on which the FTP server will be listening for connections. The default value of this directive is 21.
Creating ProFTPD Users
For security reasons, you should create a dummy user account, with restricted permission, that only has access to their home directory. This is good practice to follow when you allow users to upload or download files on your FTP server.
The installed version of ProFTPD doesn’t come with pre-created users and configuration options out of the box. We will need to add a new user for this purpose.
Let’s create an FTP user vitux with the folder /home/vitux as the home folder.
sudo useradd -m vitux
Create a new password for the new user.
sudo passwd vitux
Now you can test the FTP connection using the user “vitux”. Open your preferred FTP client (FileZilla, WinSCP, CoreFTP or any others), fill in the details such as IP address, username, password, and Port and click on Quick Connect.
As you can see, we can now access the FTP server with the newly created user. The ProFTPD server is running and working as expected.
In case you want to add more users, simply create them using the useradd command with your desired username. You can also grant root privileges to an FTP user if needed.
Configure TLS for ProFTPD
To secure the FTP connection, you can use TLS. In this section, we will configure ProFTPD with a TLS certificate from Let’s Encrypt (a free SSL provider) and activate the newly created certificate within the configuration file.
First, install OpenSSL:
sudo apt-get install openssl -y
Now that we have OpenSSL installed, let’s generate an SSL certificate.
sudo openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -nodes -days 365
Let’s take a quick look at what is happening here. The command generates a new private key and a self-signed certificate under /etc/ssl and gives the certificate a validity of one year (365 days). The -keyout and -out options specify the private key file and the certificate file. You will have to answer some questions about your organization. Just type in each answer and hit Enter.
The above command will create two files: proftpd.key and proftpd.crt that we will need to configure ProFTPD.
Change the permissions of the key and certificate files to 600.
sudo chmod 600 /etc/ssl/private/proftpd.key
sudo chmod 600 /etc/ssl/certs/proftpd.crt
Now we need to edit the main configuration file, located at /etc/proftpd/proftpd.conf, and add some information about our newly created certificate files.
sudo nano /etc/proftpd/proftpd.conf
Uncomment the SSL and TLS section by deleting the “#” at the beginning of the line, so you can use FTP over SSL.
Save and close the file. Now let’s configure the tls.conf file:
sudo nano /etc/proftpd/tls.conf
Find and uncomment the following lines by deleting the “#” at the beginning of each line.
Save and close the file. Don’t forget to restart the service.
sudo systemctl restart proftpd
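For reference, the two files could look like this once the lines are uncommented. This is an added example, not the tutorial's own listing: it assumes the Debian/Ubuntu package layout and the certificate paths used above, and it sets TLSRequired on so that clients cannot fall back to an unencrypted login.

```apache
# /etc/proftpd/proftpd.conf
# Pull in the TLS settings (assumed to be the commented-out Include
# line in the packaged configuration file).
Include /etc/proftpd/tls.conf

# /etc/proftpd/tls.conf
# The IfModule wrapper means this block is skipped silently when
# mod_tls is not loaded, so check the TLS log after restarting.
<IfModule mod_tls.c>
  # Turn on FTP over TLS on the normal control port.
  TLSEngine                 on
  TLSLog                    /var/log/proftpd/tls.log

  # Offer only a modern protocol version; add TLSv1.3 if your
  # ProFTPD release accepts it.
  TLSProtocol               TLSv1.2

  # Certificate and key generated earlier in this tutorial.
  TLSRSACertificateFile     /etc/ssl/certs/proftpd.crt
  TLSRSACertificateKeyFile  /etc/ssl/private/proftpd.key

  # Do not ask clients for a certificate; users log in with passwords.
  TLSVerifyClient           off

  # Refuse plain-text sessions on both the control and data channels.
  TLSRequired               on
</IfModule>
```

Running sudo proftpd -t before the restart reports syntax errors in either file, and openssl s_client -connect <server>:21 -starttls ftp shows the negotiated protocol and the certificate the server presents.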
If you want to check if everything is working as expected, use an FTP client and connect to your server with SSL enabled. You should be presented with a TLS warning from your FTP client.
It is common to get TLS warnings from FTP clients. After you allow or OK the warning, the SSL connection should be established and you can continue to use the FTP client as usual.
In this tutorial, we have installed ProFTPD on our Ubuntu 20.04 server, created a user for FTP connection and tested its functionality. We have also configured TLS to secure the FTP connection from eavesdropping or tampering with data in transit. In case you need more information about ProFTPD configuration options, make sure to check their official documentation.