From vWiki
Revision as of 09:15, 22 May 2012 by Sstrutt (talk | contribs) (Enable TLS Encryption (FTPS): typo fix)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

All procedures etc on this page have been created by me, with usage of the ProFTPD manual, unless otherwise stated.


On Ubuntu the basic install is incredibly taxing, as you'd expect...

  1. Start installation
    • apt-get install proftpd
  2. When prompted, select the following options
    • Accept "unable to authenticate"
    • Select "standalone"

This will provide access to existing users of the server (no anonymous access). Users will be directed to their home directory, but able to change into any other directory on the system (so the same permissions as is they were SSH'ed to the system).

Suggested config changes (edit /etc/proftpd/proftpd.conf )...

  • ServerName "name"
    • This is displayed during login, and can be useful to remind/verify that you've logged into the correct server (though isn't shown if you enable DeferWelcome )
  • DeferWelcome on
    • Prevents welcome message being displayed until after successful login, which restricts what information might be given away to unwanted probers, such as local IP address. Note that the fact that its a ProFTPD serer and the running version is still displayed unless you set in ServerIdent!
  • ServerIdent on "FTP Server ready"
    • Sets the message displayed on initial connect (on by default)
  • DefaultRoot ~

To limit which systems users are allowing to login, use the following in /etc/proftpd/proftpd.conf ...

<Limit LOGIN>
  AllowUser usera, userb

Enable TLS Encryption (FTPS)

Unlike HTTPS, where a different TCP port is used to differentiate from HTTPS; this is not required for FTPS, which can use the same default ports as for FTP (TCP 20 and 21).

  1. Obtain / create appropriate certificates (see Create Self-Signed Certificate for info), required files...
    • Certificate Authority certificate (eg self-ca.crt )
    • Server Private Key (eg my-server.key )
    • Server Site Certificate (eg ftp-my-server.crt )
  2. Edit master config file, /etc/proftpd/tls.conf and uncomment TLS config include
    • Include /etc/proftpd/tls.conf
  3. Edit /etc/proftpd/tls.conf as shown below
  4. Restart the ProFTPD service
    • service proftpd restart
TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv3 TLSv1

TLSRSACertificateFile                   /etc/proftpd/ftp-my-server.crt
TLSRSACertificateKeyFile                /etc/apache2/ssl/web2-server.key
TLSCACertificateFile                    /etc/apache2/ssl/self-ca.crt

TLSVerifyClient                         off
TLSRequired                             off

Create Locked Down User

The following example creates a user with access to a specific (home) directory only.

The example creates the user ftp-user , with access tied to an existing folder /var/www/wp (which could be the root of a WordPress blog, allowing one-click updating of the software from the WordPress interface)

  1. Create a dummy (non existent) shell, by editing /etc/shells
    • /bin/false
  2. Create user account with home dir, and no shell
    • useradd ftp-user -p ftp-password -d /var/www/wp -s /bin/false

Note that unless the user (ftp-user in the above example) has access to write in the folder already, that user will not be able to write. Assuming that the group ownership for the files in folder is www-data, then the user will need to be added to the www-data group. To determine which group has rights over the files, do a ls -l in the directory, the second name is the group, so in the example below, the user is me and the group is www-data...

root@server:/var/www/wp# ls -l
total 332
-rw-rw-r-- 1 me     www-data  4268 2010-10-20 15:40 wp-activate.php
drwxrwxr-x 9 me     www-data  4096 2011-01-03 20:53 wp-admin
-rw-rw-r-- 1 me     www-data 40272 2010-10-28 16:48 wp-app.php
-rw-rw-r-- 1 me     www-data   274 2010-11-20 21:44 wp-blog-header.php

To add user ftp-user to group www-data...

  1. Edit vi /etc/group
  2. Append www-data to the end of the line for www-data
    • EG www-data:x:34:wibble,ftp-user