How to install Proftpd with TLS on Ubuntu 14 LTS, Trusty Tahr

ProFTPD (Professional File Transfer Protocol daemon) is widely used for transferring files between a server and a client or between two peer servers. In this tutorial we will learn how to install ProFTPD with support for SSL/TLS encryption. To accomplish this goal we will follow the steps given below:

  • Prerequisites
  • Installing Proftpd and OpenSSL
  • Configuration of Proftpd
  • Adding an FTP User
  • Configuration of TLS in Proftpd
  • Testing installation

Prerequisites

  • Ubuntu 14.04.2 LTS, Trusty Tahr
  • sudo or root privileges

What we accomplish in this tutorial:

  • Installation of Proftpd and OpenSSL
  • Configuration of Proftpd
  • Configuration of User
  • Configuration of TLS with proftpd
  • Testing

Installing Proftpd and OpenSSL

ProFTPD and OpenSSL can be easily installed with the apt-get command because both are available in the Ubuntu 14.x repository:

 sudo apt-get install -y proftpd openssl 

During installation you will be asked whether to run ProFTPD from inetd or as a standalone service. Choose the standalone option and proceed.

Configuration of Proftpd

After successful installation of ProFTPD, we will make some changes to its configuration. The configuration files for ProFTPD are located in the /etc/proftpd/ directory. Let’s edit the proftpd.conf file with the nano editor.

 nano /etc/proftpd/proftpd.conf 

Search for the line containing ‘ServerName’, then change its value to your hostname or domain:

ServerName yourhostname

Look for and uncomment DefaultRoot:

 # Use this to jail all users in their homes
DefaultRoot   		~ 

Now let’s restart Proftpd service:

 service proftpd restart 

Adding an FTP User

An FTP server is usually accessed in one of two common ways:

1. Anonymous FTP access, which gives anyone access without entering a user account and password.
2. Access with a username and password, so that only authenticated users can reach the FTP server.

We will configure option 2 here because it’s more secure and recommended.

Before we create a user for ProFTPD, we will add /bin/false to the /etc/shells file.

 echo "/bin/false" >> /etc/shells 

Now we will create a user with a home directory, which is where that user will have access on the FTP server. We will disable shell access for this user by assigning the “/bin/false” shell, which makes sure that the user cannot log in over SSH. For this instance we will use the username “alice”; feel free to replace alice with the username of your choice.

 adduser --home /home/alice --shell /bin/false alice 

The command above creates a new user called ‘alice’ with the home directory /home/alice/ and with /bin/false as the shell, so the user has no shell access.

Now we will configure ProFTPD to allow the user ‘alice’ to access the FTP server.

 nano /etc/proftpd/proftpd.conf 

Add the following block to the file:

 <Directory /home/alice>
     Umask 022 022
     AllowOverwrite off
     <Limit LOGIN>
         AllowUser alice
         DenyAll
     </Limit>
     <Limit ALL>
         Order Allow,Deny
         AllowUser alice
         Deny ALL
     </Limit>
     <Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
         AllowUser alice
         Deny ALL
     </Limit>
 </Directory> 

Save the file, then stop and start ProFTPD so that the change takes effect:

 service proftpd stop
 service proftpd start 

Configuration of TLS in Proftpd

In order to use TLS we will have to create an SSL certificate. Here we will generate a self-signed certificate using the openssl command. The key is 2048-bit RSA, because 1024-bit RSA keys are no longer considered adequate:

 openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt  -nodes -days 365 

This command will generate a certificate file named proftpd.crt in the /etc/ssl/certs/ directory, and a certificate key file named proftpd.key in the /etc/ssl/private/ directory.

Now, let’s change the file permissions of the certificate files to 600 so that other users cannot access them:

chmod 600 /etc/ssl/certs/proftpd.crt
chmod 600 /etc/ssl/private/proftpd.key

Now we’ll go back to the ProFTPD configuration file to use the SSL certificate that we generated:

 nano /etc/proftpd/proftpd.conf 

Then we will uncomment the TLS line:

 Include /etc/proftpd/tls.conf 

After saving the file we will open the TLS config file:

 nano /etc/proftpd/tls.conf 

Now, we will uncomment all the lines shown below:

 TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv23
TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key
TLSOptions                              NoCertRequest
TLSVerifyClient                         off
TLSRequired                             on 

After saving the file, the last step would be restarting the ProFTPD service:

 service proftpd restart 
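
A quick audit of the directives enabled above, as an added example that is not part of the original tutorial. It flags a TLSProtocol value that still permits SSLv3 (SSLv23 does in mod_tls), a TLSRequired that is not on, and a private key readable by group or others. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the tls.conf settings this tutorial enables.
# Function names and the sample file below are constructed for illustration.

# Print the value of the last uncommented occurrence of directive $2 in file $1.
directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
                   END { print v }' "$1"
}

warn() { echo "WARN: $*"; findings=$((findings + 1)); }

# Print one line per weak setting; return 0 only when nothing was found.
audit_tls_conf() {
    conf=$1
    findings=0
    [ "$(directive "$conf" TLSEngine)" = "on" ] || warn "TLSEngine is not on"
    [ "$(directive "$conf" TLSRequired)" = "on" ] ||
        warn "TLSRequired is not on, so plaintext logins are accepted"
    proto=$(directive "$conf" TLSProtocol)
    case " $proto " in
        "  ") warn "TLSProtocol is not set" ;;
        *" SSLv23 "* | *" SSLv3 "*) warn "TLSProtocol '$proto' still permits SSLv3" ;;
    esac
    key=$(directive "$conf" TLSRSACertificateKeyFile)
    if [ -f "$key" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
            warn "$key is readable by group or others (expected mode 600)"
    else
        warn "private key '$key' not found"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the directives as the tutorial leaves them.
sample=$(mktemp)
cat > "$sample" <<EOF
#TLSOptions AllowClientRenegotiations
TLSEngine                 on
TLSProtocol               SSLv23
TLSRSACertificateKeyFile  /etc/ssl/private/proftpd.key
TLSRequired               on
EOF
audit_tls_conf "$sample" || echo "review the settings above"
rm -f "$sample"
```

On the server itself, run `audit_tls_conf /etc/proftpd/tls.conf` as root so that the key file under /etc/ssl/private/ can be inspected.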

Note: If your ProFTPD service somehow does not restart, then we will follow this manual method.

Testing installation

To test the configuration, try to connect to your FTP server with an FTP client. We’ll use the simple ftp-ssl command to verify that encryption is enabled. When asked for the username, type ‘alice’ (or the username you created) and its corresponding password.

 ftp-ssl -v -v domainnameofyourftp.com 

A successful connection should look similar to this:
