Vincent's Weblog

Configuring ProFTPD on Debian 12

ProFTPD is a very versatile FTP server. It allows for virtual users, supports SFTP and more. In this post (that I'll mostly have for my own future reference) I'll go over the process of configuring ProFTPD with:

- TLS support
- Virtual user support


I'll be using a Debian Bookworm (12) system:

sudo apt install proftpd proftpd-mod-crypto -y

That's it, now we'll need to configure it.

Setting up TLS

Generating the certificate

First, we'll need to generate a certificate to use. In this example I'll use a snakeoil certificate, but you can use a certificate from Let's Encrypt as well.

sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -nodes -days 365
sudo chmod 0600 /etc/ssl/private/proftpd.key
sudo chmod 0640 /etc/ssl/certs/proftpd.crt

Configuring ProFTPD to use TLS

Since encryption is the most important step, we'll configure this first. Open /etc/proftpd/modules.conf and make sure to uncomment the line that loads the mod_tls.c module:

# ... lines omitted for demonstration purposes
# Install proftpd-mod-crypto to use this module for TLS/SSL support.
LoadModule mod_tls.c
# ... lines omitted for demonstration purposes

Next, we'll need to modify /etc/proftpd/tls.conf. We can remove all of its contents and replace them with the following:

<IfModule mod_tls.c>
        TLSEngine on
        TLSLog /var/log/proftpd/tls.log
        TLSProtocol TLSv1.2 TLSv1.3
        # set this to no, if you have legacy clients that can't speak TLS
        TLSRequired on
        # the key generated above is RSA, so use the RSA directives
        TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
        TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
        TLSVerifyClient off
        TLSRenegotiate none
</IfModule>

Next, we need to load this configuration. This can be done by uncommenting a line in /etc/proftpd/proftpd.conf:

# This is used for FTPS connections
Include /etc/proftpd/tls.conf

Now we can test the configuration and restart ProFTPD:

sudo proftpd --configtest
sudo systemctl restart proftpd

Next, we can test this using an FTP client of our choice. On Windows/Linux/macOS, FileZilla is a good choice. I use Transmit on macOS myself.

Use the login credentials of a system user to test.
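The config test confirms that the file parses; it does not judge whether the TLS settings are strict. As an added example (not part of the original post), this Python script audits the text of a tls.conf for the settings used above: a closed IfModule block, TLSEngine and TLSRequired switched on, and TLSProtocol limited to TLSv1.2/TLSv1.3. The function name audit_tls_conf, the policy sets and the sample configuration are assumptions constructed for illustration.

```python
TRUE_VALUES = {"on", "yes", "true", "1"}      # spellings ProFTPD parses as boolean true
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}    # this script's policy, as in the post

# Constructed sample: a weakened tls.conf with an unclosed block.
SAMPLE = """\
<IfModule mod_tls.c>
        TLSEngine on
        TLSProtocol TLSv1.1 TLSv1.2
        # legacy clients
        TLSRequired off
        TLSRenegotiate none
"""


def audit_tls_conf(text):
    """Return policy findings for the text of a ProFTPD mod_tls config file."""
    findings, open_blocks, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            name = line[2:].rstrip(">").strip()
            if open_blocks and open_blocks[-1][0].lower() == name.lower():
                open_blocks.pop()
            else:
                findings.append(f"line {lineno}: </{name}> closes nothing")
        elif line.startswith("<"):
            open_blocks.append((line[1:].split()[0].rstrip(">"), lineno))
        else:
            parts = line.split(None, 1)
            seen[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    for name, lineno in open_blocks:
        findings.append(f"line {lineno}: <{name}> is never closed")
    if seen.get("tlsengine", "").lower() not in TRUE_VALUES:
        findings.append("TLSEngine is not on, so mod_tls does nothing")
    if seen.get("tlsrequired", "").lower() not in TRUE_VALUES:
        findings.append("TLSRequired is not on, so cleartext sessions are possible")
    protocols = seen.get("tlsprotocol", "").split()
    weak = [p for p in protocols
            if not p.startswith("-") and p.lstrip("+") not in ALLOWED_PROTOCOLS]
    if not protocols or weak:
        findings.append(f"TLSProtocol is not pinned to TLSv1.2/TLSv1.3: {weak or 'directive missing'}")
    return findings


if __name__ == "__main__":
    for finding in audit_tls_conf(SAMPLE):
        print(finding)
```

To audit the live file, pass the contents of /etc/proftpd/tls.conf to audit_tls_conf instead of SAMPLE; an empty list means none of these checks fired.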

Virtual users

Since you'll often want to make separate FTP accounts for projects, virtual users can do the trick for us. These users can't log in to the system; they can only connect via FTP.

These users can be stored in a variety of ways: in a file, in a database, using LDAP, ... I will be using a file in my example.

Make a new file /etc/proftpd/conf.d/virtual-users.conf and include the following:

DefaultRoot ~
CreateHome on
RequireValidShell off
AuthUserFile /etc/proftpd/ftpd.passwd
## only allow virtual users
AuthOrder mod_auth_file.c
## allow virtual users, and system users
# AuthOrder mod_auth_file.c mod_auth_pam.c

It is important to note that virtual users also need a UID/GID. You can use the UID/GID of your own user or of the www-data user, or you can create a separate system user and assign that UID/GID. It is entirely up to you.

Creating a separate system user

sudo adduser --system --shell /bin/false --gecos 'FTP Virtual users' --group --disabled-password --home /home/ftpusers ftpusers

Note down the UID/GID of the new user; they go into the --uid and --gid options when adding virtual users.

Adding virtual users

sudo ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=test --uid=104 --gid=109 --home=/home/ftpusers/test --shell=/bin/false

This will create a virtual user 'test' with its home in /home/ftpusers/test.