ProFTPD is a FTP server that is very versatile. It allows for virtual users, supports SFTP and more. In this post (that I'll mostly have for my own future reference) I'll go over the process of configuring ProFTPd with: - TLS support - Virtual user support
I'll be using a debian bookworm (12) system:
sudo apt install proftpd proftpd-mod-crypto -y
That's it, now we'll need to configure it.
Setting up TLS
Generating the certificate
First, we'll need to generate certificates to use. In this example I'll use a snakeoil certificate, but, you can use a certificate from Let's Encrypt as well.
openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -nodes -days 365 chmod 0600 /etc/ssl/private/proftpd.key chmod 0640 /etc/ssl/certs/proftpd.crt
Configuring ProFTPd to use TLS
Since Encryption is the most important step, we'll configure this first. open
/etc/proftpd/modules.conf and make sure to uncomment the line that loads the
# ... lines omitted for demonstration purposes # Install proftpd-mod-crypto to use this module for TLS/SSL support. LoadModule mod_tls.c # ... lines omitted for demonstration purposes
Next we'll need to modify
/etc/proftpd/tls.conf. We can remove all the contents and replace it with the following
<IfModule mod_tls.c> TLSEngine on TLSLog /var/log/proftpd/tls.log TLSProtocol TLSv1.2 TLSv1.3 # set this to no, if you have legacy clients that can't speak TLS TLSRequired on TLSECCertificateFile /etc/ssl/certs/proftpd.crt TLSECCertificateKeyFile /etc/ssl/private/proftpd.key TLSVerifyClient off TLSRenegotiate none </IfModule>
Next, we need to load this configuration. this can be done by uncommenting a line in
# # This is used for FTPS connections # Include /etc/proftpd/tls.conf
Now, we can test the configuration and restart proftpd
sudo proftpd --configtest sudo systemctl restart proftpd
Next, we can test this using a FTP client of our choice, on windows/linux/macos, Filezilla is a good choice. I use Transmit on MacOS myself.
Use the login credentials of a system user to test.
Since a lot of times you want to make separate FTP accounts for projects, virtual users can do the trick for us. These users can't log in into the system, but can only connect via FTP.
These users can be stored in a variety of ways: in a file, in a database, using LDAP, ... I will be using a file in my example.
make a new file
/etc/proftpd/conf.d/virtual-users.conf and include the following:
DefaultRoot ~ CreateHome on RequireValidShell off AuthUserFile /etc/proftpd/ftpd.passwd ## only allow virtual users AuthOrder mod_auth_file.c ## allow virtual users, and system users # AuthOrder mod_auth_file.c mod_auth_pam.c
It is important to note that virtual users also need a UID/GID, you can use the UID/GID of your user, the www-data user, or you can create a separate system user and assign that UID/GID. It is entirely up to you.
Creating a seperate system user
adduser --system --shell /bin/false --gecos 'FTP Virtual users' --group --disabled-password --home /home/ftpusers ftpusers
Note down the UID/GID
Adding virtual users
sudo ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=test --uid=104 --gid=109 --home=/home/ftpusers/test --shell=/bin/false
This will create a virtual user 'test', with a home in /home/ftpusers/test