Wiki > Userland ProFTPD
Setup
Intro
ProFTPD is an FTP server that can be used to offer FTP access to friends and family without revealing your slot's username and password. Instead, custom usernames and passwords can be set for each friend or family member.
Important: Because your slot's username and password won't be used to log in to your personal FTP server, any downloads taking place will count towards your traffic usage.
A random port number between 10000 and 65535 is needed and will be used to access your FTP server once setup is complete. The port number 22185
has automatically been generated and will be used throughout this article, but can be changed if needed.
Main configuration file
Create a directory for the configuration. mkdir -p ~/.config/proftpd
and edit the main configuration file nano -w ~/.config/proftpd/proftpd.conf
with the following:
User user
Group user
Port 22185
Umask 022
MaxInstances 10
DefaultServer on
AuthPAM off
AuthUserFile /home/user/.config/proftpd/proftpd.passwd
PidFile /home/user/.config/proftpd/proftpd.pid
ScoreboardFile /home/user/.config/proftpd/proftpd.scoreboard
DelayTable /home/user/.config/proftpd/proftpd.delay
SystemLog /home/user/.config/proftpd/proftpd.log
WtmpLog off
Save the file by pressing Ctrl+x
, y
and then enter
.
Authentication
You can create users with the following command. Replace username
with the username you want them to use:
ftpasswd --passwd --file="$HOME/.config/proftpd/proftpd.passwd" --home=$HOME --shell=$SHELL --uid=$UID --gid=`id -g user` --name=username
If you want to use permissions, you will need to specify their home directory directly. For example, if you want them to only access ~/files
:
ftpasswd --passwd --file="$HOME/.config/proftpd/proftpd.passwd" --home=$HOME/files --shell=$SHELL --uid=$UID --gid=`id -g user` --name=username
Enter the password for the account when prompted and press enter
.
If you want to remove a user: ftpasswd --delete-user --passwd --file="$HOME/.config/proftpd/proftpd.passwd" --name=user
Change permissions of proftpd.passwd
so ProFTPD will start correctly:
chmod o-rwx ~/.config/proftpd/proftpd.passwd
Installing the daemon
Fetch the binary and compile ProFTPD.
wget -4 ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.8.tar.gz
tar xvfz proftpd-*.tar.gz
cd proftpd-*/
./configure --with-modules=mod_tls
make
And move it to a place to save it.
mkdir -p ~/bin
mv ./proftpd ~/bin/proftpd
(Optional) Remove the source code:
cd ..
rm -r proftpd-*
Starting the daemon
-
Create the file that will start the webserver.
touch ~/.config/proftpd/start
-
Make the start file able to be executed.
chmod +x ~/.config/proftpd/start
-
Place the contents of the box below into the
start
file.#!/bin/bash /home/user/bin/proftpd -c ~/.config/proftpd/proftpd.conf &> /dev/null
From then on, the server can be started using ~/.config/proftpd/start
as a command.
In case you need to troubleshoot the start command, you can get more verbose output by appending the -nd5
argument to the actual proftpd command in the start file.
Starting the daemon on boot
To ensure proftpd is automatically started each time your server is rebooted. You can add the following line to the crontab using crontab -e
:
@reboot /home/user/bin/proftpd -c ~/.config/proftpd/proftpd.conf
Accessing it
You will now be able to access your home directory using the username and password you defined from ftp://server.whatbox.ca:22185/
Stopping the daemon
Kill the process with this command:
kill -15 `cat /home/user/.config/proftpd/proftpd.pid`
Permissions (optional)
By default, ProFTPD will allow all created users access to all the directories your user has access to. By setting up permissions, you can limit their access to only specific directories that you defined as their home.
To set up permissions, you will need to deny access to everything except logging in to the FTP server. A global <Limit ALL>
will do this - the ALL
permission does not include logging in. You will override these permissions with specific directories as explained later. Add the following to the bottom of .config/proftpd/proftpd.conf
:
<Limit ALL>
DenyAll
</Limit>
In ProFTPD, ~
is the FTP user's home directory. This can be different from your actual home directory. The following additional configuration will allow all FTP users full access to their FTP home directory:
<Directory ~>
<Limit ALL>
AllowAll
</Limit>
</Directory>
You can change the limited commands by replacing ALL
with specific commands or groups of commands as listed on ProFTPD's <Limit> documentation. You can also add subdirectories by copying the entire block and changing ~
to ~/directory
where directory
is the subdirectory you want to modify permissions.
You want to copy the two blocks above verbatim if you want your users limited to the directory that you specified as their home.
Restart ProFTPD with the following command for the configuration changes to take effect:
kill -15 `cat /home/user/.config/proftpd/proftpd.pid`; ~/.config/proftpd/start
Setting up TLS (optional)
FTP doesn't send the username/password or files via a secure connection. ProFTPD can be configured for userland TLS which will encrypt the control stream (the commands send to the FTP server) as well as the file transfers themselves.
Generating your certificates
In order for TLS to work you will need a private key and a self-signed certificate.
The following command will generate your private key
openssl genrsa -des3 -out ~/.config/proftpd/server.key 2048
You will be asked for pass phrase for your private key. Enter a short phrase. You will be asked for this pass phrase during the creation of the certificate later on.
The following command will generate a certificate signing request. You will be asked for a bunch of information. Just hit enter past all this information as it is not required for what we are doing since the certificate will be self signed.
openssl req -new -key ~/.config/proftpd/server.key -out ~/.config/proftpd/server.csr
Having a passkey on the certificate will prevent the service from auto starting as you would need to enter your passkey. The following commands will remove that requirement.
cp ~/.config/proftpd/server.key ~/.config/proftpd/server.key.org
openssl rsa -in ~/.config/proftpd/server.key.org -out ~/.config/proftpd/server.key
Finally, the following command will generate your self-signed certificate.
openssl x509 -req -days 365 -in ~/.config/proftpd/server.csr -signkey ~/.config/proftpd/server.key -out ~/.config/proftpd/server.crt
Adding the TLS configuration
Once you have created your certificate you need to tell ProFTPD to use TLS for FTP connections. In ~/.config/proftpd/proftpd.conf
add the following lines:
TLSEngine on
TLSProtocol TLSv1.2
#The following line sets TLS to be required for connections.
TLSRequired on
TLSRSACertificateFile /home/user/.config/proftpd/server.crt
TLSRSACertificateKeyFile /home/user/.config/proftpd/server.key
TLSVerifyClient off
TLSOptions NoSessionReuseRequired
At this point save your config file and reload ProFTPd. This integrates with the commands above and nothing additional needs to be done. Now when you wish to connect to your ProFTPd setup you will need to use FTP with explicit TLS instead of standard FTP.