Saturday 31 March 2012


apt-get install proftpd-basic

HOWTO : Create a FTP server with user access (proftpd)

There's some support for this guide in the hoary
Some questions are already answered in the OLD THREAD; if you need support you should read it before posting here.
I created this how-to for people who want to share files with friends using the FTP protocol, like FTPservU under Windows. The way I give you is not the only one; I hope my how-to is clear enough.
This FTP server will allow only users with the correct password (persons to whom you gave the password and username), so you can be sure that only known persons will access your FTP server.
A- The GUI way (for beginners only)
For those who are new to Linux and don't want to use an FTP server without a GUI, or for those who don't use their FTP server often and wish to set it up quickly without a high level of security, there is a GTK GUI for proftpd.
Be careful, it's less secure than configuring your server yourself.
1- Install proftpd and gproftpd with synaptic or with this command :
    sudo apt-get install proftpd gproftpd
2- Play with the GUI and quickly set up your server.
Beware, no support is offered here for this tool, but it shouldn't be too hard to use.
B- The secure way
1- Install proftpd with synaptic or with this command :
    sudo apt-get install proftpd
2- Add this line in /etc/shells file (sudo gedit /etc/shells to open the file) :
Create a /home/FTP-shared directory :
    cd /home
    sudo mkdir FTP-shared
Create a user named userftp which will be used only for FTP access. This user doesn't need a valid shell (more secure), therefore select the /bin/false shell for userftp and /home/FTP-shared as home directory (property button in the user and group window).
To make this section clearer, I give you the equivalent command line to create the user, but it would be better to use the GUI (System > Administration > User & Group) to create the user, since users here often got problems with the user creation and the password (530 error) with the command line, so I really advise using the GUI :
    # useradd -p expects an already-encrypted password, not a plain one,
    # so the password is set with passwd instead.
    sudo useradd -d /home/FTP-shared -s /bin/false userftp
    sudo passwd userftp
In the FTP-shared directory create a download and an upload directory :
    cd /home/FTP-shared/
    sudo mkdir download
    sudo mkdir upload
Now we have to set the correct permissions for these directories :
11/03/2012 05:11
    cd /home
    sudo chmod 755 FTP-shared
    cd FTP-shared
    sudo chmod 755 download
    sudo chmod 777 upload
3- OK, now go to the proftpd configuration file :
    sudo gedit /etc/proftpd.conf
or for edgy eft (ubuntu 6.10) :
    sudo gedit /etc/proftpd/proftpd.conf
and edit your proftpd.conf file like this if it fits your needs :
    # To really apply changes reload proftpd after modifications.
    AllowOverwrite on
    AuthAliasOnly on

    # Choose here the user alias you want !!!!
    UserAlias sauron userftp

    ServerName "ChezFrodon"
    ServerType standalone
    DeferWelcome on

    MultilineRFC2228 on
    DefaultServer on
    ShowSymlinks off

    TimeoutNoTransfer 600
    TimeoutStalled 100
    TimeoutIdle 2200

    DisplayChdir .message
    ListOptions "-l"

    RequireValidShell off

    TimeoutLogin 20

    RootLogin off

    # It's better for debug to create log files ;-)
    ExtendedLog /var/log/ftp.log
    TransferLog /var/log/xferlog
    SystemLog /var/log/syslog.log

    #DenyFilter \*.*/

    # I don't choose to use /etc/ftpusers file (set inside the users you want to ban, not useful for me)
    UseFtpUsers off

    # Allow to restart a download
    AllowStoreRestart on

    # Port 21 is the standard FTP port, so you may prefer to use another port for security reasons (choose here the port you want)
    Port 1980

    # To prevent DoS attacks, set the maximum number of child processes
    # to 30. If you need to allow more than 30 concurrent connections
    # at once, simply increase this value. Note that this ONLY works
    # in standalone mode, in inetd mode you should use an inetd server
    # that allows you to limit maximum number of processes per service
    # (such as xinetd)
    MaxInstances 8

    # Set the user and group that the server normally runs at.
    User nobody
    Group nogroup

    # Umask 022 is a good standard umask to prevent new files and dirs
    # (second parm) from being group and world writable.
    Umask 022 022

    PersistentPasswd off

    MaxClients 8
    MaxClientsPerHost 8
    MaxClientsPerUser 8
    MaxHostsPerUser 8

    # Display a message after a successful login
    AccessGrantMsg "welcome !!!"
    # This message is displayed for each access good or not
    ServerIdent on "you're at home"

    # Lock all the users in home directory, ***** really important *****
    DefaultRoot ~

    MaxLoginAttempts 5

    #VALID LOGINS
    <Limit LOGIN>
    AllowUser userftp
    DenyALL
    </Limit>

    <Directory /home/FTP-shared>
    Umask 022 022
    AllowOverwrite off
    <Limit MKD
    </Limit>
    </Directory>

    <Directory /home/FTP-shared/download/*>
    Umask 022 022
    AllowOverwrite off
    XRMD>
    DenyAll
    </Limit>
    </Directory>

    <Directory /home/FTP-shared/upload/>
    Umask 022 022
    AllowOverwrite on
    <Limit READ RMD DELE>
    DenyAll
    </Limit>
    <Limit STOR CWD MKD>
    AllowAll
    </Limit>
    </Directory>
OK, you have finished the proftpd configuration. Your server is on port 1980 (in this example) and the access parameters are
user : sauron
password : the one you've set for userftp
4- To start/stop/restart your server :
    sudo /etc/init.d/proftpd start
    sudo /etc/init.d/proftpd stop
    sudo /etc/init.d/proftpd restart
To perform a syntax check of your proftpd.conf file :
    sudo proftpd -td5
To know who is connected on your server in realtime use the "ftptop" command (use the "t" character to switch to rate display), you can also use the "ftpwho" command.
Other information here
C- Advanced tricks
1- Enable TLS/SSL encryption (FTPS)
** Important note : proftpd versions before 1.3.2-rc2 may not work with latest filezilla versions using TLS encryption. See raymond.szebin's post for details.

The FTP file sharing protocol is an old protocol which was created when the internet was still a secure place, therefore the default FTP protocol is not that secure. For example the password and username for login are transmitted in plain text which obviously isn't
That's why, to fit the needs of our generation, encryption solutions were developed and one of them is TLS/SSL encryption.
This will encrypt the username and password and all the data you send; obviously, to use it the FTP client must support FTP over TLS (FTPS).
Here are the steps to enable TLS/SSL encryption.

Paste these commands in a terminal :
    sudo apt-get install build-essential
    sudo apt-get install libssl-dev
    cd /etc
    sudo mkdir ftpcert
    cd ftpcert/
    sudo openssl genrsa -des3 -out server.key 1024
    sudo openssl req -new -key server.key -out server.csr
    sudo openssl genrsa -des3 -out ca.key 1024
    sudo openssl req -new -x509 -days 365 -key ca.key -out ca.crt
** download the sign.sh file (at the bottom of the post) and put it in ftpcert directory **
    sudo chmod +x sign.sh
    sudo ./sign.sh server.csr
Then add this section to your proftpd.conf file :
    <IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/ftpd/tls.log
    TLSProtocol TLSv1

    # Are clients required to use FTP over TLS when talking to this server?
    TLSRequired off

    # Server's certificate
    TLSRSACertificateFile /etc/ftpcert/server.crt
    TLSRSACertificateKeyFile /etc/ftpcert/server.key

    # CA the server trusts
    TLSCACertificateFile /etc/ftpcert/ca.crt

    # Authenticate clients that want to use FTP over TLS?
    TLSVerifyClient off
    </IfModule>
If you use edgy or proftpd 1.3 in general add this line at the beginning of your proftpd.conf file, it will load all the extra modules like mod_tls.c :
    Include /etc/proftpd/modules.conf
Note - Use TLSRequired ON to force the use of TLS. OFF means that the use of TLS is optional.

Optional step:
You will notice that you will be asked for the password you set for the server.key file each time you start/stop/restart the server. This is because the RSA private key is encrypted in the server.key file.
The solution is to remove the encryption of the RSA private key, but it makes the key readable in the server.key file, which is obviously less secure. If you do that anyway, make sure that server.key is readable only by root.
Once you know that it's less secure, here are the command lines to remove the encryption of the RSA private key :
    cd /etc/ftpcert
    cp server.key server.key.org
    openssl rsa -in server.key.org -out server.key
Here are some links to read in case of problems or just to get more information :

To use your TLS encrypted FTP server you will need an FTP client which supports it, like the latest versions of filezilla (the one present in the feisty repository has TLS support).
In filezilla the option to use is called FTPES.
Thanks to nix4me for the help he provided and for the instructions.
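As an added example (not part of the original guide), this shell function checks a proftpd.conf for the points the guide stresses: DefaultRoot, RootLogin, TLSEngine, TLSRequired and the permissions of the server.key file. The names conf_value and audit_proftpd_conf and the sample configuration are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): report proftpd.conf settings
# that the guide itself calls out. Function names here are hypothetical.

# Print the last value set for DIRECTIVE in FILE, skipping comment lines.
conf_value() {
    awk -v d="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { if (v != "") print v }' "$1"
}

# Print one finding per line; print nothing when every check passes.
audit_proftpd_conf() {
    conf=$1
    [ -n "$(conf_value "$conf" DefaultRoot)" ] ||
        echo "DefaultRoot: not set, users are not locked in their home directory"
    case "$(conf_value "$conf" RootLogin | tr 'A-Z' 'a-z')" in
        on) echo "RootLogin: root is allowed to log in over FTP" ;;
    esac
    case "$(conf_value "$conf" TLSEngine | tr 'A-Z' 'a-z')" in
        on) ;;
        *) echo "TLSEngine: TLS is not enabled, logins travel in plain text" ;;
    esac
    case "$(conf_value "$conf" TLSRequired | tr 'A-Z' 'a-z')" in
        off|"") echo "TLSRequired: TLS is optional, plain-text logins still work" ;;
    esac
    key=$(conf_value "$conf" TLSRSACertificateKeyFile)
    if [ -n "$key" ] && [ -f "$key" ]; then
        # Characters 5-10 of the ls mode string are the group/other bits.
        [ "$(ls -l "$key" | cut -c5-10)" = "------" ] ||
            echo "TLSRSACertificateKeyFile: $key is accessible to group or other"
    fi
    return 0
}

# Constructed sample holding the relevant lines as this guide sets them.
sample=$(mktemp)
printf '%s\n' 'RootLogin off' 'DefaultRoot ~' '<IfModule mod_tls.c>' \
    'TLSEngine on' 'TLSRequired off' '</IfModule>' > "$sample"
audit_proftpd_conf "$sample"
rm -f "$sample"
```

Run against the real file with audit_proftpd_conf /etc/proftpd/proftpd.conf (as root, so that the key file can be inspected).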
2- Restrict access for some users
Some of you wish, for different reasons, to create more than one user and give a different access depending on the user.
For example, if I create 2 users, one called user1 and the second called user2, and then want to deny access to the download directory for user2, you can do it as follows :
First create the 2 users like userftp in the guide and give them alias names if you use aliases. Then allow your 2 users in the general LIMIT LOGIN section :
    #VALID LOGINS
    <Limit LOGIN>
    AllowUser user1
    AllowUser user2
    DenyALL
    </Limit>
Once done, here is how to modify the directory sections to choose who is able to use which directory :
    <Directory /home/FTP-shared/download/*>
    Umask 022 022
    AllowOverwrite off
    <Limit ALL>
    Order Allow,Deny
    AllowUser user1
    Deny ALL
    </Limit>
    XRMD>
    DenyAll
    </Limit>
    </Directory>

    <Directory /home/FTP-shared/upload/>
    Umask 022 022
    AllowOverwrite on
    <Limit ALL>
    Order Allow,Deny
    AllowUser user1
    AllowUser user2
    Deny ALL
    </Limit>
    <Limit READ RMD DELE>
    DenyAll
    </Limit>
    <Limit STOR CWD MKD>
    AllowAll
    </Limit>
    </Directory>
Note - user2 will see the download directory but will not be able to enter the directory.
That's all
Best Common Practices - Everyone should read
Best Common Practices - Everyone should read

ProftpTools 1.0.1
ProftpTools is a script I wrote thanks to swoop's feedback. This script allows you to start/stop proftpd, mount/unmount directories auto/manually, show your IP, ... and all of that with a GUI in order to use proftpd in a really easy way !
To install ProftpTools, download ProftpTools-v1.0.2.tar.gz (at the bottom of the page), untar it where you want and then move the ProftpTools file to /usr/bin :
    tar -xzvf ProftpTools-v1.0.2.tar.gz
    cd ProftpTools-v1.0.2/
    sudo mv ProftpTools /usr/bin/
Then add these lines in your .bashrc file (it's in your home directory : gedit /home/username/.bashrc) in order to specify what is the ProftpTools directory path, YOU
the path. I give you an example if your ProftpTools directory is in your home directory :
    v1.0.2
    export ProftpTools_dir
Now all you have to do is to type ProftpTools in a terminal and .... enjoy

You need zenity installed to use this script.
Don't hesitate to post in this thread or send me a PM to report bugs, ask for new features, correct my english or suggest improvements, and thank you for giving me feedback about this tool.
useful trick :
This trick is integrated in ProftpTools.
If you don't want (like me) to use space in your /home directory, and want to use space on another hard drive, or if you just want to share a directory from another partition ... you can mount the directory you want in your download or upload directory without changing anything in the proftpd.conf file. Use these commands :
    sudo mount -o bind the_directory_you_want_to_share /home/FTP-shared/download
or
    sudo mount -o bind the_directory_you_want_to_use_for_upload /home/FTP-shared/upload
This command will not overwrite the directory; the idea is just to mount a directory in another one without overwriting anything, so when someone logs in to your server he will see and use the mounted directory if you have mounted one. To unmount a directory (download directory for example):
    sudo umount /home/FTP-shared/download
Permanent mount :
If you don't want to re-mount your directories after a reboot you can add a line in the fstab file like this (sudo gedit /etc/fstab to open the file) :
    the_directory_to_mount /home/FTP-shared/download vfat bind 0 0
thanks reet
If you want to create other directories in FTP-shared, remember to add them in the proftpd.conf file.
Don't hesitate to test your server yourself using gFTP for example, it's really helpful to debug your server.
Other stuff/Troubleshooting/FAQ
If you have a router you should read that, it describes the 2 commands to add in proftpd.conf and
If you have a dynamic DNS have a look here, you can also use ddclient (maybe easier for newbies).
If you have an Unbindable port 21 issue please refer to this post from mustacheride.
Most of the information you're looking for is here
To get more debug information : http://www.proft-
You can specify a specific passive port range using the PassivePorts command, it's very useful when you use a firewall in order to know which ports to allow.
For those who have a firewall/router I advise reading this excellent post from mssm
Thanks for feedback, and sorry if my english is sometimes really bad
Don't hesitate to post questions about proftpd in this thread.
Last edited by frodon; October 4th, 2010 at 09:32 AM.. Reason: Updated - keep only one DefaultRoot