{{tag>ftp}}
====== Proftpd setup ======
===== Install ProFTPD (as standalone) =====
<code>
apt-get install proftpd
</code>
===== Edit /etc/proftpd/proftpd.conf =====
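<code>
UseIPv6 off
# Limit members of ftpgrp to their home dir (/var/www in this case)
DefaultRoot ~ ftpgrp
RequireValidShell off
PassivePorts 65504 65534
# DenyGroup is only valid inside a <Limit> section: refuse logins from users outside ftpgrp
<Limit LOGIN>
  DenyGroup !ftpgrp
</Limit>
</code>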
===== Open port 21 and passive ports =====
<code>
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 65504:65534 -j ACCEPT
</code>
===== Create FTP group "ftpgrp" =====
<code>
addgroup ftpgrp
</code>
===== Create FTP user "ftpuser" =====
<code>
useradd --home-dir /var/www --groups ftpgrp,www-data --shell /bin/false ftpuser
passwd ftpuser
</code>
===== Add user to group(s) =====
<code>
adduser ftpuser ftpgrp
</code>
For document root:
<code>
chown -R www-data:www-data /var/www/   # OR: chgrp -R www-data /var/www/
chmod -R g+w /var/www/
chmod g+s /var/www/                    # OR, for every directory: find /var/www/ -type d -exec chmod g+s {} +
</code>
===== Enable TLS in ProFTPd =====
<code>
mkdir /etc/proftpd/ssl
openssl req -new -x509 -days 3650 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem
</code>
Uncomment the ''Include /etc/proftpd/tls.conf'' line in ''/etc/proftpd/proftpd.conf'':
<code>
[...]
#
# This is used for FTPS connections
#
Include /etc/proftpd/tls.conf
[...]
</code>
Then open ''/etc/proftpd/tls.conf'' and make it look as follows:
<code>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.2
TLSCipherSuite AES128+EECDH:AES128+EDH
TLSOptions NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient off
TLSRequired on
RequireValidShell no
</code>
===== Restart ProFTPD =====
<code>
service proftpd restart
</code>
===== HINTS =====
If you do not use TLS, disable this module in ''/etc/proftpd/modules.conf'':
<code>
#LoadModule mod_tls_memcache.c
</code>
Some clients (like the PHP ftp functions) don't handle hosts behind NAT well. You get this error:
<code>
PHP Warning: ftp_put(): Entering Passive Mode (10,10,6,169,255,243). in php-ftp-client/FtpClient/FtpWrapper.php on line 85
</code>
In ''/etc/proftpd/proftpd.conf'' just set the //MasqueradeAddress// to the public IP of the ProFTPD host.
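Added example, not part of the original page: decoding the passive-mode reply from the warning above shows which address and port the server advertised, and checks both against RFC 1918 and the ''PassivePorts'' range configured on this page. The function names ''parse_pasv'' and ''diagnose'' are hypothetical.

```python
import ipaddress
import re

# PassivePorts range from the proftpd.conf on this page
PASSIVE_PORTS = (65504, 65534)

# Private ranges that a client outside the NAT cannot reach
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the port is p1*256 + p2 (RFC 959)."""
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value above 255 in PASV tuple")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def diagnose(reply, passive_ports=PASSIVE_PORTS):
    """Return (ip, port, problems) for a client connecting from outside the NAT."""
    ip, port = parse_pasv(reply)
    problems = []
    if any(ip in net for net in RFC1918):
        problems.append(f"{ip} is a private address: set MasqueradeAddress")
    lo, hi = passive_ports
    if not lo <= port <= hi:
        problems.append(f"port {port} is outside PassivePorts {lo}-{hi}")
    return ip, port, problems


if __name__ == "__main__":
    # Reply text taken from the PHP warning quoted on this page
    ip, port, problems = diagnose("Entering Passive Mode (10,10,6,169,255,243).")
    print(f"server advertised {ip}:{port}")
    for p in problems:
        print("-", p)
```

For the reply quoted above, the port lies inside the opened passive range, so the advertised private address is the only problem, which is what //MasqueradeAddress// fixes.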
====== Tested on ======
  * Debian 8