apt-get install proftpd
UseIPv6 off
# limit user to their home dir (/var/www in this case)
DefaultRoot ~ ftpgrp
RequireValidShell off
PassivePorts 65504 65534
<Limit LOGIN>
DenyGroup !ftpgrp
</Limit>
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 65504:65534 -j ACCEPT
addgroup ftpgrp
useradd --home-dir /var/www --groups ftpgrp,www-data --shell /bin/false ftpuser
passwd ftpuser
adduser ftpuser ftpgrp
For document root:
chown -R www-data:www-data /var/www/
OR
chgrp -R www-data /var/www/
chmod -R g+w /var/www/
chmod g+s /var/www/
OR
find . -type d -print0 | xargs -0 chmod g+s
mkdir /etc/proftpd/ssl
openssl req -new -x509 -days 3650 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem
Uncomment the Include /etc/proftpd/tls.conf line in /etc/proftpd/proftpd.conf
[...]
#
# This is used for FTPS connections
#
Include /etc/proftpd/tls.conf
[...]
Then open /etc/proftpd/tls.conf and make it look as follows:
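<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.2
TLSCipherSuite AES128+EECDH:AES128+EDH
# AllowClientRenegotiations re-enables client-initiated renegotiation,
# which mod_tls refuses by default; keep it only if a client needs it
TLSOptions NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient off
# reject plain FTP: control and data channels must use TLS
TLSRequired on
RequireValidShell no
</IfModule>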
service proftpd restart
If TLS is not used, disable the module in /etc/proftpd/modules.conf:
#LoadModule mod_tls_memcache.c
Some clients (like the PHP ftp functions) don't handle hosts behind NAT well. You get this error:
PHP Warning: ftp_put(): Entering Passive Mode (10,10,6,169,255,243). in php-ftp-client/FtpClient/FtpWrapper.php on line 85
In /etc/proftpd/proftpd.conf, just set MasqueradeAddress to the public IP of the proftpd host.
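The passive-mode reply in the PHP warning above carries the address and port the server tells the client to connect to, and decoding it shows the NAT problem directly. The following is an added example, not part of the original notes: it decodes such a reply and checks it against the PassivePorts range configured above. The function names and the control address 203.0.113.10 (a documentation address standing in for the server's public IP) are assumptions.

```python
import ipaddress
import re

# PassivePorts range from the proftpd.conf on this page
PASSIVE_PORTS = (65504, 65534)
# Reply text from the PHP warning quoted on this page
SAMPLE_REPLY = "Entering Passive Mode (10,10,6,169,255,243)."
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no PASV tuple in reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("PASV field out of range: %r" % nums)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def check_pasv(reply, control_ip, passive_ports=PASSIVE_PORTS):
    """Return problems with a PASV reply, as seen by a client that
    opened the control connection to control_ip (an IPv4 literal)."""
    ip, port = parse_pasv(reply)
    control = ipaddress.IPv4Address(control_ip)
    problems = []
    if ip != control:
        problems.append("data address %s differs from control address %s"
                        % (ip, control))
    if any(ip in net for net in RFC1918):
        problems.append("server advertises private address %s; "
                        "set MasqueradeAddress" % ip)
    lo, hi = passive_ports
    if not lo <= port <= hi:
        problems.append("port %d is outside PassivePorts %d-%d, so the "
                        "firewall rule does not cover it" % (port, lo, hi))
    return problems


if __name__ == "__main__":
    for problem in check_pasv(SAMPLE_REPLY, "203.0.113.10"):
        print(problem)
```
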