Proftpd setup

Install ProFTPD (as standalone)

apt-get install proftpd

Edit /etc/proftpd/proftpd.conf

UseIPv6 off
# limit user to their home dir (/var/www in this case)
DefaultRoot ~ ftpgrp
RequireValidShell off
PassivePorts 65504 65534
  
<Limit LOGIN>
    DenyGroup !ftpgrp
</Limit>

Open port 21 and passive ports

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 65504:65534 -j ACCEPT

Create FTP group "ftpgrp"

addgroup ftpgrp

Create FTP user "ftpuser"

useradd --home-dir /var/www --groups ftpgrp,www-data --shell /bin/false ftpuser
passwd ftpuser

Add user to group(s)

adduser ftpuser ftpgrp

For document root:

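# either change owner and group:
chown -R www-data:www-data /var/www/
# or change only the group:
chgrp -R www-data /var/www/
chmod -R g+w /var/www/
# setgid on the top directory only:
chmod g+s /var/www/
# or on every directory below it:
find /var/www/ -type d -exec chmod g+s {} +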

Enable TLS in ProFTPd

mkdir /etc/proftpd/ssl
openssl req -new -x509 -days 3650 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

Uncomment the Include /etc/proftpd/tls.conf line in /etc/proftpd/proftpd.conf

[...]
#
# This is used for FTPS connections
#
Include /etc/proftpd/tls.conf
[...]

Then open /etc/proftpd/tls.conf and make it look as follows:

<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol TLSv1.2
TLSCipherSuite AES128+EECDH:AES128+EDH
TLSOptions                 NoCertRequest AllowClientRenegotiations
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                on
RequireValidShell          no
</IfModule>

Restart ProFTPD

service proftpd restart

HINTS

If TLS is not used, disable the module in /etc/proftpd/modules.conf:

#LoadModule mod_tls_memcache.c

Some clients (like PHP's ftp functions) don't handle hosts behind NAT well. You get this error:

PHP Warning:  ftp_put(): Entering Passive Mode (10,10,6,169,255,243). in php-ftp-client/FtpClient/FtpWrapper.php on line 85

In /etc/proftpd/proftpd.conf, set MasqueradeAddress to the public IP of the ProFTPD host.
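
The tuple in that warning can be decoded to confirm the cause before changing the config. The Python below is an added example, not part of the original page: it parses a PASV reply and reports an advertised address that differs from the one the client dialled, or a data port outside the PassivePorts range set above. The function names and the address 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress
import re

# Range from the PassivePorts line in proftpd.conf on this page.
PASSIVE_PORTS = (65504, 65534)

_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) from an 'Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    match = _PASV_RE.search(reply)
    if not match:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range 0-255")
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]  # port is sent as high byte, low byte
    return ip, port


def check_pasv(reply, connected_to, ports=PASSIVE_PORTS):
    """List problems with a PASV reply, given the address the client dialled."""
    ip, port = parse_pasv(reply)
    target = ipaddress.IPv4Address(connected_to)
    problems = []
    if ip != target:
        kind = "private" if ip.is_private else "different"
        problems.append(f"server advertises {kind} address {ip}, "
                        f"client connected to {target}: set MasqueradeAddress")
    if not ports[0] <= port <= ports[1]:
        problems.append(f"data port {port} is outside PassivePorts "
                        f"{ports[0]}-{ports[1]}, not covered by the iptables rule")
    return problems


if __name__ == "__main__":
    # Reply text taken from the PHP warning above; 203.0.113.10 is a constructed
    # documentation address standing in for the server's public IP.
    warning = "Entering Passive Mode (10,10,6,169,255,243)."
    print(parse_pasv(warning))
    for problem in check_pasv(warning, "203.0.113.10"):
        print("WARN:", problem)
```

After MasqueradeAddress is set and ProFTPD restarted, the same check against a fresh PASV reply should return an empty list.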
