ProFTPD is an FTP server that can be used to offer FTP access to friends and family without revealing your slot's username and password. Instead, custom usernames and passwords can be set for each friend or family member.
Important: Because your slot's username and password won't be used to log in to your personal FTP server, any downloads taking place will count towards your traffic usage.
A random port number between 10000 and 65535 is needed and will be used to access your FTP server once setup is complete. The port number 45343 has automatically been generated and will be used throughout this article, but can be changed if needed.
Main configuration file
Create a directory for the configuration.
mkdir -p ~/.config/proftpd
and edit the main configuration file (nano -w ~/.config/proftpd/proftpd.conf) with the following:
User user
Group user
Port 45343
Umask 022
MaxInstances 10
DefaultServer on
AuthPAM off
AuthUserFile /home/user/.config/proftpd/proftpd.passwd
PidFile /home/user/.config/proftpd/proftpd.pid
ScoreboardFile /home/user/.config/proftpd/proftpd.scoreboard
DelayTable /home/user/.config/proftpd/proftpd.delay
SystemLog /home/user/.config/proftpd/proftpd.log
WtmpLog off
Save the file by pressing
y and then
You can create users with the following command. Replace username with the username you want them to use:
ftpasswd --passwd --file="$HOME/.config/proftpd/proftpd.passwd" --home=$HOME --shell=$SHELL --uid=$UID --gid=`id -g user` --name=username
If you want to use permissions, you will need to specify their home directory directly. For example, if you want them to only access
ftpasswd --passwd --file="$HOME/.config/proftpd/proftpd.passwd" --home=$HOME/files --shell=$SHELL --uid=$UID --gid=`id -g user` --name=username
Enter the password for the account when prompted and press
If you want to remove a user:
ftpasswd --delete-user --passwd --file="$HOME/.config/proftpd/proftpd.passwd" --name=user
Change permissions of proftpd.passwd so ProFTPD will start correctly:
chmod o-rwx ~/.config/proftpd/proftpd.passwd
Installing the daemon
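Fetch the source and compile ProFTPD. The download is over plain FTP, so check the tarball against the checksum or PGP signature the ProFTPD project publishes for the release before building.
wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.5e.tar.gz
tar xvfz proftpd-*.tar.gz
cd proftpd-*/
./configure --with-modules=mod_tls
make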
Then move the compiled binary to a permanent location.
mkdir -p ~/bin
mv ./proftpd ~/bin/proftpd
(Optional) Remove the source code:
cd ..
rm -r proftpd-*
Starting the daemon
Create the file that will start the FTP server.
Make the start file able to be executed.
chmod +x ~/.config/proftpd/start
Place the contents of the box below into the
#!/bin/bash
/home/user/bin/proftpd -c ~/.config/proftpd/proftpd.conf &> /dev/null
From then on, the server can be started using ~/.config/proftpd/start as a command.
In case you need to troubleshoot the start command, you can get more verbose output by appending the -nd5 argument to the actual proftpd command in the start file.
Starting the daemon on boot
To ensure proftpd is automatically started each time your server is rebooted, you can add the following line to the crontab using
@reboot /home/user/bin/proftpd -c ~/.config/proftpd/proftpd.conf
You will now be able to access your home directory using the username and password you defined from
Stopping the daemon
Kill the process.
By default, ProFTPD will allow all created users access to all the directories your user has access to. By setting up permissions, you can limit their access to only specific directories that you defined as their home.
To set up permissions, you will need to deny access to everything except logging in to the FTP server. A global <Limit ALL> will do this - the ALL permission does not include logging in. You will override these permissions with specific directories as explained later. Add the following to the bottom of
<Limit ALL>
  DenyAll
</Limit>
~ is the FTP user's home directory. This can be different from your actual home directory. The following additional configuration will allow all FTP users full access to their FTP home directory:
<Directory ~>
  <Limit ALL>
    AllowAll
  </Limit>
</Directory>
You can change the limited commands by replacing
ALL with specific commands or groups of commands as listed on ProFTPD's <Limit> documentation. You can also add subdirectories by copying the entire block and changing
directory is the subdirectory you want to modify permissions.
Restart ProFTPD for the configuration changes to take effect.
killall proftpd; ~/.config/proftpd/start
Setting up TLS (optional)
FTP doesn't send the username/password or files via a secure connection. ProFTPD can be configured for userland TLS, which will encrypt the control stream (the commands sent to the FTP server) as well as the file transfers themselves.
Generating your certificates
In order for TLS to work you will need a private key and a self-signed certificate.
The following command will generate your private key. It uses a 2048-bit RSA key, since 1024-bit RSA keys are no longer considered secure and are refused by many current TLS clients.
openssl genrsa -des3 -out ~/.config/proftpd/server.key 2048
You will be asked for a pass phrase for your private key. Enter a short phrase. You will be asked for this pass phrase during the creation of the certificate later on.
The following command will generate a certificate signing request. You will be asked for a bunch of information. Just hit enter past all this information, as it is not required for what we are doing since the certificate will be self-signed.
openssl req -new -key ~/.config/proftpd/server.key -out ~/.config/proftpd/server.csr
Having a pass phrase on the private key will prevent the service from starting automatically, as you would need to enter the pass phrase each time. The following commands will remove that requirement. The resulting server.key is unencrypted, so make sure only your user can read it.
cp ~/.config/proftpd/server.key ~/.config/proftpd/server.key.org
openssl rsa -in ~/.config/proftpd/server.key.org -out ~/.config/proftpd/server.key
Finally, the following command will generate your self-signed certificate.
openssl x509 -req -days 365 -in ~/.config/proftpd/server.csr -signkey ~/.config/proftpd/server.key -out ~/.config/proftpd/server.crt
Adding The TLS Configuration
Once you have created your certificate you need to tell ProFTPD to use TLS for FTP connections. In ~/.config/proftpd/proftpd.conf add the following lines:
TLSEngine on
TLSProtocol TLSv1.2
#The following line sets TLS to be required for connections.
TLSRequired on
TLSRSACertificateFile /home/user/.config/proftpd/server.crt
TLSRSACertificateKeyFile /home/user/.config/proftpd/server.key
TLSVerifyClient off
Note: If you will be using CuteFTP version 9.0.5, or earlier, to connect to your server, change
TLSProtocol TLSv1.2 to:
And add the line:
At this point, save your config file and reload ProFTPD. The TLS settings work with the start and stop commands above, so nothing additional needs to be done. From now on, when you wish to connect to your ProFTPD setup, you will need to use FTP with explicit TLS instead of standard FTP.
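The permissions and TLS sections above both depend on a few lines being present in proftpd.conf. The following check is an added example, not part of the original article or of ProFTPD: it reports when the global <Limit ALL> DenyAll block is missing, when TLSEngine or TLSRequired is not on, or when TLSProtocol still lists SSLv3, TLSv1 or TLSv1.1. The function name, the sample configuration and the one-directive-per-line parsing are assumptions of this example.

```shell
#!/bin/bash
# Added example: audit a proftpd.conf for the access and TLS settings this
# article relies on. Assumes one directive per line; only <Directory>
# nesting is tracked. Reads FILE, or stdin when no argument is given.
audit_proftpd_conf() {
    awk '
        # strip comments and surrounding whitespace, skip empty lines
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 == "" { next }
        { key = tolower($1) }
        key ~ /^<directory/   { in_dir = 1; next }
        key ~ /^<\/directory/ { in_dir = 0; next }
        key ~ /^<limit/       { in_limit = 1; limit_all = ($0 ~ /[ \t]ALL[ \t>]/); next }
        key ~ /^<\/limit/     { in_limit = 0; next }
        key == "denyall" && in_limit && limit_all && !in_dir { global_deny = 1 }
        key == "tlsengine"   { engine   = (tolower($2) == "on") }
        key == "tlsrequired" { required = (tolower($2) == "on") }
        key == "tlsprotocol" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^SSLv/ || $i == "TLSv1" || $i == "TLSv1.1") legacy = legacy " " $i
        }
        END {
            if (!global_deny) { n++; print "ACCESS: no global <Limit ALL> DenyAll outside <Directory>" }
            if (!engine)      { n++; print "TLS: TLSEngine is not on" }
            if (!required)    { n++; print "TLS: TLSRequired is not on" }
            if (legacy != "") { n++; print "TLS: legacy protocol versions enabled:" legacy }
            exit (n > 0)   # status 0 only when there are no findings
        }
    ' "${1:--}"
}

# Constructed sample (not from the article): TLS is enabled but optional,
# SSLv3 is still allowed, and the only <Limit ALL> sits inside <Directory ~>.
sample_conf() {
    cat <<'EOF'
Port 45343
<Directory ~>
  <Limit ALL>
    AllowAll
  </Limit>
</Directory>
TLSEngine on
TLSProtocol SSLv3 TLSv1.2
# TLSRequired on
EOF
}

sample_conf | audit_proftpd_conf || true
```

Run it against your own file with audit_proftpd_conf ~/.config/proftpd/proftpd.conf; no output and exit status 0 mean all four checks passed.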