Userland ProFTPD

Setup

Intro

ProFTPD is an FTP server that can be used to offer FTP access to friends and family without revealing your slot's username and password. Instead, custom usernames and passwords can be set for each friend or family member.

Important: Because your slot's username and password won't be used to log in to your personal FTP server, any downloads taking place will count towards your traffic usage.

A random port number between 10000 and 65535 is needed and will be used to access your FTP server once setup is complete. The port number 10001 has automatically been generated and will be used throughout this article, but can be changed if needed.

Main configuration file

Create a directory for the configuration:

mkdir -p ~/.config/proftpd

Then edit the main configuration file with nano -w ~/.config/proftpd/proftpd.conf and add the following:

User                    user
Group                   user

Port                    10001
Umask                   022
MaxInstances            10
DefaultServer           on

AuthPAM                 off
AuthUserFile            /home/user/.config/proftpd/proftpd.passwd

PidFile                 /home/user/.config/proftpd/proftpd.pid
ScoreboardFile          /home/user/.config/proftpd/proftpd.scoreboard
DelayTable              /home/user/.config/proftpd/proftpd.delay
SystemLog               /home/user/.config/proftpd/proftpd.log
WtmpLog                 off

Save the file by pressing Ctrl+x, y and then enter.

Authentication

You can create users with the following command. Replace username with the username you want them to use:

ftpasswd --passwd --file="$HOME/.config/proftpd/proftpd.passwd" --home=$HOME --shell=$SHELL --uid=$UID --gid=`id -g user` --name=username

If you want to use permissions, you will need to specify their home directory directly. For example, if you want them to only access ~/files:

ftpasswd --passwd --file="$HOME/.config/proftpd/proftpd.passwd" --home=$HOME/files --shell=$SHELL --uid=$UID --gid=`id -g user` --name=username

Enter the password for the account when prompted and press enter.

If you want to remove a user: ftpasswd --delete-user --passwd --file="$HOME/.config/proftpd/proftpd.passwd" --name=user

Change permissions of proftpd.passwd so ProFTPD will start correctly:

chmod o-rwx ~/.config/proftpd/proftpd.passwd

Installing the daemon

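Fetch the source and compile ProFTPD. The tarball is downloaded over plain FTP, so check it against the signature published by the ProFTPD project before building.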

wget -4 ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.8.tar.gz
tar xvfz proftpd-*.tar.gz
cd proftpd-*/
./configure --with-modules=mod_tls
make

Then move the compiled binary to a permanent location:

mkdir -p ~/bin
mv ./proftpd ~/bin/proftpd

(Optional) Remove the source code:

cd ..
rm -r proftpd-* 

Starting the daemon

  1. Create the file that will start the FTP server: touch ~/.config/proftpd/start

  2. Make the start file executable: chmod +x ~/.config/proftpd/start

  3. Place the contents of the box below into the start file.

     #!/bin/bash
     /home/user/bin/proftpd -c ~/.config/proftpd/proftpd.conf &> /dev/null
    

From then on, the server can be started using ~/.config/proftpd/start as a command.

In case you need to troubleshoot the start command, you can get more verbose output by appending the -nd5 argument to the actual proftpd command in the start file.

Starting the daemon on boot

To ensure proftpd is started automatically each time your server is rebooted, add the following line to the crontab using crontab -e:

@reboot /home/user/bin/proftpd -c ~/.config/proftpd/proftpd.conf

Accessing it

You will now be able to access your home directory using the username and password you defined from ftp://server.whatbox.ca:10001/

Stopping the daemon

Kill the process with this command:

kill -15 `cat /home/user/.config/proftpd/proftpd.pid`

Permissions (optional)

By default, ProFTPD will allow all created users access to all the directories your user has access to. By setting up permissions, you can limit their access to only specific directories that you defined as their home.

To set up permissions, you will need to deny access to everything except logging in to the FTP server. A global <Limit ALL> will do this - the ALL permission does not include logging in. You will override these permissions with specific directories as explained later. Add the following to the bottom of .config/proftpd/proftpd.conf:

<Limit ALL>
    DenyAll
</Limit>

In ProFTPD, ~ is the FTP user's home directory. This can be different from your actual home directory. The following additional configuration will allow all FTP users full access to their FTP home directory:

<Directory ~>
    <Limit ALL>
        AllowAll
    </Limit>
</Directory>

You can change the limited commands by replacing ALL with specific commands or groups of commands as listed on ProFTPD's <Limit> documentation. You can also add subdirectories by copying the entire block and changing ~ to ~/directory where directory is the subdirectory you want to modify permissions.

Copy the two blocks above verbatim if you want your users limited to the directory that you specified as their home.

Restart ProFTPD with the following command for the configuration changes to take effect:

kill -15 `cat /home/user/.config/proftpd/proftpd.pid`; ~/.config/proftpd/start
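The permissions only confine a user if three things hold together: the global deny block is present, the password file is not readable by others, and the user's FTP home is a subdirectory rather than the slot home. The following script is an added example, not part of the original article, that checks all three; the sample users, hashes and temporary paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a userland ProFTPD setup like the one in this article.

# Users whose FTP home (field 6 of the passwd-format AuthUserFile) is the slot
# home itself: the <Directory ~> rule then covers your entire home directory.
unconfined_users() {  # $1 = AuthUserFile, $2 = slot home
    awk -F: -v home="${2%/}" \
        '{ h = $6; sub(/\/$/, "", h); if (h == home) print $1 }' "$1"
}

# True only if "other" has no permission bits on the file (chmod o-rwx).
other_has_no_access() {  # $1 = file
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# True only if a <Limit ALL> block outside any <Directory> contains DenyAll.
has_global_deny() {  # $1 = proftpd.conf
    awk '/^[ \t]*<Directory/    { indir = 1 }
         /^[ \t]*<\/Directory>/ { indir = 0 }
         /^[ \t]*<Limit[ \t]+ALL>/ && !indir { inlimit = 1 }
         /^[ \t]*<\/Limit>/     { inlimit = 0 }
         inlimit && /^[ \t]*DenyAll/ { found = 1 }
         END { exit !found }' "$1"
}

# Constructed sample data (not real accounts or hashes).
demo=$(mktemp -d)
cat > "$demo/proftpd.passwd" <<'EOF'
alice:$1$constructed$hash:1000:1000::/home/user:/bin/bash
bob:$1$constructed$hash:1000:1000::/home/user/files:/bin/bash
EOF
chmod 640 "$demo/proftpd.passwd"
cat > "$demo/proftpd.conf" <<'EOF'
<Limit ALL>
    DenyAll
</Limit>
<Directory ~>
    <Limit ALL>
        AllowAll
    </Limit>
</Directory>
EOF

other_has_no_access "$demo/proftpd.passwd" || echo "passwd file readable by others"
has_global_deny "$demo/proftpd.conf" || echo "no global DenyAll: users are not confined"
for u in $(unconfined_users "$demo/proftpd.passwd" /home/user); do
    echo "user '$u' has the whole slot home as FTP home"
done
```

To audit a real setup, call the three functions with ~/.config/proftpd/proftpd.passwd, ~/.config/proftpd/proftpd.conf and "$HOME" instead of the demo paths.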

Setting up TLS (optional)

FTP doesn't send the username/password or files via a secure connection. ProFTPD can be configured for userland TLS, which will encrypt the control stream (the commands sent to the FTP server) as well as the file transfers themselves.

Generating your certificates

In order for TLS to work, you will need a private key and a self-signed certificate.

The following command will generate your private key:

openssl genrsa -des3 -out ~/.config/proftpd/server.key 2048

You will be asked for a pass phrase for your private key. Enter a short phrase. You will be asked for this pass phrase during the creation of the certificate later on.

The following command will generate a certificate signing request. You will be asked for a bunch of information. Just hit enter past all of it, as it is not required for what we are doing since the certificate will be self-signed.

openssl req -new -key ~/.config/proftpd/server.key -out ~/.config/proftpd/server.csr

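Having a pass phrase on the private key will prevent the service from starting automatically, as you would need to enter the pass phrase each time. The following commands will remove that requirement. The resulting server.key is stored unencrypted, so keep it readable only by your own user.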

cp ~/.config/proftpd/server.key ~/.config/proftpd/server.key.org

openssl rsa -in ~/.config/proftpd/server.key.org -out ~/.config/proftpd/server.key

Finally, the following command will generate your self-signed certificate.

openssl x509 -req -days 365 -in ~/.config/proftpd/server.csr -signkey ~/.config/proftpd/server.key -out ~/.config/proftpd/server.crt
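Because the certificate is self-signed, FTP clients cannot validate it against a certificate authority; users have to compare its fingerprint with one you give them. The following script is an added example, not part of the original article, that confirms the certificate matches the key, prints the SHA-256 fingerprint to share, and checks the remaining validity; it generates a constructed throwaway key and certificate so it runs without touching your real files.

```shell
#!/bin/sh
# Added example: checks to run after creating the self-signed certificate.

# True if the certificate carries the public key derived from the private key.
cert_matches_key() {  # $1 = certificate, $2 = unencrypted private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# SHA-256 fingerprint to give your users over a separate channel, so they can
# compare it with what their FTP client shows before accepting the certificate.
cert_fingerprint() {  # $1 = certificate
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# True if the certificate will still be valid $2 days from now.
valid_for_days() {  # $1 = certificate, $2 = days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Constructed throwaway key and certificate (the CN is a placeholder).
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=example.invalid" \
    -keyout "$demo/server.key" -out "$demo/server.crt" 2>/dev/null

cert_matches_key "$demo/server.crt" "$demo/server.key" && echo "certificate matches key"
echo "fingerprint: $(cert_fingerprint "$demo/server.crt")"
valid_for_days "$demo/server.crt" 30 || echo "certificate expires within 30 days: regenerate it"
```

Run the same functions against ~/.config/proftpd/server.crt and ~/.config/proftpd/server.key to check the files created above; the certificate from this article expires after 365 days and must be regenerated then.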

Adding the TLS configuration

Once you have created your certificate, you need to tell ProFTPD to use TLS for FTP connections. In ~/.config/proftpd/proftpd.conf add the following lines:

TLSEngine on
TLSProtocol TLSv1.2
#The following line sets TLS to be required for connections.  
TLSRequired on 
TLSRSACertificateFile /home/user/.config/proftpd/server.crt
TLSRSACertificateKeyFile /home/user/.config/proftpd/server.key
TLSVerifyClient off
TLSOptions NoSessionReuseRequired

At this point, save your config file and restart ProFTPD using the restart command above; nothing additional needs to be done. From now on, when you connect to your ProFTPD setup, you will need to use FTP with explicit TLS instead of standard FTP.