Userland ProFTPD



ProFTPD is an FTP server that can be used to offer FTP access to friends and family without revealing your slot's username and password. Instead, custom usernames and passwords can be set for each friend or family member.

Important: Because your slot's username and password won't be used to log in to your personal FTP server, any downloads taking place will count towards your traffic usage.

A random port number between 10000 and 65535 is needed and will be used to access your FTP server once setup is complete. The port number 29542 has automatically been generated and will be used throughout this article, but can be changed if needed.

Main configuration file

Create a directory for the configuration:

mkdir -p ~/.config/proftpd

Then create the main configuration file:

touch ~/.config/proftpd/proftpd.conf

and give it the following contents:

User                    user
Group                   user

Port                    29542
Umask                   022
MaxInstances            10

AuthPAM                 off
AuthUserFile            /home/user/.config/proftpd/proftpd.passwd

PidFile                 /home/user/.config/proftpd/
ScoreboardFile          /home/user/.config/proftpd/proftpd.scoreboard
DelayTable              /home/user/.config/proftpd/proftpd.delay
SystemLog               /home/user/.config/proftpd/proftpd.log
WtmpLog                 off


You can create users with the following command. Replace user with the username you want them to use:

ftpasswd --passwd --file="$HOME/.config/proftpd/proftpd.passwd" --home=$HOME --shell=$SHELL --uid=$UID --gid=`id -g $USER` --name=user

If you want to use permissions, you will need to specify their home directory directly. For example, if you want them to only access ~/files:

ftpasswd --passwd --file="$HOME/.config/proftpd/proftpd.passwd" --home=$HOME/files --shell=$SHELL --uid=$UID --gid=`id -g $USER` --name=user

Enter the password for the account when prompted and press enter.

If you want to remove a user: ftpasswd --delete-user --passwd --file="$HOME/.config/proftpd/proftpd.passwd" --name=user

Change permissions of proftpd.passwd so ProFTPD will start correctly:

chmod o-rwx ~/.config/proftpd/proftpd.passwd

Installing the daemon

Fetch the binary and compile ProFTPD.

tar xvfz proftpd-*.tar.gz
cd proftpd-*

Then move the compiled binary to a permanent location.

mkdir -p ~/bin
mv ./proftpd ~/bin/proftpd

(Optional) Remove the source code:

cd ..
rm -r proftpd-* 

Starting the daemon

  1. Create the file that will start the FTP server. touch ~/.config/proftpd/start

  2. Make the start file able to be executed. chmod +x ~/.config/proftpd/start

  3. Place the contents of the box below into the start file.

     /home/user/bin/proftpd -c ~/.config/proftpd/proftpd.conf &> /dev/null

From then on, the server can be started using ~/.config/proftpd/start as a command.

In case you need to troubleshoot the start command, you can get more verbose output by appending the -nd5 argument to the actual proftpd command in the start file.

Starting the daemon on boot

To ensure proftpd is automatically started each time your server is rebooted, add the following line to the crontab using crontab -e:

@reboot /home/user/bin/proftpd -c ~/.config/proftpd/proftpd.conf

Accessing it

You will now be able to access your home directory using the username and password you defined from

Stopping the daemon

Kill the process. killall proftpd

Permissions (optional)

By default, ProFTPD will allow all created users access to all the directories your user has access to. By setting up permissions, you can limit their access to only specific directories that you defined as their home.

To set up permissions, you will need to deny access to everything except logging in to the FTP server. A global <Limit ALL> will do this - the ALL permission does not include logging in. You will override these permissions with specific directories as explained later. Add the following to the bottom of .config/proftpd/proftpd.conf:

<Limit ALL>
    DenyAll
</Limit>

If you would like to only limit specific users instead of every user, replace DenyAll with DenyUser <user> where <user> is the username you wish to limit.

In ProFTPD, ~ is the FTP user's home directory. This can be different from your actual home directory. The following additional configuration will allow all FTP users full access to their FTP home directory:

<Directory ~>
    <Limit ALL>
        AllowAll
    </Limit>
</Directory>

You can change the limited commands by replacing ALL with specific commands or groups of commands as listed on ProFTPD's <Limit> documentation. You can also add subdirectories by copying the entire block and changing ~ to ~/directory where directory is the subdirectory you want to modify permissions.

Restart ProFTPD for the configuration changes to take effect. killall proftpd; ~/.config/proftpd/start

Setting up TLS

FTP doesn't send the username/password or files via a secure connection. ProFTPD can be configured for userland TLS, which will encrypt the control stream (the commands sent to the FTP server) as well as the file transfers themselves.

Compiling ProFTPd

To compile ProFTPd with TLS support use the following command:

./configure --with-modules=mod_tls

This replaces the configure command from above. The rest of the "Installing the daemon" section is identical.

Generating your certificates

In order for TLS to work you will need a private key and a self-signed certificate.

The following command will generate your private key:

openssl genrsa -des3 -out ~/.config/proftpd/server.key 2048

You will be asked for a pass phrase for your private key. Enter a short phrase. You will be asked for this pass phrase during the creation of the certificate later on.

The following command will generate a certificate signing request. You will be asked for a bunch of information. Just hit enter past all this information as it is not required for what we are doing since the certificate will be self signed.

openssl req -new -key ~/.config/proftpd/server.key -out ~/.config/proftpd/server.csr

Having a passkey on the certificate will prevent the service from auto starting, as you would need to enter your passkey. The following commands will remove that requirement.

cp ~/.config/proftpd/server.key ~/.config/proftpd/
openssl rsa -in ~/.config/proftpd/ -out ~/.config/proftpd/server.key

Finally the following command will generate your self-signed certificate.

openssl x509 -req -days 365 -in ~/.config/proftpd/server.csr -signkey ~/.config/proftpd/server.key -out ~/.config/proftpd/server.crt

Adding The TLS Configuration

Once you have created your certificate you need to tell ProFTPd to use TLS for FTP connections. In ~/.config/proftpd/proftpd.conf add the following lines:

TLSEngine on
#SSLv3 and TLSv1 are obsolete; allow only TLSv1.2.
TLSProtocol TLSv1.2
#The following line sets TLS to be required for connections.  
TLSRequired on 
TLSRSACertificateFile /home/user/.config/proftpd/server.crt
TLSRSACertificateKeyFile /home/user/.config/proftpd/server.key
TLSVerifyClient off

At this point save your config file and reload ProFTPD. This integrates with the commands above and nothing additional needs to be done. Now when you wish to connect to your ProFTPD setup you will need to use FTP with Explicit TLS instead of standard FTP.
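
Added example (not part of the original article): a small shell check for the finished setup. It reports a password file or TLS key that other users can read, a TLSProtocol line that still allows SSLv3, TLSv1 or TLSv1.1, and TLSEngine or TLSRequired not set to on. The function name audit_proftpd and the sample directory it builds are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original article.
# audit_proftpd DIR: print one "WEAK: ..." line per finding for the setup in
# DIR (the article's ~/.config/proftpd); returns 1 if anything was found.
audit_proftpd() {
    dir=$1 conf=$1/proftpd.conf rc=0

    # Secrets must not be readable by other users: the password file, and the
    # TLS key, which the article stores without a passphrase.
    for f in "$dir/proftpd.passwd" "$dir/server.key"; do
        [ -e "$f" ] || continue
        # Characters 8-10 of the ls mode string are the "other" permission bits.
        if [ "$(ls -ld "$f" | cut -c8-10)" != "---" ]; then
            echo "WEAK: $f is accessible to other users (chmod o-rwx)"; rc=1
        fi
    done

    # Protocol versions that should no longer be offered.
    for p in $(awk 'tolower($1) == "tlsprotocol" { $1 = ""; print }' "$conf"); do
        case $p in
            SSLv3|TLSv1|TLSv1.1) echo "WEAK: TLSProtocol allows $p"; rc=1 ;;
        esac
    done

    # The article's setup expects both to be "on"; any other value leaves some
    # traffic allowed in clear text.
    for d in TLSEngine TLSRequired; do
        v=$(awk -v d="$d" 'tolower($1) == tolower(d) { print tolower($2) }' "$conf" | tail -n 1)
        [ "$v" = on ] || { echo "WEAK: $d is '${v:-unset}', expected on"; rc=1; }
    done
    return $rc
}

# Constructed sample: a config that still allows SSLv3/TLSv1, and a key file
# readable by everyone.
demo=$(mktemp -d)
printf '%s\n' 'TLSEngine on' 'TLSProtocol SSLv3 TLSv1' 'TLSRequired on' > "$demo/proftpd.conf"
: > "$demo/server.key"; chmod 644 "$demo/server.key"
audit_proftpd "$demo" || echo "review the findings above"
rm -rf "$demo"
```

To check a real setup, call audit_proftpd ~/.config/proftpd after any configuration change and before restarting the daemon.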