
ProFTPD is a widely used, highly configurable FTP server for UNIX-based operating systems. This article shows the installation and configuration of ProFTPD in version 1.3.5b-4 on Debian Linux. In the example shown, TLS encryption is configured on the FTP server to encrypt the communication between the FTP client (e.g. FileZilla) and the FTP server ProFTPD. Debian Stretch 9 was used as the test system.

Installation

ProFTPD is installed quickly with the package management integrated in Debian.

sudo apt install proftpd-basic

If the package cannot be found, update the package sources:

sudo apt update

If the package still fails to install, check the /etc/apt/sources.list file; there may be a problem with the configured Debian mirror server.

Configuration

The configuration of the ProFTPD server is described below. The directory /etc/proftpd/ contains the configuration files of ProFTPD.

However, your own configuration files are best stored in the conf.d directory. Package updates do not affect the files in this directory. The Include directive in proftpd.conf includes all files in the conf.d directory.

In this example, the file custom.conf is used for the customizations of the ProFTPD server:

$ sudo vi /etc/proftpd/conf.d/custom.conf
# FTP user does not need a valid shell
<Global>
    RequireValidShell off
</Global>
# If desired turn off IPv6
UseIPv6 off
# Members of the ftpuser group are chrooted to their home directory
DefaultRoot ~ ftpuser
# Limit login to the ftpuser group
<Limit LOGIN>
    DenyGroup !ftpuser
</Limit>

The file is then saved and the ProFTPD Server is restarted:

$ sudo systemctl restart proftpd.service

SSL/TLS encrypted FTP connection with mod_tls

The TLS module allows an encrypted connection over SSL/TLS to the ProFTPD server.

Attention: Without encryption, the FTP protocol transfers both login credentials and normal data in plaintext! The use of SSL/TLS is strongly recommended for production environments.

By default, ProFTPD supports the TLS module:

$ sudo proftpd -vv | grep tls
  mod_tls_memcache/0.1
  mod_tls/2.6

It is already included in /etc/proftpd/modules.conf and automatically active.

Create Certificate

The following example uses the self-signed Snakeoil certificate of the ssl-cert package as the certificate (see Ubuntu default snakeoil SSL Certificate renew):

$ sudo apt install ssl-cert
$ sudo make-ssl-cert generate-default-snakeoil --force-overwrite
$ sudo ls -la /etc/ssl/certs/ssl-cert-snakeoil.pem
-rw-r--r-- 1 root root 1021 Sep 29 12:16 /etc/ssl/certs/ssl-cert-snakeoil.pem
$ sudo ls -la /etc/ssl/private/ssl-cert-snakeoil.key
-rw-r----- 1 root ssl-cert 1704 Sep 29 12:16 /etc/ssl/private/ssl-cert-snakeoil.key

Configure TLS

The ProFTPD package in version 1.3.5b-4 available in the package sources of Debian Stretch also supports TLSv1.2. [1]

In the conf.d directory, a separate configuration file is again created for SSL/TLS:

$ sudo vi /etc/proftpd/conf.d/tls.conf
<IfModule mod_tls.c>
        TLSEngine on
        TLSLog /var/log/proftpd/tls.log
        TLSProtocol TLSv1.2
        TLSRSACertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        TLSRSACertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        TLSVerifyClient off
        TLSRequired on
</IfModule>

ProFTPD is then restarted.
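
A check for the tls.conf settings above, as an added example that is not part of the original article; the function names and the constructed sample files are assumptions. It flags a TLSRequired value other than on, legacy TLSProtocol entries and a private key that is readable by everyone.

```shell
#!/bin/sh
# Added example (not from the original article): audit a mod_tls config file.
# Function names and the sample files below are constructed for illustration.

# directive_value FILE NAME: print the arguments of the first uncommented
# NAME directive (assumes the directive appears once in the file).
directive_value() {
    awk -v d="$2" '/^[ \t]*#/ { next }
        $1 == d { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# audit_tls_conf FILE: print one line per finding; return the number of findings.
audit_tls_conf() {
    conf=$1 findings=0
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }
    [ "$(directive_value "$conf" TLSEngine)" = on ] || fail "TLSEngine is not on"
    # Only "on" enforces TLS on both the control and the data channel.
    req=$(directive_value "$conf" TLSRequired)
    [ "$req" = on ] || fail "TLSRequired is '${req:-unset}', not on"
    proto=$(directive_value "$conf" TLSProtocol)
    [ -n "$proto" ] || fail "TLSProtocol is not set explicitly"
    for p in $proto; do
        case $p in
            SSLv23|SSLv3|TLSv1|TLSv1.1) fail "legacy protocol enabled: $p" ;;
        esac
    done
    # The private key must not be readable by "other" (mode bit 004).
    key=$(directive_value "$conf" TLSRSACertificateKeyFile)
    if [ -n "$key" ] && [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        fail "private key is world-readable: $key"
    fi
    return "$findings"
}

# Constructed sample: a weakened variant of the tls.conf shown above.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
: > "$demo_dir/demo.key"; chmod 644 "$demo_dir/demo.key"
cat > "$demo_dir/weak.conf" <<EOF
<IfModule mod_tls.c>
        TLSEngine on
        TLSProtocol SSLv3 TLSv1.2
        TLSRSACertificateKeyFile $demo_dir/demo.key
        TLSRequired off
</IfModule>
EOF
audit_tls_conf "$demo_dir/weak.conf" || echo "findings: $?"
```

Run against the real file with audit_tls_conf /etc/proftpd/conf.d/tls.conf; the configuration from this article produces no findings when the key keeps the mode shown earlier.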

Create FTP user

A separate user is created for FTP access without a valid login shell and with the home directory /var/www/upload:

$ sudo adduser ftpuser --shell /bin/false --home /var/www/upload
Adding user `ftpuser' ...
Adding new group `ftpuser' (1001) ...
Adding new user `ftpuser' (1001) with group `ftpuser' ...
Creating home directory `/var/www/upload' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
[...]

Anonymous access

To allow anonymous read access, the following file is created:

$ sudo vi /etc/proftpd/conf.d/anon.conf
<Anonymous ~ftpuser>
        User ftp
        Group ftp
        # Login as anonymous is also possible (alias for ftp)
        UserAlias anonymous ftp
        # All files are shown as belonging to ftp
        DirFakeUser on ftp
        DirFakeGroup on ftp
        RequireValidShell off
        MaxClients 10
        <Directory *>
                <Limit WRITE>
                DenyAll
                </Limit>
        </Directory>
</Anonymous>

To allow the user ftp to access the anonymous FTP area, it must be added to the group ftpuser:

$ sudo adduser ftp ftpuser
Adding user `ftp' to group `ftpuser' ...
Adding user ftp to group ftpuser
Done.

Analysis of connection problems

If there are problems establishing FTP connections, the following things can be checked:

  1. ProFTPD service runs: $ sudo service proftpd status
  2. ProFTPD listens on port 21: $ sudo netstat -tlp|grep proftp
  3. Error messages in the ProFTPD log: $ sudo tail -20 /var/log/proftpd/proftpd.log
  4. Error messages in the ProFTPD TLS log: $ sudo tail -20 /var/log/proftpd/tls.log
  5. Connection test on port 21 with telnet: $ telnet 192.0.2.10 21
  6. Connection test on port 21 with TLS: $ openssl s_client -connect 192.0.2.10:21 -starttls ftp

Message: memcache support not enabled

In some cases, the following message may appear when the ProFTPD server is restarted:

$ sudo service proftpd restart
[ ok ] Stopping ftp server: proftpd.
[....] Starting ftp server: proftpddebian proftpd[4856]: mod_tls_memcache/0.1: notice: unable to register 'memcache' SSL sessionCache: Memcache support not enabled
, OK

The problem here is that the Debian package is not compiled with --enable-memcache. [2]

The module can therefore be disabled: a hash sign (#) is inserted at the beginning of the line:

$ sudo vi /etc/proftpd/modules.conf
[...]
# LoadModule mod_tls_memcache.c
[...]

A subsequent restart proceeds without the memcache message:

$ sudo service proftpd restart
[ ok ] Stopping ftp server: proftpd.
[ ok ] Starting ftp server: proftpd.