Linux network - Install and configure proftpd in Ubuntu Server

There are many FTP server packages available for Ubuntu Server, such as pure-ftpd, proftpd and vsftpd. The proftpd FTP server has been around for quite some time in Linux and is known for its stability and high configurability. This tutorial is a complete guide on how to set up proftpd as an FTP server on Ubuntu Server. Here are the topics covered:

  1. Install proftpd package in Ubuntu server using apt-get
  2. Configure proftpd in Ubuntu server
  3. Restart proftpd service
  4. Troubleshooting tips for proftpd error
  5. Setup AuthUserFile for proftpd authentication

Install proftpd package in Ubuntu server using apt-get

Here is an example of how to install proftpd package in Ubuntu Server using apt-get package manager:

luzar@ubuntu:~$ sudo apt-get install proftpd
[sudo] password for luzar:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libmysqlclient15off libpq5 mysql-common proftpd-basic proftpd-mod-ldap
  proftpd-mod-mysql proftpd-mod-pgsql update-inetd
Suggested packages:
  proftpd-doc
The following NEW packages will be installed:
  libmysqlclient15off libpq5 mysql-common proftpd proftpd-basic
  proftpd-mod-ldap proftpd-mod-mysql proftpd-mod-pgsql update-inetd
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 3704kB of archives.
After this operation, 8045kB of additional disk space will be used.
Do you want to continue [Y/n]? Y

The apt-get package manager pauses the proftpd installation process while waiting for your confirmation. Proftpd will use 8045kB of additional disk space. If you have no problem with that, answer Y and apt-get will continue the installation.

The second time apt-get pauses the installation is when it needs your confirmation for the proftpd service configuration. Apt-get needs to know whether you want to run the proftpd service (or daemon) from inetd or as a standalone service. Normally, the ftp service is included in the super server, inetd. If you choose to run proftpd from inetd, it will save resources, but proftpd will be affected every time inetd is stopped or restarted. Note that inetd hosts many Linux services. It is recommended to run proftpd as a standalone service if you have higher traffic and resources are not a problem for your server.

[Screenshot: the "Run proftpd" service configuration dialog, offering the inetd or standalone choice]

Make your choice and press OK to continue. You should see something like the example below when apt-get finishes the installation:

 * Starting ftp server proftpd                       [ OK ]

Setting up proftpd-mod-mysql (1.3.1-12ubuntu1) ...
Setting up proftpd-mod-pgsql (1.3.1-12ubuntu1) ...
Setting up proftpd-mod-ldap (1.3.1-12ubuntu1) ...
Setting up proftpd (1.3.1-12ubuntu1) ...
Processing triggers for libc6 ...
ldconfig deferred processing now taking place
luzar@ubuntu:~$ 

Configure proftpd in Ubuntu server

The proftpd configuration files can be found in the /etc/proftpd/ directory. See the example below:

luzar@ubuntu:~$ cd /etc/proftpd/
luzar@ubuntu:/etc/proftpd$ ls -l
total 24
-rw-r--r-- 1 root root  665 2009-02-14 15:51 ldap.conf
-rw-r--r-- 1 root root 1453 2009-02-14 15:51 modules.conf
-rw-r--r-- 1 root root 5046 2009-02-14 15:51 proftpd.conf
-rw-r--r-- 1 root root  864 2009-02-14 15:51 sql.conf
-rw-r--r-- 1 root root 1717 2009-02-14 15:51 tls.conf
luzar@ubuntu:/etc/proftpd$  

The main configuration file is proftpd.conf. You can see that proftpd also includes configuration files for the other modules it supports. Now let's configure proftpd.conf.

As usual, it is good practice to back up the original file before editing any configuration file. Here is the command to make a copy of proftpd.conf:

luzar@ubuntu:/etc/proftpd$ sudo cp proftpd.conf proftpd.conf.ori
[sudo] password for luzar:
luzar@ubuntu:/etc/proftpd$ ls
ldap.conf  modules.conf  proftpd.conf  proftpd.conf.ori  sql.conf  tls.conf
luzar@ubuntu:/etc/proftpd$

Open proftpd.conf with vim or whatever text editor you are familiar with. You are going to activate, deactivate and change default settings to match your ftp server's needs.

Before you begin modifying proftpd.conf, you should know the common format in which its directives are documented. Here is the basic format:

  • Syntax: [directive-name] [some arguments]
  • Default: [directive-name] [default-value]
  • Context: [context-list] such as <VirtualHost>, <Global>, <Anonymous>, <Directory>
  • Module: module-name
  • Compatibility: compatibility notes

A full list of directives can be found in the proftpd user's guide, under References on the proftpd official website. The description and usage of each directive is also explained in the manual. Here is the link:

A list of all configuration directives.

The proftpd.conf file comes pre-configured and works by default once the daemon is started. However, the default configuration only allows Linux system users and blocks anonymous logins. The example below shows a basic ftp server configuration for system users and the anonymous user. Remember, to activate a directive, remove the # at the beginning of its line; to deactivate a directive, add a # at the beginning of its line. Each modified directive or option is introduced by a short explanation, while the directives marked "Default configuration" are left with their original options.

Default configuration.

#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#

# Includes DSO modules
Include /etc/proftpd/modules.conf

Consider this line if you only use IPv4:

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6                         off

Default configuration.

# If set on you can experience a longer connection delay in many cases.
IdentLookups                    off

Change ServerName according to your server. Change ServerType according to what you chose during the proftpd installation, inetd or standalone:

ServerName                      "Ubuntu"
ServerType                      standalone
DeferWelcome                    off

Default configuration.

MultilineRFC2228                on
DefaultServer                   on
ShowSymlinks                    on

TimeoutNoTransfer               600
TimeoutStalled                  600
TimeoutIdle                     1200

You can announce rules for ftp users by editing welcome.msg, which is located in /home/ftp.

DisplayLogin                    welcome.msg

Default configuration.

DisplayChdir                    .message true
ListOptions                     "-l"

DenyFilter                      \*.*/

Uncomment this to restrict Ubuntu users to their own home directory, so that they are prevented from navigating outside it. The usual term for this is a chroot jail.

# Use this to jail all users in their homes
DefaultRoot                   ~

Default configuration.

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell             off

Port 21 is the standard FTP port. You can change the port to reduce exposure to automated scans, although this only hides the service rather than hardening it.

# Port 21 is the standard FTP port.
Port                            21

Default configuration.

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts                  49152 65534

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress             1.2.3.4

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances                    30

Normally, when a server is installed, the nobody user is used by default. Proftpd, however, creates its own user and group to run the daemon after it drops root privileges during startup. That is fine as it is, but if you have a reason to change the default user and group that run proftpd, you can change them here:

# Set the user and group that the server normally runs at.
User                            proftpd
Group                           nogroup

The Umask format is Umask [file umask] [directory umask]. For example, a file umask of 133 yields file permission 644, which is rw-r--r-- in normal file permission notation, while a directory umask of 022 yields directory permission 755, which is rwxr-xr-x.

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask                           022  022

Default configuration.

# Normally, we want files to be overwriteable.
AllowOverwrite                  on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd              off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder                     *mod_auth_pam.c mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile                   off

# Choose a SQL backend among MySQL or PostgreSQL.
# Both modules are loaded in default configuration, so you have to 
# specify the backend
# or comment out the unused module in /etc/proftpd/modules.conf.
# Use 'mysql' or 'postgres' as possible values.
#
#<IfModule mod_sql.c>
# SQLBackend                    mysql
#</IfModule>

Proftpd creates the log directory and files in the default installation. Here is their location:

TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log

Default configuration.

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf

The section below is the proftpd configuration for the anonymous user. We are going to allow anonymous access, so remove the # at the beginning of the <Anonymous ~ftp> line to enable the anonymous user configuration.

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
   User                                ftp
   Group                               nogroup

   # We want clients to be able to login with "anonymous" as well as "ftp"
   UserAlias                   anonymous ftp
   # Cosmetic changes, all files belongs to ftp user

   DirFakeUser on ftp
   DirFakeGroup on ftp

   RequireValidShell           off
   # Limit the maximum number of anonymous logins
   MaxClients                  10

   # We want 'welcome.msg' displayed at login, and '.message' displayed
   # in each newly chdired directory.

   DisplayLogin               welcome.msg
   DisplayFirstChdir           .message

   # Limit WRITE everywhere in the anonymous chroot

   <Directory *>
     <Limit WRITE>
       DenyAll
     </Limit>
   </Directory>

   # Uncomment this if you're brave.
   # <Directory incoming>
   #   # Umask 022 is a good standard umask to prevent new files and dirs
   #   # (second parm) from being group and world writable.
   #   Umask                           022  022
   #            <Limit READ WRITE>
   #            DenyAll
   #            </Limit>
   #            <Limit STOR>
   #            AllowAll
   #            </Limit>
   # </Directory>

 </Anonymous>

Save the changes you made to proftpd.conf and exit.

Restart proftpd service

We need to restart the proftpd service for the changes we made to the configuration file to take effect. Restart the proftpd service with this command:

sudo /etc/init.d/proftpd restart

Unfortunately proftpd could not start and I got this error:

luzar@ubuntu:/home/ftp$ sudo /etc/init.d/proftpd restart
 * Stopping ftp server proftpd                           [ OK ]
 * Starting ftp server proftpd                                                   
- warning: the DisplayFirstChdir directive is deprecated and will be
 removed in a future release.  Please use the DisplayChdir directive.
 - Fatal: <Directory>: relative path not allowed in non-<Anonymous>
sections on line 161 of '/etc/proftpd/proftpd.conf'
                                                      [fail]

Troubleshooting tips for proftpd error

Proftpd works fine with the default settings. If you get an error after editing proftpd.conf, it means you left a mistake in the configuration file. For example, I got the error above because I forgot to remove the comment (#) from the anonymous configuration. So, open proftpd.conf again and fix the error:

sudo vim +161 /etc/proftpd/proftpd.conf

Remove the # at the beginning of <Anonymous ~ftp> and change the DisplayFirstChdir directive to DisplayChdir.

<Anonymous ~ftp>
   User                                ftp
   Group                               nogroup

   # We want clients to be able to login with "anonymous" as well as "ftp"
   UserAlias                   anonymous ftp
   # Cosmetic changes, all files belongs to ftp user

   DirFakeUser on ftp
   DirFakeGroup on ftp

   RequireValidShell           off
   # Limit the maximum number of anonymous logins
   MaxClients                  10

   # We want 'welcome.msg' displayed at login, and '.message' displayed
   # in each newly chdired directory.

   DisplayLogin               welcome.msg
   DisplayChdir               .message

   # Limit WRITE everywhere in the anonymous chroot

   <Directory *>
     <Limit WRITE>
       DenyAll
     </Limit>
   </Directory>
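Added here as an illustration, not code from the original tutorial: a small Python checker that flags the problems the failed restart above exposed (a commented-out <Anonymous> opener, a relative <Directory> path outside <Anonymous>, the deprecated DisplayFirstChdir directive) and also warns when DefaultRoot is disabled. The sample configuration is constructed to reproduce the broken state, not the page's full proftpd.conf.

```python
import re

# Constructed sample reproducing the broken state described in the tutorial:
# the <Anonymous ~ftp> opener is still commented out, DisplayFirstChdir is
# used, and DefaultRoot is disabled. This is not the page's full proftpd.conf.
SAMPLE_CONF = """\
Include /etc/proftpd/modules.conf
ServerType standalone
# DefaultRoot ~
# <Anonymous ~ftp>
   User ftp
   DisplayFirstChdir .message
   <Directory *>
     <Limit WRITE>
       DenyAll
     </Limit>
   </Directory>
 </Anonymous>
"""

# Deprecated directive -> its replacement (taken from the warning proftpd prints).
DEPRECATED = {"DisplayFirstChdir": "DisplayChdir"}


def check_config(text):
    """Return [(line_no, message)] findings for a proftpd.conf body.

    line_no 0 marks a finding about the file as a whole.
    """
    findings = []
    anon_depth = 0          # how many <Anonymous> sections we are inside
    active = set()          # directive names that are not commented out
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # A commented-out section opener leaves its whole body in the
            # surrounding context, which is exactly the fatal error on the page.
            if re.match(r"#\s*<Anonymous\b", line):
                findings.append((no, "<Anonymous> opener is commented out; "
                                     "its body is parsed in the global context"))
            continue
        m = re.match(r"<(/?)(\w+)\s*([^>]*)>", line)
        if m:
            closing, name, arg = m.group(1) == "/", m.group(2), m.group(3).strip()
            if name == "Anonymous":
                anon_depth += -1 if closing else 1
                if anon_depth < 0:
                    findings.append((no, "</Anonymous> without a matching opener"))
                    anon_depth = 0
            elif name == "Directory" and not closing:
                # proftpd only accepts relative <Directory> paths inside <Anonymous>.
                if anon_depth == 0 and not arg.startswith("/"):
                    findings.append((no, f"<Directory {arg}>: relative path not "
                                         "allowed outside <Anonymous>"))
            continue
        directive = line.split()[0]
        active.add(directive)
        if directive in DEPRECATED:
            findings.append((no, f"{directive} is deprecated; use {DEPRECATED[directive]}"))
    if "DefaultRoot" not in active:
        # Without DefaultRoot, local users are not confined to their home directory.
        findings.append((0, "DefaultRoot not set: local users are not chroot jailed"))
    return findings
```

Run check_config on the text of /etc/proftpd/proftpd.conf before restarting the daemon; an empty list means none of these four conditions is present.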

Restart proftpd daemon again:

luzar@ubuntu:/home/ftp$ sudo /etc/init.d/proftpd restart
 * Stopping ftp server proftpd                                 [ OK ]
 * Starting ftp server proftpd                                 [ OK ]
luzar@ubuntu:/home/ftp$

Test logging in to the proftpd FTP server with an Ubuntu user and with the anonymous user:

luzar@hitam:~$ ftp 172.16.153.129
Connected to 172.16.153.129.
220 ProFTPD 1.3.1 Server (Ubuntu) [::ffff:172.16.153.129]
Name (172.16.153.129:luzar):
331 Password required for luzar
Password:
230 User luzar logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 luzar    luzar     3903990 Jan 26 16:19 UserManual.pdf
-rw-r--r--   1 luzar    luzar      376028 Feb  3 19:23 netfilter.pdf
226 Transfer complete

Let's try moving up two directories:

ftp> cd ../..
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 luzar    luzar     3903990 Jan 26 16:19 UserManual.pdf
-rw-r--r--   1 luzar    luzar      376028 Feb  3 19:23 netfilter.pdf
226 Transfer complete
ftp> bye
221 Goodbye.

We can't move to the upper directory because the chroot jail is enabled. Let's try logging in to the ftp server as the anonymous user:

luzar@hitam:~$ ftp 172.16.153.129
Connected to 172.16.153.129.
220 ProFTPD 1.3.1 Server (Ubuntu) [::ffff:172.16.153.129]
Name (172.16.153.129:luzar): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user anonymous@::ffff:172.16.153.1 !
230-
230-The local time is: Sun Feb 15 10:17:03 2009
230-
230-This is an additional FTP server.  You only have permission 
230-to download files. If you have any unusual problems,
230-please report them via e-mail to .
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 ftp      ftp           170 Aug 16  2008 welcome.msg
226 Transfer complete

Let's try moving up two directories:

ftp> cd ../..
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 ftp      ftp           170 Aug 16  2008 welcome.msg
226 Transfer complete
ftp>  

Great, the anonymous user also cannot move to the upper directory. That covers some basic security in the proftpd configuration for local use. This configuration, however, is not recommended for external use for security reasons: plain FTP sends credentials and data in cleartext, so for anything beyond a local network you would at least enable FTPS through the tls.conf include shown above.

Another option to make proftpd more secure is to block system users from logging in to the ftp server. Proftpd includes many authentication modules, such as ldap, sql and AuthUserFile, which uses virtual user accounts. If you don't have LDAP set up, AuthUserFile is a good choice. It is easy and we can do it straight away.

Setup AuthUserFile for proftpd authentication

AuthUserFile uses virtual user accounts to authenticate logins to the proftpd ftp server. To create a virtual user account, we use the ftpasswd tool, a perl script included with the proftpd package. ftpasswd is installed by default with proftpd, so we can use it right away.

If we invoke man ftpasswd, we see that ftpasswd manipulates proftpd authentication files. It creates the AuthUserFile and AuthGroupFile, which contain the virtual user account information that allows those users to access the ftp server.

We are going to create the AuthUserFile and AuthGroupFile in the /etc/proftpd directory. Change directory to /etc/proftpd and run ftpasswd. Below is an ftpasswd example that creates a user account. The format is the same as shown in the ftpasswd manual page:

luzar@ubuntu:/etc/proftpd$ sudo ftpasswd --passwd --name=labu --uid=1010 --home=/home/ftp --shell=/bin/false
ftpasswd: --passwd: missing --gid argument: default gid set to uid
ftpasswd: creating passwd entry for user labu
ftpasswd: /bin/false is not among the valid system shells.  Use of
ftpasswd: "RequireValidShell off" may be required, and the PAM
ftpasswd: module configuration may need to be adjusted.
Password: Enter password
Re-type password: Re-enter password
ftpasswd: entry created

We got two warnings there: the first concerns the gid and the second concerns proftpd.conf. Let's fix the gid warning first and deal with the proftpd warning later. So this time we create a second user with the gid included:

luzar@ubuntu:/etc/proftpd$ sudo ftpasswd --passwd --name=aura --uid=1011 --gid=1010 --home=/home/ftp --shell=/bin/false
ftpasswd: creating passwd entry for user aura
ftpasswd: /bin/false is not among the valid system shells.  Use of
ftpasswd: "RequireValidShell off" may be required, and the PAM
ftpasswd: module configuration may need to be adjusted.
Password: Enter password
Re-type password: Re-enter password
ftpasswd: entry created

The ftpasswd --passwd option creates a user entry in the ftpd.passwd file. The ftpd.passwd format is the same as the /etc/passwd system file. Here is the format:

username:password:uid:gid:gecos:homedir:shell

luzar@ubuntu:/etc/proftpd$ cat ftpd.passwd
labu:$1$PtmsJf5A$R2vNdkSrVl9de.:1010:1010::/home/ftp:/bin/false
aura:$1$svlH3xco$tLhC/J97iBB2h:1011:1010::/home/aura:/bin/false

This is how to create AuthGroupFile:

luzar@ubuntu:/etc/proftpd$ sudo ftpasswd --group --name=ftpd --gid=1010 --member=labu --member=aura
ftpasswd: updating group entry for group ftpd
ftpasswd: entry updated

The ftpasswd --group option creates a group entry in the ftpd.group file. The format is the same as the /etc/group file:

luzar@ubuntu:/etc/proftpd$ cat ftpd.group
ftpd:x:1010:labu,aura
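Added example, not from the original tutorial or the proftpd project: a Python audit of ftpd.passwd and ftpd.group in the formats shown above. It catches the condition the ftpasswd warnings point at (a shell not in the valid shell list, so RequireValidShell off is needed) plus empty password fields, non-absolute home directories, gids with no group entry and group members with no user entry. The sample entries, hashes and shell list are constructed.

```python
# Constructed sample files in the format ftpasswd writes (the hashes are
# placeholders, not real password hashes). The third user is deliberately
# broken to exercise the checks.
FTPD_PASSWD = """\
labu:$1$saltsalt$constructedhashvalue:1010:1010::/home/ftp:/bin/false
aura:$1$saltsalt$constructedhashvalue:1011:1010::/home/aura:/bin/false
ghost::1012:1010::relative/dir:/bin/false
"""
FTPD_GROUP = "ftpd:x:1010:labu,aura,nobodyhere\n"

# Constructed stand-in for /etc/shells; /bin/false is absent, as on the tutorial's system.
SYSTEM_SHELLS = ["/bin/sh", "/bin/bash"]


def parse_passwd(text):
    """Parse AuthUserFile lines: name:password:uid:gid:gecos:home:shell."""
    users = {}
    for no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"ftpd.passwd line {no}: expected 7 fields, got {len(fields)}")
        name, password, uid, gid, _gecos, home, shell = fields
        users[name] = {"password": password, "uid": int(uid), "gid": int(gid),
                       "home": home, "shell": shell}
    return users


def parse_group(text):
    """Parse AuthGroupFile lines: name:password:gid:member1,member2,..."""
    groups = {}
    for no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"ftpd.group line {no}: expected 4 fields, got {len(fields)}")
        name, _, gid, members = fields
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def audit(passwd_text, group_text, valid_shells):
    """Return the list of problems to fix before pointing AuthUserFile at these files."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    known_gids = {g["gid"] for g in groups.values()}
    findings = []
    for name, u in users.items():
        if not u["password"]:
            findings.append(f"{name}: empty password field")
        if not u["home"].startswith("/"):
            findings.append(f"{name}: home {u['home']} is not an absolute path")
        if u["shell"] not in valid_shells:
            # This is what ftpasswd warns about: login needs RequireValidShell off.
            findings.append(f"{name}: shell {u['shell']} not in valid shells; "
                            "needs RequireValidShell off")
        if u["gid"] not in known_gids:
            findings.append(f"{name}: gid {u['gid']} has no AuthGroupFile entry")
    for gname, g in groups.items():
        for member in g["members"]:
            if member not in users:
                findings.append(f"group {gname}: member {member} has no AuthUserFile entry")
    return findings
```

On a real system, read /etc/proftpd/ftpd.passwd, /etc/proftpd/ftpd.group and /etc/shells into the three arguments instead of the constructed samples.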

Now we need to add AuthUserFile to /etc/proftpd/proftpd.conf. Open the file in a text editor:

luzar@ubuntu:/etc/proftpd$ sudo vim proftpd.conf

Add these lines (if you also want proftpd to use the group file created above, add an AuthGroupFile /etc/proftpd/ftpd.group directive alongside them):

# Authentication using AuthUserFile
AuthUserFile                    /etc/proftpd/ftpd.passwd

# AuthOrder to use mod_auth_file.c only, no local user allowed
AuthOrder                       mod_auth_file.c

Save and exit. Restart proftpd daemon:

luzar@ubuntu:/etc/proftpd$ sudo /etc/init.d/proftpd restart
 * Stopping ftp server proftpd                                    [ OK ]
 * Starting ftp server proftpd                                    [ OK ]

Test logging in to the ftp server with an AuthUserFile account:

luzar@hitam:~$ ftp 172.16.153.129
Connected to 172.16.153.129.
220 ProFTPD 1.3.1 Server (Ubuntu FTP server) [172.16.153.129]
Name (172.16.153.129:luzar): labu
331 Password required for labu
Password:
230-Welcome, archive user labu@172.16.153.1 !
230-
230-The local time is: Mon Feb 16 16:06:04 2009
230-
230-This is an additional FTP server. You only have permission
230-to download files. If you have any unusual problems,
230-please report them via e-mail to .
230-
230 User labu logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
luzar@hitam:~$

Test logging in to the ftp server with a local user account:

luzar@hitam:~$ ftp 172.16.153.129
Connected to 172.16.153.129.
220 ProFTPD 1.3.1 Server (Ubuntu FTP server) [172.16.153.129]
Name (172.16.153.129:luzar):
331 Password required for luzar
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

That's all. Good luck configuring your proftpd server.



Good article. Here is another option for Ubuntu Proftpd setup. You can create a user only for ftp and allow them to use a dedicated ftp folder.

Insert a /bin/false line in /etc/shells. Then you can create a user and add them to the proftpd group owner.

Here are the steps:

1) $ sudo vim /etc/shells
Insert /bin/false line, then save and exit.

2) $ sudo mkdir /home/ftp-folder

Create a folder for download and upload and give proper permission:
$ sudo mkdir /home/ftp-folder/download
$ sudo mkdir /home/ftp-folder/upload
$ sudo chmod 755 /home/ftp-folder/download
$ sudo chmod 777 /home/ftp-folder/upload

3) Create the ftp user and assign the shared folder to be used by ftp users by adding them to the folder's group owner.
$ sudo useradd userftp -d /home/ftp-folder -s /bin/false
$ sudo passwd userftp

4) Restart Proftpd service and test login with the new user:
$ sudo /etc/init.d/proftpd restart

You can also use these tips with the vsftpd ftp server.
