Linux network - Install and configure proftpd in Ubuntu Server

There are several FTP server packages available for Ubuntu Server, such as pure-ftpd, proftpd and vsftpd. Proftpd has been around on Linux for quite some time and is known for its stability and for being highly configurable. This tutorial is a complete guide to setting up proftpd as an FTP server on Ubuntu Server. Here are the topics covered:

  1. Install proftpd package in Ubuntu server using apt-get
  2. Configure proftpd in Ubuntu server
  3. Restart proftpd service
  4. Troubleshooting tips for proftpd error
  5. Setup AuthUserFile for proftpd authentication

Install proftpd package in Ubuntu server using apt-get

Here is an example of how to install proftpd package in Ubuntu Server using apt-get package manager:

[email protected]:~$ sudo apt-get install proftpd
[sudo] password for luzar:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
libmysqlclient15off libpq5 mysql-common proftpd-basic proftpd-mod-ldap
proftpd-mod-mysql proftpd-mod-pgsql update-inetd
Suggested packages:
proftpd-doc
The following NEW packages will be installed:
libmysqlclient15off libpq5 mysql-common proftpd proftpd-basic
proftpd-mod-ldap proftpd-mod-mysql proftpd-mod-pgsql update-inetd
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
Need to get 3704kB of archives.
After this operation, 8045kB of additional disk space will be used.
Do you want to continue [Y/n]? Y

Apt-get pauses the installation and waits for your confirmation. Proftpd and its dependencies will use 8045kB of additional disk space. If that is acceptable, answer Y and apt-get continues the installation.

The second time apt-get pauses is when it needs to know whether you want to run the proftpd daemon from inetd or as a standalone service. Traditionally the ftp service is one of the many services run from the inetd super server. Running proftpd from inetd saves resources, because the daemon is only spawned when a connection arrives, but it is affected every time inetd is stopped or restarted, and inetd hosts many other services. Run proftpd as a standalone service if you expect more than occasional traffic and resources are not a problem for your server.

[Screenshot: the debconf dialog asking whether to run proftpd from inetd or standalone]

Make your choice and press OK to continue. When apt-get has finished the installation you should see something like this:

* Starting ftp server proftpd [ OK ]

Setting up proftpd-mod-mysql (1.3.1-12ubuntu1) ...
Setting up proftpd-mod-pgsql (1.3.1-12ubuntu1) ...
Setting up proftpd-mod-ldap (1.3.1-12ubuntu1) ...
Setting up proftpd (1.3.1-12ubuntu1) ...
Processing triggers for libc6 ...
ldconfig deferred processing now taking place
[email protected]:~$

Configure proftpd in Ubuntu server

Proftpd's configuration files are in the /etc/proftpd/ directory:

[email protected]:~$ cd /etc/proftpd/
[email protected]:/etc/proftpd$ ls -l
total 24
-rw-r--r-- 1 root root 665 2009-02-14 15:51 ldap.conf
-rw-r--r-- 1 root root 1453 2009-02-14 15:51 modules.conf
-rw-r--r-- 1 root root 5046 2009-02-14 15:51 proftpd.conf
-rw-r--r-- 1 root root 864 2009-02-14 15:51 sql.conf
-rw-r--r-- 1 root root 1717 2009-02-14 15:51 tls.conf
[email protected]:/etc/proftpd$

The main configuration file is proftpd.conf. The other files hold the configuration for the optional modules proftpd supports (LDAP and SQL authentication, TLS) and are pulled in from proftpd.conf with Include directives. Now let's configure proftpd.conf.

As usual, good practice before editing any configuration file is to back up the original. Here is the command to make a copy of proftpd.conf:

[email protected]:/etc/proftpd$ sudo cp proftpd.conf proftpd.conf.ori
[sudo] password for luzar:
[email protected]:/etc/proftpd$ ls
ldap.conf modules.conf proftpd.conf proftpd.conf.ori sql.conf tls.conf
[email protected]:/etc/proftpd$

Open proftpd.conf with vim or whatever text editor you are familiar with. You are going to activate, deactivate and change default settings to match your FTP server's needs.

Before modifying proftpd.conf, you should know how each directive is documented in the proftpd manual. Every entry has this format:

  • Syntax: [directive-name] [some arguments]
  • Default: [directive-name] [default-value]
  • Context: [context-list] such as <VirtualHost>, <Global>, <Anonymous>, <Directory>
  • Module: module-name
  • Compatibility: compatibility notes

A full list of directives, with the description and usage of each, is in the proftpd user's guide, under References on the official proftpd website (the page is titled "A list of all configuration directives").

The proftpd.conf shipped with the package is pre-configured and works as soon as the daemon starts. The default configuration, however, only allows Linux system users to log in and blocks anonymous access. The example below shows a basic FTP server configuration for both system users and anonymous users. Remember: to activate a directive, remove the # at the beginning of its line; to deactivate it, add a #. Each modification is explained briefly before it, and the parts marked "Default configuration." are left with their original settings.

Default configuration.

# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#

# Includes DSO modules
Include /etc/proftpd/modules.conf

If your server only uses IPv4, consider this line:

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 off

Default configuration.

# If set on you can experience a longer connection delay in many cases.
IdentLookups off

Change ServerName to suit your server. Set ServerType to match what you chose during the proftpd installation, inetd or standalone:

ServerName "Ubuntu"
ServerType standalone
DeferWelcome off

Default configuration.

MultilineRFC2228 on
DefaultServer on
ShowSymlinks on

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

You can announce rules for FTP users by editing welcome.msg. The path is relative to the directory the user lands in after login (the chroot, when DefaultRoot is in effect); for the anonymous account that is /home/ftp.

DisplayLogin welcome.msg

Default configuration.

DisplayChdir .message true
ListOptions "-l"

DenyFilter \*.*/

Uncomment this to restrict system users to their own home directories, so that they cannot navigate outside them. The usual term for this is a chroot jail.

# Use this to jail all users in their homes
DefaultRoot ~

Default configuration.

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell off

Port 21 is the standard FTP port. You can change it, but moving the service to a non-standard port only reduces noise from automated scanners; it does not protect the cleartext passwords FTP sends, so do not count it as a security measure, and remember that clients then have to be told the new port.

# Port 21 is the standard FTP port.
Port 21

Default configuration.

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts 49152 65534

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress 1.2.3.4

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

Normally a server daemon would run as the nobody user by default. The Ubuntu proftpd package instead creates its own proftpd user: the daemon starts as root (it needs root to bind port 21) and then drops to this user and group. That is fine as it is, but if you have a reason to change the user and group that proftpd runs as, you can do it here:

# Set the user and group that the server normally runs at.
User proftpd
Group nogroup

The Umask directive takes the form Umask [file umask] [directory umask]; the second argument is optional and defaults to the first. The umask is subtracted from the maximum mode, 666 for files and 777 for directories. For example, Umask 133 for files gives 644 (rw-r--r--), and Umask 022 for directories gives 755 (rwxr-xr-x). The default 022 022 below gives 644 files and 755 directories.

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022

Default configuration.

# Normally, we want files to be overwriteable.
AllowOverwrite on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder *mod_auth_pam.c mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off

# Choose a SQL backend among MySQL or PostgreSQL.
# Both modules are loaded in default configuration, so you have to
# specify the backend
# or comment out the unused module in /etc/proftpd/modules.conf.
# Use 'mysql' or 'postgres' as possible values.
#
#<IfModule mod_sql.c>
# SQLBackend mysql
#</IfModule>

The package creates the log directory and files at installation. Here is the location:

TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log

Default configuration.

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf

The section below is the proftpd configuration for anonymous users. We are going to allow anonymous access, so remove the # at the beginning of every line of the <Anonymous> block to enable it.

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
User ftp
Group nogroup

# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Cosmetic changes, all files belongs to ftp user

DirFakeUser on ftp
DirFakeGroup on ftp

RequireValidShell off

# Limit the maximum number of anonymous logins
MaxClients 10

# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.

DisplayLogin welcome.msg
DisplayFirstChdir .message

# Limit WRITE everywhere in the anonymous chroot

<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>

# Uncomment this if you're brave.
# <Directory incoming>
# # Umask 022 is a good standard umask to prevent new files and dirs
# # (second parm) from being group and world writable.
# Umask 022 022
# <Limit READ WRITE>
# DenyAll
# </Limit>
# <Limit STOR>
# AllowAll
# </Limit>
# </Directory>

</Anonymous>

Save the changes you made to proftpd.conf and exit.

Restart proftpd service

We need to restart the proftpd service for the changes to the configuration file to take effect. Restart it with this command:

sudo /etc/init.d/proftpd restart

Unfortunately proftpd fails to start, and I get this error:

[email protected]:/home/ftp$ sudo /etc/init.d/proftpd restart
* Stopping ftp server proftpd [ OK ]
* Starting ftp server proftpd
- warning: the DisplayFirstChdir directive is deprecated and will be
removed in a future release. Please use the DisplayChdir directive.
- Fatal: <Directory>: relative path not allowed in non-<Anonymous>
sections on line 161 of '/etc/proftpd/proftpd.conf'

[fail]

Troubleshooting tips for proftpd error

Proftpd works fine with the default settings. If you get an error after editing proftpd.conf, you have left a mistake in the file, and the message tells you where: here the <Directory *> block at line 161 is only legal inside an <Anonymous> section, and the opening <Anonymous ~ftp> tag was still commented out. Note that the init script stops the daemon before it tries to start the new configuration, so a mistake takes the server down; proftpd -t checks the syntax of the configuration file without touching the running daemon and is worth running before every restart. Open proftpd.conf at the offending line and fix it:

sudo vim +161 /etc/proftpd/proftpd.conf

Remove the # at the beginning of <Anonymous ~ftp> and change the DisplayFirstChdir directive to DisplayChdir:

<Anonymous ~ftp>
User ftp
Group nogroup
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Cosmetic changes, all files belongs to ftp user
DirFakeUser on ftp
DirFakeGroup on ftp

RequireValidShell off
# Limit the maximum number of anonymous logins
MaxClients 10

# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayChdir .message

# Limit WRITE everywhere in the anonymous chroot
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
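
Before restarting, it helps to catch this class of mistake without taking the daemon down. The script below is an added example, not part of the original tutorial or of the proftpd project: a small shell lint that scans a proftpd.conf for the exact problems hit above (a </Anonymous> whose opening tag is still commented out, a relative <Directory> outside an <Anonymous> section, the deprecated DisplayFirstChdir directive) plus two security checks (no active DefaultRoot, and RequireValidShell off leaking into the global context). The function name lint_proftpd_conf and the two sample files, which mirror the half-edited block above, are my own constructions. It is a text check only; the authoritative syntax test is proftpd -t on the server itself.

```shell
#!/bin/sh
# Added example (not from the tutorial or the proftpd project): lint a
# proftpd.conf for the mistakes that produced the fatal error above, before
# you restart the daemon. Prints one finding per line; the exit status is
# the number of findings (0 = nothing obvious wrong).

lint_proftpd_conf() {
    awk '
    BEGIN { anon = 0; bad = 0; jailed = 0 }
    { line = $0; sub(/#.*/, "", line) }          # a commented directive is no directive
    line ~ "^[ \t]*<Anonymous[ \t>]" { anon++; next }
    line ~ "^[ \t]*</Anonymous>" {
        if (anon == 0) {
            print NR ": </Anonymous> with no live <Anonymous> above it (opening tag still commented out?)"
            bad++
        } else anon--
        next
    }
    # proftpd refuses a <Directory> with a relative path outside <Anonymous>
    line ~ "^[ \t]*<Directory[ \t]" && anon == 0 {
        path = line
        sub(/^[ \t]*<Directory[ \t]+/, "", path); sub(/>.*$/, "", path)
        c = substr(path, 1, 1)
        if (c != "/" && c != "~") {
            print NR ": relative <Directory " path "> outside <Anonymous> is fatal"; bad++
        }
    }
    line ~ "^[ \t]*DisplayFirstChdir" { print NR ": DisplayFirstChdir is deprecated, use DisplayChdir"; bad++ }
    # RequireValidShell off belongs inside <Anonymous>; in the global context it
    # admits every account whose shell was set to /bin/false to keep it out
    line ~ "^[ \t]*RequireValidShell[ \t]+off" && anon == 0 {
        print NR ": RequireValidShell off in the global context"; bad++
    }
    line ~ "^[ \t]*DefaultRoot[ \t]" { jailed = 1 }
    END {
        if (anon > 0) { print "EOF: <Anonymous> block never closed"; bad++ }
        if (!jailed)  { print "EOF: no active DefaultRoot, users are not confined to their home directories"; bad++ }
        exit bad
    }' "$1"
}

# Constructed sample mirroring the half-edited block from the tutorial: the
# opening tag is still commented out, so <Directory *> lands in the global
# context (the fatal error the author saw), DisplayFirstChdir is still used,
# and RequireValidShell off has leaked into the global context as well.
BROKEN_CONF=$(mktemp); FIXED_CONF=$(mktemp)
trap 'rm -f "$BROKEN_CONF" "$FIXED_CONF"' EXIT
cat > "$BROKEN_CONF" <<'EOF'
ServerName "Ubuntu"
ServerType standalone
DefaultRoot ~
# <Anonymous ~ftp>
User ftp
Group nogroup
UserAlias anonymous ftp
RequireValidShell off
DisplayLogin welcome.msg
DisplayFirstChdir .message
<Directory *>
  <Limit WRITE>
    DenyAll
  </Limit>
</Directory>
</Anonymous>
EOF
# The same file with the two fixes applied in the tutorial.
sed -e 's/^# <Anonymous/<Anonymous/' -e 's/^DisplayFirstChdir/DisplayChdir/' \
    "$BROKEN_CONF" > "$FIXED_CONF"

echo "== broken =="; lint_proftpd_conf "$BROKEN_CONF" || echo "findings: $?"
echo "== fixed ==";  lint_proftpd_conf "$FIXED_CONF"  && echo "clean"
```

Because the exit status is the number of findings, the function drops straight into a deploy script: run the lint, then proftpd -t, and only then the restart. On the sample files the broken configuration reports four findings and the fixed one none.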

Restart proftpd daemon again:

[email protected]:/home/ftp$ sudo /etc/init.d/proftpd restart
* Stopping ftp server proftpd [ OK ]
* Starting ftp server proftpd [ OK ]
[email protected]:/home/ftp$

Test logging in to the FTP server as an Ubuntu user and as the anonymous user:

[email protected]:~$ ftp 172.16.153.129
Connected to 172.16.153.129.
220 ProFTPD 1.3.1 Server (Ubuntu) [::ffff:172.16.153.129]
Name (172.16.153.129:luzar):
331 Password required for luzar
Password:
230 User luzar logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 luzar luzar 3903990 Jan 26 16:19 UserManual.pdf
-rw-r--r-- 1 luzar luzar 376028 Feb 3 19:23 netfilter.pdf
226 Transfer complete

Let's try moving up two directories:

ftp> cd ../..
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 luzar luzar 3903990 Jan 26 16:19 UserManual.pdf
-rw-r--r-- 1 luzar luzar 376028 Feb 3 19:23 netfilter.pdf
226 Transfer complete
ftp> bye
221 Goodbye.

The listing is identical: the CWD command succeeded, but under the chroot jail the home directory is the root of everything the user can see, so ../.. resolves to that same directory. Let's try logging in to the FTP server as the anonymous user:

[email protected]:~$ ftp 172.16.153.129
Connected to 172.16.153.129.
220 ProFTPD 1.3.1 Server (Ubuntu) [::ffff:172.16.153.129]
Name (172.16.153.129:luzar): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user [email protected]::ffff:172.16.153.1 !
230-
230-The local time is: Sun Feb 15 10:17:03 2009
230-
230-This is an additional FTP server. You only have permission
230-to download files. If you have any unusual problems,
230-please report them via e-mail to .
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 ftp ftp 170 Aug 16 2008 welcome.msg
226 Transfer complete

Let's try moving up two directories:

ftp> cd ../..
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-r--r-- 1 ftp ftp 170 Aug 16 2008 welcome.msg
226 Transfer complete
ftp>

Great, the anonymous user cannot move above its directory either. That covers some basic security for a proftpd server used on a local network. The configuration is not recommended for external use, though: the tls.conf include is still commented out, so every password crosses the network in cleartext, and any system account can log in with its system password.

Another way to make proftpd more secure is to stop system users from logging in to the FTP server at all. Proftpd includes several authentication modules, such as LDAP, SQL and AuthUserFile, the last of which holds virtual user accounts. If you don't have LDAP set up, AuthUserFile is a good choice: it is easy and we can do it straight away.

Setup AuthUserFile for proftpd authentication

AuthUserFile authenticates logins to proftpd against virtual user accounts that exist only in a file, not in /etc/passwd. To create virtual users we use the ftpasswd tool, a Perl script installed with the proftpd package, so we can use it right away.

man ftpasswd says that ftpasswd manipulates proftpd authentication files: it creates the AuthUserFile and AuthGroupFile that hold the virtual user and group information proftpd uses to grant access to the FTP server.

We are going to create both files in the /etc/proftpd directory. Change directory to /etc/proftpd and run ftpasswd. Below is an example of creating a user account; the options are the same as in the ftpasswd manual page:

[email protected]:/etc/proftpd$ sudo ftpasswd --passwd --name=labu --uid=1010 --home=/home/ftp --shell=/bin/false

ftpasswd: --passwd: missing --gid argument: default gid set to uid
ftpasswd: creating passwd entry for user labu

ftpasswd: /bin/false is not among the valid system shells. Use of
ftpasswd: "RequireValidShell off" may be required, and the PAM
ftpasswd: module configuration may need to be adjusted.

Password:Enter password
Re-type password:Re-enter password

ftpasswd: entry created

We got two warnings there. The first concerns the gid, which defaulted to the uid because --gid was not given; the second concerns proftpd.conf. Let's fix the first warning now and deal with the proftpd.conf warning later. This time we create a second user with --gid included:

[email protected]:/etc/proftpd$ sudo ftpasswd --passwd --name=aura --uid=1011 --gid=1010 --home=/home/ftp --shell=/bin/false

ftpasswd: creating passwd entry for user aura

ftpasswd: /bin/false is not among the valid system shells. Use of
ftpasswd: "RequireValidShell off" may be required, and the PAM
ftpasswd: module configuration may need to be adjusted.

Password:Enter password
Re-type password:Re-enter password

ftpasswd: entry created

The ftpasswd --passwd option creates a user entry in the ftpd.passwd file. The format is the same as the /etc/passwd system file:

username:password:uid:gid:gecos:homedir:shell

[email protected]:/etc/proftpd$ cat ftpd.passwd
labu:$1$PtmsJf5A$R2vNdkSrVl9de.:1010:1010::/home/ftp:/bin/false
aura:$1$svlH3xco$tLhC/J97iBB2h:1011:1010::/home/aura:/bin/false

This is how to create the AuthGroupFile:

[email protected]:/etc/proftpd$ sudo ftpasswd --group --name=ftpd --gid=1010 --member=labu --member=aura

ftpasswd: updating group entry for group ftpd
ftpasswd: entry updated

The ftpasswd --group option creates a group entry in the ftpd.group file. The format is the same as /etc/group:

[email protected]:/etc/proftpd$ cat ftpd.group
ftpd:x:1010:labu,aura
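
Since these two files are now the whole user database of the FTP server, it is worth checking them before proftpd reads them. The script below is an added example, not part of the tutorial or of the proftpd package: a shell function check_ftpd_auth (my name) that validates an ftpd.passwd and ftpd.group pair (7 and 4 colon-separated fields, numeric uid and gid, no uid 0, no duplicate names or uids, a non-empty hash, an absolute home directory, every group member present in the passwd file, every user's gid backed by a group entry) and warns if the passwd file is readable by other users, because the hashes in it can be cracked offline by any local account that can read it. The sample files are constructed for the example and carry placeholder hashes, not real ftpasswd output.

```shell
#!/bin/sh
# Added example (not from the tutorial): validate an AuthUserFile/AuthGroupFile
# pair before proftpd uses them. One line per problem; the exit status is the
# number of problems found (0 = clean).

check_ftpd_auth() {
    pw="$1"; gr="$2"; bad=0
    # Hashes readable by every local account can be cracked offline.
    if [ -n "$(find "$pw" -perm -004 2>/dev/null)" ]; then
        echo "$pw: world-readable, fix with: chmod 600 $pw"; bad=$((bad + 1))
    fi
    awk -F: -v pw="$pw" -v gr="$gr" '
    BEGIN { bad = 0 }
    FILENAME == pw {
        # username:hash:uid:gid:gecos:home:shell, exactly like /etc/passwd
        if (NF != 7) { print pw ":" FNR ": expected 7 fields, got " NF; bad++; next }
        if ($1 in seen) { print pw ":" FNR ": duplicate user " $1; bad++ }
        seen[$1] = 1
        if ($2 == "") { print pw ":" FNR ": empty password hash for " $1; bad++ }
        if ($3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/) {
            print pw ":" FNR ": non-numeric uid/gid for " $1; bad++; next
        }
        if ($3 == 0) { print pw ":" FNR ": " $1 " would run as uid 0"; bad++ }
        if ($3 in owner) { print pw ":" FNR ": uid " $3 " already used by " owner[$3]; bad++ }
        owner[$3] = $1
        gidof[$1] = $4
        if (substr($6, 1, 1) != "/") { print pw ":" FNR ": home " $6 " is not absolute"; bad++ }
        next
    }
    FILENAME == gr {
        # groupname:x:gid:member1,member2,... exactly like /etc/group
        if (NF != 4) { print gr ":" FNR ": expected 4 fields, got " NF; bad++; next }
        gidname[$3] = $1
        n = split($4, m, ",")
        for (i = 1; i <= n; i++)
            if (m[i] != "" && !(m[i] in seen)) { print gr ":" FNR ": member " m[i] " is not in " pw; bad++ }
    }
    END {
        for (u in gidof)
            if (!(gidof[u] in gidname)) { print pw ": " u " has gid " gidof[u] " but " gr " defines no such group"; bad++ }
        exit bad
    }' "$pw" "$gr" || bad=$((bad + $?))
    return $bad
}

# Constructed sample files (placeholder hashes, not real ftpasswd output).
# GOOD_* mirrors the two users and one group created above.
GOOD_PW=$(mktemp); GOOD_GR=$(mktemp); BAD_PW=$(mktemp); BAD_GR=$(mktemp)
trap 'rm -f "$GOOD_PW" "$GOOD_GR" "$BAD_PW" "$BAD_GR"' EXIT
cat > "$GOOD_PW" <<'EOF'
labu:$1$placeholder$hashA:1010:1010::/home/ftp:/bin/false
aura:$1$placeholder$hashB:1011:1010::/home/aura:/bin/false
EOF
printf 'ftpd:x:1010:labu,aura\n' > "$GOOD_GR"

# BAD_*: a uid-0 entry, a gid with no group, a 6-field line and a ghost member.
cat > "$BAD_PW" <<'EOF'
labu:$1$placeholder$hashA:1010:1010::/home/ftp:/bin/false
admin:$1$placeholder$hashC:0:1010::/home/ftp:/bin/false
aura:$1$placeholder$hashB:1011:2000::/home/aura:/bin/false
broken:$1$placeholder$hashD:1012:1010:/home/broken:/bin/false
EOF
printf 'ftpd:x:1010:labu,aura,ghost\n' > "$BAD_GR"

echo "== good =="; check_ftpd_auth "$GOOD_PW" "$GOOD_GR" && echo "clean"
echo "== bad ==";  check_ftpd_auth "$BAD_PW" "$BAD_GR" || echo "problems: $?"
```

Run it against /etc/proftpd/ftpd.passwd and /etc/proftpd/ftpd.group after every ftpasswd change; the good pair returns 0 and the deliberately broken pair reports four problems.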

Now we need to add the AuthUserFile directive to /etc/proftpd/proftpd.conf. Open the file in a text editor:

[email protected]:/etc/proftpd$ sudo vim proftpd.conf

Add these lines (if you also want proftpd to use the group file you created, add an AuthGroupFile directive pointing at /etc/proftpd/ftpd.group alongside AuthUserFile):

# Authentication using AuthUserFile
AuthUserFile /etc/proftpd/ftpd.passwd

# AuthOrder to use mod_auth_file.c only, no local user allowed
AuthOrder mod_auth_file.c

Save and exit. Restricting AuthOrder to mod_auth_file.c means proftpd consults only the virtual user file, so system accounts are refused even with the correct password, as the last test below shows. Restart the proftpd daemon:

[email protected]:/etc/proftpd$ sudo /etc/init.d/proftpd restart
* Stopping ftp server proftpd [ OK ]
* Starting ftp server proftpd [ OK ]

Test logging in to the FTP server with a virtual user from the AuthUserFile:

[email protected]:~$ ftp 172.16.153.129
Connected to 172.16.153.129.
220 ProFTPD 1.3.1 Server (Ubuntu FTP server) [172.16.153.129]
Name (172.16.153.129:luzar): labu
331 Password required for labu
Password:
230-Welcome, archive user [email protected] !
230-
230-The local time is: Mon Feb 16 16:06:04 2009
230-
230-This is an additional FTP server. You only have permission
230-to download files. If you have any unusual problems,
230-please report them via e-mail to .
230-
230 User labu logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
[email protected]:~$

Now test logging in with a local user account:

[email protected]:~$ ftp 172.16.153.129
Connected to 172.16.153.129.
220 ProFTPD 1.3.1 Server (Ubuntu FTP server) [172.16.153.129]
Name (172.16.153.129:luzar):
331 Password required for luzar
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

That's all. Good luck configuring your proftpd server.
