How to Create a Secure FTP Server with ProFTPD on Ubuntu/Debian

An FTP server is the software that lets you create an FTP connection between your local computer and a web server. ProFTPD is an FTP server for Unix/Linux servers that is highly configurable and effective; it is free, open source, and released under the GPL license.

In this article, we’ll walk you through how to install and configure ProFTPD on Ubuntu and Debian systems. We’ll cover installing the server, setting up user accounts, configuring it for security, and testing the setup.

Step 1: Install ProFTPD Server in Ubuntu

To use the software, you first need to install it. Start by making sure that all your system packages are up to date by running the following apt commands in the terminal.

sudo apt update
sudo apt upgrade

Once the system has the latest security patches and software updates, install the ProFTPD server by running the following command.

sudo apt install proftpd

During installation, you will be asked to choose how your ProFTPD server should run. Choose the mode that best fits your needs:

  • Standalone: ProFTPD runs independently and handles all connections.
  • inetd: ProFTPD runs as a service under the inetd super-server.

For most setups, Standalone mode is recommended as it allows for better performance and easier management.


After the installation is complete, ProFTPD will automatically start and you can verify that the service is running by using:

sudo systemctl status proftpd

If ProFTPD is running correctly, you’ll see its status as “active (running)”.

Step 2: Configure ProFTPD Server in Ubuntu

Before you start using the server, you need to edit its configuration. /etc/proftpd/proftpd.conf is the default configuration file on Ubuntu/Debian servers; open it with the nano editor as shown.

sudo nano /etc/proftpd/proftpd.conf

Here are a few basic configuration settings you might want to change to suit your needs:

1. ServerName is the name of your FTP server. You can use your domain name or a custom name for easy identification.

ServerName "MyFTPServer"

2. DefaultRoot ensures FTP users are confined to their home directories and can’t navigate the entire filesystem. Uncomment this line by removing the # in front:

DefaultRoot ~

3. By default, FTP operates on port 21. If you want to use a different port (for example, for security reasons), change the port number here:

Port 2121

4. The MaxInstances setting controls how many clients can be connected at the same time. You can adjust this according to your needs:

MaxInstances 30

5. If you want to disable anonymous access for security reasons, ensure the Anonymous section looks like this:

<Anonymous ~ftp>
  User ftp
  Group nogroup
  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias anonymous ftp
  # Limit the maximum number of anonymous logins
  MaxClients 10
  # Disallow login
  <Limit LOGIN>
    DenyAll
  </Limit>
</Anonymous>

After making these changes, save the file and restart the ProFTPD service to apply the changes:

sudo systemctl restart proftpd

During ProFTPD installation, a default “proftpd” user is created automatically, but we’ll need to create a password for it. To do so, run:

sudo passwd proftpd

Step 3: Creating ProFTPD Users

ProFTPD can use your system’s regular user accounts for FTP access, which means you don’t need to create separate FTP accounts if your users already have accounts on the server.

To create a new user for FTP access, use the following adduser command:

sudo adduser ftpuser

You’ll be prompted to enter a password and some optional information for the new user. This account will now be able to log into the FTP server using their username and password.

If you want this user to be restricted to their home directory, ensure the DefaultRoot ~ option is set in the proftpd.conf file, as mentioned earlier.

Step 4: Secure ProFTPD Server

FTP is inherently insecure because it transmits data, including usernames and passwords, in plain text. To enhance security, you should configure ProFTPD to use FTPS, which adds encryption using SSL/TLS.

If you don’t have SSL certificates, you can generate a self-signed certificate for testing purposes. For a production environment, it’s recommended to use a certificate from a trusted Certificate Authority (CA).

To generate a self-signed SSL certificate:

sudo openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -days 365 -nodes

After generating the certificate, edit the proftpd.conf file again to enable FTPS.

sudo nano /etc/proftpd/proftpd.conf

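Add or uncomment the following lines. Directives inside <IfModule mod_tls.c> only take effect when the mod_tls module is loaded; if it is not, ProFTPD skips the whole block without reporting an error.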

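<IfModule mod_tls.c>
   TLSEngine on
   TLSLog /var/log/proftpd/tls.log
   # Allow only current TLS versions. SSLv23 is a compatibility mode that
   # also admits legacy protocol versions. Drop TLSv1.3 from the list if
   # your ProFTPD build does not recognize it.
   TLSProtocol TLSv1.2 TLSv1.3
   TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
   TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
   # Do not ask clients for a certificate
   TLSVerifyClient off
   # Refuse sessions that do not negotiate TLS
   TLSRequired on
</IfModule>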

After making these changes, restart ProFTPD:

sudo systemctl restart proftpd
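
The following script is an added example, not part of the original article or of the ProFTPD project. It audits a proftpd.conf for the hardening settings from Steps 2 and 4 (DefaultRoot, the anonymous login block, TLSEngine, TLSRequired and TLSProtocol). The function names and the sample configuration are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a proftpd.conf for the settings from Steps 2 and 4.
# Reads a file path or stdin; prints one finding per line, nothing if clean.
# Limitation: <IfModule> is not evaluated, so check separately that mod_tls loads.
audit_proftpd_conf() {
  awk '
    { sub(/#.*/, ""); sub(/^[ \t]+/, "") }   # strip comments and indentation
    $0 == "" { next }
    { d = tolower($1) }                      # directive name, case-folded
    d == "defaultroot" && $2 == "~" { jailed = 1 }
    d == "tlsengine"   { engine = tolower($2) }
    d == "tlsrequired" { required = tolower($2) }
    d == "tlsprotocol" {
      for (i = 2; i <= NF; i++)
        if ($i ~ /^(SSLv23|SSLv3|TLSv1|TLSv1\.1)$/) weak = weak " " $i
    }
    /^<Anonymous/                      { anon = 1; denied = 0 }
    /^<Limit/ && /LOGIN/               { in_login = 1 }
    /^<\/Limit>/                       { in_login = 0 }
    anon && in_login && d == "denyall" { denied = 1 }
    /^<\/Anonymous>/                   { if (!denied) open_anon = 1; anon = 0 }
    END {
      if (!jailed)          print "DefaultRoot ~ missing: users are not confined to their home"
      if (engine != "on")   print "TLSEngine is not on: FTPS is disabled"
      if (required != "on") print "TLSRequired is not on: plaintext sessions are accepted"
      if (weak != "")       print "TLSProtocol allows legacy versions:" weak
      if (open_anon)        print "<Anonymous> block lacks DenyAll under <Limit LOGIN>"
    }' "${1:--}"
}

# Constructed sample input: a config with several weak settings.
sample_weak_conf() {
  cat <<'EOF'
ServerName "MyFTPServer"
#DefaultRoot ~
<Anonymous ~ftp>
  User ftp
</Anonymous>
<IfModule mod_tls.c>
  TLSEngine on
  TLSProtocol SSLv23
  TLSRequired off
</IfModule>
EOF
}

sample_weak_conf | audit_proftpd_conf
```

To check the live file, source the script and run audit_proftpd_conf /etc/proftpd/proftpd.conf; an empty result means all five checks passed.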

Step 5: Test FTPS Connection

To test your FTPS setup, you can use an FTP client like FileZilla or any other client that supports FTPS.

  • Open your FTP client and create a new site profile.
  • Enter the FTP server’s IP address or domain name, username, and password.
  • In the connection settings, choose FTPS or FTP over SSL/TLS.

If everything is set up correctly, you should be able to connect securely to your ProFTPD server.

Step 6: Manage Firewall Settings

If you are running a firewall (like UFW), you’ll need to allow FTP traffic through the firewall.

To allow standard FTP:

sudo ufw allow 21/tcp

For FTPS (if you’re using it on a different port), you’ll need to allow that port too. For example, if you changed the port to 2121:

sudo ufw allow 2121/tcp

After making these changes, reload the firewall:

sudo ufw reload

Step 7: Testing the FTP Server

To test if your ProFTPD server is working, use a browser or FTP client. You can connect to your FTP server with the following syntax:

ftp://<server-ip-or-domain>

Log in with the FTP user account you created earlier. You should be able to upload, download, and manage files on the server.

Step 8: Troubleshooting ProFTPD

Error messages are stored in /var/log/proftpd/proftpd.log by default. Check this file if your ProFTPD server installation isn’t working.

Note also that the ProFTPD server sometimes lags and you can’t access it because of a “Connection Refused” message. This is not a problem: all you have to do is keep restarting the ProFTPD server until it works (provided there are no other errors).

Conclusion

You’ve successfully installed and configured ProFTPD on Ubuntu and Debian systems. This guide covered the basic installation, configuration, security setup with SSL/TLS, and firewall adjustments. You now have a flexible and secure FTP server for your file transfer needs.

For advanced configuration, such as limiting bandwidth, setting up virtual users, or enabling anonymous uploads, consult the ProFTPD documentation. Always make sure to secure your server and keep your software up to date for maximum security.


Hanny Helal
A Linux & Foss user since 2010, working on many projects in the field of Free Software.


12 Comments

  1. Which is better, an ftp://youripaddress type FTP or an ftp://yourdomain.com type FTP? And if an ftp://yourdomain.com type is better, how do you make a domain/website in Linux?

  2. How do I lock the user so he cannot go back to the www or var directory, and even the core? For the user to be able to send files and delete files, what do I have to do?

  3. Command: PASS *******
    Response: 530 Login incorrect.
    Error: Critical error: Could not connect to server
    Status: Disconnected from server
    Status: Connecting to 162.243.205.246:21…
    Status: Connection established, waiting for welcome message…
    Status: Insecure server, it does not support FTP over TLS.
    Command: USER sankapr
    Response: 331 Password required for sankapr
    Command: PASS *******
    Response: 530 Login incorrect.
    Error: Critical error: Could not connect to server

    I set all the settings correctly, but this error occurred. Please, can anyone tell me the solution for this?

    • @Priynkara,

      Have you restarted vsftpd after making the configuration changes? If not, do:

      $ sudo /etc/init.d/vsftpd restart

      If you still get the same error, another important thing to verify: is the user's shell present in /etc/shells? Could you share your vsftpd configuration here?

  4. I configured it on Ubuntu 14 running on AWS servers and I get this:
    Status: Resolving address of ec2-54-213-162-181.us-west-2.compute.amazonaws.com
    Status: Connecting to 54.213.162.181:21…
    Status: Connection established, waiting for welcome message…
    Response: 220 ProFTPD 1.3.5rc3 Server (ec2-54-213-162-181.us-west-2.compute.amazonaws.com) [172.31.25.20]
    Command: USER userftp
    Response: 331 Password required for userftp
    Command: PASS ********
    Response: 230 User userftp logged in
    Command: OPTS UTF8 ON
    Response: 200 UTF8 set to on
    Status: Connected
    Status: Retrieving directory listing…
    Command: PWD
    Response: 257 “/var/www” is the current directory
    Command: TYPE I
    Response: 200 Type set to I
    Command: PASV
    Error: Connection timed out
    Error: Failed to retrieve directory listing

    • @Rami,

      Try adding the following lines to the vsftpd.conf file.

      pasv_enable=YES
      pasv_min_port=10000
      pasv_max_port=10000
      

      This will solve your problem…

  5. Hi, for RequireValidShell, you said to put On instead of Off in your example:

    RequireValidShell: Uncomment this line and make it “On” to enable logging in for users, even for those who doesn’t have a valid shell in /etc/shells to log in.

    To enable logging in without a shell, you have to set it to Off, not On.

