In this tutorial, we'll learn how to install and secure a ProFTPD server on Ubuntu 24.04.
ProFTPD is a popular open-source FTP server used for securely transferring files over the network.
Prerequisites
- An Ubuntu 24.04 dedicated server or KVM VPS.
- A root user or normal user with administrative privileges.
Install and Secure a ProFTPD Server on Ubuntu
1. Update Your System
Before starting any installation, it’s always good practice to ensure your system is up to date. This ensures compatibility with the latest security patches and software versions.
Open a terminal and execute the following commands:
sudo apt update
sudo apt upgrade -y
- sudo apt update: This fetches the latest package information.
- sudo apt upgrade -y: This installs the latest available packages and dependencies.
Once done, your system is up to date, and you're ready to install ProFTPD.
2. Install ProFTPD
ProFTPD is available in Ubuntu’s default repository, making the installation process straightforward. To install it, simply run:
sudo apt install proftpd proftpd-mod-crypto -y
After installation, ProFTPD should start automatically. You can check the status to ensure it's running:
sudo systemctl status proftpd
This command shows the ProFTPD service’s status. If everything is set up correctly, you should see something like “active (running).”
3. Configure ProFTPD for Basic Settings
Now that ProFTPD is installed and running, we can configure the server settings. The main configuration file for ProFTPD is located at /etc/proftpd/proftpd.conf.
Let’s edit this file to adjust some basic settings:
sudo nano /etc/proftpd/proftpd.conf
Within the configuration file, there are a few critical things we should adjust:
ServerName: This sets the hostname or IP address of your FTP server. Example:
ServerName "My FTP Server"
DefaultRoot: This restricts users to their home directory when they connect. It's an essential security feature to ensure users cannot access other parts of the server. Uncomment and set it as follows:
DefaultRoot ~
4. Enable Passive Mode (Optional, But Recommended)
In many networking environments, passive mode is required for FTP to function properly, especially if the server is behind a firewall or NAT (Network Address Translation). Let’s configure the passive mode range:
Edit the ProFTPD configuration file again:
sudo nano /etc/proftpd/proftpd.conf
Add or uncomment the following lines in the file:
PassivePorts 60000 65535
This line defines the range of ports used for passive FTP connections. Save and exit the file.
Open the firewall ports to allow the passive mode range. If you use ufw (Uncomplicated Firewall), you can open the range with:
sudo ufw allow 60000:65535/tcp
This ensures that passive FTP connections are allowed through the firewall.
5. Secure ProFTPD with TLS/SSL Encryption
FTP sends data, including usernames and passwords, in plain text, which makes it vulnerable to man-in-the-middle attacks. To secure FTP transfers, you need to enable TLS/SSL encryption.
Install OpenSSL (if not installed)
ProFTPD uses OpenSSL for encrypting connections. Install OpenSSL with:
sudo apt install openssl -y
Create SSL Certificates
You’ll need an SSL certificate for encrypting traffic. If you don’t have a signed certificate from a certificate authority (CA), you can create a self-signed certificate. Run the following command to generate one:
sudo openssl req -x509 -new -newkey rsa:2048 -days 365 -nodes -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt
This command creates a new 2048-bit RSA key pair and stores the private key and certificate in the /etc/ssl/private/ and /etc/ssl/certs/ directories, respectively.
Configure ProFTPD to Use TLS
Enable mod_tls in ProFTPD
Open the ProFTPD configuration file:
sudo nano /etc/proftpd/proftpd.conf
Ensure the following line is present or uncommented:
Include /etc/proftpd/tls.conf
This line tells ProFTPD to load the TLS configuration file.
Save and exit the file (CTRL + X, then Y, then ENTER).
Configure TLS in /etc/proftpd/tls.conf
If the file /etc/proftpd/tls.conf does not exist, create it:
sudo nano /etc/proftpd/tls.conf
Add the following configuration:
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.2 TLSv1.3
TLSCipherSuite HIGH
TLSCertificateFile /etc/ssl/certs/proftpd.crt
TLSCertificateKeyFile /etc/ssl/private/proftpd.key
TLSVerifyClient off
TLSRequired on
</IfModule>
- TLSEngine on → Enables TLS support.
- TLSProtocol TLSv1.2 TLSv1.3 → Allows only secure TLS versions.
- TLSCipherSuite HIGH → Ensures only strong encryption is used.
- TLSCertificateFile and TLSCertificateKeyFile → These should point to your SSL certificate and key files.
- TLSRequired on → Forces clients to use TLS encryption.
Save the file and exit.
Restart ProFTPD
After making the changes, restart the ProFTPD service to apply them:
sudo systemctl restart proftpd
6. Create FTP User Accounts
Now that your ProFTPD server is installed and secured with encryption, let’s create FTP user accounts. Use the following command to create a new user:
sudo adduser ftpuser
Replace ftpuser with the desired username for the FTP account.
Follow the prompts to set a password and user details.
Once the user is created, you can set permissions on their home directory to control access. For example:
sudo chmod 755 /home/ftpuser
This command gives the owner read, write, and execute permissions while limiting group and other users to read and execute.
7. Secure ProFTPD with Stronger Authentication
You can further strengthen ProFTPD security by disabling anonymous FTP login and enforcing stronger authentication methods:
Edit the ProFTPD configuration file:
sudo nano /etc/proftpd/proftpd.conf
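Disable anonymous login by making sure the <Anonymous> section is commented out or removed:
# <Anonymous ~ftp>
#   User ftp
#   Group nogroup
#   AnonRequirePassword off
# </Anonymous>
An active <Anonymous> section is what turns anonymous FTP on, and AnonRequirePassword off inside it lets those sessions log in without a valid password. Keeping the whole block commented out ensures anonymous FTP access is disabled, which is critical for security.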
Enforce strong passwords:
Edit /etc/pam.d/proftpd to enable password complexity checks.
sudo nano /etc/pam.d/proftpd
Add the following line:
password requisite pam_pwquality.so retry=3 minlen=8
This enforces strong passwords with a minimum length of 8 characters.
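Before testing, the directives set in steps 3, 5 and 7 can be checked in one pass. The script below is an added example, not part of the original tutorial or of ProFTPD; the function name audit_proftpd and the sample configuration are constructed for illustration.

```bash
# Added example: audit the directives this tutorial sets.
audit_proftpd() {
    awk '
    function bad(msg) { print "FAIL: " msg; fails++ }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    { key = tolower($1); val = tolower($2) }     # compare names case-insensitively
    key ~ /^<anonymous/                 { bad("active <Anonymous> section: anonymous login is enabled") }
    key == "defaultroot" && $2 == "~"   { jailed = 1 }
    key == "tlsengine"   && val == "on" { engine = 1 }
    key == "tlsrequired" && val == "on" { required = 1 }
    key == "tlsprotocol" {
        proto = 1
        for (i = 2; i <= NF; i++)
            if ($i != "TLSv1.2" && $i != "TLSv1.3")
                bad("TLSProtocol lists " $i "; expected only TLSv1.2 and TLSv1.3")
    }
    END {
        if (!jailed)   bad("DefaultRoot ~ is missing: users are not confined to their home directory")
        if (!engine)   bad("TLSEngine on is missing: TLS is not enabled")
        if (!required) bad("TLSRequired on is missing: TLS is not enforced for every session")
        if (!proto)    bad("TLSProtocol is missing: protocol versions are left to the server default")
        exit (fails > 0)                         # non-zero status when anything failed
    }' "$@"
}

# Constructed sample of a weak configuration (not taken from a real server).
sample_weak_conf() {
    cat <<'EOF'
ServerName "My FTP Server"
# DefaultRoot ~
<Anonymous ~ftp>
  User ftp
  Group nogroup
</Anonymous>
TLSEngine on
TLSProtocol TLSv1 TLSv1.2
TLSRequired off
EOF
}

sample_weak_conf | audit_proftpd || true    # reports four findings
```

On the server, pass both files together, since the Include line makes them one configuration: audit_proftpd /etc/proftpd/proftpd.conf /etc/proftpd/tls.conf. No output and a zero exit status mean every check passed.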
8. Test Your ProFTPD Server
After completing the installation and configuration, it's time to test your FTP server. From a client machine, you can use an FTP client (like FileZilla, Cyberduck, or even the ftp command) to connect securely to your server using the following details:
If you're testing from another computer, replace your-server-ip with your actual server's IP:
ftp your-server-ip
To test FTPS (FTP Secure) with TLS, use:
lftp -u your_ftp_user your-server-ip
Once connected, try listing files:
ls
To exit lftp:
exit
Ensure that your client connects using FTPS (FTP Secure), which encrypts the connection.
10. Monitor and Maintain Your Server
Security doesn’t end after installation. Regularly monitor your ProFTPD server for unusual activity. You can check the logs for security incidents using:
sudo tail -f /var/log/proftpd/proftpd.log
You should also check the TLS logs:
sudo tail -f /var/log/proftpd/tls.log
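Reading the log by eye does not scale, so the following added example (not from the original tutorial) counts failed logins per client address. It assumes log lines in which the client appears as (host[ip]): and failures contain "Login failed" or "no such user found"; the function name failed_logins and the sample lines are constructed, so adjust the patterns if your log differs.

```bash
# Added example: list client addresses with repeated failed logins.
# Assumption: the client is logged as "(host[ip]):" before the message text.
failed_logins() {
    min=$1; shift                  # $1 = minimum failures to report; rest = log files
    awk -v min="$min" '
    /\(Login failed\)|no such user found/ {
        # Take the address from the "(host[ip]):" prefix, not the daemon PID field.
        if (match($0, /\[[0-9A-Fa-f.:]+\]\):/)) {
            ip = substr($0, RSTART + 1, RLENGTH - 4)
            count[ip]++
        }
    }
    END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' "$@" | sort -rn
}

# Constructed sample lines using documentation addresses (not real log data).
sample_log() {
    cat <<'EOF'
2025-01-10 09:14:02,101 ftp01 proftpd[2211] 192.0.2.10 (203.0.113.9[203.0.113.9]): USER admin: no such user found from 203.0.113.9 [203.0.113.9] to 192.0.2.10:21
2025-01-10 09:14:05,412 ftp01 proftpd[2211] 192.0.2.10 (203.0.113.9[203.0.113.9]): USER ftpuser (Login failed): Incorrect password
2025-01-10 09:14:09,730 ftp01 proftpd[2211] 192.0.2.10 (203.0.113.9[203.0.113.9]): USER ftpuser (Login failed): Incorrect password
2025-01-10 09:20:41,018 ftp01 proftpd[2230] 192.0.2.10 (198.51.100.7[198.51.100.7]): USER ftpuser (Login failed): Incorrect password
2025-01-10 09:21:03,554 ftp01 proftpd[2231] 192.0.2.10 (198.51.100.20[198.51.100.20]): USER ftpuser: Login successful.
EOF
}

sample_log | failed_logins 3    # prints: 3 203.0.113.9
```

Against the live log, run it as sudo or as a user that can read the file: failed_logins 5 /var/log/proftpd/proftpd.log.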
Finally, always keep your server and ProFTPD updated. Set up automatic security updates or perform manual updates regularly:
sudo apt install unattended-upgrades
This command ensures that critical security updates are applied automatically.
Conclusion
In this tutorial, we've seen how to install and secure a ProFTPD server on Ubuntu 24.04. Your FTP server is now capable of hosting secure file transfers with strong encryption, user management, and firewall settings. Regular monitoring and maintenance are key to keeping your server secure and efficient.