Anyone looking to learn about Linux operating systems will come across Debian soon enough. The GNU/Linux distribution was one of the first of its kind and is still one of the most widely used today. Over 1,000 community members work on the Debian project, furthering the development of the collection. But how did Debian become so successful? And what makes this system software so interesting to [...]
Debian FTP server: how to install and configure your own
If you want to regularly store and retrieve larger files from a server, then you need suitable transmission technology. Among the possible solutions, file transfer via the File Transfer Protocol (FTP) is still one of the most sought-after today. In addition to transporting data via TCP ports 20 and 21, the transmission protocol for IP networks acting on the application layer also offers the options to create directories and structure them as required. Since you only need to access the FTP server with a client software this way, and a networking of both components via the internet is sufficient, the transfer technology is often used for uploading and downloading files to and from web spaces.
As a tenant of such website resources, you usually receive specific log-in data that can be used to connect to the hosting provider’s FTP server. Of course, as a self-host you can also use the file transfer technology by installing and configuring your own server. This guide explains how you can set up such an FTP server using Debian (including TLS encryption).
- Installation of a Debian FTP server
- Debian FTP server tutorial: the most important configuration steps
- Setting up a Debian FTP server made easy: configuration via GUI
- Possible server configuration errors
Installation of a Debian FTP server
Before you can grapple with the setup and configuration, you first need to find and install the appropriate server software. For Linux, various FTP servers exist, which are largely open source and usually found in the package management of the respective distribution. One of the most popular applications is the GPL-licenced ProFTPD, which is highly extensible thanks to its modular structure. The main configuration file functions on the basis of directives and directive groups that may already be familiar to any administrator who knows Apache web servers. By default, Debian also runs ProFTPD in the software repository. The installation is done the usual way via the terminal and with the following command:
sudo apt-get install proftpd
To finish the installation, you have to decide whether you want to use ProFTPD in server mode (standalone) or as a service controlled by inetd. In the first case, the FTP server takes care of incoming requests independently. With the second option, the “superserver” inetd/xinetd takes the requests and forwards them to the FTP server (this is only worthwhile if very little FTP traffic is expected).
Debian FTP server tutorial: the most important configuration steps
After the installation, you can start to configure ProFTPD. The configuration file required for this, proftpd.conf, is located in the /etc/proftpd/ directory. To edit it, simple open it with whichever editor you want. With the Debian standard program nano, for example, this can be done by using the following terminal command:
sudo nano /etc/proftpd/proftpd.conf
In the various lines, you’ll find the most important setting options and functions of the Debian FTP server. Each component has its own line and requires firmly defined values: For example, if a function is to be used, either the value “on” (function enabled) or the value “off” (function disabled) are possible. In addition, the hashtag character (#) can be placed in front of a line to “comment out” the line. The ProFTPD server then completely ignores the line, since this notation also represents the option of disabling functions. The main purpose of the hashtag is to make comments on the various settings to improve the readability of proftpd.conf.
Instead of the proftpd.conf file, you can also use your own configuration file and store it in the /etc/proftpd/conf.d/ directory. This directory remains unaffected when updating the FTP software – you can easily reduce the risk of losing your settings through one simple step. The server specifications stored in the conf.d folder can then be easily integrated into the main file by means of an include directive (automatic with the standard configuration).
Basic settings: server name, FTP directory, and co.
Before going into detail when configuring your Debian FTP server, you first have to customise the basic setup. This includes elementary settings like the specification of server host names or directories that you want to provide for the upload and download of files. Furthermore, you have various configuration possibilities that refer to potential FTP users, as the following example configuration illustrates:
# Specification of host name and welcome message ServerName "hostname/ipaddress" DisplayLogin "Your login to the Debian FTP server was successful!" # General login guidelines <Global> # Only allow access with shells defined in /etc/shells RequireValidShell on # Deny root login RootLogin off # Specification of FTP directories which the user can access DefaultRoot Directory </Global> # Define authorised user/user groups for the FTP login <Limit LOGIN> # Login only possible for users of the example group ftpuser # Instead of a long listing, the permitted group is simply negated (!) DenyGroup !ftpuser </Limit>
In this base configuration, users are given access to a specific directory. This makes sense, for example, if they’re involved in the maintenance of a website and therefore require extensive access rights. If the function of the Linux FTP server is to provide users with only one save location for their files, you should set up ProFTPD to restrict access to the home directory:
# Only allow users access to their home directory DefaultRoot ~
Create FTP user
If you create a new ProFTPD user, you should always define /bin/false as the login shell. This way, you make sure that the user only has access to the FTP server and not to the entire system. With the following terminal command, first enter /bin/false in the file of authorised shells:
sudo echo "/bin/false" >> /etc/shells
Now you can create your first user:
sudo adduser user1 --shell /bin/false --home /home/user1
In this example, you create a user account with the name “user1” and create their home directory in the same step. Finally, you assign a password for the new user account and confirm the profile. So that this newly created user can now actually connect to the Debian FTP server and upload files to (and later download them from) their exclusive directory, specify the home directory in proftpd.conf:
<Directory /home /user1> Umask 022 AllowOverwrite off <Limit LOGIN> AllowUser user1 DenyAll </Limit> <Limit ALL> AllowUser user1 DenyAll </Limit> </Directory>
This code example limits the directory in different ways to make it a private storage location for user1’s files: With the umask command (022), the directory owner is equipped with all rights first. Other users may only read the files and then are only allowed to execute them if the owner grants the necessary authorisation. The disabled directive AllowOverwrite prevents the uploading of files that could overwrite previously saved data. Finally, with the FTP login (Limit LOGIN) and Run FTP (Limit ALL) commands are blocked for all users other than user1.
Instead of disallowing all FTP commands, you can also prohibit individual operations. This way you can also create a directory, for example, in which users can only upload files. A detailed overview of the various possible settings can be found in the online manual.
Allow anonymous access
If you want to set up your Debian FTP server so that it serves as a platform for public downloads, then you usually will also want to allow users to anonymously access the existing files. For this, you first define the necessary access rights with the help of chmod for the later download directory, in this example called /home/ftpdownload:
sudo chmod 755 -R /home/ftpdownload
The owner of the directory also has complete rights (7 = Read, Write, and Run) while the group users and all other users can only read and run (5). Once the rights are defined, anonymous access is configured in the proftpd.conf file:
<Anonymous ~ftp> User ftp Group ftpgroup # Possible login profile for clients UserAlias anonymous ftp # Conceal user and group properties and set maximum number of clients DirFakeUser on ftp DirFakeGroup on ftp RequireValidShell off MaxClients 10 <Directory *> <Limit WRITE> DenyAll </Limit> </Directory> </Anonymous>
To be able to log on to the Debian FTP server with the ftp profile, you have to add it to the ftpuser group:
sudo adduser ftp ftpgroup
Set up SSL/TLS encryption
The FTP protocol transfers login information as well as sent data in cleartext. If you want to set up a private ProFTPD server that’s not accessible by everyone, it’s then also recommended to encrypt the login. The most common solution is encryption via SSL/TLS, which can be set up with minimal effort using the free OpenSSL software. The cryptography toolkit is included by default in the Debian package management, and comes pre-installed. It’s also possible to run the installation by the familiar means:
apt-get install openssl
Step 1: Generate certificate and key
Once OpenSSL is open, use it to create a certificate. Since you need to store it somewhere, first create the corresponding folder in the ProFTPD directory:
Now generate a certificate (proftpd.cert.pem) and key (proftpd.key.pem) with a lifetime of one year for your Linux FTP server by specifying this location with the following command:
openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem
Entering your own information is also necessary to register the certificate properly:
- Country name (2 letter code): i.e. “UK” for the United Kingdom
- State or Province Name (full name): i.e. “Cambridgeshire”
- Locality Name (e.g. city): i.e. “Cambridge”
- Organisation Name (e.g. company): Name of the company or your name
- Organisational Unit Name (e.g. company): Name of the department (if applicable), i.e. “IT”
- Common Name (e.g. YOUR name): Specification of the domain to be protected, i.e. “ftp.example.co.uk”
- Email address: Contact email address
Step 2: Enable SSL/TLS in ProFTPD
After you’ve created your own certificate along with a private key, you have to enable the encryption technology for the ProFTPD server. The Debian FTP server software provides the mod_tls module for this, which is installed by default but disabled. For activation, adjustments are once again necessary in proftpd.conf. Open the configuration file and search for the following entry:
<IfModule mod_tls.c> TLSEngine off </IfModule>
Assign the value “on” to the TLSEngine directive and extend the section as follows:
<IfModule mod_tls.c> TLSEngine on TLSLog /var/log/proftpd/tls.log TLSProtocol TLSv1 TLSv1.1 TLSv1.2 TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem TLSVerifyClient off TLSRequired on </IfModule>
This way, you’ve only activated the SSL/TLS encryption for your Debian FTP server, but also made the most important settings in the same step. Now the log file for the FTP connection records (TLSLog) is defined as well as the path to the certificate (TLSRSACertificateFile) and key (TLSRSACertificateKeyFile). The possible protocol versions (TLSProtocol) are also given. The last two lines ensure that the module doesn’t verify the certificates presented by the client (TLSVerifyClient) and that the basic encryption requirements are in place for setting up a connection (TLSRequired). After restarting the ProFTPD server, the new settings go into effect:
sudo /etc/init.d/proftpd restart
Step 3: Register on the ProFTPD server via SSL/TLS
If you’ve activated SSL/TLS for ProFTPD (as recommended in this Debian FTP server tutorial), users need an FTP client to support the encrypted connection. One of the most prominent agents is FileZilla, which is not only available for Debian and other Linux distributions, but also for macOS and Windows. The open source program presents the optimal solution for you and other users to access various platforms on the FTP server.
In FileZilla’s server manager, specify the saved variant FTPS (“FTP through explicit TSL/SSL”) instead of FTP when selecting the server type. When first forming a connection with the server, it’s also necessary to accept the certificate.
ProFTPD configuration – tips and tricks
The pre-set configuration options presented here are only a small selection of possibilities. The multi-faceted FTP software allows for even more specific and complex scenarios when configuring your own server. The official website of ProFTPD offers lots of useful information on this topic. The freely available online documentation contains, among other things, some example setups, detailed how-tos, as well as FAQs and explanations on individual directives. There is also information on the various standard and additional modules.
Setting up a Debian FTP server made easy: configuration via GUI
In the tutorial, we showed how to set up an FTP server over the command line with manual changes in the configuration file using ProFTPD. As with many Linux/Unix programs, though, there are different graphical user interfaces for the FTP server software that allow you to configure the server without using the terminal. Among others, this includes the GUI collection Gadmintools, a user interface that is easily installed via the package manager. The interface named gadmin-proftpd helps you start your Debian FTP server, create user profiles, or make changes in proftpd.conf. The latter functions without requiring you to open the configuration file – new or modified entries are automatically added.
Use of a graphical user interface rules out the parallel configuration and management of the server via the command line.
Possible server configuration errors
In some cases, restarting the ProFTPD server may result in the following error message:
„mod_tls_memcache/0.1: notice: unable to register 'memcache' SSL session cache: Memcache support not enabled“
In this case, the problem is that the cache module mod_tls_memcache was automatically enabled as an SSL/TLS component when compiling ProFTPD. If you’ve already established SSL/TLS encryption, then in theory (and if desired) the module will cache the encrypted FTP sessions. Since the session caching isn’t required by default, though, you don’t have the necessary settings in place for the module to function – which leads to an error message from ProFTPD. The solution for this problem is simple: Comment out the module as well as the loading process of the module in the configuration file:
# LoadModule mod_tls_memcache.c
In addition to the caching module problem, a faulty connection setup is one of the other complications that can occur after setting up the Debian FTP server. To get to the bottom of this problem, you can try out various analysis options:
1. Test if the ProFTPD server is running:
sudo service proftpd status
2. Test if the ProFTPD server listens on port 21 to register incoming FTP requests:
sudo netstat -tlp|grep proftpd
3. Check error messages in the ProFTPD log:
sudo tail -20 /var/log/proftpd/proftpd.log
4. Check error messages in the TLS log:
sudo tail -20 /var/log/proftpd/tls.log
5. Connection tests on port 21 with telnet:
sudo telnet 192.0.2.10 21
6. Connection tests on port 21 with TLS:
sudo openssl s_client -connect 192.0.2.10:21 -stattls ftp