To-Do:

  • [] Anonymous User
  • [] Configure SFTP
  • [] Virtual Users
  • [] Implement Quota

Installation

$ apt install proftpd -y

$ systemctl enable --now proftpd

$ ufw allow 21; ufw reload

Note: this only opens the control channel. Passive-mode data connections use a separate port range (the PassivePorts directive in proftpd.conf); if the server sits behind a firewall, open that range as well or transfers will hang after login.

The package creates two system users, ftp and proftpd:

  • ftp - The account used for anonymous logins.
  • proftpd - The unprivileged user the daemon runs as.

Set up a static IP

Backup the default network interface configuration:

$ cd /etc/netplan
$ cp 00-installer-config.yaml{,.bak}

Use the default config as a template:

$ cp 00-installer-config.yaml 01-static-ip.yaml

Replace its content with the following (interface name, address, gateway and DNS servers are those of this example host; adjust them):

# Static IP
network:
  ethernets:
    ens33:
      dhcp4: no
      addresses:
      - 192.168.100.104/24
      gateway4: 192.168.100.1
      nameservers:
        addresses: [8.8.8.8, 1.1.1.1]
  version: 2

Note: on recent netplan releases gateway4 is deprecated in favour of a default entry under routes; it still works but prints a warning on apply.

Apply the new configuration:

$ netplan apply

Main configuration file

The main configuration file is /etc/proftpd/proftpd.conf. The settings most commonly changed for a basic FTP server (without complex rules) are:

  • ServerName - The name the server announces in its login banner.
  • UseIPv6 - Enable or disable listening on IPv6.
  • DefaultRoot - Restrict (chroot) users to their home directory.
  • Port - Change the listening port (21 by default).
  • SystemLog - Location of the main log file.

Note: Always make a backup before modifying a configuration file.

Configure ProFTPD with TLS

Generate a self-signed TLS certificate. Without -x509, openssl req only produces a signing request, not a certificate; use a 2048-bit key (1024-bit RSA is considered too weak) and a sensible validity period:

$ openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt

The private key must not be readable by other users; /etc/ssl/private is root-only on Ubuntu, so keep the key there.

Add/uncomment the following lines in /etc/proftpd/tls.conf (the directive is TLSRequired, not TLSRequires; TLSRequired on refuses logins that are not protected by TLS):

TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             TLSv1.2

TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key

TLSRequired                             on

In /etc/proftpd/proftpd.conf, uncomment the following line:

Include /etc/proftpd/tls.conf

Check the configuration files for syntax errors:

$ proftpd -t

Checking syntax of configuration file
2021-04-26 13:05:43,906 ubuntu-local proftpd[49836]: processing configuration directory '/etc/proftpd/conf.d/'
Syntax check complete.

Restart the daemon:

$ systemctl restart proftpd
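As an added example (not ProFTPD's own code and not part of the original notes), the following Python audit parses a tls.conf fragment and flags the settings from the section above when they are missing or weak: TLSEngine off, legacy protocol versions in TLSProtocol, TLSRequired not on, missing or relative certificate paths. The two configuration fragments embedded in it are constructed for the example; the weak one is what a tls.conf looks like when the TLSRequired line is left commented out and old protocol versions are still allowed.

```python
"""Audit a ProFTPD mod_tls fragment (tls.conf) for weak settings.

Added example, not ProFTPD's own code.  Both sample fragments below are
constructed for this example.
"""
from __future__ import annotations

import shlex

# Constructed weak fragment: legacy protocols allowed, TLSRequired left
# commented out so plaintext FTP logins are still accepted.
WEAK_TLS_CONF = """\
TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             SSLv3 TLSv1 TLSv1.1 TLSv1.2

TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key

# TLSRequired                           on
"""

# Constructed hardened fragment matching the settings in these notes.
HARDENED_TLS_CONF = """\
TLSEngine                               on
TLSLog                                  /var/log/proftpd/tls.log
TLSProtocol                             TLSv1.2 TLSv1.3
TLSRSACertificateFile                   /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile                /etc/ssl/private/proftpd.key
TLSRequired                             on
"""

# Protocol tokens that should never appear in TLSProtocol on a new server.
LEGACY_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.0", "tlsv1.1"}


def parse_directives(text: str) -> dict[str, list[str]]:
    """Return {directive_name_lowercased: [args, ...]} for a flat config fragment.

    Blank lines and comment lines are skipped; a trailing '# ...' comment is
    dropped by shlex.  If a directive appears twice, the last one wins.
    """
    directives: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def audit_tls_conf(text: str) -> list[str]:
    """Return a list of findings; an empty list means the fragment passes."""
    d = parse_directives(text)
    findings: list[str] = []

    if (d.get("tlsengine") or ["off"])[0].lower() != "on":
        findings.append("TLSEngine is not on: FTPS is disabled")

    if "tlsprotocol" not in d:
        findings.append("TLSProtocol is not set explicitly; pin it to TLSv1.2 TLSv1.3")
    else:
        protocols = {p.lower().rstrip("+") for p in d["tlsprotocol"]}
        legacy = sorted(protocols & LEGACY_PROTOCOLS)
        if legacy:
            findings.append(f"TLSProtocol allows legacy versions: {', '.join(legacy)}")

    if (d.get("tlsrequired") or ["off"])[0].lower() != "on":
        findings.append("TLSRequired is not on: clients may log in over cleartext FTP")

    for name in ("tlsrsacertificatefile", "tlsrsacertificatekeyfile"):
        if not d.get(name):
            findings.append(f"{name} is missing")
        elif not d[name][0].startswith("/"):
            findings.append(f"{name} is not an absolute path")

    if "tlslog" not in d:
        findings.append("TLSLog is unset; handshake failures will be hard to debug")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_TLS_CONF), ("hardened", HARDENED_TLS_CONF)):
        print(f"{label}: {audit_tls_conf(conf) or 'OK'}")
```

Run it against the real file with `audit_tls_conf(open('/etc/proftpd/tls.conf').read())` after editing; the check is deliberately limited to the directives used in these notes and does not inspect the certificate or key themselves.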

User Access

By default, ProFTPD only authenticates users found in /etc/passwd, and an authenticated user can browse the whole filesystem (subject to ordinary file permissions). To confine users to their home directory (a chroot jail), set the DefaultRoot directive to ~ in the main configuration file:

DefaultRoot ~

Multiple Users accessing the same directory

Let’s say we have a directory for sysadmin scripts:

/home/sysadmin_scripts

And we’ll have two admins:

admin01
admin02

Create a group:

$ addgroup sysadmins

Add the two admins to the new group:

$ sudo usermod -a -G sysadmins admin02
$ sudo usermod -a -G sysadmins admin01

Make sure they’re added to the group:

kavish@ubuntu-local:~$ id -nG admin01
admin01 sysadmins
kavish@ubuntu-local:~$ id -nG admin02
admin02 sysadmins
kavish@ubuntu-local:~$

Modify proftpd.conf by adding the following lines:

# Members of sysadmins are jailed in the shared directory, everyone else in their home
DefaultRoot                     /home/sysadmin_scripts sysadmins
DefaultRoot                     ~

The second line is the catch-all. ProFTPD evaluates DefaultRoot directives in order and the first one whose group expression matches the user wins, so group-specific rules must always come before the catch-all, much like iptables rules.
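To make the ordering rule concrete, here is an added Python model of how the DefaultRoot directives above are resolved for a login. It is not ProFTPD's own code: it implements the first-match evaluation described in these notes, with the group expression as a comma-separated AND list where a leading ! negates a group, and ~ expanding to the user's home. The user names, groups and home directories are the ones from these notes; the extra negated rule in the test is constructed to show the general case.

```python
"""Model how ProFTPD picks the DefaultRoot for a login.

Added example, not ProFTPD's own code: it implements the first-match rule the
notes describe so rule ordering can be checked without restarting the daemon.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class DefaultRootRule:
    path: str                     # directory to chroot into; "~" is the user's home
    groups: tuple[str, ...] = ()  # AND-list of group terms; a leading "!" negates


def parse_default_root(line: str) -> DefaultRootRule:
    """Parse one 'DefaultRoot <path> [group-expression]' configuration line.

    The group expression is a comma-separated list of groups that must all
    hold; '!name' means the user must NOT be a member of 'name'.
    """
    parts = line.split()
    if len(parts) < 2 or parts[0].lower() != "defaultroot":
        raise ValueError(f"not a DefaultRoot directive: {line!r}")
    terms = tuple(t for t in ",".join(parts[2:]).split(",") if t)
    return DefaultRootRule(parts[1], terms)


def expression_matches(rule: DefaultRootRule, user_groups: set[str]) -> bool:
    """Evaluate the rule's AND-list against the groups the user belongs to."""
    for term in rule.groups:
        if term.startswith("!"):
            if term[1:] in user_groups:
                return False
        elif term not in user_groups:
            return False
    return True  # an empty expression matches everyone


def resolve_default_root(rules, user_groups: set[str], home: str):
    """Return the chroot directory for this login, or None if no rule applies.

    Rules are tried in configuration order and the first match wins, so a
    catch-all 'DefaultRoot ~' placed first would shadow every later rule.
    """
    for rule in rules:
        if not expression_matches(rule, user_groups):
            continue
        path = rule.path
        if path == "~":
            path = home
        elif path.startswith("~/"):
            path = home + path[1:]
        return path
    return None


# The two directives from these notes, in the order the notes recommend.
NOTES_RULES = [
    parse_default_root("DefaultRoot /home/sysadmin_scripts sysadmins"),
    parse_default_root("DefaultRoot ~"),
]


def chroot_for(rules, user: str, groups, home: str | None = None):
    """Primary group defaults to the user name, home to /home/<user>, as on this host."""
    return resolve_default_root(rules, {user, *groups}, home or f"/home/{user}")


if __name__ == "__main__":
    print(chroot_for(NOTES_RULES, "admin01", ["sysadmins"]))  # /home/sysadmin_scripts
    print(chroot_for(NOTES_RULES, "kavish", []))  # /home/kavish
    # Same rules in the wrong order: the catch-all shadows the group rule.
    print(chroot_for(list(reversed(NOTES_RULES)), "admin01", ["sysadmins"]))  # /home/admin01
```

Swapping the two rules, as the reversed call shows, silently jails the admins in their own homes instead of the shared directory, which is the mistake the ordering rule guards against.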

Give /home/sysadmin_scripts the right permissions: group-owned by sysadmins, group-writable, and setgid (the leading 2 in 2775) so files created inside it inherit the sysadmins group instead of the creator's primary group:

$ sudo chgrp sysadmins /home/sysadmin_scripts/

$ sudo chmod 2775 /home/sysadmin_scripts/

Verify it:

kavish@ubuntu-local:/$ ls -ld /home/sysadmin_scripts/
drwxrwsr-x 2 kavish sysadmins 4096 Apr 27 08:55 /home/sysadmin_scripts/

Restart ProFTPD:

$ systemctl restart proftpd

Create a file in /home/sysadmin_scripts

$ touch /home/sysadmin_scripts/test.txt

Authenticate as a user from the sysadmins group and check that the jail points at the shared directory:

kavish@ubuntu-local:/home/sysadmin_scripts$ ftp localhost
---SNIP---
230 User admin01 logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp>
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-rw-r--   1 1000     1000            0 Apr 27 08:47 test.txt
226 Transfer complete
ftp>

The admins now only have access to /home/sysadmin_scripts; they cannot reach their own home directories, because a chrooted session cannot see paths outside the jail. Giving them both requires a different layout (for example bind-mounting the shared directory into each home, or jailing them to a common parent and relying on filesystem permissions) and corresponding changes to proftpd.conf.

Virtual Users

https://bobcares.com/blog/proftpd-create-user/

Anonymous User

Implement Quota

Configure SFTP