[{ALLOW view All}]
[{ALLOW edit Markus}]
Reinstalled 19.03.2023
[{TableOfContents }]
!Info
{{{
proftpd -v # get version
ps -ef|grep proftpd # check running / pid
dpkg -l '*proftp*' # check package installed
apt list --installed | less # check packages installed
proftpd-basic/stable,now 1.3.7a+dfsg-12+deb11u2 all [installiert]
proftpd-core/stable,now 1.3.7a+dfsg-12+deb11u2 amd64 [Installiert,automatisch]
proftpd-doc/stable,now 1.3.7a+dfsg-12+deb11u2 all [Installiert,automatisch]
proftpd-mod-crypto/stable,now 1.3.7a+dfsg-12+deb11u2 amd64 [Installiert,automatisch]
proftpd-mod-wrap/stable,now 1.3.7a+dfsg-12+deb11u2 amd64 [Installiert,automatisch]
service proftpd status # check ProFTPD running
$ netstat -tlp|grep proftp # ProFTPD lauscht auf Port 21
$ tail -20 /var/log/proftpd/proftpd.log # Fehlermeldungen im ProFTPD Log
$ tail -20 /var/log/proftpd/tls.log # Fehlermeldungen im ProFTPD TLS Log
$ telnet 192.0.2.10 21 # Verbindungstest auf Port 21 mit telnet
$ openssl s_client -connect 192.0.2.10:21 -starttls ftp # Verbindungstest auf Port 21 mit TLS
$ proftpd -d 5 #Increase debug, 0-10, 10 = most debugging
}}}
! Deinstall / Clean
{{{
/etc/init.d/proftpd stop
apt-get remove proftpd-basic (removes all packages listed above)
apt install proftpd-basic
}}}
!Configuration
Standard configuration is
{{{
/etc/proftpd/proftpd.conf # main one
/etc/proftpd/conf.d/sftp.conf # sftp
/etc/proftpd/conf.d/tls.conf # tls
}}}
The main one inclused ALL files from conf.d. We create our own one
{{{
vi /etc/proftpd/conf.d/custom.conf
# Ftp user doesn't need a valid shell
<Global>
RequireValidShell off
</Global>
# If desired turn off IPv6
UseIPv6 off
# Default directory is ftpusers home
DefaultRoot ~ ftpuser
# Limit login to the ftpuser group
<Limit LOGIN>
DenyGroup !ftpuser
</Limit>
}}}
!Restart
{{{
systemctl restart proftpd.service
}}}
! Activate TLS
We use TLS, NOT SFTP, so you need to deactivate SSLEngine in sftp.conf !
{{{
$ vi /etc/proftpd/conf.d/tls.conf
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.2
#TLSOptions NoSessionReuseRequired NoCertRequest
#TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateFile /etc/letsencrypt/live/www.inetone.de/cert.pem
#TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
TLSRSACertificateKeyFile /etc/letsencrypt/live/www.inetone.de/privkey.pem
TLSVerifyClient off
TLSRequired on
</IfModule>
}}}
Add a virtual user (in the specified path !)
{{{
> cd /etc/proftpd
> ftpasswd --passwd --name proftpd --uid 1001 --home /home/proftpd --shell /bin/false
> ftpasswd --passwd --name ftp --uid 1001 --home /home/ftp --shell /bin/false
}}}
The following output is not important:
{{{
ftpasswd: --passwd: missing --gid argument: default gid set to uid
ftpasswd: creating passwd entry for user proftpd
ftpasswd: /bin/false is not among the valid system shells. Use of
ftpasswd: "RequireValidShell off" may be required, and the PAM
ftpasswd: module configuration may need to be adjusted.
}}}
This will create the file __/etc/proftpd/ftpd.passwd__ in the current path !
!SFTP Client
I use [filezilla 64bit without setup|https://filezilla-project.org/download.php?show_all=1]
Use "Explizites FTP über TLS erfordern"
!Active/Passive
Generally FTP clients use passive connections. To enable passive connection you need to enable port 49152-65534 in the firewall (iptables) and in the conf. Alternatively use active connections.
! Logging
{{{
vi /var/log/proftpd/proftpd.log
vi /var/log/proftpd/sftp.log
}}}
Add in proftpd.conf:
{{{
## Logging ##
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"
TransferLog /var/log/proftpd/proftpd.xferlog
ExtendedLog /var/log/proftpd/ftp_auth.log AUTH auth
ExtendedLog /var/log/proftpd/ftp_access.log WRITE,READ write
# ExtendedLog /var/log/proftpd/ftp_paranoid.log ALL default
}}}