FTP server on Debian: how to install and configure a server
The frequent storage or download of large files on a server requires an appropriate transmission technology, highlighting the transfer of files through the so-called file transfer protocol (FTP) as the most requested solution available. The transfer protocol for IP networks, which acts on the application layer, offers the user the possibility of creating directories and structuring them as required, in addition to transporting the data with TCP network ports 20 and 21 . Two reasons explain the frequent use of this transfer technology to upload and download files in the web space: on the one hand, only a client software is needed to access the FTP server and, on the other, it is enough to connect both components through from the Internet ..
When using this type of web resources for rent, the specific access codes are obtained from the provider that allow the connection to your FTP server to be established . When it is the user who hosts a server , data transfer technology can also be used to install and properly configure the server itself. This article explains how to install an FTP server in Debian, also dedicating a section to TLS encryption.
advice
Do you need to save or transfer data? By hiring a Secure FTP Hosting with IONOS now, you will get secure transfer with SSH and SSL / TLS and daily backup copies..
Index
- Install an FTP server on Debian
- The FTP server on Debian: setup tutorial
- Basic settings: hostname and FTP directory
- Create users in FTP
- Allow anonymous access
- Configure SSL / TLS encryption
- Step 1: generate the certificate and key
- Step 2: enable SSL / TLS in ProFTPD
- Step 3: register via SSL / TLS on the ProFTPD server
- Configure ProFTD - Tips and Tricks
- Configure FTP server in Debian easily with GUI
- Possible errors in the server configuration
Install an FTP server on Debian
Before proceeding to installation and configuration, you must first find the appropriate server software. Linux offers various FTP servers, mostly open source and usually found in the package administration of the corresponding distribution. One of the best known applications is ProFTPD, which is licensed under the GPL and is easily scalable due to its modular construction. The main configuration file works based on policies or groups of policies that administrators who have already been in contact with the Apache server should be familiar with. Although Debian runs ProFTPD by default in the software repository , installation is carried out in the terminal, as usual, through the following command:
sudo apt-get install proftpd
To finish the installation, you have to decide whether to use ProFTPD in server mode (standalone) or in one of the services controlled by inedt . In the first case, the FTP server handles incoming requests autonomously. In the second variant the? Superserver? inetd / xinetd handles requests and directs them to the FTP server, an option of interest only in the case of expecting little traffic on the FTP.
The FTP server on Debian: setup tutorial
After installation you can start configuring ProFTPD. In the / etc / proftpd / directory is the configuration file proftpd.conf that can be opened with an editor of your choice , such as the standard Debian nano program, accessed via the following command:
sudo nano /etc/proftpd/proftpd.conf
In the following lines of the editor you will find the most important functions and configuration options. Each component has its own line and requires predefined values . If, for example, you want to indicate whether a function can be used, you have the value ? On? (function activated) and ? off? ( function disabled). Also, there is the option to prepend a hash (#) to a line to bypass it, so that the entire line is ignored by the ProFTPD server, i.e. the hash is considered an alternative to ? Off? to disable functions. However, the main purpose of these symbols (the hash marks) is to comment on the different configuration possibilities and thus improve the readability of proftpd.conf.
advice
Instead of a proftpd.conf file you can also use your own configuration file and store it in the /etc/proftpd/conf.d/ directory. This directory remains intact when the FTP software is updated, thereby reducing the risk of losing settings. With include directives, the server specifications saved in the conf.d directory can be seamlessly integrated into the main file (this occurs automatically with the standard configuration)..
Basic settings: hostname and FTP directory
Before proceeding with the configuration of the FTP server in Debian, we must pay attention to the base installation, that is, to the elementary settings: assign a hostname to the server or determine the directory that will be used to upload or download data. In addition, there are different configuration possibilities related to potential FTP users, as can be seen in the example configuration below:
# Indicación de hostname y mensaje de bienvenida ServerName "hostname/ip-address" DisplayLogin "El inicio de sesión en el servidor FTP en Debian se ha realizado con éxito? # Directivas generales de inicio de sesión <Global> # Solo permite el acceso con shells definidos en /etc/shells RequireValidShell on # No aceptar Root-Log-in RootLogin off # Indicación del directorio FTP al que debe acceder el usuario DefaultRoot Directorio </Global> # Definir usuario/grupo de usuarios autorizados al inicio de sesión en FTP <Limit LOGIN> # El inicio de sesión solo se permite a los usuarios del grupo ftpuser # En vez de una larga lista se ignora al grupo con (!) DenyGroup !ftpuser </Limit>
With this basic configuration, users are allowed access to a specific directory. This is very useful, among other things, if they are in charge of the maintenance of the web, since they require extensive access rights . If, on the other hand, the Linux FTP server role intends to provide the user with storage space for files, ProFTPD must be configured so that access is limited to the home directory :
# Permitir a los usuarios solamente el acceso al directorio inicial DefaultRoot ~
Create users in FTP
If you want to create a new ProFTPD user, you must always define / bin / false as the login shell. In this way, the new user only has access to this server and not to the system as a whole. First insert / bin / false with the following terminal command in the shell of the given file:
sudo echo "/bin/false" >> /etc/shells
Then you create a first user:
sudo adduser user1 --shell /bin/false --home /home/user1
In this example, the user account is created with the name? User 1? and the input directory is also indicated. You must also set a password for the new user account and confirm the new profile. However, for this new user to actually connect to the FTP server on Debian and to be able to upload and download the data to their own directory, you must enter their home directory in proftpd.conf:
<Directory /home /user1> Umask 022 AllowOverwrite off <Limit LOGIN> AllowUser user1 DenyAll </Limit> <Limit ALL> AllowUser user1 DenyAll </Limit> </Directory>
This code sample limits the directory in different ways to make it a private storage location for user1's files, and the Umask (022) command assigns all rights to the owner of the directory. Other users, on the other hand, will be able to read the files but will only be allowed to export them when the owner grants them the necessary rights. The deactivated AllowOverwrite directive prevents that when uploading new data, the already stored data is overwritten . Finally, the FTP log in (Limit LOGIN) and the implementation of the (Limit ALL) command are blocked for all users except user1.
advice
Instead of prohibiting the implementation of all FTP commands, it is possible to prevent single operations and thus have the possibility to create, for example, a directory to which users are only allowed to upload files. A guided preview of the different configuration possibilities can be found in the following online manuals.
Allow anonymous access
If you want your FTP server on Debian to be configured to serve as a public download server, in most cases users are also expected to be able to anonymously access the files provided . To do this, you must first define the access rights through chmod for the subsequent download directory , in this case called / home / ftpdownload :
sudo chmod 755 -R /home/ftpdownload
The owner of the directory has all the rights (7 = Read, write and execute) while the group users and the rest of the users can only read and execute (5) . Once the rights have been defined, anonymous access can be configured in the proftpd.conf file:
<Anonymous ~ftp> User ftp Group ftpgroup # Posibles perfiles de login para clientes UserAlias anonymous ftp # Número máximo de clientes y ocultar las propiedades de usuario y de grupo DirFakeUser on ftp DirFakeGroup on ftp RequireValidShell off MaxClients 10 <Directory *> <Limit WRITE> DenyAll </Limit> </Directory> </Anonymous>
In order for the Debian FTP server login to work with the ftp profile, first add the ftpuser group :
sudo adduser ftp ftpgroup
Configure SSL / TLS encryption
The FTP protocol transfers both log information and sent data in plain text . Therefore, if you want to configure ProFTPD in private mode so that it is not accessible to everyone, it is recommended to encrypt the access . The most widely used solution is SSL / TLS encryption, easy to install with the help of OpenSSL software . The Debian package manager contains this encryption tool as standard, although the installation can also be carried out alternatively as follows:
Step 1: generate the certificate and key
Use OpenSSL to create a certificate. In order to save it, create a folder in the ProFTPD directory with the following command:
Both the certificate ( proftpd.cert.pem ) and the key ( proftpd.key.pem ) are valid for one year. In Linux FTP servers they are generated once the storage directory has been inserted in:
openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem
In addition, it is necessary that you indicate your information so that the certificate is properly registered:
- Country Name (2 letter code) - Country code, for example ? ES? for Spain
- State or Province Name (full name) : state or province, for example,? Barcelona?
- Locality Name (eg, city) : city, for example,? Madrid?
- Organization Name (eg, company) : company name or your own name
- Organizational Unit Name (eg, company) : department (if any), for example? TI?
- Common Name (eg, YOUR name) : name of the domain to be protected, for example,? ftp.example.com. ?
- Email Address : email address
Step 2: enable SSL / TLS in ProFTPD
After having created your own certificate together with a private key, you must activate the encryption technique for the ProFTPD server. For this, the FTP server software in Debian has the mod_tls module, installed by default but turned off. To activate it, it is necessary to carry out a series of adjustments in proftpd.conf . Open the data settings and look for the following entry:
<IfModule mod_tls.c> TLSEngine off </IfModule>
Set the TLSEngine directive to the value? on ? and expand the paragraph as follows:
<IfModule mod_tls.c> TLSEngine on TLSLog /var/log/proftpd/tls.log TLSProtocol TLSv1 TLSv1.1 TLSv1.2 TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem TLSVerifyClient off TLSRequired on </IfModule>
In this way you have not only enabled SSL / TLS encryption for your FTP server in Debian, but in the same step you have made the most important configurations when defining the access file for the log of FTP connections (TLSLog) as well as the paths to the certificate ( TLSRSACertificateFile ) and the key ( TLSRSACertificateKeyFile ), as well as entering the possible protocol versions ( TLSProtocol ). The last two lines make the module not verify the certificate presented by the client ( TLSVerifyClient ) and that the encryption is a prerequisite to establish the connection ( TLSRequired ). After restarting the ProFTPD server, the settings become effective:
sudo /etc/init.d/proftpd restart
Step 3: register via SSL / TLS on the ProFTPD server
If you have already enabled SSL / TLS for ProFTPD, as recommended in this tutorial, users need an FTP client that supports the creation of the encrypted connection . One of the most important agents is FileZilla, not only available for Debian and other Linux distributions, but also for macOS and Windows. The open source program is presented as the best solution to access the FTP server from different platforms.
In FileZilla Server Manager, when choosing the server type, enter the secure variant FTPS (? FTP over explicit TLS / SSL ?) Instead of FTP. In the first creation of connection with the server it is also necessary that the certificate be accepted.
Configure ProFTD - Tips and Tricks
The above configuration options constitute only a small selection, since the versatile FTP software allows much more specific and complex scenarios for the configuration of a server. The official website of ProFTPD offers an unlimited amount of useful information. The free online documentation contains, among other things, example configurations , detailed instructions , FAQs or frequently asked questions and explanations of individual directives . In addition there is information on the different standard and additional modules.
Configure FTP server in Debian easily with GUI
In this tutorial we have shown you how to configure an FTP server with ProFTPD through command lines and manual modifications in the configuration file. As in many other Linux / Unix programs, there are also different graphical user interfaces for the FTP server software here that allow you to configure the server without resorting to the terminal. Gadmintools includes a user interface that can be seamlessly installed with the package manager . The interface named gadmin-proftpd supports starting the FTP server on Debian, creating a user profile and making changes to proftpd.conf , the latter to avoid opening configuration files. New or modified entries are transferred directly.
Note
The use of a graphical user interface does not preclude parallel configuration and management of the server with the command line.
Possible errors in the server configuration
In some cases, restarting the ProFTPDS server may display the following error messages:
?mod_tls_memcache/0.1: notice: unable to register 'memcache' SSL session cache: Memcache support not enabled?
In this specific case, the problem is that the cache module mod_tls_memcache in the ProFTPD compilation has been automatically activated as an SSL / TLS component. In the SSL / TLS encryption configuration, the module takes care, in theory and if so desired, of the temporary storage of the encrypted FTP sessions. Since the session cache is not required by default, the necessary settings have not been made to make the module work either, which has caused the error message . The solution to this problem is simple: you can comment the module or the loading process in the configuration files.
# LoadModule mod_tls_memcache.c
In addition to the error described above, a bad connection can also occur after installing an FTP server on Debian. To eradicate this problem, different analysis options can be accessed :
1. Check if the ProFTPD server works:
sudo service proftpd status
2. Check if the ProFTPD server listens on port 21 to record its own FTP requests :
sudo netstat -tlp|grep proftpd
3. Check error messages when accessing ProFTPD:
sudo tail -20 /var/log/proftpd/proftpd.log
4. Check TLS access error messages :
sudo tail -20 /var/log/proftpd/tls.log
5. Connectivity tests on port 21 with telnet:
sudo telnet 192.0.2.10 21
6. Connectivity tests on port 21 with TLS:
sudo openssl s_client -connect 192.0.2.10:21 -stattls ftp