ProFTPD is a very popular and secure open source FTP server. File Transfer Protocol (FTP) is the most popular way of uploading files to a server. ProFTPD comes with a lot of features which are not present in other FTP servers. It is highly configurable and the configuration of ProFTPD is performed in a single main configuration file. FTP services gives you ability to quickly upload and download the content to your web servers, you can also manage files and folders on your server using FTP. FTP data transmission are not secured as the traffic is not encrypted, all the data which is incoming or outgoing is in clear text format. ProFTPD provides you ability to secure your FTP connection using SSL/TLS. ProFTPD is used by many popular websites like SourceForge, Samba, Harvard etc.
In this tutorial we will learn to install ProFTPD server on CentOS 7.x, we will also learn to secure the traffic using SSL/TLS and enabling anonymous users in server.
The only requirement to install ProFTPD is that you should have VPS or Dedicated server with CentOS 7.x installed. In addition to that you will also need to have root access to your server. In this tutorial we will be using
root user account to execute the commands, if you are not logged in as root user then use
sudo command before all the commands that we are going to run, or you can also use
su command to login to
root user account.
The ProFTPD package is not included in the default YUM repository of CentOS, hence you will need to add EPEL (Extra Package for Enterprise Linux) repository to your server. Execute the following command to do so.
rpm -iUvh https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-7.noarch.rpm Now EPEL repository is added to your server, execute the following command to update existing packages.
yum -y update
Now install ProFTPD using the following command.
yum -y install proftpd proftpd-utils
Once installed you can start ProFTPD immediately using the following command.
systemctl start proftpd.service
To automatically start the service at boot time, run the following command.
systemctl enable proftpd.service
Now you will have to add an entry to your firewall rules so that, firewall can allow FTP connections to remote host. Run the following command to do the same.
firewall-cmd --add-service=ftp --permanent
Now restart your firewall using the following command.
To use FTP to transfer the files, we will have to create a new user as
root login is disabled by default in FTP. To create a new user run the following command.
useradd ftpadmin -s /sbin/nologin -d /ftp
This will create a user
ftpadmin who will not be able to login using SSH, as we have supplied
-s /sbin/nologin argument. Home directory of
ftpadmin will be
/ftp. Now change the password of your new user using the following command.
Next change the permissions of
/ftp directory so that every user can add, modify or delete the content using the following command.
chmod 777 /ftp
Now you can check if your FTP is running either by going to the browser and browsing the following URL.
For example if IP address of your server is 192.168.0.100, then you will browse,
You will see a prompt to enter username and password. It shows that FTP server has been successfully deployed to your server. Login using your newly created user account.
As we have no files in our
/ftp directory, there are no files listed. You can also check it through the terminal of your server. Enter the following command.
You will be asked to enter the username, login using your newly created username, you will be successfully logged in. You will be shown something similar to this.
[root@vps ~]# ftp localhost
Trying ::1... Connected to localhost (::1). 220 FTP Server ready. Name (localhost:root): ftpadmin 331 Password required for ftpadmin Password: 230 User ftpadmin logged in Remote system type is UNIX. Using binary mode to transfer files. ftp>
Once you are in
ftp session, you can run help command to see the commands you can use. To exit from ftp you can enter
As we know, the FTP protocol is an insecure protocol and all the data which we send or receive including username and passwords are in clear text format. If a hacker tries to intercept the data, he can easily find out the username and password used for authentication purpose. Hence it is recommended to secure our FTP server using SSL/TLS. Once our FTP server is using SSL/TLS, all the transaction will be encrypted with public key. If a hacker tries to intercept the data, the data will not be of any use to him as he will need the private key to decrypt the data which is stored in server only.
Edit the main configuration file of ProFTPD using your favorite text editor, in this tutorial we will be using
nano, you can use whichever you want. If you don't have
nano installed, you can run
yum install nano command to install
nano on your system.
Scroll down below to find these lines.
# Cause every FTP user except adm to be chrooted into their home directory
DefaultRoot ~ !adm
Append the following line just below the above configuration.
PassivePorts 10000 11000
Thus your configuration should look like as shown below.
# Cause every FTP user except adm to be chrooted into their home directory DefaultRoot ~ !adm PassivePorts 10000 11000
Now scroll down further to find these lines.
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
TLSEngine on TLSRequired on TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem TLSCipherSuite ALL:!ADH:!DES TLSOptions NoCertRequest TLSVerifyClient off TLSRenegotiate ctrl 3600 data 512000 required off timeout 300 TLSLog /var/log/proftpd/tls.log
Comment Out some lines using
# at the start of the line to make the configuration look like as shown below.
# TLS (http://www.castaglia.org/proftpd/modules/mod_tls.html)
# TLSEngine on TLSRequired on TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem TLSCipherSuite ALL:!ADH:!DES TLSOptions NoCertRequest TLSVerifyClient off TLSRenegotiate ctrl 3600 data 512000 required off timeout 300 TLSLog /var/log/proftpd/tls.log # TLSSessionCache shm:/file=/var/run/proftpd/sesscache # #
Save the file and exit the editor. Now as we have added port range
11000 as passive ports to accept FTP connections. We will have to add the firewall rule to bypass these ports. Run the following commands to do the same.
firewall-cmd --add-port=10000-11000/tcp --permanent firewall-cmd --reload
You can the status of ports using the following command.
You should see following output.
Now we will have to create SSL certificates. If you do not have
openssl installed you can install it using the following command.
yum -y install openssl
Now run the following command to create certificate and key files.
openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem -nodes -days 365
Now you will be asked some information which is to be added into your CSR (Code Signing Request). You will be asked your country name in two letters, for example consider
IN for India. Then you will be asked about the state or province. Then you will be asked about your city and organization. Finally common name of your server and your email address. If you want to leave some detail blank use full stop of period ( . ) sign. You can also enter the default values just by pressing enter. Example output is given below.
Generating a 1024 bit RSA private key ....++++++ .......................................++++++ writing new private key to '/etc/pki/tls/certs/proftpd.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:IN State or Province Name (full name) :Rajasthan Locality Name (eg, city) [Default City]:Biakner Organization Name (eg, company) [Default Company Ltd]:My Company Organizational Unit Name (eg, section) :. Common Name (eg, your name or your server's hostname) :vps.liptanbiswas.com Email Address :email@example.com
This will generate the key file and certificates and will save then in
/etc/pki/tls/certs/ directory. Now restart your ProFTPD server using the following command.
systemctl restart proftpd.service
You can now check if SSL/TLS has been enabled on your FTP server by executing the following command on terminal.
You will see that FTP server is connected, try logging in with the same user we created above, you will see following output.
Connected to localhost (::1). 220 FTP Server ready. Name (localhost:root): ftpadmin 550 SSL/TLS required on the control channel Login failed. Remote system type is UNIX. Using binary mode to transfer files.
This happened because the
ftp client on terminal does not support FTP connections over SSL/TLS, but the server refused to connect without SSL/TLS.
You can use FileZilla FTP client to access your server now, as it supports FTP over TLS. Open your FileZilla client and enter the IP address, username and password in Quick Connect bar. You can leave port number blank as we are using default port
Now click on the Quickconnect button. FileZilla will try to connect to FTP server and you will see a warning showing your certificate details.
Select Always trust certificate in future sessions checkbox and click the OK button. You will be successfully logged into your FTP account.
Enabling Anonymous FTP Access
If you enable anonymous FTP access to your server, then anyone can access your server without providing a username or password. This is useful when you are sharing public files through your server. Anonymous users normally have only read privilege on server, so that they can login to server and download the files.
To enable anonymous access, again open the configuration file through your favorite editor.
Now scroll down to the end of the file and append these lines at the end.
User ftp Group ftp AccessGrantMsg "Anonymous login ok, restrictions apply."
UserAlias anonymous ftp DirFakeUser on ftp DirFakeGroup on ftp MaxClients 10 "Sorry, max %m users -- try again later"
Save the file and exit from the editor. Now restart ProFTPD service again.
systemctl restart proftpd.service
Now open FileZilla again and this time only enter your IP address in Quick Connect bar, leave username and password field empty. Click on the Quickconnect button and FileZilla will automatically fill
anonymous username for you.
If you had not selected Always trust certificate in future sessions checkbox in previous session, you will be asked again about the authenticity of the certificate, otherwise it will directly log you into the server.
In this tutorial we have learnt to install ProFTPD server in CentOS 7. We also learnt to secure ProFTPD using SSL/TLS with enabling anonymous users. You can now successfully deploy an FTP server on your server, which will give you ability to easily and securely transfer files from your local computer to your server.