How to configure your own Debian FTP server with ProFTPD
The File Transfer Protocol (FTP) is a popular method for transferring files, commonly used for uploading and downloading content to and from web servers. This guide explains how to set up an FTP server with TLS encryption on Debian.
How to install a Debian FTP server
Before configuring your server, you must first find and install suitable server software. For Linux, there are various FTP servers available, most of which are open source and typically included in the package repositories of your respective Linux distribution.
One of the most well-known applications is the GPL-licensed ProFTPD, which is highly modular and extendable. The main configuration file operates using directives and directive groups that will be familiar to administrators with experience using Apache web servers. Debian includes ProFTPD in its software repository by default. Installation can be done via the terminal using the following commands:
sudo apt update
sudo apt install proftpd
sudo apt install proftpd-mod-crypto
To ensure the FTP server starts automatically on system reboot, use this additional command:
sudo systemctl enable proftpd
To complete the installation, you must decide whether to use ProFTPD in standalone mode or as a service managed by inetd. In standalone mode, the FTP server independently handles incoming requests. With the second option, the ‘superserver’ inetd/xinetd receives requests and forwards them to the FTP server. This second option is generally only relevant if you expect minimal FTP traffic.
5 scenarios and the right IONOS FTP server package on Debian
Unsure what hardware and network configuration you need for your Debian FTP server? The table below outlines three possible FTP server use cases and suggests the most suitable IONOS server package for each.
FTP server scenario | Recommended IONOS package |
---|---|
Small web server | VPS Linux M |
Larger web server | VPS Linux XL |
Enterprise FTP server | Dedicated Server AMD Ryzen XXL-128 NVMe |
Debian FTP server tutorial and the key configuration steps
After installation, you can begin setting up ProFTPD. The configuration file proftpd.conf is located in the /etc/proftpd/ directory. To edit it, open it with the text editor of your choice. For example, using Debian’s default editor nano, you would use the following terminal command:
sudo nano /etc/proftpd/proftpd.conf
The configuration file contains various settings and features for the Debian FTP server. Each directive is on its own line and requires specific values. For example, functions can be toggled on or off by setting their values to on or off respectively. Lines can also be prefixed with a hash sign (#) to ‘comment them out’, causing the ProFTPD server to ignore them entirely. This is another way to disable features.
Instead of modifying the proftpd.conf file directly, you can create a custom configuration file and place it in the /etc/proftpd/conf.d/ directory. This directory is preserved during FTP software updates, reducing the risk of losing your settings. Use the Include directive to incorporate server specifications from the conf.d folder into the main configuration file (this is done automatically with the default settings).
Server name, FTP directory, and other basic settings
Before diving into detailed configurations, you must first adjust the basic setup. This includes specifying the server hostname and the directory for file uploads and downloads. You also have several configuration options related to potential FTP users, as shown in this example configuration:
# Specify hostname and welcome message
ServerName "hostname/IP-address"
DisplayLogin "Your login to the Debian FTP server was successful!"
# General login policies
<Global>
# Allow access only with shells defined in /etc/shells
RequireValidShell on
# Deny root login
RootLogin off
# Specify FTP directory accessible to users
DefaultRoot directory-path
</Global>
# Define authorised users/user groups for FTP login
<Limit LOGIN>
# Only users in the example group ftpuser are allowed to log in
# Instead of listing all allowed users, simply negate the unauthorised group (!)
DenyGroup !ftpuser
</Limit>
This basic configuration grants users access to a specific directory. This is particularly useful if, for instance, users are involved in maintaining a website and thus require broad access permissions. If the Linux FTP server’s primary function is to provide users with storage space for their files, you should configure ProFTPD to restrict access to the home directory:
# Restrict users to their home directory
DefaultRoot ~
Creating FTP users
When adding new ProFTPD users, it is advisable to set their login shell to /bin/false. This ensures users can only access the FTP server and not the entire system. First, add /bin/false to the list of allowed shells using the following terminal command:
sudo sh -c 'echo "/bin/false" >> /etc/shells'
Then, create a new user account:
sudo adduser user1 --shell /bin/false --home /home/user1
In this example, an account named ‘user1’ is created, and its home directory is set up simultaneously. Finally, assign a password to the account and confirm the profile. To enable this account to connect to the Debian FTP server and upload/download files to its exclusive directory, specify the home directory in proftpd.conf:
<Directory /home/user1>
Umask 022
AllowOverwrite off
<Limit LOGIN>
AllowUser user1
DenyAll
</Limit>
<Limit ALL>
AllowUser user1
DenyAll
</Limit>
</Directory>
This code example restricts the directory in multiple ways, making it a private storage space for user1’s files. The Umask directive (022) grants the owning account full permissions, while others can only read and execute files if permitted. The deactivated AllowOverwrite directive prevents overwriting existing data during uploads. Finally, both FTP login (Limit LOGIN) and FTP command execution (Limit ALL) are blocked for all accounts except user1.
Instead of disallowing all FTP commands, you can disable specific operations. For instance, you can create a directory where users can only upload files. Detailed information about these settings can be found in the online manuals.
Enabling anonymous access
If you want your Debian FTP server to serve as a public download server, you might also want to allow users to access files anonymously. First, define the necessary permissions for the download directory (e.g., /home/ftpdownload) using chmod:
sudo chmod 755 -R /home/ftpdownload
The account owning the directory has full permissions (7 = read, write, and execute), while group users and others can only read and execute (5). Once permissions are set, configure anonymous access in the proftpd.conf file:
<Anonymous ~ftp>
User ftp
Group ftpgroup
# Define possible login profiles for clients
UserAlias anonymous ftp
# Mask user and group identities; set max client count
DirFakeUser on ftp
DirFakeGroup on ftp
RequireValidShell off
MaxClients 10
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
</Anonymous>
For the ftp account to log in successfully, add it to the ftpgroup group:
sudo adduser ftp ftpgroup
Configuring SSL/TLS encryption
The FTP protocol transmits both login credentials and data in plain text. If you want to set up a private ProFTPD server that is not accessible to everyone, it is highly recommended to encrypt the login process. You can achieve this using the free software OpenSSL. The cryptographic toolkit is included in Debian’s package management system and may already be installed. Otherwise, you can install it using the following command:
sudo apt install openssl
Step 1: Generate certificate and key
Next, use OpenSSL to create a certificate. Since you need a location to store this, first create an appropriate directory in the ProFTPD folder:
sudo mkdir /etc/proftpd/ssl
Generate a certificate (proftpd.cert.pem) and key (proftpd.key.pem) valid for one year for your Linux FTP server by specifying this location using the following command (sudo is needed because the directory was created as root):
sudo openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem
Additionally, you will be required to provide some information to properly register the certificate:
- Country Name (2 letter code): e.g., ‘GB’ for Great Britain
- State or Province Name (full name): e.g., ‘England’
- Locality Name (eg, city): e.g., ‘London’
- Organization Name (eg, company): Your company’s name or your name
- Organizational Unit Name (eg, company): Department name, if applicable, e.g., ‘IT’
- Common Name (eg, YOUR name): The domain to be secured, e.g., ‘ftp.example.com’
- Email Address: Your email address
Step 2: Enabling SSL/TLS in ProFTPD
After creating your own certificate and private key, you need to activate the encryption technology for the ProFTPD server. The Debian FTP server software provides the mod_tls module for this purpose. To activate it, you must edit the tls.conf configuration file. Open the file and locate the following entry:
<IfModule mod_tls.c>
TLSEngine off
Set the TLSEngine directive to ‘on’ and further expand the section as shown below (e.g., by removing comment hashes):
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
# TLSv1 and TLSv1.1 are deprecated (RFC 8996) and are not enabled here
TLSProtocol TLSv1.2 TLSv1.3
TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient off
TLSRequired on
</IfModule>
This process not only activates SSL/TLS encryption for your Debian FTP server but also sets up essential configurations. For example, the log file for recording FTP connections (TLSLog) is defined, along with the paths to the certificate (TLSRSACertificateFile) and key (TLSRSACertificateKeyFile). The supported protocol versions (TLSProtocol) are also specified. The final two lines ensure that the module does not verify client-presented certificates (TLSVerifyClient) and that encryption is mandatory for establishing a connection (TLSRequired). Restart the ProFTPD server to apply the changes:
sudo /etc/init.d/proftpd restart
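The following script is an added example, not part of ProFTPD or of the original tutorial. It audits a tls.conf for the directives described above: TLSEngine and TLSRequired set to on, no SSLv3, TLSv1 or TLSv1.1 in TLSProtocol, and a private key file that exists and is readable only by its owner. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a ProFTPD tls.conf for the mod_tls settings above.
# Print the arguments of the last uncommented DIRECTIVE ($2) in FILE ($1).
directive_value() {
    awk -v d="$2" '
        { sub(/#.*/, "") }                        # drop comments
        tolower($1) == tolower(d) { $1 = ""; v = $0 }
        END { sub(/^ +/, "", v); print v }' "$1"
}

lower() { tr 'A-Z' 'a-z'; }
# Print one finding per line; no output means every check passed.
audit_tls_conf() {
    conf=$1
    [ "$(directive_value "$conf" TLSEngine | lower)" = on ] ||
        echo "TLSEngine is not on: mod_tls is inactive"
    [ "$(directive_value "$conf" TLSRequired | lower)" = on ] ||
        echo "TLSRequired is not on: sessions without TLS are still possible"
    protos=$(directive_value "$conf" TLSProtocol | lower)
    [ -n "$protos" ] || echo "TLSProtocol is not set: the build default applies"
    for p in $protos; do
        case $p in
            sslv3|tlsv1|tlsv1.1) echo "TLSProtocol enables deprecated $p" ;;
        esac
    done
    key=$(directive_value "$conf" TLSRSACertificateKeyFile)
    if [ ! -f "$key" ]; then
        echo "private key file not found: '$key'"
    elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "private key $key is accessible to group or others"
    fi
}

# Demo on a constructed config (sample values, not from a real server).
demo() {
    dir=$(mktemp -d)
    : > "$dir/key.pem"; chmod 644 "$dir/key.pem"
    cat > "$dir/tls.conf" <<EOF
<IfModule mod_tls.c>
  TLSEngine on
  TLSProtocol TLSv1 TLSv1.1 TLSv1.2
  TLSRSACertificateKeyFile $dir/key.pem
  #TLSRequired on
</IfModule>
EOF
    audit_tls_conf "$dir/tls.conf"
    rm -rf "$dir"
}
demo
```

To audit the real file, replace the final `demo` call with `audit_tls_conf /etc/proftpd/tls.conf` and run the script with sudo so the key file can be inspected.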
Step 3: Connecting to the ProFTPD server via SSL/TLS
If you have enabled SSL/TLS for ProFTPD as recommended in this Debian FTP server tutorial, users will need an FTP client that supports encrypted connections. One of the most popular options is FileZilla, which is available not only for Debian and other Linux distributions but also for macOS and Windows. This open-source program is an excellent solution for accessing the FTP server from various platforms.
In FileZilla’s server manager, select the secured FTPS option (FTP over explicit TLS/SSL) instead of regular FTP. During the initial connection to the server, the certificate will have to be accepted.
If the TLS connection cannot be established in FileZilla, it might be necessary to manually load the mod_tls module. Add the following line at the beginning of proftpd.conf:
LoadModule mod_tls.c
Restart the server to make the changes effective:
sudo systemctl restart proftpd
The SSH File Transfer Protocol uses SSH instead of TLS/SSL and offers a streamlined, user-friendly alternative to FTPS.
Tips and tricks for configuring ProFTPD
The configurations presented here are just a small selection. The versatile FTP software allows for much more specific and complex scenarios for configuring your server. The official ProFTPD website provides many useful resources on this topic. The freely available online documentation includes example setups, detailed how-tos, FAQs, and explanations of individual directives. Additionally, information about various standard and additional modules is provided.
Common errors during server configuration
In some cases, restarting the ProFTPD server may result in the following error message:
mod_tls_memcache/0.1: notice: unable to register 'memcache' SSL session cache: Memcache support not enabled
This issue occurs because the mod_tls_memcache caching module is automatically enabled as part of SSL/TLS during ProFTPD’s compilation. While this module theoretically allows for caching encrypted FTP sessions, the default configuration does not include the required settings, leading to the ProFTPD error message. The solution is simple: comment out the module or its loading process in the configuration file:
# LoadModule mod_tls_memcache.c
Another common issue is a failed connection, which may arise during Debian FTP server setup. Use the following analysis options to troubleshoot:
1. Check if the ProFTPD server is running:
sudo service proftpd status
2. Verify that the ProFTPD server is listening on TCP port 21 to register incoming FTP requests:
sudo netstat -tlp | grep proftpd
3. Check ProFTPD log errors:
sudo tail -20 /var/log/proftpd/proftpd.log
4. Check TLS log errors:
sudo tail -20 /var/log/proftpd/tls.log
5. Test connection on port 21 using telnet:
sudo telnet [IP Address] 21
6. Test connection on port 21 using TLS:
sudo openssl s_client -connect [IP Address]:21 -starttls ftp