The File Transfer Protocol (FTP) is a popular method for transferring files, commonly used for uploading and downloading content to and from web servers. This guide explains how to set up an FTP server with TLS encryption on Debian.

How to install a Debian FTP server

Before configuring your server, you must first find and install suitable server software. For Linux, there are various FTP servers available, most of which are open source and typically included in the package repositories of your respective Linux distribution.

One of the most well-known applications is the GPL-licensed ProFTPD, which is highly modular and extendable. The main configuration file operates using directives and directive groups that will be familiar to administrators with experience using Apache web servers. Debian includes ProFTPD in its software repository by default. Installation can be done via the terminal using the following commands:

sudo apt update
sudo apt install proftpd
sudo apt install proftpd-mod-crypto

To ensure the FTP server starts automatically on system reboot, use this additional command:

sudo systemctl enable proftpd

To complete the installation, you must decide whether to use ProFTPD in standalone mode or as a service managed by inetd. In standalone mode, the FTP server independently handles incoming requests. With the second option, the ‘superserver’ inetd/xinetd receives requests and forwards them to the FTP server. This second option is generally only relevant if you expect minimal FTP traffic.


5 scenarios and the right IONOS FTP server package on Debian

Unsure what hardware and network configuration you need for your Debian FTP server? The table below outlines three possible FTP server use cases and suggests the most suitable IONOS server package for each.

FTP server scenario | Recommended IONOS package
Small web server | VPS Linux M
Larger web server | VPS Linux XL
Enterprise FTP server | Dedicated Server AMD Ryzen XXL-128 NVMe

Debian FTP server tutorial and the key configuration steps

After installation, you can begin setting up ProFTPD. The configuration file proftpd.conf is located in the /etc/proftpd/ directory. To edit it, open it with the text editor of your choice. For example, using Debian’s default editor nano, you would use the following terminal command:

sudo nano /etc/proftpd/proftpd.conf

The configuration file contains various settings and features for the Debian FTP server. Each component is assigned its own line and requires specific values. For example, functions can be toggled on or off by setting their values to on or off respectively. Lines can also be prefixed with a hashtag (#) to ‘comment them out’, causing the ProFTPD server to ignore them entirely. This is another way to disable features.

Tip

Instead of modifying the proftpd.conf file directly, you can create a custom configuration file and place it in the /etc/proftpd/conf.d/ directory. This directory is preserved during FTP software updates, reducing the risk of losing your settings. Use the Include directive to incorporate server specifications from the conf.d folder into the main configuration file (this is done automatically with the default settings).

Server name, FTP directory, and other basic settings

Before diving into detailed configurations, you must first adjust the basic setup. This includes specifying the server hostname and the directory for file uploads and downloads. You also have several configuration options related to potential FTP users, as shown in this example configuration:

# Specify hostname and welcome message
ServerName    "hostname/IP-address"
DisplayLogin    "Your login to the Debian FTP server was successful!"
# General login policies
<Global>
    # Allow access only with shells defined in /etc/shells
    RequireValidShell    on
    # Deny root login
    RootLogin    off
    # Specify FTP directory accessible to users
    DefaultRoot    directory-path
</Global>
# Define authorised users/user groups for FTP login
<Limit LOGIN>
    # Only users in the example group ftpuser are allowed to log in
    # Instead of listing all allowed users, simply negate the unauthorised group (!)
    DenyGroup    !ftpuser
</Limit>

This basic configuration grants users access to a specific directory. This is particularly useful if, for instance, users are involved in maintaining a website and thus require broad access permissions. If the Linux FTP server’s primary function is to provide users with storage space for their files, you should configure ProFTPD to restrict access to the home directory:

# Restrict users to their home directory
DefaultRoot ~

Creating FTP users

When adding new ProFTPD users, it is advisable to set their login shell to /bin/false. This ensures users can only access the FTP server and not the entire system. First, add /bin/false to the list of allowed shells using the following terminal command:

sudo sh -c 'echo "/bin/false" >> /etc/shells'

Then, create a new user account:

sudo adduser user1 --shell /bin/false --home /home/user1

In this example, an account named ‘user1’ is created, and its home directory is set up simultaneously. Finally, assign a password to the account and confirm the profile. To enable this account to connect to the Debian FTP server and upload/download files to its exclusive directory, specify the home directory in proftpd.conf:

<Directory /home/user1>
    Umask 022 
    AllowOverwrite off
    <Limit LOGIN>
        AllowUser user1
        DenyAll
    </Limit>
    <Limit ALL>
        AllowUser user1
        DenyAll
    </Limit>
</Directory>

This code example restricts the directory in multiple ways, making it a private storage space for user1’s files. The Umask directive (022) grants the owning account full permissions, while others can only read and execute files if permitted. The deactivated AllowOverwrite directive prevents overwriting existing data during uploads. Finally, both FTP login (Limit LOGIN) and FTP command execution (Limit ALL) are blocked for all accounts except user1.
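The account rules above can be checked with a short script. This is an added example, not part of the original guide or of ProFTPD: it lists members of the FTP login group whose shell still allows a system login, or whose shell is missing from the shells file so that RequireValidShell on would refuse them. The function name is hypothetical, and it assumes the FTP accounts belong to the example group ftpuser.

```shell
#!/bin/sh
# Added example: audit the login shells of accounts in the FTP group.
# Usage: audit_ftp_shells GROUP PASSWD_FILE GROUP_FILE SHELLS_FILE

audit_ftp_shells() {
    awk -F: -v grp="$1" '
        # group file: name:password:gid:member,member,...
        FILENAME == ARGV[1] && $1 == grp {
            gid = $3
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) member[m[i]] = 1
        }
        # shells file: one absolute path per line, comments start with #
        FILENAME == ARGV[2] && /^\// { valid[$0] = 1 }
        # passwd file: match on primary gid or on supplementary membership
        FILENAME == ARGV[3] && ($4 == gid || ($1 in member)) {
            shell = $7
            if (shell != "/bin/false" && shell != "/usr/sbin/nologin")
                print $1 ": interactive shell " shell
            else if (!(shell in valid))
                print $1 ": " shell " not in shells file, login will be refused"
        }' "$3" "$4" "$2"
}

# Run when all four arguments are given, e.g.
#   sh audit_ftp_shells.sh ftpuser /etc/passwd /etc/group /etc/shells
[ $# -ne 4 ] || audit_ftp_shells "$@"
```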

Tip

Instead of disallowing all FTP commands, you can disable specific operations. For instance, you can create a directory where users can only upload files. Detailed information about these settings can be found in the online manuals.

Enabling anonymous access

If you want your Debian FTP server to serve as a public download server, you might also want to allow users to access files anonymously. First, define the necessary permissions for the download directory (e.g., /home/ftpdownload) using chmod:

sudo chmod 755 -R /home/ftpdownload

The account owning the directory has full permissions (7 = read, write, and execute), while group users and others can only read and execute (5). Once permissions are set, configure anonymous access in the proftpd.conf file:

<Anonymous ~ftp>
User    ftp
Group    ftpgroup
# Define possible login profiles for clients
UserAlias    anonymous    ftp
# Mask user and group identities; set max client count
DirFakeUser on ftp
DirFakeGroup on ftp
RequireValidShell    off
MaxClients    10
<Directory *>
    <Limit WRITE>
        DenyAll
    </Limit>
</Directory>
</Anonymous>

For the ftp account to log in successfully, add it to the ftpgroup group:

sudo adduser ftp ftpgroup

Configuring SSL/TLS encryption

The FTP protocol transmits both login credentials and data in plain text. If you want to set up a private ProFTPD server that is not accessible to everyone, it is highly recommended to encrypt the login process. You can achieve this using the free software OpenSSL. The cryptographic toolkit is included in Debian’s package management system and may already be installed. Otherwise, you can install it using the following command:

sudo apt install openssl

Step 1: Generate certificate and key

Next, use OpenSSL to create a certificate. Since you need a location to store this, first create an appropriate directory in the ProFTPD folder:

sudo mkdir /etc/proftpd/ssl

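Generate a certificate (proftpd.cert.pem) and key (proftpd.key.pem) valid for one year for your Linux FTP server by specifying this location using the following command:

sudo openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

The -nodes option stores the private key without a passphrase so that the server can start unattended, which means the key file must be readable by root only.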

Additionally, you will be required to provide some information to properly register the certificate:

  • Country Name (2 letter code): e.g., ‘GB’ for Great Britain
  • State or Province Name (full name): e.g., ‘England’
  • Locality Name (eg, city): e.g., ‘London’
  • Organization Name (eg, company): Your company’s name or your name
  • Organizational Unit Name (eg, company): Department name, if applicable, e.g., ‘IT’
  • Common Name (eg, YOUR name): The domain to be secured, e.g., ‘ftp.example.com’
  • Email Address: Your email address

Step 2: Enabling SSL/TLS in ProFTPD

After creating your own certificate and private key, you need to activate the encryption technology for the ProFTPD server. The Debian FTP server software provides the mod_tls module for this purpose. To activate it, you must edit the tls.conf configuration file. Open the file and locate the following entry:

<IfModule mod_tls.c>
    TLSEngine    off

Set the TLSEngine directive to ‘on’ and further expand the section as shown below (e.g., by removing comment hashes):

<IfModule mod_tls.c>
    TLSEngine            on
    TLSLog                /var/log/proftpd/tls.log
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 and 1.3 only
    TLSProtocol            TLSv1.2 TLSv1.3
    TLSRSACertificateFile        /etc/proftpd/ssl/proftpd.cert.pem
    TLSRSACertificateKeyFile    /etc/proftpd/ssl/proftpd.key.pem
    TLSVerifyClient            off
    TLSRequired            on
</IfModule>

This process not only activates SSL/TLS encryption for your Debian FTP server but also sets up essential configurations. For example, the log file for recording FTP connections (TLSLog) is defined, along with the paths to the certificate (TLSRSACertificateFile) and key (TLSRSACertificateKeyFile). The supported protocol versions (TLSProtocol) are also specified. The final two lines ensure that the module does not verify client-presented certificates (TLSVerifyClient) and that encryption is mandatory for establishing a connection (TLSRequired). Restart the ProFTPD server to apply the changes:

sudo /etc/init.d/proftpd restart
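A check that can be run after editing tls.conf, as an added example that is not part of the original guide or of ProFTPD: it reads the active mod_tls directives and reports a disabled TLSEngine or TLSRequired, deprecated protocol versions (SSLv3, TLS 1.0, TLS 1.1) and a private key that is accessible beyond its owner. The function names are hypothetical, and it assumes TLSProtocol is written as an explicit list of versions.

```shell
#!/bin/sh
# Added example: audit a ProFTPD mod_tls config (explicit TLSProtocol list form).

# Print the arguments of the last uncommented occurrence of directive $1 in file $2.
directive() {
    awk -v d="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }' "$2"
}

# True when boolean directive $1 in file $2 is switched on.
is_on() {
    case $(directive "$1" "$2" | tr 'A-Z' 'a-z') in
        on|yes|true|1) return 0 ;;
    esac
    return 1
}

report() { echo "$1"; findings=$((findings + 1)); }

# Print one finding per line; the return status is the number of findings.
audit_tls() {
    conf=$1
    findings=0
    is_on TLSEngine "$conf" || report "TLSEngine is not on"
    is_on TLSRequired "$conf" || report "TLSRequired is not on: control or data channel may be unencrypted"

    protos=$(directive TLSProtocol "$conf")
    [ -n "$protos" ] || report "TLSProtocol not set: module default applies"
    for p in $protos; do
        case $p in
            SSLv3|TLSv1|TLSv1.1) report "deprecated protocol enabled: $p" ;;
        esac
    done

    key=$(directive TLSRSACertificateKeyFile "$conf")
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        report "private key file not found: ${key:-unset}"
    else
        # Characters 5-10 of the ls mode string are the group and other bits.
        mode=$(ls -ld "$key" | cut -c5-10)
        [ "$mode" = "------" ] || report "private key accessible to group/other: $key"
    fi
    return "$findings"
}

# Run against a file when one is given, e.g. sudo sh audit_tls.sh /etc/proftpd/tls.conf
[ $# -eq 0 ] || audit_tls "$1"
```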

Step 3: Connecting to the ProFTPD server via SSL/TLS

If you have enabled SSL/TLS for ProFTPD as recommended in this Debian FTP server tutorial, users will need an FTP client that supports encrypted connections. One of the most popular options is FileZilla, which is available not only for Debian and other Linux distributions but also for macOS and Windows. This open-source program is an excellent solution for accessing the FTP server from various platforms.

In FileZilla’s server manager, select the secured FTPS option (FTP over explicit TLS/SSL) instead of regular FTP. During the initial connection to the server, the certificate will have to be accepted.

If the TLS connection cannot be established in FileZilla, it might be necessary to manually load the mod_tls module. Add the following line at the beginning of proftpd.conf:

LoadModule mod_tls.c

Restart the server to make the changes effective:

sudo systemctl restart proftpd
Tip

The SSH File Transfer Protocol uses SSH instead of TLS/SSL and offers a streamlined, user-friendly alternative to FTPS.

Tips and tricks for configuring ProFTPD

The configurations presented here are just a small selection. The versatile FTP software allows for much more specific and complex scenarios for configuring your server. The official ProFTPD website provides many useful resources on this topic. The freely available online documentation includes example setups, detailed how-tos, FAQs, and explanations of individual directives. Additionally, information about various standard and additional modules is provided.

Common errors during server configuration

In some cases, restarting the ProFTPD server may result in the following error message:

mod_tls_memcache/0.1: notice: unable to register 'memcache' SSL session cache: Memcache support not enabled

This issue occurs because the mod_tls_memcache caching module is automatically enabled as part of SSL/TLS during ProFTPD’s compilation. While this module theoretically allows for caching encrypted FTP sessions, the default configuration does not include the required settings, leading to the ProFTPD error message. The solution is simple: comment out the module or its loading process in the configuration file:

# LoadModule mod_tls_memcache.c

Another common issue is a failed connection, which may arise during Debian FTP server setup. Use the following analysis options to troubleshoot:

1. Check if the ProFTPD server is running:

sudo service proftpd status

2. Verify that the ProFTPD server is listening on TCP port 21 to register incoming FTP requests:

sudo netstat -tlp|grep proftpd

3. Check ProFTPD log errors:

sudo tail -20 /var/log/proftpd/proftpd.log

4. Check TLS log errors:

sudo tail -20 /var/log/proftpd/tls.log

5. Test connection on port 21 using telnet:

sudo telnet [IP Address] 21

6. Test connection on port 21 using TLS:

sudo openssl s_client -connect [IP Address]:21 -starttls ftp