Setting up an FTP server on Debian

Posted by Anonymous on Thu 25 Aug 2005 at 17:29

As a means of distributing large collections of files FTP is still a popular choice, despite the rise of bittorrent, and the growing number of HTTP servers.

FTP is an often overlooked method of storing and giving access to files; in many cases FTP servers have been retired in favour of web servers such as Apache.

But there are a lot of cases where offering access via FTP makes sense, even with the limitations of FTP - most notably the difficulty of firewalling and the security risk involved in using plaintext passwords.

There are several different FTP servers packaged within Debian, which you can see via:

apt-cache search ftp-server

One of the most popular servers around is proftpd, and that can be installed upon Debian systems with:

apt-get install proftpd

Once downloaded, debconf will ask whether you wish to run the server via inetd or in standalone fashion. In general you want the latter option.

Once installed, the server will be running and will accept logins from every user account on the host.

If you wish to stop the server prior to more configuration you can do so with:

/etc/init.d/proftpd stop

proftpd is configured through the file /etc/proftpd.conf.

Security Options

There are several security options you can enable in proftpd; the most notable is TLS.

To use TLS you will need to generate a key, and update your server's configuration file to use it.

Generating a key is simple enough with the openssl command, which is contained in the openssl package:

mkdir /etc/proftpd
cd /etc/proftpd
openssl req -new -x509 -days 365 -nodes -out ftpd-rsa.pem \
   -keyout ftpd-rsa-key.pem

With the files generated you can add the following to your proftpd.conf file:

<IfModule mod_tls.c>
   TLSEngine on
   TLSLog /var/log/proftpd-tls.log
   TLSProtocol TLSv1

   # Are clients required to use FTP over TLS when talking to this server?
   TLSRequired off

   TLSRSACertificateFile    /etc/proftpd/ftpd-rsa.pem
   TLSRSACertificateKeyFile /etc/proftpd/ftpd-rsa-key.pem
    
   # Authenticate clients that want to use FTP over TLS?
   TLSVerifyClient off
</IfModule>

Other security options include limiting users to particular directories. To limit the user "bob" to the starting directory "/tmp" you can use:

DefaultRoot /tmp bob

The more general approach is to restrict users to their own home directory, which you can accomplish via:

DefaultRoot ~

This causes all users to be presented with the contents of their home directory (as specified by /etc/passwd) when they log in.
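A quick way to check a configuration for the options covered in this section, as an added example that is not part of the original article or of ProFTPD itself: the script below flags TLS that is optional or limited to old protocol versions, and a missing DefaultRoot. The function names are made up for the example, and the sample input is the TLS block shown above.

```shell
#!/bin/sh
# Added example: audit a proftpd.conf for the settings this article discusses.

# Print the value of the last uncommented occurrence of a directive
# (matched case-insensitively). Prints an empty line if it is not set.
directive() {  # usage: directive NAME FILE
    awk -v name="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(name) { $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { print val }' "$2"
}

# Print one "WARN:" line per finding for the config file given as $1.
audit_proftpd() {
    file=$1
    engine=$(directive TLSEngine "$file" | tr 'A-Z' 'a-z')
    required=$(directive TLSRequired "$file" | tr 'A-Z' 'a-z')

    [ "$engine" = "on" ] ||
        echo "WARN: TLSEngine is not on; passwords and data cross the network in cleartext"
    case "$required" in
        on) ;;
        ""|off) echo "WARN: TLSRequired is off; clients may still log in without TLS" ;;
        *) echo "WARN: TLSRequired $required forces only part of the session onto TLS" ;;
    esac
    for proto in $(directive TLSProtocol "$file"); do
        case "$proto" in
            SSLv3|TLSv1|TLSv1.1)
                echo "WARN: TLSProtocol allows legacy protocol $proto" ;;
        esac
    done
    [ -n "$(directive DefaultRoot "$file")" ] ||
        echo "WARN: no DefaultRoot; logged-in users are not confined to a directory"
    return 0
}

# The article's TLS settings, reproduced as sample input.
article_conf() {
    cat <<'EOF'
<IfModule mod_tls.c>
   TLSEngine on
   TLSProtocol TLSv1
   # Are clients required to use FTP over TLS when talking to this server?
   TLSRequired off
</IfModule>
EOF
}

conf=$(mktemp)
article_conf > "$conf"
audit_proftpd "$conf"
rm -f "$conf"
```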

Permitting Anonymous Access

To permit anonymous access to your server you will need to uncomment the configuration options which are already present in the standard /etc/proftpd.conf file.

This is a good starting point:


<Anonymous ~ftp>
   User                 ftp
   Group                nogroup

   # We want clients to be able to login with "anonymous" as well as "ftp"
   UserAlias            anonymous ftp

   # Cosmetic changes: all files appear to belong to the ftp user
   DirFakeUser          on ftp
   DirFakeGroup         on ftp

   RequireValidShell    off

   # Limit the maximum number of anonymous logins
   MaxClients           10

   # We want 'welcome.msg' displayed at login, and '.message' displayed
   # in each newly chdired directory.
   DisplayLogin         welcome.msg
   DisplayFirstChdir    .message

   # Limit WRITE everywhere in the anonymous chroot
   <Directory *>
     <Limit WRITE>
       DenyAll
     </Limit>
   </Directory>
</Anonymous>

With this configuration users can log in with either "anonymous" or "ftp" as the username, and they will be able to read from /home/ftp.

Thankfully they will be unable to upload new content or delete existing files; they are given read-only access to the server.

Miscellaneous Options

There are some other options which you might wish to change, for example the welcome message presented to clients.

The welcome message is read from /home/ftp/welcome.msg; editing that file immediately changes the text sent to users.

The hostname of your server is typically displayed to clients when they connect - in the Debian package the greeting only includes the string "Debian" - as you can see from the following session:

user@host:~ ftp localhost
Connected to localhost.localdomain.
220 ProFTPD 1.2.10 Server (Debian) [127.0.0.1]

To change this, update the proftpd.conf file to include:

ServerName "My.host.name"

 

 


Posted by Anonymous (82.119.xx.xx) on Thu 25 Aug 2005 at 18:16
I use pure-ftpd (www.pureftpd.org)... I don't remember why I switched from proftpd :) but pure-ftpd has been running on our webhosting server without any problems for a few years. It has many nice features - such as limiting max. number of connections for IP and for user, workaround for broken ftp clients...

[ Parent | Reply to this comment ]

Posted by todsah (213.93.xx.xx) on Thu 25 Aug 2005 at 19:14
I too switched from proftpd to pure-ftpd, mainly because I could not get proftpd to work nicely with my particular PAM setup.

Pure-ftpd's configuration is a bit strange at first. Basically, you just add files that represent commandline options to a directory /etc/pureftpd/conf/. For instance, to configure a trusted GID for which no chrooting takes place, pure-ftpd provides the --trustedgid option. To enable this as a configuration option, you create a file named TrustedGID and put the GID in that file.

Even though Pure-ftpd's configuration is unorthodox to say the least, I like it better than proftpd's. For some reason I also had a lot fewer problems setting up rate-limiting and chrooting (for all users except a few) with pure-ftpd than I did for proftpd.

It seems to me proftpd is a little more advanced and offers more options than proftpd, but so far I haven't found anything I personally use that pure-ftpd doesn't offer and proftpd does. It's worth checking out.

[ Parent | Reply to this comment ]

Posted by Anonymous (192.87.xx.xx) on Tue 6 Jun 2006 at 14:28
I do not believe the 'strange' configuration is a feature of pure-ftpd, but rather of the Debian port/package. I have used pure-ftpd on other systems (OpenBSD, Windows) and the configuration is only a simple single configuration file. Much easier to manage. I suppose the Debian maintainer invented this configuration for easier package upgrading or something...

[ Parent | Reply to this comment ]

Posted by Anonymous (67.164.xx.xx) on Sun 25 Sep 2005 at 01:38
I have been having trouble getting ANY ftp servers working on my amd64 box. I just downloaded and installed from source (pure-ftpd 1.0.19) and it worked! Thanks for the idea to try it!
-Trash

[ Parent | Reply to this comment ]

Posted by mvanbaak (80.126.xx.xx) on Sat 25 Mar 2006 at 18:17
I use pure-ftpd too.
But right now I'm looking at vsftpd, because the pure-ftpd Debian package does not support files > 2GB.
I know, not a lot of users need this, but I do (think DVDs).

[ Parent | Reply to this comment ]

Posted by Anonymous (198.202.xx.xx) on Sat 21 Apr 2007 at 01:10

This may be newer than your post, but the pureftp documentation explains how to transfer files over 2GB:

--with-largefile: support downloading of files larger than 2 gigabytes on 32-bit architectures. Transferring so huge files through FTP is a strange idea. And your filesystem has to support it. Your kernel and your libc as well. And of course, the FTP client has to be safe against large files, too. And when this feature is enabled, downloads can be a bit slower (or more cpu-intensive) than without it, due to a limitation of actual Linux kernels. To summarize: don't enable this for fun, just if you are really planning to download files over 2 gigabytes.

[ Parent | Reply to this comment ]

Posted by mvanbaak (82.95.xx.xx) on Sat 21 Apr 2007 at 09:56
Correct, but then I have to compile pure-ftpd.
And they talk only about downloading, not about uploading.
I only hit this limit once, so it's not really a big deal now.

[ Parent | Reply to this comment ]

Posted by Anonymous (222.212.xx.xx) on Wed 24 Oct 2007 at 10:48
Yes, I installed vsftpd for one of my customers, a media company. It has worked for 2 years and works very well. I suggest vsftpd if you need to manage 2GB files.

felix
- gingko soft

[ Parent | Reply to this comment ]

Posted by DaveV (24.8.xx.xx) on Thu 25 Aug 2005 at 20:05

I always recommend sftp (ssh subsystem) for all NON-anonymous ftp access because SSH has far fewer security issues than the average ftp server, and its simple configuration.

If you have OpenSSH server installed then just add the following line to /etc/ssh/sshd_config and restart the daemon (/etc/init.d/ssh restart):

Subsystem sftp /usr/lib/openssh/sftp-server

And for the linux users, install the OpenSSH client and have them use sftp to connect instead of ftp.

For windows users, install one of the following:

  1. http://www.chiark.greenend.org.uk/~sgtatham/putty.html
  2. http://lexa.dyndns.org/sshwindows/

[ Parent | Reply to this comment ]

Posted by Steve (82.41.xx.xx) on Thu 25 Aug 2005 at 22:16

I am a big fan of WinSCP for using SCP in a graphical fashion under Windows.

Steve
-- Steve.org.uk

[ Parent | Reply to this comment ]

Posted by kamaraju (128.84.xx.xx) on Sat 27 Aug 2005 at 05:02
I do not think winscp is available in Debian officially. If you want similar functionality fire up konqueror and then press ctrl-shift-l to vertically split the window and then use sftp:// protocol. It is almost similar to winscp and at the same time you can use all your konqueror tricks.

[ Parent | Reply to this comment ]

Posted by Anonymous (89.171.xx.xx) on Thu 26 Oct 2006 at 11:37
In Konqueror, access to SFTP is named FISH (fish://)

[ Parent | Reply to this comment ]

Posted by Anonymous (61.9.xx.xx) on Wed 25 Jun 2008 at 06:53
fish != sftp.

fish uploads a file called .fishsrv.pl and then implements its own sftp subsystem; all you need for it to work is a shell on that box.

Just FYI

[ Parent | Reply to this comment ]

Posted by Anonymous (66.36.xx.xx) on Thu 25 Aug 2005 at 20:22
Hi,

Great site btw. About that TLS stuff, I guess this solves the cleartext password problem? Or is it only the data transferred that's encrypted?

Thanks

Yan

[ Parent | Reply to this comment ]

Posted by SquireCD (24.119.xx.xx) on Thu 25 Aug 2005 at 20:29
I was using proFTP and one day I was looking at kernel.org. They had a comment about switching from proFTP to vsFTP (very secure FTP) and I investigated. I ended up making the switch too. I recommend vsFTP. It's in the apt-get database.

[ Parent | Reply to this comment ]

Posted by Anonymous (209.168.xx.xx) on Thu 25 Aug 2005 at 21:37
I'm new to Debian, and fairly new to linux, and am interested in running an FTP server. I'm curious as to the advantages of proftpd over ftpd-ssl.

[ Parent | Reply to this comment ]

Posted by ajt (84.12.xx.xx) on Thu 25 Aug 2005 at 22:22
I agree that FTP is underrated, and very much out of fashion.

I'd use vsftp if I needed a FTP server. It's small and simple, a modern design, and built with security in mind. There is a nice package in Debian with all the bits in, and it even does TLS out of the box.

http://vsftpd.beasts.org/

If Debian, OpenBSD et al., use it as their official FTP server, then it's probably good enough for me too.

--
"It's Not Magic, It's Work"
Adam

[ Parent | Reply to this comment ]

Posted by K4sperl (212.33.xx.xx) on Fri 26 Aug 2005 at 09:32
I use vsftpd too and I'm happy with it. vsftpd is very fast, stable and of course secure.

--
Gerald
holl.co.at

[ Parent | Reply to this comment ]

Posted by simonw (84.45.xx.xx) on Sat 27 Aug 2005 at 21:31
I run both vsftpd and proftpd at work.

We use proftpd to support virtual users, although I dare say this could be done through PAM, there are other aspects to having a lot of virtual users, like quota management that proftpd does well.

Where we just need vanilla system users to be able to ftp, we use vsftpd.

Never had a problem with either, yes proftpd has a bit of a security history but it provides a lot of features not found elsewhere, and as far as I have ascertained none of the security issues have so far affected a configuration that is 2 years old.

However I think ftp is overrated, it provides very little that you don't get with HTTP, although the HTTP upload via WebDav can get a bit fiddly compared to say setting up vsftpd.

[ Parent | Reply to this comment ]

Posted by Anonymous (81.88.xx.xx) on Fri 26 Aug 2005 at 07:49
If you are experiencing slow logins using proftpd I suggest you turn off DNS lookup.
Insert these lines in your proftpd.conf:

UseReverseDNS off
IdentLookups off


Syneus.

[ Parent | Reply to this comment ]

Posted by Anonymous (64.142.xx.xx) on Fri 26 Aug 2005 at 17:41

Personally, I recommend against proftp because of its security history and, last I checked, large memory footprint per connection. When I set up my ftp stuff, pure-ftpd was the only reliable option which supported upload in a safeish way.

If I did not need upload I would use an ftpd which does not implement the feature. If I needed to set up an ftp server with upload now, I would use vsftp, no question.

--JoshuaRodman

[ Parent | Reply to this comment ]

Posted by Anonymous (150.216.xx.xx) on Sun 28 Aug 2005 at 03:34
Is there a simple, anonymous FTP server that runs well under a normal user? When I just want to transfer a few files between a GNU/Linux system and an MS Windows system or to share some files with a friend, I wish that I could do something like 'chroot ~/foo some_ftpd' and later ctrl-c when I'm done

[ Parent | Reply to this comment ]

Posted by Anonymous (196.25.xx.xx) on Sat 10 Sep 2005 at 11:03
That is client specific. If your server has an ssh daemon running on it and you have the sftp subsystem enabled (look above) then just use FileZilla as your windows ftp client to connect to the sftp subsystem.

Anyway, my experience with ftp has mainly been ProFTPD and I do have access to vsFTP but haven't really bothered to look at it. I am more than happy with the Quota MySQL management with ProFTP under Debian Sarge/Mandrake(RH Clone)/Red Hat.

The TLS option is something that I am interested in, but the only thing that I feel is a bit lacking in ProFTPD is the ability to prevent certain ftp user logins from an IP range that you do not wish to have access. (I'll keep on looking for the solution...)

Well, ProFTPD is not that difficult to set up... and if there are upload and download restrictions that I desire then I could limit the file size via Frox, and download rate via TC.

Have a good weekend!
Cheers

[ Parent | Reply to this comment ]

Posted by chaica (83.143.xx.xx) on Tue 13 Sep 2005 at 16:12
Pureftpd ( www.pureftpd.org ) is a really good ftp server, which is available in apt-get database.


Unlike other popular FTP servers, the number of root exploits found since the very first released version is zero.

The server can run with privilege separation for paranoid security. It can even run 100% non-root, with its built-in chroot() emulation and virtual accounts.

Transmission of cleartext passwords and commands can be avoided : Pure-FTPd has optional support for an SSL/TLS encryption layer using the OpenSSL library.

[ Parent | Reply to this comment ]

Posted by Anonymous (80.171.xx.xx) on Fri 16 Dec 2005 at 10:11
good info!
well, locally all is fine and a secure connection works, but not from outside :-( and I have no idea what this can be!
is there any port which must be opened for TLS?
I can connect and log in, and then the client gets an unknown error! The server log reports nothing wrong. :-(
[code]
230 User test logged in.
...
211-AUTH TLS
...
TYPE I
200 Type set to I
REST 0
350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer
PWD
257 "/" is current directory.
CWD /
250 CWD command successful
PWD
257 "/" is current directory.
TYPE A
200 Type set to A
PROT P
200 Protection set to Private
PASV
227 Entering Passive Mode (192,168,1,103,129,130).
Opening data connection to 192.168.1.103 Port: 33154
LIST -aL
Timeout (120s).
Active Help: http://www.smartftp.com/support/kb/index.php/74
Client closed the connection.
[/code]

[ Parent | Reply to this comment ]

Posted by Anonymous (12.216.xx.xx) on Mon 16 Jan 2006 at 23:13
Similar problem:
Config:
DefaultRoot /somedir bob

running
ftp://localhost in konqueror/firefox/nau... works fine

running
ftp my_ip in console works fine (I can ls, cd, etc)

running
ftp://my_ip in konqueror/firefox/nau... almost fails: no folders/files are displayed, copying files fails but I can create a new folder!

Any ideas?

[ Parent | Reply to this comment ]

Posted by Anonymous (83.245.xx.xx) on Mon 17 Jul 2006 at 21:47
That's because ftp uses different ports for the control channel and the data transfer channel(s).

The control channel is nicely fixed to 21. The default data channel is 20, but it can be just about anything and I believe there may even be multiple data channels in action at any one time - a real pain.

You can create directories because you're connected through the control channel but your inability to transfer files is probably caused by no data channel.

Try opening the default data channel and pray.

I don't know enough about any particular server/client to tell you how to nail down the port numbers available as data channels.

Regards, Max

[ Parent | Reply to this comment ]
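The 227 reply in the session log a few comments up can be decoded to see where the client was told to open its data connection. The following added example (not from the original posters; function names are hypothetical, and 203.0.113.10 is a constructed stand-in for the address the outside client dialled) computes the endpoint and flags a private address being handed to an outside client, which ProFTPD's MasqueradeAddress and PassivePorts directives are there to address.

```shell
#!/bin/sh
# Added example: decode an FTP 227 (passive mode) reply and check whether a
# client connecting from outside could reach the advertised data endpoint.

# Print "IP PORT" for a 227 reply; the port is p1*256 + p2.
pasv_endpoint() {
    set -- $(echo "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4 $(($5 * 256 + $6))"
}

# Succeed if the IPv4 address is in an RFC 1918 private range.
is_private() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Compare the advertised data endpoint with the address the client used for
# the control connection. With AUTH TLS the control channel is encrypted, so
# a NAT device in between cannot rewrite the reply or open the port itself.
check_pasv() {  # usage: check_pasv "227 reply" CONTROL_ADDRESS
    endpoint=$(pasv_endpoint "$1") || { echo "not a 227 reply"; return 0; }
    ip=${endpoint% *}
    port=${endpoint#* }
    if [ "$ip" != "$2" ] && is_private "$ip"; then
        echo "unreachable: $ip:$port is a private address; control used $2"
    else
        echo "ok: data connection goes to $ip:$port"
    fi
}

# Reply copied from the session log above; the control address is constructed.
check_pasv "227 Entering Passive Mode (192,168,1,103,129,130)." 203.0.113.10
```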

Posted by namit (83.70.xx.xx) on Wed 5 Sep 2007 at 18:03
I am getting the following
Unable to load config info from /usr/lib/ssl/openssl.cnf

when I run,
openssl req -new -x509 -days 365 -nodes -out ftpd-rsa.pem -keyout ftpd-rsa-key.pem

[ Parent | Reply to this comment ]

Posted by Anonymous (125.160.xx.xx) on Sat 21 Mar 2009 at 05:57
Why can't I install proftpd??
apt-get install proftpd
What am I doing wrong?
Please reply to me by email
zakuzi_one@yahoo.co.id

[ Parent | Reply to this comment ]

Posted by Anonymous (149.254.xx.xx) on Fri 5 Jun 2009 at 10:36
proftpd on Debian has 4 flavours - depending on if you want a database backend for authentication pgsql, mysql, etc or no database backend.

If you are not sure then just go for proftpd-basic

apt-get install proftpd-basic

Brief package description here:
http://packages.debian.org/lenny/proftpd-basic
includes this explanation:
"This package contains the daemon and all main modules used for common configurations. If you need database-centric authentication install the suitable proftpd-mod suggested package."

[ Parent | Reply to this comment ]

Posted by Anonymous (203.91.xx.xx) on Wed 6 May 2009 at 15:42
I can't access my ftp server. When I access the ftp server, it asks for a name and password. What is the default name and password?

[ Parent | Reply to this comment ]

Posted by Anonymous (203.160.xx.xx) on Fri 31 Jul 2009 at 08:10
I can't access my ftp server. When I access the ftp server, it asks for a name and password. What is the default name and password?

[ Parent | Reply to this comment ]

Posted by Anonymous (62.66.xx.xx) on Thu 1 Oct 2009 at 22:36
What's an FTP server?

[ Parent | Reply to this comment ]

Posted by Anonymous (88.23.xx.xx) on Mon 18 Oct 2010 at 09:31
What's Debian?

[ Parent | Reply to this comment ]

Posted by Anonymous (79.178.xx.xx) on Mon 20 Dec 2010 at 22:45
how i can enter this site
ghanem.mine.nu and to get passwords from there and thnx

[ Parent | Reply to this comment ]

Posted by Anonymous (77.126.xx.xx) on Tue 10 May 2011 at 13:31
its an difficult thing but..
if u had one active pass with user maybe we can help u.
tnx

[ Parent | Reply to this comment ]
