Hint: You can use the Tab key to autocomplete all filenames and directories, so you don't have to type in the complete file or directory name manually.
This tutorial was last checked and updated on April 3, 2023.
- If you havn't already done so, download the program "PuTTY".
- Connect to your root server or VPS/vServer via SSH using PuTTY. To do this, open PuTTY and enter the domain or IP address of your server in the text box named "Host Name (or IP address)". Then click the "OK" button below.
- Update your package lists with the command
apt update
. - Now install any available updates of the packages already installed on your server using the command
apt upgrade -y
. - Install the "ProFTPD" FTP Server and other required packages with the following command:
apt install proftpd-basic -y
- Now create an configuration file in the directory "/etc/proftpd/conf.d/" by executing the command
nano /etc/proftpd/conf.d/ftp.conf
. The files in this directory won't be overwritten when you update the ProFTPD server. - Add the following content to this configuration file and adjust it if necessary (for example, if you don't want to disable IPv6):
# FTP users don't need a valid shell
<Global>
RequireValidShell off
</Global>
# Disable IPv6 (if wanted)
UseIPv6 off
# Set home directory as root directory for FTP users
DefaultRoot ~ ftpuser
# Allow login only for users of the group "ftpuser"
<Limit LOGIN>
DenyGroup !ftpuser
</Limit> - Save your changes to the configuration by pressing CTRL + X, then hit the "Y" key followed by enter.
- Restart the ProFTPD Server using the command
systemctl restart proftpd
to apply the configuration you just created. -
Without encryption, both the login data and the files themselves are transferred in plain text. Therefore you should use SSL/TLS. The required module for the ProFTPD server is already included and activated, but a configuration is still necessary. To do this, perform the following steps:
- You can use an existing certificate or create a self-signed one using the command
openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -nodes -days 1460
. This certificate is stored under "/etc/ssl/certs/proftpd.crt" and the private key under "/etc/ssl/private/proftpd.key". If you create a self-signed certificate, some data will be requested. The only required field is the "Common Name". At this point, use the FQDN or hostname of your server. If you want to omit another field - for example the country code - just type a ".". - Now create a configuration file for TLS by executing the command
nano /etc/proftpd/conf.d/tls.conf
. - Add the following content to this configuration file and change the path to your SSL certificate if you want to use your own existing certificate:
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.2
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
TLSVerifyClient off
TLSOptions NoSessionReuseRequired
TLSRequired on
</IfModule> - Save your changes to the configuration by pressing CTRL + X, then hit the "Y" key followed by enter.
- For Debian 11 (not necessary until Debian 10 and under Ubuntu):
- Open the module configuration file of ProFTPD by executing the command
nano /etc/proftpd/modules.conf
. - Next, remove the "#" character before the line "LoadModule mod_tls.c" and save your changes by pressing CTRL + X, then hit the "Y" key followed by enter.
- Open the module configuration file of ProFTPD by executing the command
- Then restart the ProFTPD server using the command
systemctl restart proftpd
again, so that the TLS configuration is also applied.
- You can use an existing certificate or create a self-signed one using the command
- Now you have to create the group "ftpuser". You will later add all users to this group who are allowed to log in to the FTP server. Use the following command to create the group:
addgroup ftpuser
- Next, you have to create the users who are allowed to log in to the FTP server. The command for this is:
adduser example --shell /bin/false --home /var/www/example
. Replace "example" with the desired username and "/var/www/example" with the home directory in which this user should have read and write access. This is also the user's FTP home directory. - Set a secure password for the FTP user. There are no characters displayed during input, but this is normal. Confirm the password you set by pressing enter. You can skip all further information such as the name, telephone number, etc. by pressing enter as well.
- Finally, add the FTP user you just created to the group "ftpuser" so that this user can log in to the FTP server. Use the command
adduser example ftpuser
and replace "example" with the username you've chosen. - Your FTP server is now ready to use. You can now connect to it using an FTP client such as FileZilla and log in with the users you previously created and added to the "ftpuser" group.