As a means of distributing large collections of files FTP is still a popular choice, despite the rise of bittorrent, and the growing number of HTTP servers.

FTP is an often overlooked method of storing and giving access to files, in many cases FTP servers have been retired in place of webservers such as Apache.

But there are a lot of cases where offering access via FTP makes sense, even with the limitations of FTP – most notably the difficulty of firewalling and the security risk involved in using plaintext passwords.

There are several different FTP servers packaged within Debian, which you can see via:

apt-cache search ftp-server

One of the most popular servers around is proftpd, and that can be installed upon Debian systems with: apt-get install proftpd Once downloaded debconf will ask if you wish to run the server via inetd, or in a standalone fashion. In general you want the latter option. After the installation the server will be running, and will grant access to all user accounts upon the host. If you wish to stop the server prior to more configuration you can do so with:

/etc/init.d/proftpd stop

The configuration of proftpd is conducted via the configuration file of /etc/proftpd.conf.

Security Options

There are several security options you can enable in proftpd, the most notable is the use of TLS security.

To use TLS you will need to generate a key, and update your server’s configuration file to use it.

Generating a key is simple enough with the openssl command, which is contained in the openssl package:

mkdir /etc/proftpd
cd /etc/proftpd
openssl req -new -x509 -days 365 -nodes -out ftpd-rsa.pem \
   -keyout ftpd-rsa-key.pem

With the files generated you can add the following to your proftpd.conf file:

<IfModule mod_tls.c>
   TLSEngine on
   TLSLog /var/log/proftpd-tls.log
   TLSProtocol TLSv1

   # Are clients required to use FTP over TLS when talking to this server?
   TLSRequired off

   TLSRSACertificateFile    /etc/proftpd/ftpd-rsa.pem
   TLSRSACertificateKeyFile /etc/proftpd/ftpd-rsa-key.pem

   # Authenticate clients that want to use FTP over TLS?
   TLSVerifyClient off
</IfModule>

Other security options include limiting users to particular directories. To limit the user “bob” to the starting directory “/tmp” you can use:

DefaultRoot /tmp bob

The more general approach is to restrict users to their own home directory, which you can accomplish via:

DefaultRoot ~

This causes all users to be presented with the contents of their home directory (as specified by /etc/passwd) when they login.

Permitting Anonymous Access

To permit anonymous access to your server you will need to uncomment the configuration options which are already present in the standard /etc/proftpd.conf file.

This is a good starting point:

<Anonymous ~ftp>
   User				ftp
   Group			nogroup

   # We want clients to be able to login with "anonymous" as well as "ftp"
   UserAlias			anonymous ftp

   # Cosmetic changes, all files belongs to ftp user
   DirFakeUser	on ftp
   DirFakeGroup on ftp

   RequireValidShell		off

   # Limit the maximum number of anonymous logins
   MaxClients			10

   # We want 'welcome.msg' displayed at login, and '.message' displayed
   # in each newly chdired directory.
   DisplayLogin			welcome.msg
   DisplayFirstChdir		.message

   # Limit WRITE everywhere in the anonymous chroot
   <Directory *>
     <Limit WRITE>
       DenyAll
     </Limit>
   </Directory>
</Anonymous>

This configuration setting allows users to login with either anonymous, or ftp, as username and they will be able to read from /home/ftp.

Thankfully they will be unable to upload new content, or delete existing files. They will be given only read-only access to the server.

Miscallaneous Options
There are some other options which you might wish to change, for example the welcome message presented to clients.

The welcome message presented is read from /home/ftp/welcome.msg, editing that file will immediately change the text sent to users.

The hostname of your server is typically displayed to clients when they connect – in the Debian package the greeting only includes the string “Debian” – as you can see from the following session:

user@host:~ ftp localhost
Connected to localhost.localdomain.
220 ProFTPD 1.2.10 Server (Debian) [127.0.0.1]

To change this update the proftpd.conf file to include:

ServerName "My.host.name"