Setting up an FTP server on Debian
As a means of distributing large collections of files FTP is still a popular choice, despite the rise of bittorrent, and the growing number of HTTP servers.
FTP is an often overlooked method of storing and giving access to files, in many cases FTP servers have been retired in place of webservers such as Apache.
But there are a lot of cases where offering access via FTP makes sense, even with the limitations of FTP – most notably the difficulty of firewalling and the security risk involved in using plaintext passwords.
There are several different FTP servers packaged within Debian, which you can see via:
apt-cache search ftp-server
One of the most popular servers around is proftpd, and that can be installed upon Debian systems with:
apt-get install proftpd Once downloaded debconf will ask if you wish to run the server via inetd, or in a standalone fashion. In general you want the latter option. After the installation the server will be running, and will grant access to all user accounts upon the host. If you wish to stop the server prior to more configuration you can do so with:
The configuration of proftpd is conducted via the configuration file of /etc/proftpd.conf.
There are several security options you can enable in proftpd, the most notable is the use of TLS security.
To use TLS you will need to generate a key, and update your server’s configuration file to use it.
Generating a key is simple enough with the openssl command, which is contained in the openssl package:
mkdir /etc/proftpd cd /etc/proftpd openssl req -new -x509 -days 365 -nodes -out ftpd-rsa.pem \ -keyout ftpd-rsa-key.pem
With the files generated you can add the following to your proftpd.conf file:
<IfModule mod_tls.c> TLSEngine on TLSLog /var/log/proftpd-tls.log TLSProtocol TLSv1 # Are clients required to use FTP over TLS when talking to this server? TLSRequired off TLSRSACertificateFile /etc/proftpd/ftpd-rsa.pem TLSRSACertificateKeyFile /etc/proftpd/ftpd-rsa-key.pem # Authenticate clients that want to use FTP over TLS? TLSVerifyClient off </IfModule>
Other security options include limiting users to particular directories. To limit the user “bob” to the starting directory “/tmp” you can use:
DefaultRoot /tmp bob
The more general approach is to restrict users to their own home directory, which you can accomplish via:
This causes all users to be presented with the contents of their home directory (as specified by /etc/passwd) when they login.
Permitting Anonymous Access
To permit anonymous access to your server you will need to uncomment the configuration options which are already present in the standard /etc/proftpd.conf file.
This is a good starting point:
<Anonymous ~ftp> User ftp Group nogroup # We want clients to be able to login with "anonymous" as well as "ftp" UserAlias anonymous ftp # Cosmetic changes, all files belongs to ftp user DirFakeUser on ftp DirFakeGroup on ftp RequireValidShell off # Limit the maximum number of anonymous logins MaxClients 10 # We want 'welcome.msg' displayed at login, and '.message' displayed # in each newly chdired directory. DisplayLogin welcome.msg DisplayFirstChdir .message # Limit WRITE everywhere in the anonymous chroot <Directory *> <Limit WRITE> DenyAll </Limit> </Directory> </Anonymous>
This configuration setting allows users to login with either anonymous, or ftp, as username and they will be able to read from /home/ftp.
Thankfully they will be unable to upload new content, or delete existing files. They will be given only read-only access to the server.
There are some other options which you might wish to change, for example the welcome message presented to clients.
The welcome message presented is read from /home/ftp/welcome.msg, editing that file will immediately change the text sent to users.
The hostname of your server is typically displayed to clients when they connect – in the Debian package the greeting only includes the string “Debian” – as you can see from the following session:
user@host:~ ftp localhost Connected to localhost.localdomain. 220 ProFTPD 1.2.10 Server (Debian) [127.0.0.1]
To change this update the proftpd.conf file to include: