markdown 安装proFTP

Posted 2021-05-05

## Step 1: Installation of ProFTPD
To install ProFTP, execute below commands, first command 'apt-get update' will update the packages list available in the repositories. The second command will do the actual installation.

```
$ apt-get update
$ apt-get install proftpd
```

You can verify the installation by executing below command. It should give its version in output.
```
$ proftpd -v
```

Great! you have successfully installed proftpd on the server. Now let's configure and use the FTP service. First, we need to create Linux group and user.

## Step 2: Create FTP Group
Create a group with the name of your choice. In this article, we will use `ftpgroup` and `pradip` as a group name and username respectively. create a group by executing following command.

```
$ addgroup ftpgroup
```
## Step 3: Create FTP user
Create user by replacing appropriate values in command
```
$ adduser ${username} -shell /bin/false -G ${groupname} -home ${USER_HOME_DIRECTORY}
```

An example is shown below. It will prompt for the new password and user details. Use same groupname as we created in step 2 while creating user.

```
$ adduser pradip -shell /bin/false -ingroup ftpgroup -home /ftpshare
```

```
Adding user `pradip' ...
Adding new user `pradip' (1000) with group `ftpgroup' ...
Creating home directory `/ftpshare' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for pradip
Enter the new value, or press ENTER for the default
        Full Name []: Pradip Sakhavala
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y
```
## Step 4: Configure ProFTPD
Now we need to configure ProFTPD. Edit file /etc/proftpd/proftpd.conf with your favorite text editor as shown below.

```
$ vi /etc/proftpd/proftpd.conf
```
```
[...]
UseIPv6 off
PassivePorts 60000 65535	# These ports should be safe...

# Enable the tls.conf
Include /etc/proftpd/tls.conf

[...]

RootLogin	off
RequireValidShell off

DefaultRoot  ~

<Limit LOGIN>
    DenyGroup !ftpgroup
</Limit>
```
I am not using IPv6, so I have disabled it by setting 'UseIPv6' to off as show above. I am disabling root user login by RootLogon off. DefaultRoot is set to `~` to restrict users with their home folders access only. DenyGroup will allow only the users from ftpgroup access to the ftp server, all other connection will get rejected. Please note that you need to set group name same as you have created in step 2.

## Step 5: Starting ProFTP service
Now restart the proftpd service by issuing below command.

```
$ service proftpd restart
```

Once, the service is started properly, You can start using ftp server by hitting URL `ftp://{Server_IP or Server_hostname}`. It will prompt for username and password. Use same details that you have configured in step 3.

## ProFTPD TLS settings
To configure and run TLS, We first need to generate a certificate. To do that, First, Install openssl by executing below command.

```
$ apt-get install openssl
```
Create ssl directory under /etc/proftpd.

```
$ mkdir /etc/proftpd/ssl
```

Generate self-signed certificate by executing below command. It will ask for some information, please provide input accordingly.

```
$ openssl req -x509 -newkey rsa:4096 -keyout /etc/proftpd/ssl/proftpd.key.pem -out /etc/proftpd/ssl/proftpd.cert.pem -days 365 -nodes
```

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

```
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:GUJ
Locality Name (eg, city) []:AMD
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Batman
Organizational Unit Name (eg, section) []:Build
Common Name (e.g. server FQDN or YOUR name) []:Pradip
Email Address []:pradip.sakhavala@gmail.com
```
The proftpd.key file must be readable by root only. To secure the environment, execute below command.

```
$ chmod 600 /etc/proftpd/ssl/proftpd.*
```

Open `/etc/proftpd/tls.conf` and change and/or uncomment lines as shown below.

```
$ vi /etc/proftpd/tls.conf
```

```
<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSOptions                 NoCertRequest AllowClientRenegotiations NoSessionReuseRequired
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                on
RequireValidShell          no
</IfModule>
```
After this, Restart the service as shown in step 5 above.

```
$ service proftpd restart
```