
HOWTO : Create a FTP server with user access (proftpd)



frodon
March 8th, 2008, 05:33 AM
I checked the Upload and Download directories. Needed to change permissions on the Upload directory, but still having problems. Tried accessing from Windows Explorer and get following msg:

Windows Cannot access this folder. Make sure you typed the file name correctly and that you have permission to access the folder.

Details
220 ProFTPD 1.3.0 Server (basement) [192.168.0.101]
550 SSL/TLS required on the control channel


Been searching through posts. Not sure what to do next.

I'm not sure Windows Explorer supports this protocol, and without the exact URL you typed in Windows Explorer I can't tell you if you did something wrong. Anyway, FTP clients are there to avoid having nightmares with web browsers and FTP, so you should just use them.

TomFumb
March 8th, 2008, 07:25 AM
First off, great howto, I had a secure ftp server up and running in no time! Thanks very much for that.

I have a quick question about proftpd, and although it might have been answered already in this thread, I don't particularly want to trawl through 50+ pages...

So if no one minds, could you please tell me how to disable the server by default? I don't envisage needing to provide an FTP server most of the time, just every once in a while. I have proftpd configured as a standalone process, so what can I do to tell it not to start up with the computer, and only when I want?

Any help with this would be greatly appreciated,

Tom.

frodon
March 8th, 2008, 09:13 AM
System > Administration > Services, uncheck proftpd so it won't be started on boot :).

TomFumb
March 8th, 2008, 11:13 AM
hehe, thanks

splendid
March 8th, 2008, 12:55 PM
Okay, tried FileZilla.

host: basement.homelinux.net port: 1980

server type: FTPES - FTP over explicit TLS/SSL

logontype: Ask for Password

user: rob

Get following message:

Resolving IP-Address for basement.homelinux.net
Connecting to 71.230.201.151:1980
Connection established, waiting for welcome message
220 ProFTPD 1.3.0 Server (basement) [192.168.0.101]
AUTH TLS
234 AUTH TLS Successful
Initializing TLS
USER rob
Error: Could not connect to server

When I set this up with 5.10, I did not have this much trouble.
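The two failures above happen at different points of the explicit-TLS login. Windows Explorer never sends AUTH TLS, so a server with TLSRequired on answers its USER with `550 SSL/TLS required on the control channel`. FileZilla does send AUTH TLS and gets `234`, then loses the connection, and its log does not say why. `openssl s_client -starttls ftp` performs the same AUTH TLS plus TLS handshake and reports the negotiated protocol and the certificate verification result, which is the information the FileZilla log hides. The script below is an added example; it is not from the thread, proftpd or FileZilla. The host and port in the usage line are the ones from the FileZilla log, and the s_client transcripts used to exercise the parser are constructed. Run the probe from outside your own LAN: as a later post on this page notes, many home routers will not loop a connection to the external address back inside.

```shell
#!/bin/sh
# Added example (not from the thread, proftpd or FileZilla): probe an
# explicit-TLS (FTPES) control channel. openssl s_client -starttls ftp reads
# the 220 banner, sends AUTH TLS, and only continues with the handshake if the
# server replies 234, which is exactly the sequence FileZilla logs above.
# Usage: ftps_probe basement.homelinux.net 1980 | summarize_probe

# ftps_probe HOST PORT : run the probe and print openssl's full report
ftps_probe() {
    printf 'QUIT\r\n' | openssl s_client -connect "$1:$2" -starttls ftp 2>&1
}

# summarize_probe : read s_client output on stdin and reduce it to the facts
# that matter here. Exit status: 0 = TLS session negotiated, 1 = AUTH TLS or
# handshake failed, 2 = no TCP connection at all.
summarize_probe() {
    awk '
        /^CONNECTED/                        { connected = 1 }
        /connect:errno|Connection refused/  { refused = 1 }
        /FTP AUTH TLS failed/               { authfail = $0 }   # server rejected AUTH TLS
        /^New, /                            { proto = ($0 ~ /\(NONE\)/) ? "" : $0 }  # "New, TLSv1.2, Cipher is ..."
        /^subject=/                         { subject = $0 }
        /Verify return code:/               { verify = $0 }     # non-zero for the self-signed cert of this HOWTO
        END {
            if (!connected || refused) {
                print "tcp:      no connection (port closed, filtered, or NAT loopback from inside the LAN)"
                exit 2
            }
            printf "auth_tls: %s\n", authfail ? authfail : "accepted (234)"
            printf "tls:      %s\n", proto ? proto : "handshake failed after AUTH TLS"
            printf "cert:     %s\n", subject ? subject : "(none)"
            printf "verify:   %s\n", verify ? verify : "(none)"
            exit (proto && !authfail) ? 0 : 1
        }'
}
```

A `verify` line with a non-zero code is expected when the server uses the self-signed certificate this HOWTO generates; a graphical client then prompts to accept it. A `tls: handshake failed` result with `auth_tls: accepted` is the case to look at in the server log (`/var/log/ftp.log` in this HOWTO's configuration) for the TLS module's error.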

splendid
March 9th, 2008, 10:50 PM
I was able to get ssh working and can transfer files. Still working at FTP.

bhuwan
March 16th, 2008, 01:24 PM
How does one use the GUI to add users for ProFTPD? I have Ubuntu Server installed.

frodon
March 16th, 2008, 05:39 PM
You said it all: you have Ubuntu Server edition, which means no GUI (except if you installed a desktop environment). Just use the command line to create your user.

Agman
March 17th, 2008, 09:43 PM
This is my first post in the Ubuntu forum and I must say Ubuntu Server is indeed very powerful and I am very pleased with it :)

Okay. I don't know if this issue has been brought up before or not. But I have my SFTP server up and running and it's doing great. I can connect to it with FileZilla using the FTPES connection and it works.

The problem is that for my web development I use Dreamweaver CS3 on Windows. It supposedly supports SFTP, yet when I try to log in using SFTP it doesn't connect to the server. It gives me an authentication error. It can log in if I use regular unencrypted FTP. But I want to use SFTP.

Do any of you know if there is a way that I can connect to this SFTP server without having the connection be an FTPES type and just a regular SFTP connection? Basically I want to know if it's possible to connect to this without having to have a client that supports explicit TLS/SSL connections (i.e. Dreamweaver).

Thanks in advance for the help,
Agman

frodon
March 18th, 2008, 04:55 AM
It is not SFTP here; SFTP is FTP in an SSH tunnel. The tutorial explains how to set up an FTP server with TLS encryption, most often called FTPS.
Without a client which supports FTP with TLS/SSL, I'm afraid there's no way to log in to your server, except if you remove the encryption, obviously.

The other option you have is to install an SSH server and configure it to restrict the access only to the directories you want to share; then you will be able to access these directories using the SFTP support of Dreamweaver, because if I understood well, SFTP just means you connect through an FTP client to an SSH server.

Agman
March 18th, 2008, 09:43 AM
Ohh I see. After looking at it now it makes sense. I feel kinda dumb now.

Anyway, do you know how to set this up? I already have an SSH server running and I can log in using my account. But I don't know how to restrict it to one folder.

I still want to be able to login via SSH and have complete control of the machine so I don't have to stand in front of it to make changes but I would also like to do SFTP with restricted access so this makes me believe I have to use the account I created for ftps. What do you think?

frodon
March 18th, 2008, 10:00 AM
Unfortunately I'm far from being an SSH expert, as I never had to set up an SSH server myself, so I can't help you on this, sorry.
Maybe you should try to post your SSH server question in the server forum; I'm sure there are some experts around who will be able to bring some insight on this and help you.

blithen
March 19th, 2008, 02:52 AM
How do you access it..like what do I type into the address bar or what? (I'm a complete noob sorry)

frodon
March 19th, 2008, 04:46 AM
In the address bar?

Bad idea in general to use a web browser to access your FTP; it's not as convenient as using an FTP client. About FTP clients you have the choice; I guess most of us use gFTP or FileZilla.

NeonSamurai
March 19th, 2008, 11:56 AM
Hi Frodon,

Great thread and thanks for sticking with it for noobs like myself.

Following your instructions I'm having problems when I try restarting the FTP server:

* Stopping ftp server proftpd [ OK ]
* Starting ftp server proftpd - IPv4 getaddrinfo 'Auriga' error: No address associated with hostname
- warning: unable to determine IP address of 'Auriga'
- error: no valid servers configured
- Fatal: error processing configuration file '/etc/proftpd/proftpd.conf'
[fail]

I'm pretty sure the problem isn't the proftpd.conf, but something else. Any ideas?

Thanks


Mark

frodon
March 19th, 2008, 12:08 PM
Post your proftpd.conf just in case; if it's not in your proftpd.conf I would say the issue is in the /etc/hosts file, with a missing hostname (here Auriga) at the end of the "localhost" line.

Yes
March 20th, 2008, 02:22 PM
Great guide, but... how do I get to the FTP? I think I have it mostly figured out, but in the FTP client, what do I put for host?

Thanks!

Sir Jake
March 20th, 2008, 03:33 PM
Ever since I installed this, my connection starts to peak every second using my max speed. Any idea what could be doing this? I tried the sudo /init.d/blahblah. stop command and it said stopped but my connection is still peaking. :(
I have to keep my server off till I can find out what is doing it.

Kulgan
March 20th, 2008, 05:00 PM
Great guide, but... how do I get to the FTP? I think I have it mostly figured out, but in the FTP client, what do I put for host?

Thanks!

You can either use "localhost", without the quotes of course, or the IP 127.0.0.1

In addition, if you want to use something random, you can go into the file /etc/hosts (execute "sudo gedit /etc/hosts") and add any names, separated by spaces, at the end of the line starting with 127.0.0.1

frodon
March 20th, 2008, 05:01 PM
Great guide, but... how do I get to the FTP? I think I have it mostly figured out, but in the FTP client, what do I put for host?

Thanks!

The host to use is the IP address of the computer running the server.

Ever since I installed this, my connection starts to peak every second using my max speed. Any idea what could be doing this? I tried the sudo /init.d/blahblah. stop command and it said stopped but my connection is still peaking. :(
I have to keep my server off till I can find out what is doing it.

If you stopped the server and still have these peaks then it is not related to proftpd.

alejaaandro
March 20th, 2008, 05:54 PM
Thanks a lot frodon.. And of course everybody that has given a piece of advice in this thread..
After 3-4 days i finally managed to set up an FTP, which turned out really handy for file sharing between my ubuntu machine and a windows laptop that we have at home...I also decided to make it accessible from the internet (which is what actually troubled me the most)

For all the newbies trying to do the same thing (this might have already been mentioned, but I couldn't read through the entire thread, it's pretty large.. I only got to page 20something) here's some advice:

* if you decided not to follow frodon's HOWTO and go with port 21, think it over. It's not only for safety reasons; it's because some modems or routers have an "internal FTP" which in most cases is on by default. In that case you will see you are connected but your login will always fail. Try putting the username and password you use to configure your modem/router and you'll probably be able to log in. But it's not what you've been trying to do; it has nothing to do with proftpd. How to solve the problem? You either change the port you are using for your FTP or disable the modem/router's FTP.

* when trying to connect to your FTP from the internet and you get
Cannot connect to your_external_ip: Connection refused
it's probably because your modem/router prevents you from sending information out and then in again (I think it's called loop protection or something). I don't think you can turn that off, so you will have to find another connection to test your FTP. When I say another connection I don't mean another computer from your network!!!! I mean a friend's PC or something else.
I spent 2 days trying to "fix" the problem, only to find out in the end that my FTP server was working flawlessly; it was my router preventing me from connecting!!! Using a proxy to connect is supposed to solve the problem, but it didn't for me. (frodon, you might want to put a notice of that in the tutorial so people won't have to spend time trying to figure out the problem)

* for file sharing between Windows and Ubuntu, when trying to connect from Windows to proftpd, don't use Internet Explorer (IE). It's pretty crappy, and if you can't connect it will probably not help you as its error messages are useless. Google "free ftp client" and choose one (I use CoreFTP). Install it and you're ready. (FireFTP for Firefox didn't work for me and its error messages aren't very helpful either)

blithen
March 25th, 2008, 07:46 PM
OKAY! I finally got it working. I just don't have write access to the upload/download folder. What group do I set userftp at to make it have write functions.
EDIT: I got it so anything I put in the upload folder you can download. But that's it. I can't make any directories anywhere. Only if I'm root on my computer...any help?

blithen
March 26th, 2008, 02:44 AM
If I'm correct I should put stuff I want people to access in the Upload folder and I want things people put in my server in the Download folder right?

frodon
March 26th, 2008, 04:46 AM
No, it's the reverse :P. In the download directory you put what you want your users to be able to download without being able to modify anything, and in the upload directory users can upload things to your computer.

NeonSamurai
March 27th, 2008, 06:11 AM
Post your proftpd.conf just in case, if it's not in your proftpd.conf i would say the issue is in /etc/hosts file with a missing hostname (here Auriga) at the end of the "localhost" line.

Hi frodon, sorry for the delay in getting back to you. Here's my proftpd.conf:

# To really apply changes reload proftpd after modifications.
AllowOverwrite on
AuthAliasOnly on

UserAlias splendid userftp

ServerName "Auriga FTP"
ServerType standalone
DeferWelcome on

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 2200

DisplayFirstChdir .message
ListOptions "-l"

RequireValidShell off

TimeoutLogin 20

RootLogin off

# It's better for debug to create log files ;-)
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log

#DenyFilter \*.*/

# I don't choose to use /etc/ftpusers file (set inside the users you want to ban, not useful for me)
UseFtpUsers off

# Allow to restart a download
AllowStoreRestart on

# Port 21 is the standard FTP port, so you may prefer to use another port for security reasons (choose here the port you want)
Port 1980

MaxInstances 8

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022

PersistentPasswd off

MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8

# Display a message after a successful login
AccessGrantMsg "Greetings Higlander !!!"
# This message is displayed for each access good or not
ServerIdent on "Welcome to Auriga"

# Set /home/FTP-shared directory as home directory
DefaultRoot /home/vault

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

MaxLoginAttempts 5

#VALID LOGINS

<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/vault/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/vault/upload/>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>


And just to recap, here's the error I'm getting:

* Stopping ftp server proftpd [ OK ]
* Starting ftp server proftpd - IPv4 getaddrinfo 'Auriga' error: No address associated with hostname
- warning: unable to determine IP address of 'Auriga'
- error: no valid servers configured
- Fatal: error processing configuration file '/etc/proftpd/proftpd.conf'
[fail]

Many thanks


Mark

frodon
March 27th, 2008, 06:38 AM
Ok, I think ServerName "Auriga FTP" is the problem, as I'm not sure spaces are supported there; the server name must remain as simple as possible if you want to avoid such problems.

NeonSamurai
March 27th, 2008, 11:17 AM
Cheers Frodon, I'll give that a go.

Many thanks

psychobeauty
March 27th, 2008, 07:25 PM
when i install proftp i get this error:
and i cannot start it



Not creating home directory `/var/run/proftpd'.
* Starting ftp server proftpd - IPv4 getaddrinfo 'psycho' error: No address associated with hostname
- warning: unable to determine IP address of 'psycho'
- error: no valid servers configured
- Fatal: error processing configuration file '/etc/proftpd/proftpd.conf'
[fail]
invoke-rc.d: initscript proftpd, action "start" failed.
dpkg: error processing proftpd (--configure):
subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
proftpd
E: Sub-process /usr/bin/dpkg returned an error code (1)

blithen
March 28th, 2008, 02:25 AM
Well either way I can't modify anything in the upload directory
Status: Creating directory '/upload/New folder/'...
Command: MKD New folder
Response: 550 New folder: Permission denied
Command: MKD /upload/New folder/
Response: 550 /upload/New folder/: Permission denied

frodon
March 28th, 2008, 04:41 AM
when i install proftp i get this error:
and i cannot start it



Not creating home directory `/var/run/proftpd'.
* Starting ftp server proftpd - IPv4 getaddrinfo 'psycho' error: No address associated with hostname
- warning: unable to determine IP address of 'psycho'
- error: no valid servers configured
- Fatal: error processing configuration file '/etc/proftpd/proftpd.conf'
[fail]
invoke-rc.d: initscript proftpd, action "start" failed.
dpkg: error processing proftpd (--configure):
subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
proftpd
E: Sub-process /usr/bin/dpkg returned an error code (1)
Ouch, the install definitely went bad; check that you have all the repositories enabled (main, universe, multiverse, restricted) and try to reinstall. There should be a reason why the install fails on your system.

Well either way I can't modify anything in the upload directory
Status: Creating directory '/upload/New folder/'...
Command: MKD New folder
Response: 550 New folder: Permission denied
Command: MKD /upload/New folder/
Response: 550 /upload/New folder/: Permission denied

Normally it should work without any problem. The problem comes either from too restrictive rights on your upload directory (rights must be 777 to avoid problems on this directory) or from your proftpd.conf file.
Please post your proftpd.conf file if you modified it.
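Some background on the permission side of the advice above. proftpd starts as the User/Group from the config (nobody/nogroup in this HOWTO), but once a login succeeds the session process switches to the uid and gid of the account the alias maps to (userftp here), so what the upload directory needs is write access for that one account. Mode 777 gives it, and also lets every other local account drop files there. The script below is an added example, not part of the thread or of proftpd: it creates the download/upload tree used on this page with the upload directory owned by the FTP account and writable by that account and one administrative group only, and then verifies that nothing in the tree is world-writable. The names /home/FTP-shared, download, upload and userftp are the thread's; the administrative group defaults to the caller's primary group (an assumption). Ownership changes need root and an existing userftp account, otherwise they are skipped.

```shell
#!/bin/sh
# Added example (not from the thread or proftpd): create the share tree with
# least-privilege permissions and verify it.
# Assumed layout: BASE/download (read-only for FTP users) and BASE/upload
# (writable by the FTP account only), as in this HOWTO.

# mode_string PATH : the ten-character mode, e.g. drwxrwx---
mode_string() { ls -ld "$1" | cut -c1-10; }

# world_writable PATH : succeed if "other" has write permission (9th char)
world_writable() {
    case "$(mode_string "$1")" in
        ????????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# setup_ftp_tree BASE [FTPUSER] [ADMINGROUP]
setup_ftp_tree() {
    base=$1; ftpuser=${2:-userftp}; admingrp=${3:-$(id -gn)}
    mkdir -p "$base/download" "$base/upload"
    chmod 755 "$base" "$base/download"   # FTP account can list and read, only the owner writes
    chmod 770 "$base/upload"             # FTP account writes, admin group reads, nobody else
    # chown needs root and an existing account; otherwise the caller stays owner
    if [ "$(id -u)" -eq 0 ] && id "$ftpuser" >/dev/null 2>&1; then
        chown "$ftpuser:$admingrp" "$base/upload"
    fi
}

# verify_ftp_tree BASE : print each directory's mode; fail if any is missing
# or world-writable
verify_ftp_tree() {
    rc=0
    for d in "$1" "$1/download" "$1/upload"; do
        [ -d "$d" ] || { echo "missing: $d"; rc=1; continue; }
        printf '%s %s\n' "$(mode_string "$d")" "$d"
        if world_writable "$d"; then
            echo "  world-writable: any local account can drop files here"
            rc=1
        fi
    done
    return $rc
}
```

With `Umask 022 022` in proftpd.conf, files the FTP account uploads are created mode 644, so members of the administrative group can read them out of the 770 directory without being able to write there.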

NeonSamurai
March 28th, 2008, 06:37 AM
Ok i think ServerName "Auriga FTP" is the problem as i'm not sure space are supported there, server name must remain as simple as possible if you want to avoid such problems.

Okay, I took out the space (making it AurigaFTP) but the problem persists.

* Stopping ftp server proftpd [ OK ]
* Starting ftp server proftpd - IPv4 getaddrinfo 'Auriga' error: No address associated with hostname
- warning: unable to determine IP address of 'Auriga'
- error: no valid servers configured
- Fatal: error processing configuration file '/etc/proftpd/proftpd.conf'
[fail]


Any ideas?

frodon
March 28th, 2008, 08:25 AM
Then it should come from your /etc/hosts file, I think; could you post it here please?

psychobeauty
March 28th, 2008, 10:56 AM
Ouch, the install definitely went bad; check that you have all the repositories enabled (main, universe, multiverse, restricted) and try to reinstall. There should be a reason why the install fails on your system.

Normally it should work without any problem. The problem comes either from too restrictive rights on your upload directory (rights must be 777 to avoid problems on this directory) or from your proftpd.conf file.
Please post your proftpd.conf file if you modified it.


Thanks for replying. My problem is that before, vsftpd was installed OK; I removed it and now it cannot be reinstalled again. It shows the same errors as with proftpd.

frodon
March 28th, 2008, 11:29 AM
Ok, you should solve your issue following the instructions given in this thread :
http://ubuntuforums.org/showthread.php?t=543172

psychobeauty
March 28th, 2008, 11:48 AM
check that you have all the repositories enabled (main, universe, multiverse, restricted) and try to reinstall. There should be a reason why the install fails on your system.

How can I check that????

frodon
March 28th, 2008, 11:54 AM
You can check that using the Synaptic package manager (https://help.ubuntu.com/community/SynapticHowto): in the Settings tab click on Repositories. But here I think it might not be the cause.
I think the solution is in the thread I linked in my previous post.

tmcmulli
March 28th, 2008, 11:59 AM
I've got my ftp server up and running, and all looks good. I mount a USB hard drive to one of my download directories, but get "access denied" from my ftp client. I tried to chmod the usb drive, and the mounted directory and nothing is happening...

Am I being a total bonehead here?? Does chmod work differently on ext hard drives? Ideally, I have a system account that I would like to have mostly full access to my mounted drives, but lesser access depending on logins...any help MUCH appreciated...

frodon
March 28th, 2008, 12:07 PM
What filesystem does your external drive use?

chmod should work as expected normally, at least it did for me last time I tried. In general, when one wants to give the same rights to several users on the same file, one uses the group rights attributes.

tmcmulli
March 28th, 2008, 12:15 PM
What filesystem use your external drive ?



'Doh! Fat32... problem solved... Thanks!

psychobeauty
March 29th, 2008, 03:28 AM
check that you have all the repositories enabled (main, universe, multiverse, restricted) and try to reinstall. There should be a reason why the install fails on your system.

How can I check that????

Hi again, I checked everything, I changed the hostname, but still nothing...

The problem is that with every FTP the install fails. I tried ftpd, vsftp, proftp....

The first time I installed vsftp it worked... but then I removed it... and I reinstalled it again but it does not install correctly anymore...

I think the problem might be due to some etc files of vsftp that were not removed completely...

But when I try sudo killall -9 vsftp or froftp

it says no process to be removed.... How can I have it completely removed... as the system was before I installed them for the first time...

blithen
March 29th, 2008, 04:02 AM
Alright. Here is my proftpd.conf
# To really apply changes reload proftpd after modifications.
AllowOverwrite on
AuthAliasOnly on

# Choose here the user alias you want !!!!
UserAlias blithen userftp

ServerName "ChaosTheory"
ServerType standalone
DeferWelcome on

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 2200

DisplayFirstChdir .message
ListOptions "-l"

RequireValidShell off

TimeoutLogin 20

RootLogin off

# It's better for debug to create log files ;-)
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log

#DenyFilter \*.*/

# I don't choose to use /etc/ftpusers file (set inside the users you want to ban, not useful for me)
UseFtpUsers off

# Allow to restart a download
AllowStoreRestart on

# Port 21 is the standard FTP port, so you may prefer to use another port for security reasons (choose here the port you want)
Port 1980

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 8

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022

PersistentPasswd off

MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8

# Display a message after a successful login
AccessGrantMsg "welcome !!!"
# This message is displayed for each access good or not
ServerIdent on "you're at home"

# Set /home/FTP-shared directory as home directory
DefaultRoot /home/FTP-shared

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

MaxLoginAttempts 5

#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/YourUploads/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>
Change Downloads to 'YourUploads' and Uploads to 'MyUploads'. It was easier to understand to me. I changed everything accordingly though.

frodon
March 29th, 2008, 04:38 AM
Ok, your upload directory just doesn't allow basic write commands, so the FTP server is behaving right in not allowing anyone to upload to your server.

Your upload directory section should look like this to allow users to upload files:
<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>
With this configuration users are allowed to write in your upload directory but they won't be allowed to delete files (this is configurable of course).
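proftpd reports a parse error for a broken directive but says nothing about a `<Limit>` that names a command it does not know, or about an `AllowUser` that can never match, so a config can load cleanly and still not do what its author meant. The script below is an added example and not proftpd's own tool or part of the thread. It checks a proftpd.conf written in the style of this HOWTO for slips that are easy to make in it: a stray `>` after `<Directory`, a misspelled command name inside `<Limit>` (RNRF or RNEF where the rename command is RNFR, so the limit never applies to it), an `AllowUser` naming the alias rather than the real account when `AuthAliasOnly` is on (the `<Limit LOGIN>` check sees the account the `UserAlias` maps to), more than one top-level `DefaultRoot`, and unbalanced sections. The list of `<Limit>` keywords is the one I know proftpd to accept; the sample configs used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not proftpd's own tool and not from the thread: grep-level
# sanity checks for a proftpd.conf written in the style of this HOWTO.
# Usage: lint_proftpd_conf /etc/proftpd/proftpd.conf

# Command names proftpd accepts inside <Limit ...>. A misspelled name is
# never matched, so that <Limit> silently leaves the command unrestricted.
LIMIT_WORDS="LOGIN ALL READ WRITE DIRS CWD XCWD CDUP XCUP MKD XMKD RMD XRMD DELE STOR STOU APPE RETR RNFR RNTO LIST NLST MLSD MLST PWD XPWD SIZE MDTM SITE SITE_CHMOD"

lint_proftpd_conf() {
    awk -v known="$LIMIT_WORDS" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    /^[[:space:]]*#/ { next }                      # comment lines
    { sub(/[[:space:]]+$/, "") }

    # "<Directory> /path>": stray ">" right after the directive name
    /^[[:space:]]*<Directory>[[:space:]]/ {
        printf "%d: <Directory> has a stray \">\"; write <Directory %s\n", NR, $2; bad++
    }

    # words inside <Limit ...> that proftpd does not know
    /^[[:space:]]*<Limit[[:space:]]/ {
        line = $0
        sub(/^[[:space:]]*<Limit[[:space:]]+/, "", line); sub(/>.*$/, "", line)
        m = split(line, w, /[[:space:]]+/)
        for (i = 1; i <= m; i++) {
            u = toupper(w[i])
            if (!(u in ok)) { printf "%d: unknown command %s in <Limit>\n", NR, w[i]; bad++ }
        }
    }

    tolower($1) == "authaliasonly" { aliasonly = tolower($2) }
    tolower($1) == "useralias"     { target[$3] = $2 }        # real account -> alias
    tolower($1) == "allowuser"     { for (i = 2; i <= NF; i++) allow[$i] = NR }
    tolower($1) == "defaultroot" && depth == 0 { roots++ }
    /^[[:space:]]*<[A-Za-z]/  { depth++ }
    /^[[:space:]]*<\/[A-Za-z]/ { depth-- }

    END {
        # With AuthAliasOnly on, clients log in with the alias, but <Limit LOGIN>
        # AllowUser is checked against the real account the alias maps to.
        if (aliasonly == "on")
            for (u in allow)
                if (!(u in target)) {
                    printf "%d: AllowUser %s is not the target of any UserAlias (AuthAliasOnly is on)\n", allow[u], u
                    bad++
                }
        if (roots > 1)  { printf "DefaultRoot appears %d times at top level; only one can apply\n", roots; bad++ }
        if (depth != 0) { printf "unbalanced <...> sections: %d left open\n", depth; bad++ }
        if (!bad) print "no problems found"
        exit (bad > 0 ? 1 : 0)
    }' "$1"
}
```

The function exits non-zero when it finds anything, so it can sit in front of the restart: `lint_proftpd_conf /etc/proftpd/proftpd.conf && sudo /etc/init.d/proftpd restart`. It is a line-oriented check, not a parser; a directive split over several lines or a `<Limit>` with an unusual spelling of a valid command will be reported for a human to look at.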

blithen
March 29th, 2008, 04:50 AM
YES FINALLY. Everything work perfectly. Thank you SO much for all of your help. You rock.:guitar:

BlizzofOZ
March 29th, 2008, 12:36 PM
Read through the tutorial and decided to give it a try.

When I go to start Proftpd, I get the following error:
root@MyServer:/home/john# /etc/init.d/proftpd start
* Starting ftp server proftpd - IPv6 getaddrinfo 'MyServer.ri.cox.net' error: No address associated with hostname


I had modified my hosts config file to get Putty and TightVNC working, so I have a feeling I'm missing something here...

Any ideas?

Thought this might give some more info: /etc/hosts

127.0.0.1 localhost
127.0.1.1 MyServer.ri.cox.net MyServer

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

EDIT:
Well, I found msm's post and made some mods regarding masquerading... still getting above error.

In Firefox, I tried to get to the FTP server and got the following. I seem to be connecting... how do you connect? Is Firefox acceptable?

220 you're at home
500 GET not understood
500 HOST: not understood
500 USER-AGENT: not understood
500 ACCEPT: not understood
500 ACCEPT-LANGUAGE: not understood
500 ACCEPT-ENCODING: not understood
500 ACCEPT-CHARSET: not understood
500 KEEP-ALIVE: not understood
500 CONNECTION: not understood
421 Login Timeout (20 seconds): closing control connection.

BlizzofOZ
March 29th, 2008, 03:46 PM
Ok... I downloaded FileZilla and was able to connect and log in to the FTP server.

Noob question: Can you use a web browser like Firefox to access the FTP server?

frodon
March 29th, 2008, 04:06 PM
Of course you can, but it is less convenient. To do so, type the address like this:
ftp://username@hostname:port

You can skip the port attribute if you use port 21, as it is the default port used.

For the IPv6 error, it doesn't prevent the server from working correctly; anyway, if you don't want to see it anymore, add your hostname after ::1 ip6-localhost ip6-loopback. For you it would make:
::1 ip6-localhost ip6-loopback MyServer.ri.cox.net

BlizzofOZ
March 29th, 2008, 04:55 PM
Of course you can, but it is less convenient. To do so, type the address like this:
ftp://username@hostname:port

You can skip the port attribute if you use port 21, as it is the default port used.

For the IPv6 error, it doesn't prevent the server from working correctly; anyway, if you don't want to see it anymore, add your hostname after ::1 ip6-localhost ip6-loopback. For you it would make:
::1 ip6-localhost ip6-loopback MyServer.ri.cox.net

frodon, when I try to access through Firefox, it now asks for the user password. After entering the password, the screen goes blank and just sits there loading.

I guess I was wrong on Filezilla as I'm getting an error after connecting:
Status: Connected
Status: Retrieving directory listing...
Command: CWD /home/FTP-shared/
Response: 550 /home/FTP-shared/: No such file or directory
Error: Failed to retrieve directory listing

I have followed the instructions on setting the directory and permissions... not sure why it can't find /home/FTP-shared.

Where do I add this:
::1 ip6-localhost ip6-loopback MyServer.ri.cox.net

frodon
March 29th, 2008, 05:46 PM
If you did not modify the proftpd.conf file provided and set the rights on the directories properly, then it should work without any problem.
If you modified the given proftpd.conf file, please post it.

About the suggestion for the IPv6 errors, I meant to fix the concerned line in your /etc/hosts file.

BlizzofOZ
March 29th, 2008, 06:30 PM
If you did not modify the proftpd.conf file provided and set the rights on the directories properly, then it should work without any problem.
If you modified the given proftpd.conf file, please post it.

About the suggestion for the IPv6 errors, I meant to fix the concerned line in your /etc/hosts file.

frodon,
First would like to thank you for taking the time to help!

Second
I used msm's config file and tweaked it slightly for user and port stuff:
# To really apply changes reload proftpd after modifications.
AllowOverwrite on
AuthAliasOnly off

# Choose here the user alias you want !!!!
#UserAlias scott schmeerftp

ServerName "MyFTP"
ServerType standalone
DeferWelcome on

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 1200

DisplayFirstChdir .message
ListOptions "-l"

RequireValidShell off

TimeoutLogin 20

RootLogin off

# It's better for debug to create log files ;-)
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log

#DenyFilter \*.*/

# I don't choose to use /etc/ftpusers file (set inside the users you want to ban, not useful for me)
UseFtpUsers off

# Allow to restart a download
AllowStoreRestart on

# Port 21 is the standard FTP port, so you may prefer to use another port for security reasons (choose here the port you want)
Port 21000

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 8

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022

PersistentPasswd off

#MaxClients 8
#MaxClientsPerHost 8
#MaxClientsPerUser 8
#MaxHostsPerUser 8

# Display a message after a successful login
AccessGrantMsg "welcome !!!"
# This message is displayed for each access good or not
ServerIdent on "you're at home"

# Set /home/FTP-shared directory as home directory
DefaultRoot /home/FTP-shared

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

MaxLoginAttempts 5

#VALID LOGINS
<Limit LOGIN>
AllowUser scottftp
#AllowUser schmeerftp
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
#DelayEngine off

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayFirstChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>

MasqueradeAddress myserver.homelinux.net

# These ports should be safe...
PassivePorts 60000 65535

UseReverseDNS off
IdentLookups off

NeonSamurai
March 31st, 2008, 04:37 AM
Then it should come from your /etc/hosts file, I think. Could you post it here, please?

Hi Frodon, here's my hosts file:

127.0.0.1 localhost
127.0.1.1 Auriga.agency.org

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts


Many thanks


Mark

frodon
March 31st, 2008, 04:53 AM
I think it should be :
127.0.0.1 localhost Auriga.agency.org

But I'm not sure; try some different implementations and search on the forum, some other users had this problem and solved it.

NeonSamurai
March 31st, 2008, 06:22 AM
I think it should be :
127.0.0.1 localhost Auriga.agency.org

But I'm not sure; try some different implementations and search on the forum, some other users had this problem and solved it.

Thanks frodon I found post #409 by kptracey which covered this:


If you run into the same problem... do me a favour and in terminal type: 'hostname -f'
I bet it responds 'hostname: Unknown host'

If it does, do this:
sudo gedit /etc/hosts

Add this line: '127.0.0.1 <hostname> <FQDN>'

FQDN stands for Fully Qualified Domain Name
hostname is the name of your machine

Mine reads something like this:
127.0.0.1 samurai samurai.phubs.net.cab.irelandrules.com

In this instance, hostname is samurai and samurai.phubs.net.cab.irelandrules.com is the FQDN.

In hindsight, this is a result of me being lazy during my Samba install and simply appending a preexisting entry with mshome and slightly altering the 127 mask.

I amended my hosts file accordingly (in this case using your syntax and renaming 'localhost' to 'Auriga').

Thanks


Mark

frodon
March 31st, 2008, 06:59 AM
Glad to hear this, enjoy your FTP server now :)

BlizzofOZ
March 31st, 2008, 10:51 AM
frodon,
First would like to thank you for taking the time to help!

Second
I used msm's config file and tweaked it slightly for user and port stuff:
# To really apply changes reload proftpd after modifications.
AllowOverwrite on
AuthAliasOnly off

# Choose here the user alias you want !!!!
#UserAlias scott schmeerftp

ServerName "MyFTP"
ServerType standalone
DeferWelcome on

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 1200

DisplayFirstChdir .message
ListOptions "-l"

RequireValidShell off

TimeoutLogin 20

RootLogin off

# It's better for debug to create log files ;-)
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log

#DenyFilter \*.*/

# I don't choose to use /etc/ftpusers file (set inside the users you want to ban, not useful for me)
UseFtpUsers off

# Allow to restart a download
AllowStoreRestart on

# Port 21 is the standard FTP port, so you may prefer to use another port for security reasons (choose here the port you want)
Port 21000

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 8

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022

PersistentPasswd off

#MaxClients 8
#MaxClientsPerHost 8
#MaxClientsPerUser 8
#MaxHostsPerUser 8

# Display a message after a successful login
AccessGrantMsg "welcome !!!"
# This message is displayed for each access good or not
ServerIdent on "you're at home"

# Set /home/FTP-shared directory as home directory
DefaultRoot /home/FTP-shared

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

MaxLoginAttempts 5

#VALID LOGINS
<Limit LOGIN>
AllowUser scottftp
#AllowUser schmeerftp
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
#DelayEngine off

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayFirstChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>

MasqueradeAddress myserver.homelinux.net

# These ports should be safe...
PassivePorts 60000 65535

UseReverseDNS off
IdentLookups off

Hi frodon, see above... not sure if you missed my posting my conf file like you asked.

frodon
March 31st, 2008, 11:03 AM
I did not miss your post, I just can't help you as nothing seems wrong. I think the issue is in your system rights and the FTP shared folders.
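Before blaming file permissions, it is worth having the file itself checked mechanically. The script below is an added example (not from this thread and not part of ProFTPD): it parses the <Block args> ... </Block> structure of a proftpd.conf and reports the slips that are easy to make in it and hard to spot by eye: an argument placed after the closing bracket as in `<Directory> /path>`, a command misspelled inside `<Limit>` (RNRF or RNEF for the rename-from command RNFR, a name that never matches any real command, so the rename is not actually denied), a block that is never closed, a control Port that falls inside the PassivePorts range, and a few hardening points (no DefaultRoot chroot, no TLSEngine, PassivePorts without MasqueradeAddress). The sample configuration embedded in it is constructed from the layout used in this thread with two such slips left in; LIMIT_WORDS is the standard RFC 959/2389/3659 command set plus the group names and SITE_* forms that appear on this page, so a command from an unusual module may show up as a false positive.

```python
"""Sanity-check a proftpd.conf before reloading the daemon.

Added example, not from the thread or the ProFTPD project. It parses the
<Block args> ... </Block> syntax and reports malformed tags, misspelled
commands inside <Limit>, unclosed blocks, a Port inside PassivePorts and a
few hardening points.  Usage: python3 lint_proftpd.py /etc/proftpd/proftpd.conf
"""
import difflib
import re
import sys

# Words accepted in <Limit ...>: ProFTPD's groups, RFC 959/2389/3659 commands, SITE_* forms.
LIMIT_WORDS = set("""
ALL READ WRITE DIRS LOGIN
ABOR ACCT ALLO APPE CDUP CWD DELE EPRT EPSV FEAT HELP LIST MDTM MKD MLSD MLST
MODE NLST NOOP OPTS PASS PASV PORT PWD QUIT REIN REST RETR RMD RNFR RNTO
SITE SIZE SMNT STAT STOR STOU STRU SYST TYPE USER XCUP XCWD XMKD XPWD XRMD
SITE_CHGRP SITE_CHMOD SITE_MKDIR SITE_RMDIR
""".split())
BLOCKS_NEED_ARGS = {"directory", "anonymous", "limit", "virtualhost",
                    "ifmodule", "ifdefine", "class"}
OPEN_TAG = re.compile(r"^<(\w+)(\s+[^>]*)?>\s*(.*)$")   # <Name args> [junk after >]
CLOSE_TAG = re.compile(r"^</(\w+)>$")


def lint_proftpd_conf(text):
    """Return a list of findings; an empty list means nothing was found."""
    findings, stack, directives = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE_TAG.match(line)
        if m:
            if stack and stack[-1][0].lower() == m.group(1).lower():
                stack.pop()
            else:
                findings.append(f"line {lineno}: {line} closes no open block")
            continue
        m = OPEN_TAG.match(line)
        if m:
            name, args, junk = m.group(1), (m.group(2) or "").split(), m.group(3)
            if junk or (name.lower() in BLOCKS_NEED_ARGS and not args):
                findings.append(f"line {lineno}: malformed tag {line!r}, expected <{name} ARGS>")
            elif name.lower() == "limit":
                for word in args:
                    if word.upper() not in LIMIT_WORDS:
                        hint = difflib.get_close_matches(word.upper(), LIMIT_WORDS, n=1)
                        findings.append(f"line {lineno}: unknown command {word!r} in <Limit>"
                                        + (f", did you mean {hint[0]}?" if hint else ""))
            stack.append((name, lineno))
            continue
        parts = line.split(None, 1)                         # "Directive args..."
        directives.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    for name, lineno in stack:
        findings.append(f"line {lineno}: <{name}> is never closed")

    def last(key, default):                                 # last occurrence wins
        return directives.get(key, [default])[-1]

    if "defaultroot" not in directives:
        findings.append("no DefaultRoot: logged-in users can browse the whole filesystem")
    if last("tlsengine", "off").lower() != "on":
        findings.append("TLSEngine is not on: passwords and files cross the network in clear text")
    if "passiveports" not in directives:
        findings.append("no PassivePorts: behind a NAT router passive transfers will time out")
    elif "masqueradeaddress" not in directives:
        findings.append("PassivePorts without MasqueradeAddress: PASV advertises the LAN address")
    port = int(last("port", "21"))
    lo, hi = (int(x) for x in last("passiveports", "0 0").split()[:2])
    if lo <= port <= hi:
        findings.append(f"Port {port} lies inside PassivePorts {lo}-{hi}")
    return findings


# Constructed sample in the layout used in this thread, keeping two slips:
# RNRF for the rename-from command and "<Directory> path>" with the path outside the tag.
SAMPLE_CONF = """\
ServerType standalone
Port 21000
DefaultRoot /home/FTP-shared
<Directory /home/FTP-shared>
<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>
<Directory> /home/FTP-shared/upload/>
<Limit READ RMD DELE>
DenyAll
</Limit>
</Directory>
MasqueradeAddress myserver.homelinux.net
PassivePorts 60000 65535
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print("\n".join(lint_proftpd_conf(text) or ["no findings"]))
```

Run it without arguments to see the three findings on the sample (the RNRF line, the malformed Directory tag, and the missing TLSEngine); with a path it checks that file. Because ProFTPD treats directive names case-insensitively, the checker lower-cases them, and because a later directive overrides an earlier one at the same level, it reads the last occurrence.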

blithen
April 2nd, 2008, 03:17 AM
Okay. It seems that even though I followed the instructions on the front page about the router it still will not work.
Any ideas? People can't connect to my server.

Animortis
April 17th, 2008, 04:44 PM
I did everything in your first post verbatim with TLS support and when I log in the FTP client gets to LIST and times out.

My proftpd.conf file is copied and pasted from yours in the first post and I added the "on" trigger for TLSRequired and included the TLS lines, copied and pasted at the bottom, as well as the "Include /etc/proftpd/modules.conf" line.

I gave the FTP-shared chown access to userftp:userftp as well as all its subdirectories and 755 access to the directory. Upload has 777 access and download has 755.

Why is it still timing out?

EDIT:

Scratch that. I found the posts about setting up passive listening ports. Ehehe. It works fine now. Well done with the post, though maybe you should set that part a little more prominently in the post since most people use routers nowadays.

mattchess
April 17th, 2008, 07:12 PM
Thank you for this guide. I was able to get my ftp up and running in minutes! It works perfectly. :)

Lostincyberspace
April 17th, 2008, 09:20 PM
I have just started setting up my ftp server and have been trying to login to test and I get

Status: Connecting to 192.168.0.109:21...
Status: Connection established, waiting for welcome message...
Error: Could not connect to server
Status: Waiting to retry...


Here is my proftpd.conf for your pleasure


ServerType standalone
DefaultServer on
Umask 022
ServerName "192.168.0.109"
ServerIdent on "minttop"
ServerAdmin Lee@logonomics.net
IdentLookups off
UseReverseDNS off
Port 21
PassivePorts 49152 65534
#MasqueradeAddress None
TimesGMT off
MaxInstances 30
MaxLoginAttempts 3
TimeoutLogin 300
TimeoutNoTransfer 10000
TimeoutIdle 10000
DisplayLogin welcome.msg
User nobody
Group nobody
DirFakeUser off nobody
DirFakeGroup off nobody
DefaultTransferMode binary
AllowForeignAddress on
AllowRetrieveRestart on
AllowStoreRestart on
DeleteAbortedStores off
TransferRate RETR 999999
TransferRate STOR 999999
TransferRate STOU 999999
TransferRate APPE 999999
SystemLog /var/log/secure
RequireValidShell off
#gp_random_username_length 6
#gp_random_password_length 6
#gp_randomize_case lower
#gp_useradd_homedir_path /var/ftp
#gp_html_path /var/www/html/ftp.htm
#gp_welcome_name welcome.msg
<IfModule mod_tls.c>
TLSEngine off
TLSRequired off
TLSVerifyClient off
TLSProtocol TLSv1
TLSLog /var/log/proftpd_tls.log
TLSRSACertificateFile /etc/gproftpd/gproftpd.pem
</IfModule>
<IfModule mod_ratio.c>
Ratios off
SaveRatios off
RatioFile "/restricted/proftpd_ratios"
RatioTempFile "/restricted/proftpd_ratios_temp"
CwdRatioMsg "Please upload first!"
FileRatioErrMsg "FileRatio limit exceeded, upload something first..."
ByteRatioErrMsg "ByteRatio limit exceeded, upload something first..."
LeechRatioMsg "Your ratio is unlimited."
</IfModule>
<Limit LOGIN>
AllowUser lmyers
AllowUser userftp
AllowUser ftp
AllowUser proftpd
AllowUser lee
DenyALL
</Limit>

<Anonymous /home/FTP-shared>
User lmyers
Group lee
AnonRequirePassword on
MaxClients 5 "The server is full, hosting %m users"
DisplayLogin welcome.msg
<Limit LOGIN>
Allow from all
Deny from all
</Limit>
<Limit LIST NLST RETR PWD XPWD SIZE STAT CWD XCWD CDUP XCUP >
AllowAll
</Limit>
<Limit STOR STOU APPE RNFR RNTO DELE MKD XMKD SITE_MKDIR RMD XRMD SITE_RMDIR SITE SITE_CHMOD SITE_CHGRP MTDM >
DenyAll
</Limit>
</Anonymous>



Please see if there is anything wrong and if you know how I could make it work.

frodon
April 18th, 2008, 03:51 AM
This thread is to support users using the tutorial not to debug your proftpd configurations, proftpd forum is way more appropriate for this.
http://forums.proftpd.org/smf/

Anyway, with so few details there's no answer to your question; remember to check firewall and router settings. On the other hand I warn you that your config is not safe, so you had better use it only on your home network.

Animortis
April 19th, 2008, 07:39 PM
How do you get proftpd to start automatically on booting your system?

EDIT:
And if it's supposed to start automatically, what can I do to get it to happen? Note: update-rc.d does not work, it says system startup links already exist.

frodon
April 21st, 2008, 11:38 AM
System > Administration > Services is the place in ubuntu where you can choose which service to start on boot or not.

Lostincyberspace
April 21st, 2008, 02:41 PM
I did use the tutorial but I have been having major problems with it after the tutorial ended, so I saw others that had posted their information and got help, so I figured I would try to see if it was some very small problem that I had missed somewhere. But thank you for the link to the forum, I will go there and see if I get more help. Oh, and I know it is safe because no one can connect up to it at all.

frodon
April 22nd, 2008, 03:38 AM
You are not locking the user in one directory in your configuration, which is what sounds unsafe to me, as the user will be able to browse your whole system, which in general users want to avoid, but maybe here it is the purpose of your FTP server.

bneese
April 25th, 2008, 04:23 PM
I am trying to get proftpd to work with RSA/Radius authentication. Do any of you have any experience with that? I can't seem to find much documentation on it. It might also be that I am a Linux newbie. Please help if you can. Thanks

clparker
April 27th, 2008, 10:44 PM
All these steps should work just fine in Hardy w/o any trouble?

tk0
April 28th, 2008, 12:02 AM
First off great tutorial...
Well, I'm new to Ubuntu but I think I'm making the transition nicely.

Where to begin... I've used GPROFTPD and it worked like a charm, also being behind a router (worked within and out of my LAN).. and upload/download/fxp all good, but the only thing I didn't like is that it injected a lot of useless stuff when compared to the conf used here.

So I axed it, and wanted to use a clean conf.. but I'm having issues... can't upload (used the PassivePorts and MasqueradeAddress) and I have no idea why that is... any help would help.

TIA.


UPDATE: I was able to get it to work, it just turned out I needed to open ports 20-21 instead of just 21... upload/download works great... again thanks for this tut.

plablo09
April 29th, 2008, 02:51 PM
This is a great tutorial, very helpful.
I've got an issue though:

I can connect to my server from my LAN (and apparently also from outside, although I haven't tested it thoroughly), but only using the ftp client that runs from the DOS shell. I cannot connect from other ftp clients (I've tried FileZilla and FireFTP). Any help would be much appreciated.

I'll attach my proftpd.conf and the Filezilla log



Thanks

Giak
May 6th, 2008, 11:58 AM
I've set my home directory to /home/myuser, so that's what I see when I log in. I've also added /home/myuser to the folders in GroFTPD, as well as /media/My Book. However, I can't see the folders there when I log in. Any idea why?

rybaxs
May 6th, 2008, 10:36 PM
user@user-desktop:/home/FTP-shared$ sudo /etc/init.d/proftpd start
* Starting ftp server proftpd [fail]


I configured proftpd and followed all the instructions, but
on my Ubuntu Gutsy Gibbon 7.10 the ftp server always shows [fail] when I start it.

rybaxs
May 6th, 2008, 10:39 PM
It works! Thanks.. I had just edited the wrong file in gedit.

tk0
May 7th, 2008, 02:26 AM
This is a small example of how to prevent user2 from entering the download directory.
In this case 2 users have been created (userftp and user2) and each one has its own alias.
This example will allow userftp to see the whole shared directory and prevent user2 from using the download directory (I give you only the directory section):

#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
AllowUser user2
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
<Limit ALL>
Order Allow,Deny
AllowUser userftp
AllowUser user2
Deny ALL
</Limit>
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
<Limit ALL>
Order Allow,Deny
AllowUser userftp
Deny ALL
</Limit>
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit ALL>
Order Allow,Deny
AllowUser userftp
AllowUser user2
Deny ALL
</Limit>
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>

I was wondering how this can be done with "virtual users" using a passwd file? Is it possible? I would like the upload user to only have access to the upload directory, while the rest of the users can have access to both download/upload directories..

frodon
May 7th, 2008, 02:55 AM
Yes it is possible, virtual users are supposed to work the same way as normal users. Also the way I propose to restrict the access is not the only one.

Good luck.

tk0
May 7th, 2008, 03:09 PM
Yes it is possible, virtual users are supposed to work the same way as normal users. Also the way I propose to restrict the access is not the only one.

Good luck.

Not to be a lazyass or anything, but do you think you might be able to point me in that direction? Because I tried the way you outlined but was unsuccessful, unless there are specific directives that need to be in my config..

If you don't mind, just look over my config and see if all is up to snuff, because users can connect and all; I'm just trying to lock the upload user to just the upload dir while everyone else can have access to both dirs.


Include /etc/proftpd/modules.conf
# /etc/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#
AllowOverwrite on
AuthAliasOnly off

# Choose here the user alias you want !!!!
#UserAlias upload userftp

ServerAdmin root@localhost
AllowForeignAddress on

ServerName "kMHFTP"
ServerType standalone
DeferWelcome off

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 300
TimeoutStalled 600
TimeoutIdle 120
TimeoutLogin 300

#DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"

RequireValidShell off

TimeoutLogin 20

RootLogin off

# It's better for debug to create log files ;-)
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log

#DenyFilter \*.*/

AuthOrder mod_auth_file.c
AuthUserFile /etc/proftpd/passwd
#AuthGroupFile /etc/proftpd/ftpd.group

# I don't choose to use /etc/ftpusers file (set inside the users you want
#to ban, not useful for me)
UseFtpUsers off

# Allow to restart a download
AllowStoreRestart on



# Uncomment this if you are using NIS or LDAP to retrieve passwords:
PersistentPasswd off

# Uncomment this if you would use TLS module:
#TLSEngine on

# Uncomment this if you would use quota module:
#Quotas on

# Uncomment this if you would use ratio module:
#Ratios on

# Port 21 is the standard FTP port, so don't use it for security reasons
#(choose here the port you want)
Port 31337
#Port 21

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

DirFakeUser on ~

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
#AllowOverwrite on

# Display a message after a successful login
AccessGrantMsg "welcome !!!"
# This message is displayed for each access good or not
ServerIdent on "you're at home"

# Set /home/FTP-shared directory as home directory
DefaultRoot /home/FTP-shared

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

MaxLoginAttempts 5

#VALID LOGINS
<Limit LOGIN>
Allow from all
#AllowUser upload
#AllowUser von
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD MACB>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD RETR>
AllowAll
</Limit>
</Directory>

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
#DelayEngine off

MasqueradeAddress mysite.dyndns.org

# These ports should be safe...
PassivePorts 31337 31437

UseReverseDNS off
IdentLookups off
UseIPv6 off

DisplayConnect /etc/welcome.msg

frodon
May 7th, 2008, 05:15 PM
You are not filtering any user in your proftpd.conf, so I don't really understand what you tried.
Basically you allow any valid user to log in, and that's what your FTP server does, allowing all users in all the available FTP directories.

To perform a per directory user access you must add <Limit LOGIN> commands in each <Directory ******> section as in the example in the first post.

tk0
May 7th, 2008, 05:51 PM
You are not filtering any user in your proftpd.conf, so I don't really understand what you tried.
Basically you allow any valid user to log in, and that's what your FTP server does, allowing all users in all the available FTP directories.

To perform a per directory user access you must add <Limit LOGIN> commands in each <Directory ******> section as in the example in the first post.

Thanks a bunch frodon!!! I did the <Limit ALL> for each directory and I commented all lines of the <Limit LOGIN> and was able to keep upload from cdup out of the upload/ dir.. not sure if that's right but it worked *shrugs*... and this could also work with groups, in case the user base is bigger than just a few users?


#VALID LOGINS
#<Limit LOGIN>
#Allow from all
#AllowUser upload
#AllowUser von
#DenyALL
#</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
<Limit ALL>
Order Allow,Deny
AllowUser von
Deny ALL
</Limit>
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD MACB>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
<Limit ALL>
Order Allow,Deny
AllowUser von
Deny ALL
</Limit>
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit ALL>
Order Allow,Deny
AllowUser von
AllowUser upload
Deny ALL
</Limit>
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD RETR>
AllowAll
</Limit>
</Directory>

yawnzzzz
May 7th, 2008, 11:27 PM
Great tutorial, but for some reason when I log in using an FTP client it appears to take me to the wrong directory. It shows the directory as just "/" and won't let me do anything. Any help would be appreciated. I've added all of the directories. Here's my config file:

AllowOverwrite on
AuthAliasOnly on

UserAlias music userftp

ServerName "brianserver"
ServerType standalone
DeferWelcome on

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 2200

DisplayChdir .message
ListOptions "-1"

RequireValidShell off

TimeoutLogin 20
RootLogin off

ExtendedLog /var/log/ftp.log
TransferLog /var/log/xfer.log
SystemLog /var/log/syslog.log

UseFtpUsers off

AllowStoreRestart on

Port 1980

MaxInstances 8

User nobody
Group nogroup

Umask 022 022

PersistentPasswd off

MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8

AccessGrantMsg "welcome!!!"
ServerIdent on "you're at home"

DefaultRoot /home/FTP-shared

DefaultRoot ~

MaxLoginAttempts 5

<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/download/>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>

qingrenjyf
May 8th, 2008, 03:14 AM
Hi,frodon
I tried the way you say (create the user through the GUI) but got a 530 login error... I just use the default conf file you provided, and I don't know what is wrong. Could you please give me a hand? Thx a lot.

frodon
May 8th, 2008, 03:59 AM
@tk0, I think it's even safer to also keep a general <Limit LOGIN> section (the one you had previously, before all your <Directory ****> sections).

@yawnzzzz, I would say that your user may not have the right home directory; anyway I think keeping only the DefaultRoot /home/FTP-shared line would be enough. Now that I look at it, it seems redundant to me, as "DefaultRoot ~" says to lock the connected user in his home directory.

@qingrenjyf, in this case I would try to change the password several times, also using the CLI (sudo passwd userftp).

yawnzzzz
May 8th, 2008, 09:56 AM
@yawnzzzz, I would say that your user may not have the right home directory; anyway I think keeping only the DefaultRoot /home/FTP-shared line would be enough. Now that I look at it, it seems redundant to me, as "DefaultRoot ~" says to lock the connected user in his home directory.


The user has the correct home directory. When I connected from a Mac, it didn't show anything, but when I connected from a PC, it showed 'download' and 'upload' as type 'File' instead of being directories. I previously had this config file working correctly, and it showed the 'download' and 'upload' as directories. The only thing I've changed since then is the config file.

I did some more tests by not containing the user in a directory, and it shows every directory as a file type of 'file', which means I can't do anything with it. Any ideas on this?

vikramsharma
May 12th, 2008, 05:02 AM
I have an ftp server as well as a telnet server running, all of a sudden my ftp server has stopped accepting my password. I am using the same password to login to Ubuntu and also for the telnet server, only for the ftp access my password is being denied. Help is appreciated.

frodon
May 12th, 2008, 05:06 AM
The only thing I've changed since then is the config file.

Then the most important thing, I think, is to remember what you changed in your config file.

yawnzzzz
May 12th, 2008, 03:55 PM
Then the most important thing, I think, is to remember what you changed in your config file.

It would help if I remembered, but I don't because I changed it multiple times. Any suggestions on where to start looking?

I believe it would have something to do with user permissions, and I'm having trouble finding the commands to view what user permissions I've set up for my userftp along with the user permissions for the directories. I followed your tutorial to set them up, but maybe they somehow got changed by another program.

vikramsharma
May 12th, 2008, 11:53 PM
I have an ftp server as well as a telnet server running, all of a sudden my ftp server has stopped accepting my password. I am using the same password to login to Ubuntu and also for the telnet server, only for the ftp access my password is being denied. Help is appreciated.

Sorry, I forgot to add that I get "530 Login incorrect", even though the same password works for logging into my computer and the telnet server that I run on my computer.

frodon
May 13th, 2008, 03:22 AM
You should post your proftpd.conf too just in case and detail what you enter to login and what apps you use for FTP.

Vince-0
May 13th, 2008, 07:21 AM
Hi,

Im running Ubuntu 8.04 Alt_Server,
I get this error when running sign.sh server.csr and haven't proceeded any further (my apologies if I'm repeating someone here but I can't find out what's going on):

metonymy@Aurelius:/etc/ftpcert$ ./sign.sh server.csr
./sign.sh: 33: cannot create ca.config: Permission denied
CA signing: server.csr -> server.crt:
Using configuration from ca.config
error loading the config file 'ca.config'
6382:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('ca.config','rb')
6382:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
6382:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:
CA verifying: server.crt <-> CA cert
Error loading file ca.crt
6383:error:02001002:system library:fopen:No such file or directory:bss_file.c:122:fopen('ca.crt','r')
6383:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:125:
6383:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
recognized usages:
sslclient SSL client
sslserver SSL server
nssslserver Netscape SSL server
smimesign S/MIME signing
smimeencrypt S/MIME encryption
crlsign CRL signing
any Any Purpose
ocsphelper OCSP helper

Any suggestions ?
Whoot for this Howto, awesome work!

frodon
May 13th, 2008, 07:31 AM
You need to run this command as root because the /etc directory is in the root space. So type sudo ./sign.sh server.csr instead.

Vince-0
May 13th, 2008, 08:11 AM
You need to run this command as root because the /etc directory is in the root space. So type sudo ./sign.sh server.csr instead.

Ok, here's the real problem :

Enter pass phrase for ./ca.key:
unable to load CA private key
24053:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461:
24053:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:
CA verifying: server.crt <-> CA cert
Error opening certificate file server.crt
24099:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('server.crt','r')
24099:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load certificate

wtf, eh? (thanks for the quick reply, much appreciated)

(Nevermind, its working now!)

Georgecooldude
May 21st, 2008, 05:07 PM
This is a good guide.

I've one question. Have had a brief look but couldn't see the answer.

How can I have a single directory with read/write access?


<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>


Currently I have this but I'd like to set up /home/FTP-shared/read-write/ and do away with separate upload/download directories, as I'll be updating my webserver this way.

Can anyone advise what <directory> commands would be needed?

cschill
June 1st, 2008, 03:23 PM
Hi,

New to Ubuntu but have some Linux knowledge.

I have almost the exact same setup as Frodon (btw, thanks for taking the time to write and monitor this useful tutorial). However, my machine is connected to my cable modem through a NETGEAR wireless router. I do not think that the router has a hardware firewall.

A few things:
a) I have a dyndns domain name (ricochet.dyndns.info) and ddclient running.
b) In my .config, I have
PassivePorts 60000 60100
MasqueradeAddress ricochet.dyndns.info

When I restart proftpd, I get this message:
cschill-desktop - 127.0.1.1:1980 masquerading as 67.188.114.239

So, I forward port 1980 and 60000-60100 for address 127.0.1.1 in my router setup.

On my ubuntu machine, I can
ftp 127.0.1.1 1980
and I login fine.

However if I try to do this from my ubuntu desktop:
ftp ricochet.dyndns.info 1980
it just hangs. Also, I have a mac running os x on the same wireless network. If I use fugu
to connect, it just hangs for either address (127.0.1.1 or ricochet.dyndns.info).

I attached my config file. Thanks for taking the time...

BTW, I noticed some posts discussing the /etc/hosts file. Here is mine:
127.0.0.1 localhost
127.0.1.1 cschill-desktop

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Chris

Kulgan
June 1st, 2008, 04:03 PM
Two main problems as I see it...

First, you seem to be using "127.x.x.x" for logging in to the FTP server from other computers. Not good. Use the IP address specified for the active interface in
ifconfig
when connecting from other computers, at least. This also means changing the port forwards to direct to the right ip (usually 192.168.x.x or 10.0.x.x).

I'm not completely sure about the second one. It depends on my understanding of the ddns client. Which is probably wrong. My understanding is that ddns clients take the IP of the computer they are running on, and send it to dyndns or whatever. So it will be, say... 192.168.0.2... which isn't much space outside the network. It needs to be set up to point to your external IP - at least, if you plan on using it from outside home, which is sort of the purpose of dyndns. The client should therefore be running on the device that gives you your IP address - i.e., your modem.
An alternative to this would be to set up the server so that it runs a script hosted somewhere else - a php script, say, that updates a file with the $_SERVER['REMOTE_ADDR'] var or something - and stick an entry for it in crontab...

sotoskawasaki
June 4th, 2008, 10:08 AM
Hey, this is an excellent tutorial you got there. Thanks!
I wanted to ask about the part with the ssl (ftps). Will those commands work with xampp? It uses proftpd as an ftp server. I would really want to enable ssl with my ftp server. Again thanks!

haryoh
June 6th, 2008, 02:14 AM
I followed your tutorials and had no problems all through but when I tried to access the ftp with filezilla, mozilla, and IE6, it gives me time out on all connection types.

I have attached a copy of my proftpd.conf in the message

frodon
June 6th, 2008, 03:19 AM
@haryoh, you are more likely to have firewall/router issues.

haryoh
June 6th, 2008, 12:09 PM
I do have a PROXY server (squid + dansguardian) up and running. I added the ports both SSL 21 and safe ports 21, and also on my router I already have port 21 opened. So what do you think I'm doing wrong?

Thanks. your response would be appreciated.

haryoh
June 6th, 2008, 12:50 PM
Is my configuration setup ok?

frodon
June 6th, 2008, 01:02 PM
Your config seems ok; as I told you, timeout issues are in general the indicator of a network issue (firewall, router, port forwarding and so on).
I think there's something in your home network preventing the FTP server from accepting incoming connections.

haryoh
June 6th, 2008, 01:15 PM
I will look into it, for I am still at work. I have a Windows Server 2003 running in the background but the internal IP has been blocked, and I haven't even set up NFS or SAMBA on my server, which would conflict with the WIN 2003.

like I said I will look into it and if I come up with anything, I will let you know.

Good tutorial, it's perfect. I had to tweak some things though..

DaveTheAve
June 6th, 2008, 01:45 PM
I'm getting the following error on Kubuntu Hardy (KDE 3) using the gproftpd "guide":
- warning: unable to determine IP address of 'devlon'
- error: no valid servers configured
- Fatal: error processing configuration file '/etc/proftpd/proftpd.conf'


My Config is:
ServerType standalone
DefaultServer on
Umask 022
ServerName "0.0.0.0"
ServerIdent on "Devlon"
ServerAdmin David@Neoelite-Consulting.com
IdentLookups off
UseReverseDNS off
Port 21
PassivePorts 49149 65534
#MasqueradeAddress None
TimesGMT off
MaxInstances 30
MaxLoginAttempts 3
TimeoutLogin 300
TimeoutNoTransfer 120
TimeoutIdle 120
DisplayLogin welcome.msg
User nobody
Group nobody
DirFakeUser off nobody
DirFakeGroup off nobody
DefaultTransferMode binary
AllowForeignAddress off
AllowRetrieveRestart on
AllowStoreRestart on
DeleteAbortedStores off
TransferRate RETR 0
TransferRate STOR 0
TransferRate STOU 0
TransferRate APPE 0
SystemLog /var/log/secure
RequireValidShell off
#gp_random_username_length 6
#gp_random_password_length 6
#gp_randomize_case lower
#gp_useradd_homedir_path /var/ftp
#gp_html_path /var/www/html/ftp.htm
#gp_welcome_name welcome.msg
<IfModule mod_tls.c>
TLSEngine off
TLSRequired off
TLSVerifyClient off
TLSProtocol TLSv1
TLSLog /var/log/proftpd_tls.log
TLSRSACertificateFile /etc/gproftpd/gproftpd.pem
</IfModule>
<IfModule mod_ratio.c>
Ratios off
SaveRatios off
RatioFile "/restricted/proftpd_ratios"
RatioTempFile "/restricted/proftpd_ratios_temp"
CwdRatioMsg "Please upload first!"
FileRatioErrMsg "FileRatio limit exceeded, upload something first..."
ByteRatioErrMsg "ByteRatio limit exceeded, upload something first..."
LeechRatioMsg "Your ratio is unlimited."
</IfModule>
<Limit LOGIN>
AllowUser david
DenyALL
</Limit>

<Anonymous /var/ftp>
User david
Group david
AnonRequirePassword on
MaxClients 3 "The server is full, hosting %m users"
DisplayLogin welcome.msg
<Limit LOGIN>
Allow from all
Deny from all
</Limit>
AllowOverwrite on
<Limit LIST NLST STOR STOU APPE RETR RNFR RNTO DELE MKD XMKD SITE_MKDIR RMD XRMD SITE_RMDIR SITE SITE_CHMOD SITE_CHGRP MTDM PWD XPWD SIZE STAT CWD XCWD CDUP XCUP >
AllowAll
</Limit>
<Limit NOTHING >
DenyAll
</Limit>
</Anonymous>

haryoh
June 6th, 2008, 01:57 PM
check your proftpd.config and make sure you are not missing anything. The error you could get is TIME OUT ERROR when you setup proftpd. Can you attach your configuration here?

frodon
June 6th, 2008, 02:38 PM
I'm getting the following error on Kubuntu Hardy (KDE 3) using the gproftpd "guide":

My Config is:

Your computer name devlon is not defined in your /etc/hosts file, therefore the FTP server can't resolve it.

If you don't have the following or something similar in your /etc/hosts file then add it and it should solve your issue:
127.0.1.1 devlon

DaveTheAve
June 6th, 2008, 02:48 PM
Haryoh, Are you responding to me? If so I already posted my error and my config.

frodon you guru you! Thanks for that, everything works now. Finally I can access my PHP development files from the University.

haryoh
June 6th, 2008, 03:08 PM
Haryoh, Are you responding to me? If so I already posted my error and my config.

Ok.. Frodon is right.

ServerName "0.0.0.0"
ServerIdent on "Devlon"

Devlon needs to resolve ServerName or you will continue to get the error.
Also make sure in /etc/hosts that everything is configured to work with your box. I just have a rough example below

$cat /etc/hosts

127.0.0.1 localhost
127.0.1.1 Devlon

192.168.0.3 Devlonbox

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

haryoh
June 7th, 2008, 08:46 PM
Hello Frodon,

It's working now. There was nothing in my firewall. I turned off my proxy and my windows 2003 server and nothing.

But when I open the passive ports as directed in quick guide (http://www.proftpd.org/localsite/Userguide/linked/x862.html), everything worked fine.

Thanks for this, now I can bind it with my /var/www and work on the security part of it.

Thanks to all people that participated in this great thread. my own HOW TO is coming soon.

frodon
June 8th, 2008, 06:26 AM
Yep, I should have thought of passive ports; some other users have reported this to be a mandatory step when using NAT and domain names.

Glad you got it all working; a good FTP server is a must-have for accessing one's website and managing it remotely.

If you have suggestions about this tutorial or want me to link one of yours related to the topic feel free to contact me by PM.

haryoh
June 11th, 2008, 10:52 AM
No problem Frodon. Thanks again.

runesvend
June 14th, 2008, 12:21 AM
Thank you for this useful guide.

I'm experiencing one problem. If a user logs into my FTP server and uploads a file in the upload directory I have no problem deleting the file locally on my Ubuntu machine when I'm logged in as my usual user (non-root). But when a user logged in to the FTP creates a directory in the upload directory and uploads a file in that I can't delete the file created.

How come this differs from a file in the "root" upload-directory? And is there a way to change it?

Here's my proftpd.conf:

#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 on

MasqueradeAddress <my-ip>

PassivePorts 60000 65534

ServerName "RunesFTP"
ServerType standalone
DeferWelcome on

MultilineRFC2228 on
DefaultServer on
ShowSymlinks on

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
TimeoutLogin 20

DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"

RootLogin off

#DenyFilter \*.*/

UseFtpUsers off

AccessGrantMsg "Hej hej !!!"

AllowForeignAddress on

DefaultRoot /media/sdb4/ftp

# Use this to jail all users in their homes
#DefaultRoot ~

MaxLoginAttempts 5

#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
RequireValidShell off

# Port 21 is the standard FTP port.
Port 1986

# Allow to restart a download
AllowStoreRestart on

# Allow to restart an upload
AllowRetrieveRestart on

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts 49152 65534

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress 1.2.3.4

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
PersistentPasswd off

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off

# Choose a SQL backend among MySQL or PostgreSQL.
# Both modules are loaded in default configuration, so you have to specify the backend
# or comment out the unused module in /etc/proftpd/modules.conf.
# Use 'mysql' or 'postgres' as possible values.
#
#<IfModule mod_sql.c>
# SQLBackend mysql
#</IfModule>

ExtendedLog /var/log/proftpd/extdftp.log
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log

<IfModule mod_tls.c>
TLSEngine off
</IfModule>

<IfModule mod_quota.c>
QuotaEngine on
</IfModule>

<IfModule mod_ratio.c>
Ratios on
</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine on
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine on
</IfModule>

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias mrftp userftp


<Directory /media/sdb4/ftp>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /media/sdb4/ftp/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNEF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /media/sdb4/ftp/upload/*>
Umask 022 022
AllowOverwrite on
<Limit RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>

All input is appreciated!

EDIT: I think I've solved this by changing the Umask of the upload directory from "022 022" to "022 000". I'm not sure this is the correct solution though so I'd still very much appreciate any feedback on this.

frodon
June 14th, 2008, 03:53 AM
Umask is as you guessed something you can set differently depending on what is more convenient for you. I don't see any particular security risk with the modification you did.

kira_yamato
June 14th, 2008, 05:18 AM
I have installed Ubuntu Server Hardy with an FTP server using proftpd. I want to use SSL to secure data transmission, but if in the TLS.log I choose TLSRequired ON, I don't see my directory... it fails somehow..

runesvend
June 14th, 2008, 07:07 AM
Cool, thanks for the heads up frodon. I guess I fixed it myself then :)

kira_yamato, if you are using the proftpd from the repositories, TLS isn't an option sadly. Try running this command:

proftpd -l

if mod_tls.c isn't amongst the output you have to compile proftpd yourself. But don't worry it's not hard at all. Take a look at this guide:

http://www.troublenow.org/?p=6

For it to work you have to add the following arguments to the configure script in order to match the directories proftpd has already been installed in by apt-get:

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --with-modules=mod_tls


EDIT: Wait a minute. I'm just now finding out where the correct directories are. The above is not correct.

frodon
June 14th, 2008, 07:29 AM
Since proftpd version 1.3 modules are implemented in a different way: the version of proftpd in the repositories includes mod_tls, but you must uncomment it in /etc/proftpd/modules.conf and add the following line in your proftpd.conf file to use it:
Include /etc/proftpd/modules.conf

@kira_yamato, detail the steps you followed to set up the TLS encryption and how you tried to log in to your FTP server (which client, how it is configured and so on).

jorge.maravi
June 24th, 2008, 12:34 PM
This How-to is great but a little bit outdated...
I tried to install the proftpd server and the config file looks different. Is there another tutorial for the latest proftpd latest version?

frodon
June 24th, 2008, 12:40 PM
Outdated based on what?

This tutorial is and has always been up to date; it does what the title says in a safe way. This is not the default config; the default config sets anonymous login, which is not the purpose of this tutorial.

jorge.maravi
June 24th, 2008, 12:58 PM
Frodon
The config file in your post of October 20th, 2005 is different from the config file I saw yesterday. There are many fields that are not there.
The config file I saw yesterday looks like runesvend posted 1 week ago

frodon
June 24th, 2008, 01:39 PM
I thought one second you were going to base your opinion on serious arguments.

The config file in the first post is a customized config file last edited in October 2007, as written explicitly at the bottom of the first post; therefore it is different from the default config file, which does not perform user access restriction and per-directory access.

Please let's not steer the thread off topic now; if you have valid arguments/suggestions/enhancements to propose they are of course more than welcome.

jorge.maravi
June 24th, 2008, 05:20 PM
Hi Frodon
I am trying to use TLS with the proftpd server and when I ran proftpd -l it doesn't show that the module mod_tls was loaded. I checked the modules.conf and it seems that it should load. The line
"LoadModule mod_tls.c" is not commented out, and when I ran proftpd -td5 it says: "My-Server - mod_tls/2.1.1: passphrase locked into memory".

I am having trouble trying to connect using the sftp protocol from a client to this server, but when I use the FTP protocol it works.

frodon
June 25th, 2008, 03:04 AM
Modules in the latest proftpd versions are handled in modules.conf, so you did the right thing uncommenting mod_tls in the file, but don't forget to add "Include /etc/proftpd/modules.conf" somewhere at the beginning of your file to make your server parse the module configuration.

Be careful: FTP + TLS encryption is not SFTP, SFTP is connecting to a ssh server through FTP. FTP + TLS encryption is commonly called FTPS and in filezilla (an FTP client I advise you to use) it is called FTPES.

jorge.maravi
June 25th, 2008, 12:30 PM
Ok Frodon, my /etc/proftpd/proftpd.conf file has the line "Include /etc/proftpd/modules.conf" uncommented.
So, is it correct to say that if I try to connect to my ftp server (that is using the default port 21) with the sftp protocol, it will work?
I understand the sftp protocol points to port 22 instead of port 21.

frodon
June 25th, 2008, 12:41 PM
No it won't, as my guide is for FTP over TLS encryption, not SFTP, which is FTP in an SSH tunnel, and that is why it uses port 22, as port 22 is the default port for SSH.
You must have an FTPS compliant FTP client to log in to your server if you use TLS encryption.

jorge.maravi
June 25th, 2008, 12:48 PM
Ok thanks Frodon, I will try with filezilla

jorge.maravi
June 25th, 2008, 02:12 PM
Hey Frodon
I just downloaded the filezilla client and it works great with the FTPES protocol....

Thanks for your help, and sorry for the initial post saying the how-to was not up to date; actually it is and it is great, sorry Frodon my bad :(

Only a question: with the FTPES protocol the authentication process will be encrypted, but what about the data transmitted? Is that encrypted too?

Thanks

frodon
June 25th, 2008, 02:29 PM
np, you're welcome :)

With TLS encryption everything is encrypted (authentication + data) so you are safe transferring sensitive data with your FTP server. You can even force users to use FTPES using "TLSRequired on" but your friends will have to find an FTPES compliant client like filezilla.

jorge.maravi
June 25th, 2008, 04:44 PM
Hi frodon, if I am going to use a masquerade address (NAT) in the proftpd.conf file I should add the fields MasqueradeAddress and PassivePorts, right?
The MasqueradeAddress should be the public IP address (IP on the internet), right?

frodon
June 25th, 2008, 05:55 PM
Yes it should be your IP or domain name, however I'm not an expert on this as I don't have a NAT configuration myself.

sotoskawasaki
June 25th, 2008, 06:03 PM
Ok, I followed your tutorial and everything is working just fine! Great tut!!
I am using xampp 1.6.6 on Kubuntu 8.04. Thanks..

arvvvs
June 29th, 2008, 04:23 PM
I can't connect using FileZilla and I've used everything I can. I have tried other clients and can't connect.
this is my thing:
ServerType standalone
DefaultServer on
Umask 022
ServerName "192.168.1.3"
ServerIdent off "My FTPD"
ServerAdmin arvvvs@gmail.com
IdentLookups off
UseReverseDNS off
Port 21
PassivePorts 49152 65534
#MasqueradeAddress None
TimesGMT off
MaxInstances 30
MaxLoginAttempts 3
TimeoutLogin 300
TimeoutNoTransfer 120
TimeoutIdle 120
DisplayLogin welcome.msg
User nobody
Group nobody
DirFakeUser off nobody
DirFakeGroup off nobody
DefaultTransferMode binary
AllowForeignAddress off
AllowRetrieveRestart on
AllowStoreRestart on
DeleteAbortedStores off
TransferRate RETR 30
TransferRate STOR 40
TransferRate STOU 40
TransferRate APPE 40
SystemLog /var/log/secure
RequireValidShell off
#gp_random_username_length 6
#gp_random_password_length 6
#gp_randomize_case lower
#gp_useradd_homedir_path /var/ftp
#gp_html_path /var/www/html/ftp.htm
#gp_welcome_name welcome.msg
<IfModule mod_tls.c>
TLSEngine off
TLSRequired off
TLSVerifyClient off
TLSProtocol TLSv1
TLSLog /var/log/proftpd_tls.log
TLSRSACertificateFile /etc/gproftpd/gproftpd.pem
</IfModule>
<IfModule mod_ratio.c>
Ratios off
SaveRatios off
RatioFile "/restricted/proftpd_ratios"
RatioTempFile "/restricted/proftpd_ratios_temp"
CwdRatioMsg "Please upload first!"
FileRatioErrMsg "FileRatio limit exceeded, upload something first..."
ByteRatioErrMsg "ByteRatio limit exceeded, upload something first..."
LeechRatioMsg "Your ratio is unlimited."
</IfModule>
<Limit LOGIN>
AllowUser userftp
AllowUser userftp
AllowUser arvvvs
DenyALL
</Limit>

<Anonymous /var/ftp>
User userftp
Group FTP
AnonRequirePassword on
MaxClients 3 "The server is full, hosting %m users"
DisplayLogin welcome.msg
AllowOverwrite off
<Limit LOGIN>
Allow from all
Deny from all
</Limit>
<Limit RETR LIST NLST MDTM SIZE STAT CWD XCWD PWD XPWD CDUP XCUP>
AllowAll
</Limit>
<Limit DELE APPE STOR STOU SITE_CHMOD SITE_CHGRP RNFR RNTO MKD XMKD RMD XRMD>
DenyAll
</Limit>
</Anonymous>

<Anonymous /home/FTP>
User userftp
Group FTP
AnonRequirePassword on
MaxClients 5 "The server is full, hosting %m users"
DisplayLogin welcome.msg
<Limit LOGIN>
Allow from all
Deny from all
</Limit>
AllowOverwrite off
<Limit LIST NLST RETR SITE_CHMOD PWD XPWD SIZE STAT CWD XCWD CDUP XCUP >
AllowAll
</Limit>
<Limit STOR STOU APPE RNFR RNTO DELE MKD XMKD SITE_MKDIR RMD XRMD SITE_RMDIR SITE SITE_CHGRP MTDM >
DenyAll
</Limit>
</Anonymous>

<Anonymous /home/FTP>
User arvvvs
Group FTP
AnonRequirePassword on
MaxClients 5 "The server is full, hosting %m users"
DisplayLogin welcome.msg
<Limit LOGIN>
Allow from all
Deny from all
</Limit>
<Limit LIST NLST RETR SITE_CHMOD PWD XPWD SIZE STAT CWD XCWD CDUP XCUP >
AllowAll
</Limit>
<Limit STOR STOU APPE RNFR RNTO DELE MKD XMKD SITE_MKDIR RMD XRMD SITE_RMDIR SITE SITE_CHGRP MTDM >
DenyAll
</Limit>
</Anonymous>

jorge.maravi
July 2nd, 2008, 03:49 PM
Hi
I have my ftp server connected to the internet; when I try to connect using the ftp protocol it works fine, but when I try to use the FTPES protocol it fails. This is my log's output in my client:
13:42:19 Trace: ControlSocket.cpp(1057): CRealControlSocket::ContinueConnect(0p22dcc8) m_pEngine=0p128f6d8 caller=0p1332b60
13:42:19 Status: Connecting to <my-ip-address>:21...
13:42:19 Status: Connection established, waiting for welcome message...
13:42:33 Trace: CFtpControlSocket::OnReceive()
13:42:33 Response: 220 ProFTPD 1.3.0 Server ready.
13:42:33 Trace: CFtpControlSocket::SendNextCommand()
13:42:33 Command: AUTH TLS
13:42:33 Trace: CFtpControlSocket::OnReceive()
13:42:33 Response: 234 AUTH TLS successful
13:42:33 Status: Initializing TLS...
13:42:33 Trace: CTlsSocket::Handshake()
13:42:33 Trace: CFtpControlSocket::SendNextCommand()
13:42:33 Command: USER <user-name>
13:42:34 Trace: CTlsSocket::OnSocketEvent(): wxSOCKET_LOST received
13:42:34 Trace: CRealControlSocket::OnClose()
13:42:34 Trace: CFtpControlSocket::ResetOperation(66)
13:42:34 Trace: CControlSocket::ResetOperation(66)
13:42:34 Error: Could not connect to server
13:42:34 Status: Waiting to retry...

I checked the proftpd mini how-to and they said there is a problem with TLS and NAT and that it is fixable if you add this in the config file: TLSRequired auth+data (to use the Clear Command Channel). I tried to add this in my config file but it threw an error when I restarted the daemon.

Is there any way to force this in a proftpd server ver 1.3.0?

Thanks

jorge.maravi
July 9th, 2008, 07:02 PM
frodon u there?

frodon
July 10th, 2008, 03:45 AM
Yep, but there's nothing I can do for you, I don't use NAT on my home config. In your case I would try at least once to regenerate the RSA key.

Maybe some users who used this howto and who use a NAT can help you.

jorge.maravi
July 10th, 2008, 04:15 PM
I already figured out the problem. It was a port problem in my dsl modem.
If I want my internal clients to access my FTP server behind my DSL modem, do I have to create a virtual server?

Why, when I try to connect from my internal IP addresses to my internet IP address, do my clients fail to connect to the FTP server?

frodon
July 10th, 2008, 05:11 PM
You may find some useful info in this post:
http://ubuntuforums.org/showpost.php?p=680702&postcount=81

jorge.maravi
July 10th, 2008, 06:51 PM
I don't have problems with my router/DSL modem anymore. After using the directive Ipmasquerade I cannot connect to my internal IP address anymore; I am not sure if I have to set up a virtual server section in my proftpd.conf file.

I don't understand either why, when I tried to connect to the ftp server from an internal IP address using the public internet address, it fails....

frodon
July 11th, 2008, 03:52 AM
Your external IP (I guess IPv4) is not tied to a specific computer of your local network; therefore, if you didn't set any rules to redirect the needed ports to your computer, then the FTP frames are likely to be lost.
Check your router configuration and that the FTP ports are properly redirected to the computer hosting the FTP server; then, to test from the internet, maybe just call a friend.

jorge.maravi
July 11th, 2008, 04:18 PM
I am lost now. When I tried to connect from a completely different IP address (i.e. my house) it works; I already forwarded the ports and passive ports to the FTP server's internal IP address and it works fine, and I am using the masquerading directive. The problem is when an internal client from the same network as the FTP server tries to connect to the FTP using the external IP address (internet address): it fails.

frodon
July 11th, 2008, 05:19 PM
You should not use your external IP when communicating within your localnetwork but the IP of the computer directly.

jorge.maravi
July 11th, 2008, 05:31 PM
I tried that, using the internal IP address in my network, but it fails when listing the directories.
That's the reason I ask if I need to create a field for a virtual server in my conf file (using the FTP server's internal address and without the masquerading directive).

fridaythe14th
July 31st, 2008, 02:57 PM
Been making various attempts of setting up an ftp server myself but failed. This was a great guide so thank you!

Jordanwb
August 9th, 2008, 06:40 PM
Okay with section C, I set it up okay, but do I need to store a file on my computer if I want to login using SFTP?

Anthony M
August 12th, 2008, 12:40 PM
I'm also having the problem where I can log in to the FTP server from all computers on the same home network as the server but not from any remote computers. I have opened, on my router, port 21 and the range of passive ports.

When attempting to connect from a remote computer, filezilla simply says "unable to connect"....

What else do I need to enable in gproftpd?

Thanks!

Jordanwb
August 12th, 2008, 01:10 PM
I have opened, on my router, port 21 and the range of passive ports.

Did you set the router to forward to the right IP?

anlayne
August 28th, 2008, 03:24 PM
I know there are a lot of 530 Login failed. questions here, and I have looked through them and tried many things. I have changed the password for my ftpuser (changed from the original userftp) many times through both the GUI and CLI. I do not know how to confirm the file permissions, but I have gone back and reassigned them. When I login, I make sure to use the user name (tst) assigned by UserAlias in proftpd.conf (below) and not the UNIX user name. Still, my 530 problem persists. Any help would be appreciated.

Also, a prompt reply would be appreciated, because I am going overseas in a few days and want to use the server to dump files onto my computer.

Thanks in advance.


# To really apply changes reload proftpd after modifications.
AllowOverwrite on
AuthAliasOnly on

# Choose here the user alias you want !!!!
UserAlias tst ftpuser

ServerName "adamserver"
ServerType standalone
DeferWelcome on

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 2200

DisplayFirstChdir .message
ListOptions "-l"

RequireValidShell off

TimeoutLogin 20

RootLogin off

# It's better for debug to create log files ;-)
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log

#DenyFilter \*.*/

# I don't choose to use /etc/ftpusers file (set inside the users you want to ban, not useful for me)
UseFtpUsers off

# Allow to restart a download
AllowStoreRestart on

# Port 21 is the standard FTP port, so you may prefer to use another port for security reasons (choose here the port you want)
Port 1981

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 8

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022

PersistentPasswd off

MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8

# Display a message after a successful login
AccessGrantMsg "welcome !!!"
# This message is displayed for each access good or not
ServerIdent on "you're at home"

# Set /home/FTP-shared directory as home directory
DefaultRoot /home/ftpuser

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

MaxLoginAttempts 5

#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>

<Directory /home/ftpuser>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/ftpuser/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNEF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory> /home/ftpuser/upload/>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>

frodon
August 28th, 2008, 04:10 PM
Did you try to log in on the same computer that runs the server or from another one?

anlayne
August 28th, 2008, 08:43 PM
I tried to login from the same machine. I am on a LAN behind a router and I understand the complications about access from outside my LAN, but as far as I know, that should not affect this. Also, I am able to communicate with the ftp server, just not login. The full input/output looks like this:

adam@adam-desktop:~$ ftp 192.168.1.220 1981
Connected to 192.168.1.220.
220 you're at home
Name (192.168.1.220:adam): tst
331 Password required for tst
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

frodon
August 29th, 2008, 02:58 AM
So you tried from the same computer that runs the server, because it can be a firewall issue too on either computer. Try with other ftp clients than the ftp command line too. You can test that the password is working by trying to log in to your session with your ftpuser directly; that would exclude any password issue at the user creation level.

herot
August 29th, 2008, 11:53 AM
I am using proftpd and no matter what I set the allowed transfer rates at, my friends and I can only download files from my server at about 50-60kbs. I have 384kbs upload speed in my plan with Bellsouth. There are no other problems with the server other than the speed. The Bellsouth speed test returns the correct values. Bellsouth told me they do not cap or throttle any ports my server might be using.

I am not using passive ftp.

What can I do to speed up the rate at which my server uploads to clients? I am referring to the file transfer speed, logins and listings are all fine.

frodon
August 29th, 2008, 12:40 PM
380kbits/s ~= 50kbytes/s, ISPs almost always give you bandwidth information in kbits whereas everything in the computer world is displayed in kbytes.

anlayne
August 29th, 2008, 01:01 PM
I tried logging in to the session with ftpuser and it completed (although I got a "The computer administrator has disabled your account" or something equivalent, probably because the user has no privileges). Could this be the problem?

I am trying from the same machine, so the firewall shouldn't be a problem, but if it is, how do I add an exception to iptables? (i.e. can I add an exception just for proftpd on a certain port?)

I tried connecting from Firefox and gFTP and both communicate with the server (I get 220 and 331), but still get 530; exactly the same as with the command line.

Thanks for all your help.

herot
August 29th, 2008, 01:11 PM
ugh! I see... I guess my only option is to try and upgrade my plan...

Any other suggestions for faster file sharing?? anybody aware of off site server services?

frodon
August 29th, 2008, 02:18 PM
If you have iptables configured and try to log in from the computer that runs the server, the only thing you need is to allow the loopback interface (connection from yourself). If you have never played with iptables or a firewall it should be allowed already.

For the moment you seem to have done all the things well, so I have no real idea of what is wrong in your config.
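Several of the failures in this thread are visible in the config file itself: anlayne's `<Limit LOGIN>` above allows `userftp` while `UserAlias tst ftpuser` maps logins to `ftpuser` (so `tst` can pass the password check and still end at `DenyAll`), an earlier post forwarded ports to a `MasqueradeAddress` of `127.0.1.1`, `TLSEngine on` did nothing until `modules.conf` was included, and one `<Directory>` tag above is malformed. The checker below is an added example, not code from the thread or from ProFTPD; it parses a constructed sample config with a small subset of the proftpd.conf syntax and reports those four pitfalls.

```python
"""Lint a proftpd.conf for the pitfalls discussed in this thread (added example,
not code from the thread or from ProFTPD). The parser covers a small subset of
the syntax: one directive per line, <Section arg>...</Section> blocks, '#' comments."""
import ipaddress
import re

SECTION_RE = re.compile(r"^<(/?)(\w+)\s*([^<>]*)>$")

# Constructed sample: 'tst' is aliased to the real account 'ftpuser', but the login
# limit only allows 'userftp' (neither of them); MasqueradeAddress is the loopback
# entry from /etc/hosts and no PassivePorts range is set.
SAMPLE_CONF = """\
Include /etc/proftpd/modules.conf
ServerName "adamserver"
AuthAliasOnly on
UserAlias tst ftpuser
MasqueradeAddress 127.0.1.1
<IfModule mod_tls.c>
TLSEngine on
</IfModule>
<Limit LOGIN>
AllowUser userftp
DenyAll
</Limit>
"""


def parse(text):
    """Return (directives, problems). A directive is (section_path, name, args) with
    name lower-cased and section_path a tuple of (section, arg) pairs, outermost first."""
    stack, directives, problems = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):
            m = SECTION_RE.match(line)
            if not m:  # e.g. "<Directory> /home/ftpuser/upload/>"
                problems.append(("BAD_SECTION", f"line {lineno}: malformed tag {line!r}"))
            elif m.group(1):  # closing tag must match the innermost open section
                if stack and stack[-1][0].lower() == m.group(2).lower():
                    stack.pop()
                else:
                    problems.append(("BAD_SECTION", f"line {lineno}: unexpected {line!r}"))
            else:
                stack.append((m.group(2), m.group(3).strip()))
            continue
        name, *rest = line.split(None, 1)
        args = rest[0].replace('"', "").split() if rest else []
        directives.append((tuple(stack), name.lower(), args))
    if stack:
        problems.append(("BAD_SECTION", f"unclosed section <{stack[-1][0]}>"))
    return directives, problems


def lint(text):
    """Return a list of (code, message) findings; an empty list means no pitfall found."""
    directives, findings = parse(text)
    aliases = {}      # UserAlias alias -> real account
    login_allow = []  # AllowUser names inside <Limit LOGIN>
    masq = passive = tls_on = include_modules = None
    for path, name, args in directives:
        in_login = any(s.lower() == "limit" and a.upper() == "LOGIN" for s, a in path)
        if name == "useralias" and len(args) == 2:
            aliases[args[0]] = args[1]
        elif name == "allowuser" and in_login:
            login_allow.extend(args)
        elif name == "masqueradeaddress" and args:
            masq = args[0]
        elif name == "passiveports":
            passive = args
        elif name == "tlsengine" and args and args[0].lower() == "on":
            tls_on = True
        elif name == "include" and args and args[0].endswith("modules.conf"):
            include_modules = True
    # 1. With UserAlias in play, <Limit LOGIN> must allow the alias or its real
    #    account; any other name sends every aliased login to DenyAll (530).
    for user in login_allow:
        if aliases and user not in aliases and user not in aliases.values():
            findings.append(("LOGIN_ALLOWUSER", f"AllowUser {user} in <Limit LOGIN> is "
                             "neither a UserAlias nor its target; aliased logins hit DenyAll"))
    # 2. MasqueradeAddress must be the public address and needs a PassivePorts range
    #    that can be forwarded on the router. Hostnames are left unresolved (offline).
    if masq:
        try:
            ip = ipaddress.ip_address(masq)
        except ValueError:
            ip = None
        if ip is not None and (ip.is_loopback or ip.is_private):
            findings.append(("MASQ_PRIVATE", f"MasqueradeAddress {masq} is not reachable from the Internet"))
        if not passive:
            findings.append(("MASQ_NO_PASV", "MasqueradeAddress set without a PassivePorts range"))
    # 3. TLSEngine on is inert unless mod_tls is loaded through modules.conf.
    if tls_on and not include_modules:
        findings.append(("TLS_NO_INCLUDE", "TLSEngine on but /etc/proftpd/modules.conf is not Included"))
    return findings
```

Running `lint(SAMPLE_CONF)` reports LOGIN_ALLOWUSER, MASQ_PRIVATE and MASQ_NO_PASV; point it at a real /etc/proftpd/proftpd.conf with `lint(open(path).read())`.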

TheRazer
September 6th, 2008, 06:36 AM
I have a problem...
my proftpd server WORKS...
but...
when I log in on nucftp everything is good... but with razer I can make a dir... but I can't see anything. not the dir I made or nothing... but when I check the server the new dir I made is there... and my ftp client says directory identifier unavailable...


# To really apply changes reload proftpd after modifications.
AllowOverwrite on

ServerName "razer"
ServerType standalone
DeferWelcome on

MasqueradeAddress razer
MasqueradeAddress xxx.xxx.xxx.xxx

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

PassivePorts 60000 60100

UseReverseDNS off
IdentLookups off

RequireValidShell off

RootLogin off

# It's better for debug to create log files ;-)
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log

#DenyFilter \*.*/

# I don't choose to use /etc/ftpusers file (set inside the users you want to ban, not useful for me)
UseFtpUsers off

# Allow to restart a download
AllowStoreRestart on
# Port 21 is the standard FTP port, so you may prefer to use another port for security reasons (choose here the port you want)
Port 23

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 077

PersistentPasswd off

MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8

# Display a message after a successful login
AccessGrantMsg "welcome !!!"
# This message is displayed for each access good or not
ServerIdent on "you're at home"

MaxLoginAttempts 5
DefaultRoot ~

<Limit LOGIN>
AllowUser razer
AllowUser nucftp
Deny ALL
</Limit>

<Limit ALL>
Order Allow,Deny
AllowUser razer
Deny ALL
</Limit>

<Limit READ STOR RETR REST PWD NLST LIST DELE CWD>
AllowUser nucftp
Deny ALL
</Limit>




and this made me get 530 ALL THE TIME, but when I removed it all is fine...

AuthAliasOnly on

# Choose here the user alias you want !!!!
UserAlias sauron userftp

Dayvo
October 2nd, 2008, 05:18 PM
I'm really struggling to get TLS with gproftpd. I installed proftpd and gproftpd just like at the beginning of the tutorial and followed all the instructions to create the TLS certificates and stuff, but it seems as though the module is not being loaded at all. I can connect to the FTP fine without TLS, but when I select Auth TLS in FlashFXP I get:

[R] AUTH TLS
[R] 500 AUTH not understood
[R] Failed SSL/TLS negotiation, disconnected
[R] Connection failed (Connection lost)

I checked the TLS log but it is blank (the file/path doesn't even exist!)

Can anyone point me in the right direction?

This is my proftpd.conf file:

Include /etc/proftpd/modules.conf

ServerType standalone
DefaultServer on
Umask 022
ServerName "xxx.xxx.xxx.xxx"
ServerIdent on "SupaBox"
ServerAdmin Admin@this.domain.topdomain
IdentLookups off
UseReverseDNS off
Port 443
PassivePorts 49152 65534
#MasqueradeAddress None
TimesGMT off
MaxInstances 30
MaxLoginAttempts 3
TimeoutLogin 300
TimeoutNoTransfer 600
TimeoutIdle 600
DisplayLogin welcome.msg
User nobody
Group nobody
DirFakeUser off nobody
DirFakeGroup off nobody
DefaultTransferMode binary
AllowForeignAddress off
AllowRetrieveRestart on
AllowStoreRestart on
DeleteAbortedStores off
TransferRate RETR 1100
TransferRate STOR 1100
TransferRate STOU 1100
TransferRate APPE 1100
SystemLog /var/log/secure
RequireValidShell off
#gp_random_username_length 6
#gp_random_password_length 6
#gp_randomize_case lower
#gp_useradd_homedir_path /var/ftp
#gp_html_path /var/www/html/ftp.htm
#gp_welcome_name welcome.msg

<IfModule mod_ratio.c>
Ratios off
SaveRatios off
RatioFile "/restricted/proftpd_ratios"
RatioTempFile "/restricted/proftpd_ratios_temp"
CwdRatioMsg "Please upload first!"
FileRatioErrMsg "FileRatio limit exceeded, upload something first..."
ByteRatioErrMsg "ByteRatio limit exceeded, upload something first..."
LeechRatioMsg "Your ratio is unlimited."
</IfModule>
<Limit LOGIN>
AllowUser admin
DenyALL
</Limit>

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/ftpd/tls.log
TLSProtocol TLSv1

# Are clients required to use FTP over TLS when talking to this server?
TLSRequired on

# Server's certificate
TLSRSACertificateFile /etc/ftpcert/server.crt
TLSRSACertificateKeyFile /etc/ftpcert/server.key

# CA the server trusts
TLSCACertificateFile /etc/ftpcert/ca.crt

# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
</IfModule>

<Anonymous /home/admin>
User admin
Group ftp
AnonRequirePassword on
MaxClients 5 "The server is full, hosting %m users"
DisplayLogin welcome.msg
<Limit LOGIN>
Allow from all
Deny from all
</Limit>
AllowOverwrite off
AllowOverwrite on
<Limit LIST NLST STOR STOU APPE RETR RNFR RNTO DELE MKD XMKD SITE_MKDIR RMD XRMD SITE_RMDIR MDTM PWD XPWD SIZE STAT CWD XCWD CDUP XCUP >
AllowAll
</Limit>
<Limit SITE SITE_CHMOD SITE_CHGRP >
DenyAll
</Limit>
</Anonymous>

blithen
October 4th, 2008, 03:27 AM
Never mind 'AuthAliasOnly on'
was 'off'

Sir Jake
October 4th, 2008, 06:07 PM
Where do I change my user's password?
Someone else set up proftp with webmin; in the config file I can see my username. No clue what my password was set up as.
Thanks for any help. Jake

blithen
October 4th, 2008, 06:44 PM
Where do I change my user's password?
Someone else set up proftp with webmin; in the config file I can see my username. No clue what my password was set up as.
Thanks for any help. Jake
If you followed frodon's tutorial you change the password by doing...
sudo passwd userftp

blithen
October 5th, 2008, 02:30 PM
Now it's just giving me a connection refused. I'm trying to access it from a VMWare virtual server, you know to simulate someone trying to access it from the outside.

AppleSeed666
October 6th, 2008, 09:50 PM
Hello everyone

I followed these instructions line by line and have set up the proftpd server on my Ubuntu desktop. I have a static IP assigned to this PC so I don't have any issues w/ routers.

Everything seemed to work, however, when I try and go "ftp ipAddress" of the Ubuntu box it can't connect. Am I missing something here?

blithen
October 15th, 2008, 03:29 AM
Hello everyone

I followed these instructions line by line and have set up the proftpd server on my Ubuntu desktop. I have a static IP assigned to this PC so I don't have any issues w/ routers.

Everything seemed to work, however, when I try and go "ftp ipAddress" of the Ubuntu box it can't connect. Am I missing something here?
Actually yes, if you followed everything correctly you need to connect to the server through a client such as FileZilla.
sudo apt-get install filezilla
Then once installed, run it and for your host put your IP address.
And well, everything else is self explanatory.

scullkrusher
October 17th, 2008, 09:52 AM
When I was setting up my user account I made a typo in the name and didn't realize it. My question is: is there a way to remove a user account? Is there also a way to change the root directory?

frodon
October 17th, 2008, 10:08 AM
Of course there is :)

In the System > Administration menu you should have an item pointing to the Users & Groups window, which allows you to handle all the user and group stuff.
You can do it using the command line too, with the "userdel" tool.

scullkrusher
October 17th, 2008, 11:08 AM
Ahh thanks. I was trying to type userdelete rather than userdel. I also find the Users and Groups menu easier to use than the terminal commands and it never occurred to me to use that for some reason. That would've saved me a bunch of time. I've been using Ubuntu for a week now and I've learned a lot so far, and things are going better than I thought they would. Just a few minor hang-ups like these.

Thanks for the help.

angelkiller
October 20th, 2008, 09:06 PM
Ok, I followed your guide from the first page and got proftpd set up. Everything is working. But there are some things I'd like to change about how it works. First, before I used your guide, I was logging into the server (via FTP) with the same user/password that I used to log into the system. I was using whatever proftpd.conf came installed. (I didn't change anything.) My first question is: how safe is that? Now, when logged in as that user, I could go anywhere on the filesystem that I wanted. I liked being able to access everything. How can I do this again?

I'm no linux expert, so keep that in mind. ;-) Thanks!

frodon
October 21st, 2008, 04:14 AM
If you mean access to your whole system, nothing is more dangerous and I would strongly advise you to use SSH over FTP for this use.

Having said this, you only need to set the DefaultRoot directory to /

angelkiller
October 21st, 2008, 05:23 PM
Thanks for the response. So giving access to / over FTP is really unsafe. Why? I enabled TLS/SSL encryption from the guide. Is this secure enough? If not, exactly how do I use SSH and FTP together?

Now you also said that to give me access to / all I had to do was change defaultroot to /. I did this but nothing seems to have changed. / is my default folder, but the only folders I have access to are still the upload and download folders. Is there something else I have to change?

Thanks again.

frodon
October 22nd, 2008, 03:09 AM
Have you modified both?:
# Set /home/FTP-shared directory as home directory
DefaultRoot /home/FTP-shared

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

Giving access to / is unsafe by nature, and in general users giving access to / want to remotely administer their computer; that's why SSH is more used when you want full access.

Now about which is the easiest to crack between FTP with TLS and SSH, I don't know, but in both cases I strongly recommend a well defined firewall, maybe also protecting you from brute force attacks, and before all a strong password :).

Mantecore
October 24th, 2008, 01:55 AM
proftpd is working great, but I have a quick question about the Useful Trick permanent mount trick. Here is my /etc/fstab file (I've added the last 3 lines).


# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
# /dev/sdb1
UUID=20d564bc-2e44-42b8-8918-968c182aacb6 / ext3 relatime,errors=remount-ro 0 1
# /dev/sdb5
UUID=db43db79-44cc-4a20-8e31-6e8be90dd54a none swap sw 0 0
/dev/scd1 /media/cdrom0 udf,iso9660 user,noauto,exec,utf8 0 0
/dev/scd0 /media/cdrom1 udf,iso9660 user,noauto,exec,utf8 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0
/dev/sda1 /media/hd2 ext3 defaults 0 0
/media/hd2/backup/externalHD/My\ Music /media/music vfat bind 0 0
/media/music /home/steve/music vfat bind 0 0


but when I boot, the folders don't automatically mount and when I run sudo mount -a I get the output


steve@sklesser-server:/media/music$ sudo mount -a
[mntent]: line 13 in /etc/fstab is bad



where line 13 is the second to last line. However, when I run sudo mount -o bind it works. Any ideas on what could be causing this? Thank you!

frodon
October 24th, 2008, 04:29 AM
From my first look I see no big mistake; however I find it strange that you mount a directory in another one to mount this directory again elsewhere. I have never tested the mount -o bind command with 2 layers of bind.

Penteado
October 26th, 2008, 07:23 AM
Hello, I followed the guide. But I can't connect to the FTP server even on the LAN. The FTP server is on my desktop and I'm trying to connect from my laptop. I've enabled the port forwarding to port 21 but still no connection...

I can see that the service is up and running.

bruno@bruno-desktop:~$ ps aux | grep proftp
nobody 7445 0.0 0.1 9908 1604 ? Ss 11:13 0:00 proftpd: (accepting connections)

I'll paste my proftpd.conf



#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 off

ServerName "Debian"
ServerType standalone
DeferWelcome off

MultilineRFC2228 on
DefaultServer on
ShowSymlinks on

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"

#DenyFilter \*.*/

# Use this to jail all users in their homes
DefaultRoot ~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell off

# Port 21 is the standard FTP port.
Port 21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts 49152 65534

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress 1.2.3.4

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder *mod_auth_pam.c mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off

# Choose a SQL backend among MySQL or PostgreSQL.
# Both modules are loaded in default configuration, so you have to specify the backend
# or comment out the unused module in /etc/proftpd/modules.conf.
# Use 'mysql' or 'postgres' as possible values.
#
#<IfModule mod_sql.c>
# SQLBackend mysql
#</IfModule>

TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log

<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayFirstChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>

#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
DenyALL
</Limit>

<Directory /home/bruno/FTP-shared/>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/bruno/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/bruno/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>



I'm on Hardy, 8.04, 2.6.24-21 kernel.

I'll appreciate any help.

Thank You
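A small checker for the block structure of a proftpd.conf, added here as an example (not part of ProFTPD or the tutorial). It catches two slips that are easy to make when hand-editing <Directory> and <Limit> blocks like the ones pasted in this thread: a path that ends up outside the section tag (`<Directory> /path>` instead of `<Directory /path>`) and a misspelled FTP command inside <Limit> (RNRF where the rename command is RNFR, so the DenyAll does not cover renames). The command list and sample config are my own.

```python
"""Lint the <Directory>/<Limit> skeleton of a proftpd.conf.

Added example for this thread; not part of ProFTPD or the tutorial. It flags
a section tag whose argument landed outside the angle brackets, e.g.
"<Directory> /home/FTP-shared/upload/>", an unknown FTP command inside
<Limit ...> such as RNRF (the rename command is RNFR, so a DenyAll over RNRF
does not cover renames), and unbalanced section tags.
"""
import re

# FTP commands and ProFTPD command groups that are valid inside <Limit>
# (the ones used in this thread plus the common groups; extend as needed).
KNOWN_LIMIT_WORDS = {
    "ALL", "LOGIN", "DIRS", "READ", "WRITE",
    "CWD", "XCWD", "CDUP", "XCUP", "PWD", "XPWD", "LIST", "NLST", "MLSD", "STAT",
    "RETR", "STOR", "STOU", "APPE", "REST", "SIZE", "MDTM",
    "DELE", "RNFR", "RNTO", "MKD", "XMKD", "RMD", "XRMD",
    "SITE", "SITE_CHMOD", "SITE_CHGRP", "SITE_MKDIR", "SITE_RMDIR",
}

# "<Name args>" with anything left over after the closing '>' captured separately
OPEN_TAG = re.compile(r"^<(\w+)(?:\s+(.*?))?>\s*(.*)$")
CLOSE_TAG = re.compile(r"^</(\w+)>$")


def lint_proftpd_conf(text):
    """Return a list of (line_number, message) findings; an empty list means clean."""
    findings = []
    stack = []  # names of currently open sections, for matching </...>
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # comments and blank lines are ignored
        if not line:
            continue
        m = CLOSE_TAG.match(line)
        if m:
            if stack and stack[-1] == m.group(1):
                stack.pop()
            else:
                findings.append((lineno, f"unexpected </{m.group(1)}>"))
            continue
        m = OPEN_TAG.match(line)
        if not m:
            continue  # an ordinary directive; not checked here
        name, args, trailing = m.group(1), m.group(2), m.group(3)
        stack.append(name)
        if trailing:
            findings.append((lineno, f"<{name}>: text after the closing '>' ({trailing!r}); "
                                     "the argument belongs inside the tag"))
        elif name == "Directory" and not args:
            findings.append((lineno, "<Directory> needs a path argument"))
        if name == "Limit" and args:
            for word in args.split():
                if word.upper() not in KNOWN_LIMIT_WORDS:
                    findings.append((lineno, f"<Limit>: unknown command {word!r}"))
    for name in stack:
        findings.append((0, f"section <{name}> is never closed"))
    return findings


# Constructed sample in the style of the FTP-shared Directory blocks of this thread.
SAMPLE_CONF = """\
# constructed sample: a read-only download tree and an upload drop box
<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNRF RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory> /home/FTP-shared/upload/>
Umask 022 022
<Limit READ RMD DELE>
DenyAll
</Limit>
</Directory>
"""

if __name__ == "__main__":
    for lineno, message in lint_proftpd_conf(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```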

frodon
October 26th, 2008, 11:16 AM
Could you paste your FTP client log so that we can see the nature of the problem?

Thanks.

Penteado
October 26th, 2008, 02:55 PM
The log shows a blank; it just hangs when I try to log in. :s

just says :


Looking up : 192.168.1.67
Trying 192.168.1.67:21


I think the problem isn't in the proftpd configuration but something else, because I also tried through SSH and it hangs the same way. I opened both ports on the router. Don't know what to do next :/

Penteado
October 26th, 2008, 03:53 PM
I just tried on localhost and it works fine. Besides port forwarding port 21, are there any other issues that block external connections (including LAN)?

Note: just noticed I can't even ping both machines (helpful?)

Second note: I have been doing some reading, although I couldn't understand much; found some threads talking about iptables and ftp/ssh servers. Does iptables by default block this kind of service? I never worked with those before, and never changed anything since I installed Ubuntu.

Thank you in advance

Penteado
October 26th, 2008, 05:29 PM
Hey, I have figured it out!

I'm a complete newbie, but I figured out that Ubuntu comes with a built-in firewall (iptables). I have started to read some tutorials and am understanding chains and policies, but in the meantime I found out that Firestarter is a frontend to configure iptables, so I've managed to allow ftp / ssh.

I'm gonna need to understand iptables better for the future, so do you know a good tutorial or documentation?

I just can't access the server from an external IP. Any info?

Thank You

frodon
October 27th, 2008, 03:15 AM
I've written one for beginners if interested:
http://ubuntuforums.org/showthread.php?t=159661&highlight=iptables

Penteado
October 27th, 2008, 11:07 AM
Yes, great howto, I've managed to open the ports already. But I can't get people from outside my local network to connect to the FTP server.

I've read something about passive and active FTP servers. But couldn't get any configuration to solve the problem.

Can you help me in this issue?

Thank you so much

frodon
October 27th, 2008, 11:15 AM
Read the iptables tutorial thread from post 169; you will see a user who managed to get everything working with passive connections, although passive FTP is not mandatory.

Are you using a router ?

Penteado
October 27th, 2008, 11:34 AM
Read the iptables tutorial thread from post 169; you will see a user who managed to get everything working with passive connections, although passive FTP is not mandatory.

Are you using a router ?

Yes I am :s

frodon
October 27th, 2008, 11:43 AM
Ok, so I strongly advise you to read this post in detail:
http://ubuntuforums.org/showpost.php?p=680702&postcount=81

It explains the steps to follow to get the FTP server working through a router, on the FTP server config side and on the router side too.

Hope it will answer your questions.

Penteado
October 27th, 2008, 11:45 AM
:)

Penteado
October 27th, 2008, 11:46 AM
Read the iptables tutorial thread from post 169; you will see a user who managed to get everything working with passive connections, although passive FTP is not mandatory.

Are you using a router ?

gonna test and will be back with the result ;)

Penteado
October 27th, 2008, 04:36 PM
Still the same; I used the config provided by that post. Got this error while restarting the service:

- warning: the DisplayFirstChdir directive is deprecated and will be removed in a future release. Please use the DisplayChdir directive.


And what's the functionality of MasqueradeAddress?

And what do these comments mean?

# These ports should be safe...
PassivePorts 60000 65535

What am I missing? :(

frodon
October 28th, 2008, 03:43 AM
MasqueradeAddress is mandatory when using a router; here you must put either your domain name or the IP of the router.

The PassivePorts command allows you to define accurately which ports to use in passive mode.

Penteado
October 28th, 2008, 10:02 AM
Should I port forward the passive ports as well?

Thank you

frodon
October 28th, 2008, 10:08 AM
I don't think so.

Penteado
October 28th, 2008, 06:54 PM
Still no go :s

Penteado
October 28th, 2008, 08:38 PM
Here's my proftpd.conf


#
# /etc/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#
AllowOverwrite on
AuthAliasOnly off

# Choose here the user alias you want !!!!
UserAlias frbr userftp


ServerName "Debian"
ServerType standalone
DeferWelcome on

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

#DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"

RequireValidShell off

TimeoutLogin 20

RootLogin off

# It's better for debug to create log files ;-)
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xferlog
SystemLog /var/log/syslog.log

#DenyFilter \*.*/

# I don't choose to use /etc/ftpusers file (set inside the users you want
#to ban, not useful for me)
UseFtpUsers off

# Allow to restart a download
AllowStoreRestart on



# Uncomment this if you are using NIS or LDAP to retrieve passwords:
PersistentPasswd off

# Uncomment this if you would use TLS module:
#TLSEngine on

# Uncomment this if you would use quota module:
#Quotas on

# Uncomment this if you would use ratio module:
#Ratios on

# Port 21 is the standard FTP port, so don't use it for security reasons
#(choose here the port you want)
Port 1980
#Port 21

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 8

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
#AllowOverwrite on

# Display a message after a successful login
AccessGrantMsg "welcome !!!"
# This message is displayed for each access good or not
ServerIdent on "you're at home"

# Set /home/FTP-shared directory as home directory
DefaultRoot /home/FTP-shared

# Lock all the users in home directory, ***** really important *****
DefaultRoot ~

MaxLoginAttempts 5

#VALID LOGINS
<Limit LOGIN>
AllowUser userftp
#AllowUser frbr
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNFR RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/upload/>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>

# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
#DelayEngine off

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayFirstChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>

MasqueradeAddress 192.168.1.254

# These ports should be safe...
PassivePorts 60000 65535

UseReverseDNS off
IdentLookups off


I'm port forwarding 20,21,1980.

And using Firestarter (iptables front-end) allowing connections on 21.21.1980

Any clues?

frodon
October 29th, 2008, 04:05 AM
Try to set up and configure your FTP server on port 21; it is way easier in general when dealing with a router, firewall and passive ports.

BTW MasqueradeAddress must be the IP of your router not the IP of your computer on local network.
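To make the MasqueradeAddress and PassivePorts discussion concrete, here is an added example (my code, not from the thread or ProFTPD) that parses the "227 Entering Passive Mode" reply a server sends and reports what a client outside the LAN would trip over: a private address such as 192.168.1.254 advertised instead of the public one, or a port outside the PassivePorts range the router and firewall were opened for. The sample reply is constructed from the config posted above; the range defaults to its 60000-65535.

```python
"""Check what a ProFTPD server advertises in its PASV reply.

Added example for this thread, not part of ProFTPD or the tutorial. Behind a
router the server must advertise the public address (MasqueradeAddress) and a
port inside the PassivePorts range that the router and firewall let through;
otherwise a client outside the LAN gets a private address such as
192.168.1.254 in the "227 Entering Passive Mode" reply and the data
connection never opens. parse_pasv() decodes the reply, check_pasv() lists
what an external client would trip over.
"""
import ipaddress
import re

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2) with port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; ValueError if it is malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def check_pasv(reply, passive_range=(60000, 65535), control_ip=None):
    """Problems an Internet client would have with this reply (empty list = fine).

    passive_range mirrors the server's PassivePorts directive; control_ip is the
    address the client connected to, if known, for a mismatch check.
    """
    ip, port = parse_pasv(reply)
    addr = ipaddress.ip_address(ip)
    problems = []
    if addr.is_private or addr.is_loopback:
        problems.append(f"advertised address {ip} is not routable from the Internet; "
                        "MasqueradeAddress should be the public address")
    lo, hi = passive_range
    if not lo <= port <= hi:
        problems.append(f"advertised port {port} is outside PassivePorts {lo}-{hi}, "
                        "so rules opened for that range do not cover it")
    if control_ip is not None and ip != control_ip:
        problems.append(f"advertised address {ip} differs from the control "
                        f"connection address {control_ip}")
    return problems


# Constructed reply, as a server with "MasqueradeAddress 192.168.1.254" and
# "PassivePorts 60000 65535" would send it: port 234*256 + 97 = 60001.
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,1,254,234,97)."

if __name__ == "__main__":
    for problem in check_pasv(SAMPLE_REPLY) or ["no problems found"]:
        print(problem)
```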

Sowa
November 1st, 2008, 10:42 AM
Hi, I tried to set up a proftpd server with TLS (FTPS).

my config:



# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "FTPS Server"
ServerType standalone
DefaultServer on

# Port 21 is the standard FTP port.
Port 21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30

# Set the user and group under which the server will run.
User nobody
Group nogroup

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite on
AllowRetrieveRestart on
AllowStoreRestart on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
DenyAll
</Limit>

# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous /data/ftp/Pub/Download>
User ftp
Group ftp

# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
RootLogin off
RequireValidShell off

# Limit the maximum number of anonymous logins
MaxClients 10

# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayChdir .message


# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>

</Anonymous>

<IfModule mod_tls.c>

#Security (TSL/SSL Layer)
TLSEngine on
TLSLog /var/log/proftpd/tsl.log
TLSProtocol TLSv1
TLSRequired off
TLSRSACertificateFile /etc/proftpd/ftpcert/server.crt
TLSRSACertificateKeyFile /etc/proftpd/ftpcert/server.key

TLSCACertificateFile /etc/proftpd/ftpcert/ca.crt

TLSVerifyClient off
</IfModule>


With
sudo proftpd -nd5 -c /etc/proftpd/proftpd.conf
I see

server (xxxxx) - FTP session requested from unknown class
server (xxxxx) - connected - local : Server IP:21
server (xxxxx) - connected - remote : Remote IP:50594
server (xxxxx) - FTP session opened.
server (xxxxx) - dispatching PRE_CMD command '' to mod_tls
server (xxxxx) - dispatching PRE_CMD command '' to mod_core
server (xxxxx) - dispatching PRE_CMD command '' to mod_core
server (xxxxx) - dispatching LOG_CMD_ERR command '' to mod_log
server (xxxxx) - mod_tls/2.1.2: scrubbing 1 passphrase from memory
server (xxxxx) - FTP session closed.


In the tls_log I get this

Nov 01 15:08:57 mod_tls/2.1.2[25298]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
Nov 01 15:09:07 mod_tls/2.1.2[25298]: SSL/TLS required but absent on control channel, denying ^V^C^B command


I am using FileZilla 3.1.5, connecting with FTPS and normal auth

- ProFTPD Version 1.3.1

Compiled-in modules:
mod_core.c
mod_xfer.c
mod_auth_unix.c
mod_auth_file.c
mod_auth.c
mod_ls.c
mod_log.c
mod_site.c
mod_delay.c
mod_tls.c
mod_cap.c



What did I do wrong, what can I do?


thanks :)
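The "denying ^V^C^B command" entry in the TLSLog above carries the answer in caret notation, and this added example (my code, not from the thread or ProFTPD) decodes it: ^V^C^B is the byte sequence 0x16 0x03 0x02, the header of a TLS handshake record (TLSv1.1), which means the client opened TLS before sending any FTP command. A mod_tls configuration like the one posted, TLSEngine on the plain port 21, does explicit TLS: the client must connect in the clear and send AUTH TLS first (FileZilla's FTPES server type, as opposed to its FTPS type, which is implicit TLS). The sample line is the one quoted in the post.

```python
"""Decode the 'denying ^V^C^B command' entry from a ProFTPD TLSLog.

Added example for this thread; not part of ProFTPD or the tutorial. mod_tls
writes unprintable bytes of the rejected "command" in caret notation, so
^V^C^B is 0x16 0x03 0x02: a TLS record of type 22 (handshake), version 3.2
(TLSv1.1). The client began a TLS handshake before sending any FTP command,
which is what an implicit-FTPS client does; on a port where the server waits
for the explicit AUTH TLS exchange (FTPES) the handshake bytes are read as an
unknown FTP command, which is the "command" the log line denies.
"""
import re

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# The log line ends with: ... denying <caret-encoded bytes> command
DENIED_RE = re.compile(r"denying (.*?) command\s*$")


def caret_decode(text):
    """Turn caret notation back into bytes: ^V -> 0x16, ^@ -> 0x00, ^? -> 0x7f."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "^" and i + 1 < len(text):
            nxt = text[i + 1]
            out.append(0x7F if nxt == "?" else ord(nxt.upper()) ^ 0x40)
            i += 2
        else:
            out.extend(text[i].encode("latin-1"))
            i += 1
    return bytes(out)


def classify_denied_command(raw):
    """Return (kind, explanation): what the client actually sent on the control channel."""
    if len(raw) >= 3 and raw[0] in TLS_CONTENT_TYPES and raw[1] == 3:
        version = TLS_VERSIONS.get((raw[1], raw[2]), f"unknown 3.{raw[2]}")
        return ("tls_record",
                f"TLS {TLS_CONTENT_TYPES[raw[0]]} record, {version}: the client started "
                "TLS immediately (implicit FTPS) instead of sending AUTH TLS first (FTPES)")
    try:
        cmd = raw.decode("ascii").strip()
    except UnicodeDecodeError:
        return "binary", "unprintable data that is neither FTP nor a TLS record"
    return "ftp_command", f"plain FTP command {cmd!r} sent while TLS is required"


def explain_tls_log_line(line):
    """Classify one TLSLog line, or return None if it is not a 'denying ... command' entry."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    return classify_denied_command(caret_decode(m.group(1)))


# The line quoted in the post above.
SAMPLE_LOG_LINE = ("Nov 01 15:09:07 mod_tls/2.1.2[25298]: SSL/TLS required but absent "
                   "on control channel, denying ^V^C^B command")

if __name__ == "__main__":
    kind, explanation = explain_tls_log_line(SAMPLE_LOG_LINE)
    print(kind, "-", explanation)
```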

sykostig
November 2nd, 2008, 10:16 PM
Great How-To. Got it all set up now :)

I wonder if it's possible for me as "main user" on the computer to save files to the Download folder with subfolders. But I only want 1 user to be able to add files there.

frodon
November 3rd, 2008, 03:52 AM
Bad idea in general to connect with your main user, which has root access, especially because he has root access.

Anyway, to allow your user it is as simple as adding your user in the LIMIT LOGIN section and creating an alias for him if you use aliases.

If you want to go further, proftpd offers you a second way to handle users able to log in, via virtual users:
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-VirtualUsers.html

sykostig
November 3rd, 2008, 05:04 AM
Bad idea in general to connect with your main user, which has root access, especially because he has root access.

Anyway, to allow your user it is as simple as adding your user in the LIMIT LOGIN section and creating an alias for him if you use aliases.

If you want to go further, proftpd offers you a second way to handle users able to log in, via virtual users:
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-VirtualUsers.html
Maybe I stated my question a little confusingly.
Let's call my main account on my Ubuntu box "bob". I want "bob" to have write and read permission to /home/FTP-share/download/ (including subfolders) without the sudo command, since I will RSS download to that directory.


Edit:
I fixed it with this

cd /home
sudo chown -R <username>.<usergrp> FTP-shared

without the <> ofc.

frodon
November 3rd, 2008, 05:26 AM
Maybe tweak the User and Group directives so that files uploaded on the FTP server are owned by the user of your choice.

I think it is where to look.

streetart
November 5th, 2008, 11:40 AM
I had some real problems with this. But I am totally new so I thought maybe I had made a silly mistake. I typed up my problems in the Beginners Section here (http://ubuntuforums.org/showthread.php?t=971268#post6107743).

uneo
November 10th, 2008, 08:28 AM
Hi, I'm totally new to Linux & with this tutorial I was able to install gproftp, but I want to change the home directory to /home from /var and can't find the way to do it. :confused:

GoFishy
November 10th, 2008, 04:10 PM
very nice tutorial..

i thank you

metalguy639
November 11th, 2008, 06:48 PM
I get an error when I try to click on the GUI. I go to "Applications > System Tools > GADADMIN-PROFTPD" and I get a box that says:

Could Not Launch The Menu Item:

Failed to execute child process "su-to-root" (No such file or directory)

How do I get the program to open??

anunnak
November 12th, 2008, 09:15 AM
limit transfer speed /and/ failed transfers
- is there a way to limit transfer speed per group or directory?
- I have limited MaxClientsPerUser and MaxClientsPerHost to 2 (max simultaneous transfers)
but there is a problem when I use an ftp client and put a bunch of files in the queue. Only two start to transfer, which is okay, but all the others that should be waiting in the queue are cancelled as "failed transfer".
thank you in advance

anunnak
November 12th, 2008, 09:24 AM
_

anunnak
November 12th, 2008, 09:36 AM
I get an error when I try to click on the GUI. I go to "Applications>System Tools>GADADMIN-PROFTPD and I get a box that says:

Could Not Launch The Menu Item:

Failed to execute child process "su-to-root" (No such file or directory)

How do I get the program to open??


It's an Intrepid bug. You have to install the newest version from

http://debian.cs.binghamton.edu/debi...3.5-2_i386.deb

sudo dpkg -i gadmin-proftpd_0.3.5-2_i386.deb

frodon
November 12th, 2008, 09:41 AM
you should find all the needed tutorials there :
http://www.castaglia.org/proftpd/

anunnak
November 12th, 2008, 09:51 AM
Hi, I'm a total newbie to Linux, and with this tutorial I was able to install gproftpd, but I want to change the home directory to /home from /var and can't find the way to do it.

Don't change the home dir! Make a link to it in home:


mkdir /home/your_username/mounted_var
sudo mount --bind /var /home/your_username/mounted_var


If you want to access it every time you boot, put
the line below into /etc/fstab (# sudo vim /etc/fstab):

/var /home/your_username/mounted_var none bind 0 0



Or another solution: make a symlink


ln -s /var /home/your_username

You can't list this folder via ftp if you are grounded to "home".

DragonFlyEye
November 28th, 2008, 09:48 AM
Just wanted to say "Thanks" for all the great information. So, thanks!:guitar:

captclearleft
December 7th, 2008, 01:42 PM
First: Great Post, Very Informative. Thanks.

I am noobie 1, and I am learning. Many apologies...

I have been running a Samba file/print server (ubuntu desktop) for some time successfully.

I would like to now set up an FTPs.

Do I need to disable samba?
Do the Samba settings create a security hole or risk?
Will both run at the same time?
Can I keep the shared samba directories separate from the FTP directories?

Second Note:

I tried Firestarter when I first got things up and running (Samba), however it disabled my ability to print over the network. All attempts to correct it (port allowing...) were unsuccessful, so I got rid of Firestarter. Now I block non-local traffic to the file server (Samba) through my router.

If I use PROFTPD would you recommend "firestarter"?

Thank You

ccl

tmcmulli
December 8th, 2008, 10:03 AM
If you're inside a firewall/router, you probably don't need something like Firestarter. I used to use it, but have removed it as it really didn't ever catch anything. Samba directories and FTP directories are set through the respective config files, so yes, you can keep them separate if you like.

It all depends on what you are doing with your FTP server... are you using this internal to your network, or are you using it to share files on the Internet?? If the latter, you'll want to make sure you chroot the FTP users so they can't browse your server.

Samba/Proftpd run on separate ports, so no security hole if you're behind the router. If your FTP is a private one, I recommend changing the default port it runs on (which is 21) because most crack attempts will be blindly set on that port. Also look into hosts.allow/hosts.deny settings as well as a package called fail2ban.

This basically locks people out of your system after x attempts...
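
To make "lock people out after x attempts" concrete, here is an added example for this thread (written for this page; it is not fail2ban's code and not code from anyone in the thread). It applies fail2ban's maxretry/findtime logic to ProFTPD login failures: an address is flagged once it has maxretry failures inside a findtime-second window. The log lines are constructed to match the shape ProFTPD writes to syslog for failed and successful logins; the hostnames, addresses and user names are made up. A real deployment hands the flagged addresses to a firewall rule, which this block deliberately does not do.

```python
"""Flag source addresses with too many failed ProFTPD logins in a short time.

Added example for this thread (not fail2ban's code, not the thread author's).
Constructed syslog-style lines stand in for /var/log/syslog or ftp.log.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, modelled on ProFTPD's syslog messages for login attempts.
SAMPLE_LOG = """\
Dec  8 10:01:02 basement proftpd[4211]: basement (198.51.100.7[198.51.100.7]) - USER admin: no such user found from 198.51.100.7 [198.51.100.7] to 192.168.0.101:21
Dec  8 10:01:05 basement proftpd[4212]: basement (198.51.100.7[198.51.100.7]) - USER root (Login failed): Incorrect password.
Dec  8 10:01:09 basement proftpd[4213]: basement (198.51.100.7[198.51.100.7]) - USER test (Login failed): Incorrect password.
Dec  8 10:02:30 basement proftpd[4214]: basement (192.168.0.12[192.168.0.12]) - USER rob (Login failed): Incorrect password.
Dec  8 10:02:41 basement proftpd[4215]: basement (192.168.0.12[192.168.0.12]) - USER rob: Login successful.
Dec  8 10:05:00 basement proftpd[4216]: basement (198.51.100.7[198.51.100.7]) - USER ftp (Login failed): Incorrect password.
"""

# Matches a failed login (wrong password or unknown user); successful logins do not match.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
    r"\((?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]\) - USER (?P<user>\S+?)"
    r"(?: \(Login failed\): Incorrect password\.|: no such user found.*)$"
)


def failures_per_ip(log_text):
    """Total failed-login count per source address, ignoring timing."""
    return Counter(m.group("ip") for m in map(FAILED_LOGIN.match, log_text.splitlines()) if m)


def offenders(log_text, maxretry=3, findtime=600):
    """Addresses that reach maxretry failures within findtime seconds.

    Returns {ip: time of the failure that crossed the threshold}. Later lines from
    an address already over the threshold are skipped, as a banned host's would be.
    """
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if not m or m.group("ip") in banned:
            continue
        ip = m.group("ip")
        # syslog timestamps carry no year; strptime fills in 1900, fine for time deltas
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:   # expire old failures
            window.pop(0)
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    print(failures_per_ip(SAMPLE_LOG))
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip}: threshold reached at {when:%H:%M:%S}")
```

With the defaults, 198.51.100.7 is flagged at its third failure (10:01:09) while the single mistyped password from the LAN host is not; shrinking findtime to a few seconds makes the same three failures fall into separate windows and nothing is flagged, which is the knob to turn when legitimate users keep tripping the rule.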

captclearleft
December 11th, 2008, 12:01 AM
Thanks,

I am behind a router/firewall. My Samba file server is set up for the local network only.

It works great!!! It was super cheap to set up, and the best investment ever. I would recommend it to anyone.

I think I will set up the FTP on another machine at first, just to play with it and get the security settings, and sharing figured out. I do not want to mess up my current configuration.

Thanks Again.

CCL

philosophia
December 26th, 2008, 01:03 PM
I'm having trouble getting TLS to work. The mod_tls section of my proftpd.conf looks like

<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
#TLSProtocol TLSv1
TLSProtocol SSLv23

# Are clients required to use FTP over TLS when talking to this server?
TLSRequired off
#TLSRequired on

# Server's certificate
TLSRSACertificateFile /etc/apache2/ftpcert/server.crt
TLSRSACertificateKeyFile /etc/apache2/ftpcert/server.key

# CA the server trusts
TLSCACertificateFile /etc/apache2/ftpcert/ca.crt

# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
</IfModule>


Although I'm able to connect using TLS/SSL encryption (FTPS), I'm unable to download any files - I get a 'Download Failed' error message. I get the following errors

I/O error
Download failed
No available certificate or key corresponds to the SSL cipher suites which are enabled.



220 you're at home
AUTH TLS
234 AUTH TLS successful
PBSZ 0
200 PBSZ 0 successful
PROT P
200 Protection set to Private
USER jay
331 Password required for jay
PASS ********
230 welcome !!!
NOOP
200 NOOP command successful
TYPE I
200 Type set to I
SIZE /download/test.txt
213 5
NOOP
200 NOOP command successful
MDTM /download/test.txt
213 20081224173213
NOOP
200 NOOP command successful
NOOP
200 NOOP command successful
SYST
215 UNIX Type: L8
STAT /download
211-Status of /download:
211-drwxr-xr-x 2 (?) (?) 4096 Dec 24 17:32 .
211-drwxr-xr-x 4 (?) (?) 4096 Dec 24 16:16 ..
211--rwxrwxr-x 1 (?) (?) 5 Dec 24 17:32 test.txt
211 End of status
CWD /download
250 CWD command successful
FEAT
211-Features:
MDTM
AUTH TLS
PBSZ
PROT
REST STREAM
SIZE
211 End
PORT 96,14,230,244,195,117
200 PORT command successful
RETR test.txt
150 Opening BINARY mode data connection for test.txt (5 bytes)
QUIT

Here's snippets from my tls.log

Dec 26 21:08:19 mod_tls/2.1.2[16323]: TLS/TLS-C requested, starting TLS handshake
Dec 26 21:08:22 mod_tls/2.1.2[16323]: TLSv1/SSLv3 connection accepted, using cipher RC4-MD5 (128 bits)
Dec 26 21:08:23 mod_tls/2.1.2[16323]: Protection set to Private
Dec 26 21:08:45 mod_tls/2.1.2[16324]: TLS/TLS-C requested, starting TLS handshake
Dec 26 21:08:48 mod_tls/2.1.2[16324]: TLSv1/SSLv3 connection accepted, using cipher RC4-MD5 (128 bits)
Dec 26 21:08:48 mod_tls/2.1.2[16324]: Protection set to Private
Dec 27 03:08:54 mod_tls/2.1.2[16324]: starting TLS negotiation on data connection


Any idea what's going on?

philosophia
December 29th, 2008, 03:14 PM
please for the love of god

frodon
December 30th, 2008, 06:57 AM
You should look at the proftpd forum; when no answers are given here on ubuntuforums, the proftpd forum is the place to go.

Your issue is above my current proftpd knowledge.

dmydmy
February 1st, 2009, 08:11 AM
You haven't specified that you need to change group and owner to userftp. Otherwise, they'll both be root and someone logging in as userftp won't be able to write to download, for instance.

chown userftp download

chgrp userftp download

HTH

shogan85
February 3rd, 2009, 07:15 PM
Hi all,

I have been trying to get ftp working on my ubuntu 8.04 virtual machine for some time now. I have followed this guide, and replaced the proftpd.conf file with the one in the first post. (See attached file)

I must point out that I have lampp installed, hosting a couple of sites on this machine, and that it seems to come with proftpd already. I have tried the tutorial, then stopped and started the proftpd service, but still no luck getting a login using my PC on the same lan, and filezilla client.

Under System - Administration - GPROFTPD,
I check the settings there, and at the top right it says, STATUS : DEACTIVATED

Even after starting the proftpd service from the terminal.

I have used /home/ftp as my ftp home directory, and added the upload / download dirs and permissions too.

Any ideas as to why this is not working? attached is my config file...

Thanks in advance!

102055

etamax
February 4th, 2009, 04:22 AM
Did you try to start it manually via /etc/init.d?
Did you check the /var/log/ftp.log for problems?

shogan85
February 4th, 2009, 05:55 AM
Did you try to start it manually via /etc/init.d?
Did you check the /var/log/ftp.log for problems?

Hi etamax,

The ftp server doesn't seem to be even initializing, as the log file under /var/log/ftp.log doesn't exist yet.

I have been trying to start the service by using :

sudo /etc/init.d/proftpd start

It returns a status of : * Starting ftp server proftpd
-warning: the DisplayFirstChdir directive is deprecated and will be removed in a future release. Please use the DisplayChdir directive. [ OK ]

As I said in the GPROFTPD gui, status says : Deactivated. Even after starting from init.d manually.

etamax
February 4th, 2009, 06:12 AM
Can you start it at a debug level 6? Then see if there is a problem...

sudo proftpd -nd6

shogan85
February 4th, 2009, 06:21 PM
Can you start it at a debug level 6? Then see if there is a problem...

sudo proftpd -nd6

etamax, you are the man! Thank you.

Ran that in "debug" mode, and the last line I saw indicated my problem.

It said something along the lines of failed to initialize, port 21 already in use. Went into my proftpd.conf file, and changed the port it uses to something else, connected from my client on that port number, and it works! Once again thank you.

Now that I have identified the issue, how do I figure out what is using 21 at the moment, and how do I kill off this process? I need to do some wordpress updates, and the built in web updater uses a standard FTP updater, which obviously connects on port 21 and nothing else, so I need proftpd to use 21 in the end.

Thanks for the help so far! :D

etamax
February 5th, 2009, 10:50 AM
^_^
To find out which port is in LISTEN status, you can try with:

netstat -anp --tcp --udp | grep LISTEN

shogan85
February 5th, 2009, 01:44 PM
^_^
To find out which port is in LISTEN status, you can try with:

netstat -anp --tcp --udp | grep LISTEN

Haha, ok well I ran that as root, and it shows inetd as using port 21.

No idea how I'm gonna get rid of inetd now though - if I do, are there any other processes that are going to be relying on it?

I have proftpd running now for my ftp needs so this shouldn't be an issue.

slouchez
February 5th, 2009, 02:42 PM
bonjour frodon
I'm in the newbie category and have a very simple and specific machine to machine application (on my desk) and I need my ftp server on the ubuntu machine. So gproftpd is ideal for me - but after configuring it (I have the setup working from a windows server - ip address - single user - which I duplicated) the server remains "deactivated" without giving me any diagnostics - also looked at /var/log/..
Also, even though I save the configuration (last tab) before exiting, changes are lost when I restart.
When I do try to connect I predictably get told "421 Service not available, remote server has closed connection"
What could I still be missing?

shogan85
February 5th, 2009, 03:02 PM
bonjour frodon
I'm in the newbie category and have a very simple and specific machine to machine application (on my desk) and I need my ftp server on the ubuntu machine. So gproftpd is ideal for me - but after configuring it (I have the setup working from a windows server - ip address - single user - which I duplicated) the server remains "deactivated" without giving me any diagnostics - also looked at /var/log/..
Also, even though I save the configuration (last tab) before exiting, changes are lost when I restart.
When I do try to connect I predictably get told "421 Service not available, remote server has closed connection"
What could I still be missing?

slouchez, try running that command that etamax gave me :

sudo proftpd -nd6

That will tell you if there is a problem with port 21... For me the last line told me that port 21 was in use by another process, which I have now been able to identify and work around.

shogan85
February 5th, 2009, 03:58 PM
Update! etamax, thank you very much for your help. After finding out what process it was (inetd) I went to the inetd.conf file and removed the FTP reference. killed inetd process and restarted it, then configured my proftpd.conf to use port 21 again instead of my custom port I had used yesterday to test, restarted that and I now have a fully functional FTP server again!

Once again thank you! :D

shogan85
February 5th, 2009, 06:49 PM
Ok so now my ftp is running well on local lan, I am getting issues with remote access :(

I have configured port forwarding on my router for 20 and 21 to forward to the internal IP of the FTP server. So that seems fine. I have also done 60000-60100 for passive connections, and done the masquerading and passive ports config in my proftpd.conf file. When it starts it says Masquerading as .... and my static IP.

I can connect to FTP server perfectly on LAN, but not remotely. Can't figure out why though. I am using FileZilla client.

Status: Resolving IP-Address for www.mydomain.co.uk
Status: Connecting to mystaticIP:21...
Status: Connection established, waiting for welcome message...
Response: 220 Inactivity timer = 120 seconds. Use 'site idle <secs>' to change.
Command: USER shogan
Response: 331 Password required.
Command: PASS ********
Response: 530 Permission denied
Error: Could not connect to server

That is using the exact same user and password as the internal FTP test which works... Tried resetting the password too. Any more ideas? :)

frodon
February 6th, 2009, 04:09 AM
If it works on your LAN and not outside then it's surely a firewall/router problem. Are you sure that you have forwarded the needed ports on your router?

shogan85
February 6th, 2009, 06:37 AM
If it works on your LAN and not outside then it's surely a firewall/router problem. Are you sure that you have forwarded the needed ports on your router?

Almost 100% sure as I have done all the other port forwarding for web, https, rdp on windows box, pptp vpn, etc. in the same way. I will however go and double check it just to be sure. I have setup proftpd to use port 21 so I should in theory, only require port 21 to be open to the ubuntu machine right?

frodon
February 6th, 2009, 07:34 AM
If I look at the /etc/services file, port 20 is required too for ftp-data. I think we just need to find which port forwarding is missing.

shogan85
February 8th, 2009, 09:26 AM
If I look at the /etc/services file, port 20 is required too for ftp-data. I think we just need to find which port forwarding is missing.

frodon, thanks for the reply :)

I have just swapped out my crap thomson router for a good old netgear dg834 and re-did all my port forwarding. FTP is now working 100% from external too, so as you said it had to be port forward issues on the router itself. Thanks for the guide, I have also now changed my default FTP home location to my site so I can now upload content via FTP...

:D

Tony25
February 27th, 2009, 06:41 PM
I have used proftpd for a year now, but the only thing I still don't understand how to fix is the ownership info of the folders and files in the home directories. I have more than 5 accounts on my server, I mean every account has its own home directory. I create them like this (example username: tony20, home folder name: tony):

useradd tony20 -d /home/tony -s /bin/false
passwd tony20

and then I see that all the files and folders in /home/tony get this info: User: tony20 Group: tony20

Is it possible to make these folders and files take the info user: ftp-user and group: ftp-group
automatically when you create the accounts?

Thanks

Packrat73
March 16th, 2009, 12:05 AM
Okay, I have looked through this entire thread (even doing the step by step on the first page) and I still get a 530 Login incorrect error. What am I missing? The shell login is right, the home dir is fine and chmod 755. I can log into the ftp using my own username and password (the admin of the box) from anywhere, but any user I create for the ftp never gets past the incorrect error.

Thanks for any help.

sanemanmad
March 16th, 2009, 04:33 AM
Why not just use sftp ? and chroot your user to their $HOME dir, or make default shell /bin/sh ?

jaywatkins
March 16th, 2009, 09:33 AM
Nice tutorial for ProFTPD w/MySQL backend here:

http://howtoforge.com/howtos/ftp

TimsterC
March 16th, 2009, 11:25 AM
I've done the install but I get a "segmentation fault" when I try and run gadmin-proftpd
I've also tried it from a sudo command and the menu item.

Nothing works, any ideas?

frodon
March 16th, 2009, 12:00 PM
Okay, I have looked through this entire thread (even doing the step by step on the first page) and I still get a 530 Login incorrect error. What am I missing? The shell login is right, the home dir is fine and chmod 755. I can log into the ftp using my own username and password (the admin of the box) from anywhere, but any user I create for the ftp never gets past the incorrect error.

Thanks for any help.

Could you post your proftpd.conf file so we can have a look at it?

Thanks.

MyR
March 18th, 2009, 05:24 PM
I've done the install but I get a "segmentation fault" when I try and run gadmin-proftpd
I've also tried it from a sudo command and the menu item.

Nothing works, any ideas?

It's a known bug. You will have to compile the latest package for it to work.

peace

m3bik
March 27th, 2009, 11:29 PM
All I get is the error message saying it couldn't find the package.

MyR
March 28th, 2009, 03:58 AM
Enable the "universe" repositories in system > admin > software sources.
peace

tomstealthports
March 31st, 2009, 10:33 AM
Okay, I have gproftpd, a file on my hard drive at /home/file.txt and a chum.

There are no special folders, or anything like that, that either I or my friend have made. Literally, I've done nothing yet except the things listed above.

Let's say I have ip address 87.100.92.2 and my friend has ip address 86.90.17.50

How the fsck do I send him the bloody file?

Sorry, don't have much time to check google at the moment.

Other non-gproftpd solutions are welcome, the simpler the better!

Thanks!

MyR
March 31st, 2009, 12:42 PM
Okay, I have gproftpd, a file on my hard drive at /home/file.txt and a chum.

There are no special folders, or anything like that, that either I or my friend have made. Literally, I've done nothing yet except the things listed above.

Let's say I have ip address 87.100.92.2 and my friend has ip address 86.90.17.50

How the fsck do I send him the bloody file?

Sorry, don't have much time to check google at the moment.

Other non-gproftpd solutions are welcome, the simpler the better!

Thanks!

email it to him?

tomstealthports
March 31st, 2009, 05:12 PM
Good idea. And it made me laugh.

loudog23
March 31st, 2009, 11:57 PM
Hey,
I followed every step and now I have a server running. :)
- I'm able to connect to myself
- I see myself in ftptop

Need help with this: I can connect and send the password, but then it gets stuck on "loading file names". I've tried with 2 different clients and with Firefox; with Firefox it stalls halfway through loading.

I don't know if it's related to my conf file but I attached it anyway.
I took the defaults and modified it with some of your advice.
Take note I use a 2nd hard drive for sharing so my ftp path is '/media/louserv/loushared'; I also use 'louserv' instead of ftpuser.


Tweaking help please: the second thing I need help with is that I want to create a separate full-access folder for each user and one shared (read-only) folder. I will only have a few friends connecting to my ftp.
Example:
one read-only folder (/media/louserv/loushared/shared)
one folder for me (/media/louserv/loushared/lou)
one for my friend Julie (/media/louserv/loushared/julie)
and so on....

Is there a way I can access my shared folder with full access locally and keep it read-only in the ftp?

Thanks so much for your help and time
lou

frodon
April 1st, 2009, 03:13 AM
Is "/media/louserv/loushared" the home directory of the user you use for FTP connection ?

For your tweaking you have some explanation on how to filter based on user in the first post, then the "DefaultRoot ~" command alone will lock all users in their home directory. Finally you would need to create one shared directory inside the home directory of each user and mount your /media/louserv/loushared/shared directory there. There are surely many other options to do this; this one is just the most secure I have in mind.

loudog23
April 1st, 2009, 07:33 AM
Is "/media/louserv/loushared" the home directory of the user you use for FTP connection ?

For your tweaking you have some explanation on how to filter based on user in the first post, then the "DefaultRoot ~" command alone will lock all users in their home directory. Finally you would need to create one shared directory inside the home directory of each user and mount your /media/louserv/loushared/shared directory there. There are surely many other options to do this; this one is just the most secure I have in mind.

Yes, loushared is the home directory of user 'louserv' (I know it's confusing since the label of my hdd is called louserv too).
If I understood correctly I can make my shared folder wherever I want on my system and just mount it into the user's home if I want him to have access.

To allow a friend into my FTP, where do I set his username and password?
The GUI doesn't work on my system. Is it linked with the users on my system? I saw your example of user1 and user2 with different access, but still I wonder how to create those users.

And this morning as I woke up, I had a flash and now I wonder if a VPN would be more what I'm looking for.

Thank you very much for your help!
And thanks for the prompt reply, all my student-friends-with-limited-space-laptops are thanking you as well ):P
lou

frodon
April 1st, 2009, 08:02 AM
Yes, loushared is the home directory of user 'louserv' (I know it's confusing since the label of my hdd is called louserv too).
If I understood correctly I can make my shared folder wherever I want on my system and just mount it into the user's home if I want him to have access.

Yes, it's the most convenient way I found to do it; I don't know all the ways to do it though.


To allow a friend into my FTP, where do I set his username and password?

He just needs to have the username and password of a user listed in your ftp config.


The GUI doesn't work on my system. Is it linked with the users on my system? I saw your example of user1 and user2 with different access, but still I wonder how to create those users.

Forget the GUI, your use case is not common and I'm not sure you will be able to do what you want with the GUI.

And this morning as I woke up, I had a flash and now I wonder if a VPN would be more what I'm looking for.

I can't really answer you for lack of VPN knowledge, but ssh can also be an option for you: many FTP clients are able to connect to an ssh server for file transfers, it is called SFTP.

loudog23
April 1st, 2009, 10:29 AM
I feel dumb asking you this but,

To create a user on the ftp, I need to:
1- Create the user and password in my system (system -> admin -> usergroup) (example: User=julie pwd=1234)
2- Set his home folder to '/media/louserv/loushared/julie'
3- Add 'UserAlias julienick julie' to the .conf file
And from there, julie can access my FTP by logging in as 'julienick' and needs to use the password 1234 I've set on my system. Is that right?

Sorry to ask you all these questions, I really appreciate your help. I saw in the Synaptic package manager the proftpd-doc package, I will download it and will read it when I get home tonight.

frodon
April 1st, 2009, 10:47 AM
You should have all you need in the first post about user creation, but you are right with 1, 2 and 3. However you must also add in the LIMIT LOGIN section each user you want to be able to log in to the FTP server.

loudog23
April 1st, 2009, 11:56 AM
You should have all you need in the first post about user creation, but you are right with 1, 2 and 3. However you must also add in the LIMIT LOGIN section each user you want to be able to log in to the FTP server.

Thank you so much for all your help, I will re-read your post. I'm far from France but I definitely owe you an (ubuntu grided-style) coffee ;)

Thanks again ):P

EDIT (Added): So if there is a way to mount the shared folder into a user folder, this gives us the possibility to mount an external device (such as a cd-rom) into the ftp. (Reminds me of those BBS cd-roms we used to have in the old days :P)

I also made a huge clean-up in the system and on the shared disk, removing confusing names and rebuilding the directory tree. Hope this will work fine in a few.

loudog23
April 6th, 2009, 11:59 PM
Here it is, all done, running smoothly and like I wanted.
Here are some pointers for people who want to make multiple users with private folders.

To create a private folder for every user:

1.Create the user: (almost same as creating 'userftp' (in frodon's How-To))
-Using the GUI (system > Admin > user&group) create a userid.
--Set the path of the home folder to '/home/FTP-shared/user2/'
--Set '/bin/false'
--Set group to 'userftp'

2.Remove 'Examples.lnk' from the newly created home folder.
-Open terminal window and go to 'cd /home/FTP-shared'
--Take ownership of the folder (sudo chown youruserhere /home/FTP-shared/user2)
--Delete the file '/home/FTP-shared/user2/Examples.lnk'
--Give back the ownership to user2 (sudo chown user2 /home/FTP-shared/user2)
I don't know if it is necessary to remove this file, but I do it since it links the user into your filesystem.

3.Set Permission Locally for user2
-Open terminal window and go to 'cd /home/FTP-shared'
--Set permission to 700 (or 755) for user2 (sudo chmod 700 /home/FTP-shared/user2)

4.Set Permission inside proftpd.conf:
-Open terminal window and edit the proftpd.conf files (sudo gedit /etc/proftpd/proftpd.conf)

4.1.Add the user to #Valid Login
#Valid Login
<Limit LOGIN>
AllowUser userftp
AllowUser user2
DenyALL
</Limit>

4.2.Set Private access to user2 folder
# user2
<Directory /home/FTP-shared/user2>
Umask 022 022
AllowOverwrite on
<Limit ALL>
Order Allow,Deny
AllowUser user2
Deny ALL
</Limit>
</Directory>

To add a 3rd user, simply repeat steps 1, 2, 3

at 4.1, simply add the line for user3
#Valid Login
<Limit LOGIN>
AllowUser userftp
AllowUser user2
AllowUser user3
DenyALL
</Limit>

at 4.2, copy/paste the section for user2 and change the user to user3

# user2
<Directory /home/FTP-shared/user2>
Umask 022 022
AllowOverwrite on
<Limit ALL>
Order Allow,Deny
AllowUser user2
Deny ALL
</Limit>
</Directory>

# user3
<Directory /home/FTP-shared/user3>
Umask 022 022
AllowOverwrite on
<Limit ALL>
Order Allow,Deny
AllowUser user3
Deny ALL
</Limit>
</Directory>

Frodon: Thank you so much again for this How-To!
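
As an added example (written for this page; it is not code from loudog23, frodon or the ProFTPD project), the checker below parses the `<Limit LOGIN>` and per-user `<Directory>` blocks of the layout above and reports the two slips that step 4 makes easy: a user who got a private directory but was never added to `<Limit LOGIN>` (the point frodon made a few posts up), and a per-user `<Limit ALL>` whose AllowUser line is not followed by a DenyAll. It also flags top-level directives such as Include or DefaultRoot that appear twice, which is worth knowing before reading the longer configs later in the thread. The sample config is constructed; directive names are compared case-insensitively, as ProFTPD reads them, so DenyALL and DenyAll are treated alike.

```python
"""Lint the per-user ProFTPD layout from the how-to above.

Added example written for this thread, not code from its author or from
ProFTPD. Reports users with a private <Directory> who are missing from
<Limit LOGIN>, per-user <Limit ALL> blocks without a DenyAll, and top-level
directives (Include, DefaultRoot) given twice. Names compare case-insensitively.
"""
import re
from collections import Counter

# Constructed sample: user3 never got added to <Limit LOGIN>, its <Limit ALL>
# has no DenyAll, and the modules file is included twice.
SAMPLE_CONF = """
Include /etc/proftpd/modules.conf
Include /etc/proftpd/modules.conf
DefaultRoot ~
<Limit LOGIN>
AllowUser userftp
AllowUser user2
DenyALL
</Limit>
<Directory /home/FTP-shared/user2>
<Limit ALL>
Order Allow,Deny
AllowUser user2
Deny ALL
</Limit>
</Directory>
<Directory /home/FTP-shared/user3>
<Limit ALL>
AllowUser user3
</Limit>
</Directory>
"""

OPEN_RE = re.compile(r"^<(\w+)(?:\s+(.*?))?>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")


class Block:
    """One <Name args> ... </Name> section; the whole file is the 'root' block."""

    def __init__(self, name, args=""):
        self.name, self.args = name.lower(), args
        self.directives = []  # (lower-cased directive name, argument string)
        self.children = []    # nested blocks in file order

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()

    def users(self):
        """Every name given to AllowUser directly inside this block."""
        return [u for n, a in self.directives if n == "allowuser" for u in a.split()]

    def denies_all(self):
        return any(n == "denyall" or (n == "deny" and a.lower() == "all")
                   for n, a in self.directives)


def parse_conf(text):
    """Build the block tree; raises ValueError on unbalanced tags."""
    root = Block("root")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN_RE.match(line):
            block = Block(m.group(1), (m.group(2) or "").strip())
            stack[-1].children.append(block)
            stack.append(block)
        elif m := CLOSE_RE.match(line):
            if len(stack) == 1 or stack[-1].name != m.group(1).lower():
                raise ValueError(f"unexpected closing tag: {line}")
            stack.pop()
        else:
            name, _, args = line.partition(" ")
            stack[-1].directives.append((name.lower(), args.strip()))
    if len(stack) != 1:
        raise ValueError(f"unclosed block <{stack[-1].name}>")
    return root


def lint(text):
    """Return human-readable findings; an empty list means the layout is consistent."""
    root = parse_conf(text)
    allowed = {u for b in root.walk() if b.name == "limit" and b.args.upper() == "LOGIN"
               for u in b.users()}
    findings = []
    for d in (b for b in root.walk() if b.name == "directory"):
        for lim in (c for c in d.children if c.name == "limit" and c.args.upper() == "ALL"):
            for user in lim.users():
                if user not in allowed:
                    findings.append(f"{user}: private directory {d.args} but not in <Limit LOGIN>")
            if lim.users() and not lim.denies_all():
                findings.append(f"{d.args}: <Limit ALL> allows users but has no DenyAll")
    counts = Counter(n for n, _ in root.directives)
    findings += [f"{n} appears {c} times at top level" for n, c in counts.items()
                 if n in ("include", "defaultroot") and c > 1]
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run it against /etc/proftpd/proftpd.conf after adding each new user; a clean run is an empty list. The parser only understands the block syntax used in this thread (no Include expansion, no `<IfModule>` evaluation), which is enough to catch the per-user mistakes before `proftpd -nd6` or a confused friend does.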

frodon
April 7th, 2009, 03:13 AM
Frodon: Thank you so much again for this How-To!

You're welcome, glad to see your server is up and running. I can't tell you how much time I spent the first time I tried to set up a FTP server; at that time I was new to Linux too, so I let you guess ;)

foy1der
April 20th, 2009, 03:51 PM
First off, thank you to frodon for making this guide. It is well written and easy to follow.
I was able to get through all the setup and configuration, also I followed the steps to configure sftp.
When I completed all of these steps, I tried to start the server and I get this error.


tim@tim-desktop:~$ sudo /etc/init.d/proftpd start
[sudo] password for tim:
* Starting ftp server proftpd - mod_dso/0.4: module 'mod_ctrls_admin.c' already loaded
- Fatal: LoadModule: error loading module 'mod_ctrls_admin.c': Operation not permitted on line 15 of '/etc/proftpd/modules.conf'
[fail]

I tried to search for mod_ctrls_admin.c but a lot of the results just point back to examples of /etc/proftpd/proftpd.conf.
Here is my proftpd.conf

Include /etc/proftpd/modules.conf
#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 on
# If set on you can experience a longer connection delay in many cases.
IdentLookups off

# Choose here the user alias you want
UserAlias ftp76User ftp76user

ServerName "ubuntu-ftp"
ServerType standalone
DeferWelcome on

MultilineRFC2228 on
DefaultServer on
ShowSymlinks off

TimeoutNoTransfer 600
TimeoutStalled 100
TimeoutIdle 2200

DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"

RequireValidShell off

TimeoutLogin 20

RootLogin off

#It's better for debug to create log files ;-)
ExtendedLog /var/log/ftp.log
TransferLog /var/log/xfer.log
SystemLog /var/log/syslog.log


DenyFilter \*.*/

UseFtpUsers off

#Allow to restart a download
AllowStoreRestart on

# Use this to jail all users in their homes
# DefaultRoot ~

# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell off

# Port 21 is the standard FTP port.
Port 1980

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts 49152 65534

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress 1.2.3.4

# This is useful for masquerading address with dynamic IPs:
# refresh any configured MasqueradeAddress directives every 8 hours
<IfModule mod_dynmasq.c>
# DynMasqRefresh 28800
</IfModule>

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 8

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
PersistentPasswd off

MaxClients 8
MaxClientsPerHost 8
MaxClientsPerUser 8
MaxHostsPerUser 8

# Display a message after a successful login
AccessGrantMsg "welcome!!"
#This message is depsayed for each access good or not
ServerIdent on "you're at home"

# Set /home/FTP-shared as home directory
DefaultRoot /home/FTP-shared

# Lock all the users in home directory, ********* really important **********
DefaultRoot ~

MaxLoginAttempts 5

#Valid Logins
<Limit LOGIN>
AllowUser ftp76user
DenyALL
</Limit>

<Directory /home/FTP-shared>
Umask 022 022
AllowOverwrite off
<Limit MKD STOR DELE XMKD RNTO RMD XRMD>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/music/*>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>
</Directory>

<Directory /home/FTP-shared/upload>
Umask 022 022
AllowOverwrite on
<Limit READ RMD DELE>
DenyAll
</Limit>

<Limit STOR CWD MKD>
AllowAll
</Limit>
</Directory>

# This is required to use both PAM-based authentication and local passwords
# AuthOrder *mod_auth_pam.c mod_auth_unix.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off

# Choose a SQL backend among MySQL or PostgreSQL.
# Both modules are loaded in default configuration, so you have to specify the backend
# or comment out the unused module in /etc/proftpd/modules.conf.
# Use 'mysql' or 'postgres' as possible values.
#
#<IfModule mod_sql.c>
# SQLBackend mysql
#</IfModule>


<IfModule mod_quotatab.c>
QuotaEngine off
</IfModule>

<IfModule mod_ratio.c>
Ratios off
</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine off
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

#
# Alternative authentication frameworks
#
#Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf


<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/ftpd/tls.log
TLSProtocol TLSv1

# Are clients required to use FTP over TLS when talking to this server?
TLSRequired off

# Server's certificate
TLSRSACertificateFile /etc/ftpcert/server.crt
TLSRSACertificateKeyFile /etc/ftpcert/server.key

# CA the server trusts
TLSCACertificateFile /etc/ftpcert/ca.crt

# Authenticate clients that want to use FTP over TLS?
TLSVerifyClient off
</IfModule>


#
# This is used for FTPS connections
#
#Include /etc/proftpd/tls.conf

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayFirstChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>


Here is my modules.conf


#
# This file is used to manage DSO modules and features.
#

# This is the directory where DSO modules reside

ModulePath /usr/lib/proftpd

# Allow only user root to load and unload modules, but allow everyone
# to see which modules have been loaded

ModuleControlsACLs insmod,rmmod allow user root
ModuleControlsACLs lsmod allow user *

LoadModule mod_ctrls_admin.c
LoadModule mod_tls.c

# Install proftpd-mod-mysql or proftpd-mod-pgsql to use this
#LoadModule mod_sql.c

# Install proftpd-mod-ldap to use this
#LoadModule mod_ldap.c

#
# 'SQLBackend mysql' or 'SQLBackend postgres' directives are required
# to have SQL authorization working. You can also comment out the
# unused module here, in alternative.
#

# Install proftpd-mod-mysql to use this
#LoadModule mod_sql_mysql.c

# Install proftpd-mod-pgsql to use this
#LoadModule mod_sql_postgres.c

LoadModule mod_radius.c
LoadModule mod_quotatab.c
LoadModule mod_quotatab_file.c

# Install proftpd-mod-ldap to use this
#LoadModule mod_quotatab_ldap.c

# Install proftpd-mod-pgsql or proftpd-mod-mysql to use this
#LoadModule mod_quotatab_sql.c
LoadModule mod_quotatab_radius.c
LoadModule mod_wrap.c
LoadModule mod_rewrite.c
LoadModule mod_load.c
LoadModule mod_ban.c
LoadModule mod_wrap2.c
LoadModule mod_wrap2_file.c
# Install proftpd-mod-pgsql or proftpd-mod-mysql to use this
#LoadModule mod_wrap2_sql.c
LoadModule mod_dynmasq.c


# keep this module the last one
LoadModule mod_ifsession.c


I'm pretty sure that everything is set up correctly, but I'm sure anything is possible.

frodon
April 20th, 2009, 04:02 PM
You have the line Include /etc/proftpd/modules.conf twice in your proftpd.conf ;)

foy1der
April 20th, 2009, 06:02 PM
ok, I got rid of the stray "include" line and now it says that my certificate file doesn't exist. Specifically:

tim@tim-desktop:~$ sudo /etc/init.d/proftpd start
[sudo] password for tim:
* Starting ftp server proftpd
- Fatal: TLSRSACertificateFile: '/etc/ftpcert/server.crt' does not exist on line 214 of '/etc/proftpd/proftpd.conf'
[fail]


I think that this is my question. Where does the certificate file come from? I tried to run the .crt file, which I assume is the certificate file, and it was blank.

frodon
April 21st, 2009, 03:12 AM
The certificate comes from you; it is up to you to create a certificate for your encryption.
Just follow the steps in the first post and you should succeed in creating one. Once you have one in the right directory this error will disappear.

loudog23
April 30th, 2009, 06:21 PM
Bad idea in general to connect with your main user which has root access, especially because he has root access.

Anyway, to allow your user it is as simple as adding your user to the LIMIT LOGIN section and creating an alias for him if you use aliases.

If you want to go further, proftpd offers you a second way to handle users able to log in, via virtual users:
http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-VirtualUsers.html

Ok, so we then use a user 'userftp' to run the process.

What if:
- I download and extract the package in home/userftp/
- I ./configure --prefix=/home/userftp/proftpd
- make, make install
- Configure the ftp
- Set ownership and permissions of /home/userftp to userftp 750
- Run the ftp as userftp

Using this method,
1) can I simply chroot userftp to /home/ftpuser/?
2) does it create a security "flaw" if I mount one of my /home/me/folder into the /home/ftpuser/download/?
3) what about the /etc/ and /var/, will they be inside the chrooted folder also?
4) is there any file I need to leave outside the chroot?

Thx for any input, if I'm successful I'll send a post to help chroot the server and install it in a 'more' secure way.

thx again frodon for your time.
lou

stinger30au
May 4th, 2009, 08:45 AM
g'day,
thanks so much for starting this thread. This looks like it might just be what I need.

I'm getting extremely frustrated trying to get this s/w to run consistently and any assistance would be great.

I have a thread already with what I have done so far, and now my ftp server has decided to stop talking to my LAN, let alone talk to the internet at all.

My config follows:

ServerType standalone
DefaultServer on
Umask 022
ServerName "0.0.0.0"
ServerIdent on "My FTP Server"
ServerAdmin email@example.org
IdentLookups off
UseReverseDNS off
Port 21
MasqueradeAddress "xxx.xxx.xxx.xxx"
TimesGMT off
MaxInstances 30
MaxLoginAttempts 3
TimeoutLogin 300
TimeoutNoTransfer 120
TimeoutIdle 120
DisplayLogin welcome.msg
DisplayChdir .message
User nobody
Group nobody
DirFakeUser off nobody
DirFakeGroup off nobody
DefaultTransferMode binary
AllowForeignAddress off
AllowRetrieveRestart on
AllowStoreRestart on
DeleteAbortedStores on
TransferRate RETR 220
TransferRate STOR 250
TransferRate STOU 250
TransferRate APPE 250
SystemLog /var/log/secure
RequireValidShell off
<IfModule mod_tls.c>
TLSEngine off
TLSRequired off
TLSVerifyClient off
TLSProtocol SSLv23
TLSLog /var/log/proftpd_tls.log
TLSRSACertificateFile /etc/gadmin-proftpd/certs/cert.pem
TLSRSACertificateKeyFile /etc/gadmin-proftpd/certs/key.pem
TLSCACertificateFile /etc/gadmin-proftpd/certs/cacert.pem
TLSRenegotiate required off
</IfModule>
<IfModule mod_ratio.c>
Ratios off
SaveRatios off
RatioFile "/restricted/proftpd_ratios"
RatioTempFile "/restricted/proftpd_ratios_temp"
CwdRatioMsg "Please upload first!"
FileRatioErrMsg "FileRatio limit exceeded, upload something first..."
ByteRatioErrMsg "ByteRatio limit exceeded, upload something first..."
LeechRatioMsg "Your ratio is unlimited."
</IfModule>
<Limit LOGIN>
AllowUser cocos
DenyALL
</Limit>

<Anonymous /media/disk/coco-photos>
User cocos
Group dez
AnonRequirePassword on
MaxClients 5 "The server is full, hosting %m users"
DisplayLogin welcome.msg
<Limit LOGIN>
Allow from all
Deny from all
</Limit>
<Limit LIST NLST RETR PWD XPWD SIZE STAT CWD XCWD CDUP XCUP >
AllowAll
</Limit>
<Limit STOR STOU APPE RNFR RNTO DELE MKD XMKD SITE_MKDIR RMD XRMD SITE_RMDIR SITE SITE_CHMOD SITE_CHGRP MTDM >
DenyAll
</Limit>
</Anonymous>



I have given my PC a static IP of 192.168.1.1
Router is a Billion 7402LM
I have enabled port forwarding of ports 20 & 21

If I try and connect on my LAN now I get this (output from my client - FileZilla)
(I'm trying to connect from the same PC just to test if it works or not)

Status: Connecting to 127.0.0.1:21...
Status: Connection established, waiting for welcome message...
Response: 220 My FTP Server
Command: USER testing
Response: 331 Password required for testing
Command: PASS *******
Response: 230 Anonymous access granted, restrictions apply
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: LANG en
Response: MDTM
Response: UTF8
Response: REST STREAM
Response: SIZE
Response: 211 End
Command: OPTS UTF8 ON
Response: 200 UTF8 set to on
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (xxx,xxx,xxx,xxx,xxx,xxx).
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing



Any ideas/suggestions to get it talking on the LAN consistently, and to the net as well, would be greatly appreciated.

thanks
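The LIST timeout right after PASV in the log above is a classic passive-mode symptom: the router forwards only ports 20 and 21, but a passive data connection goes to a separate high port the server chooses, and with MasqueradeAddress set a client on the LAN is told to connect to the public address. As an added example (not from the thread or from ProFTPD itself), this Python checker parses a 227 reply and lists the reasons the data connection would hang; the sample replies, addresses, ports and the PassivePorts range are constructed.

```python
import re
from ipaddress import ip_address

# Constructed sample replies in the format ProFTPD uses for PASV (the post
# above shows the real one with the address masked as xxx). Addresses and
# ports are made up for the example.
PASV_BROKEN = "227 Entering Passive Mode (203,0,113,10,195,80)."  # random high port
PASV_FIXED = "227 Entering Passive Mode (203,0,113,10,192,3)."    # port in PassivePorts

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; port = p1 * 256 + p2 (RFC 959)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_passive(reply, control_host, forwarded_ports, passive_range=None):
    """List reasons the data connection announced by a PASV reply will hang.

    control_host:    address the client opened the control connection to
    forwarded_ports: ports the router forwards to the server
    passive_range:   (low, high) from a PassivePorts directive, or None if unset
    An empty result means the data port should be reachable.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if passive_range is None:
        problems.append("PassivePorts unset: server picks a random high port "
                        "(%d here) that cannot be forwarded ahead of time" % port)
    elif not passive_range[0] <= port <= passive_range[1]:
        problems.append("data port %d outside PassivePorts %d-%d"
                        % (port, passive_range[0], passive_range[1]))
    if port not in forwarded_ports:
        problems.append("data port %d is not forwarded by the router" % port)
    if ip != control_host and ip_address(control_host).is_private:
        problems.append("control connection went to %s but PASV announced %s "
                        "(MasqueradeAddress); a LAN client only reaches that "
                        "if the router does hairpin NAT" % (control_host, ip))
    return problems


if __name__ == "__main__":
    # Situation from the post: only 20 and 21 forwarded, test from 127.0.0.1
    for p in check_passive(PASV_BROKEN, "127.0.0.1", {20, 21}):
        print("problem:", p)
    # After adding a PassivePorts range and forwarding it, tested from outside
    print(check_passive(PASV_FIXED, "203.0.113.10",
                        {20, 21} | set(range(49152, 49162)), (49152, 49161)))
```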

frodon
May 4th, 2009, 08:56 AM
Sorry stinger30au, we offer support for this tutorial only here.
General proftpd config debug belongs elsewhere.

Maybe drop your question in the proftpd forum if you don't get answers on ubuntuforums.