HOWTO : Create a FTP server with user access (proftpd)

[ikkinu]

1- Enable TLS/SSL encryption (FTPS)
The FTP file sharing protocol is an old protocol which was created when internet was still a secure place, therefore the default FTP protocol is not that secure.
For example the password and username for login are transmitted in plain text which obviously isn't secure.
That why, to fit the needs of our generation, encryption solutions were developed and one of them is TLS/SSH encryption.
This will encrypt the username and password and all the data you send, obviously to use it the FTP client must support SFTP protocol.

here are the steps to enable TLS/SSH encryption (FTPS):

Paste these commands in a terminal :

Code:

sudo apt-get install build-essential
sudo apt-get install libssl-dev
cd /etc
sudo mkdir ftpcert
cd ftpcert/
sudo openssl genrsa -des3 -out server.key 1024
sudo openssl req -new -key server.key -out server.csr
sudo openssl genrsa -des3 -out ca.key 1024
sudo openssl req -new -x509 -days 365 -key ca.key -out ca.crt 
sudo wget http://frodubuntu.free.fr/ubuntu/sign.sh
sudo chmod +x sign.sh
sudo ./sign.sh server.csr

HI all,
when I type sudo ./sign.sh server.csr I get this error:

CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName RINTABLE:'IL'
stateOrProvinceName RINTABLE:'Ikkland'
localityName RINTABLE:'Ikktown'
organizationName RINTABLE:'Project ikkinu'
organizationalUnitNameRINTABLE:'Ftp Dpt.'
commonName RINTABLE:'ikkinu'
emailAddress :IA5STRING:'ikkinu@inventati.org'
Certificate is to be certified until Dec 5 19:24:50 2007 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: /C=IL/ST=Ikkland/L=Ikktown/O=Project ikkinu/OU=Ftp Dpt./CN=ikkinu/emailAddress=xxx@xxx.xxx
error 18 at 0 depth lookup:self signed certificate
/C=IL/ST=Ikkland/L=Ikktown/O=Project ikkinu/OU=Ftp Dpt./CN=ikkinu/emailAddress=xxx@xxx.xxx
error 7 at 0 depth lookup:certificate signature failure
12603:error:04067084:rsa routines:RSA_EAY_PUBLIC_DECRYPT:data too large for modulus:rsa_eay.c:645:
12603:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:168:

Can anyone help me?
Thanks

[dannyboy79]

this happened to me, I couldn't figure it out so I just performed the steps over and over again, chosing different names for each of the prompts and finally it worked. don't know what exactly made it work but it did. for country name, I put US, for state I spelled out WISCONSIN, for city I spellled out my city, for company name I put NA1 (not applicable 1) for org unit name, I put not applicable 1 (spelled out this time), for commmon name I spelled out my first name, for email, I put my real email address. that is all for server.key, then for the next one, I think it was ca.key, I did everything the same except added "2" instead of the "1" where I used NA and not applicable. good luck. I have to be honest, despite not getting errors when I self signed the certificate, I still can't even ftp into my site. I use xinetd which may be the problem. also, are you using the new mod_tls by way of mod_dso? good luck

[dannyboy79]

Maybe someon can help. I've followed all the instructions on how to setup the FTP server. When I try to restart the server I get this error:

..localhost - mod_delay/0.4: error opening DelayTable '/var/run/proftpd/proftpd.delay': No such file or directory

Everything is setup as outlined in the first post. I don't think this has to do with config, my guess is there is something wrong with the install. I've tried uninstalling completly and then reinstalling, but I get the same error.

How do I fix this?
Thanks.

you simply need to create the /var/run/proftpd/ dir and you'll be set. I don't know why it wouldn't have been created wehen you installed Proftpd. unless you compiled it yourself, since I did, I had that same error as well. For the future, if it tells you that a file or folder doesn't exist, then do a locate or find for it and if the folder isn't there, then linux needs you to create the folder so that proftpd has a place to put the proftpd.delay file when you log into your server. good luck

[glenncruz]

Yes of course, it is explained in the "advanced tricks" part of the guide in the first post.
All you need is to create the users, create all the directoties then restrict the access depending of the user.

Hello Sir Frodon

my ftp work with multiple users but one question is there a way to hide the download folders on the other accounts?

[frodon]

I know there is one but i don't remember exactly where i read that so i would have to search a little bit, give me one week and i will try to give you an answer.
Feel free to PM me in one week to remind me your question if i forgot to search

[dannyboy79]

Maybe someon can help. I've followed all the instructions on how to setup the FTP server. When I try to restart the server I get this error:

..localhost - mod_delay/0.4: error opening DelayTable '/var/run/proftpd/proftpd.delay': No such file or directory

Everything is setup as outlined in the first post. I don't think this has to do with config, my guess is there is something wrong with the install. I've tried uninstalling completly and then reinstalling, but I get the same error.

How do I fix this?
Thanks.

simply create the folder /var/run/proftpd/ and you should be fine! proftpd is telling you that it can't create the file because the directory isn't there, so create the dir, and then the server will be able to create the file when some1 tried to connect and all will be good. this happened to me because I compiled version 1.3 myself and I needed to create this folder for the scoreboard file as well as the delay file.

[frodon]

Hello Sir Frodon

my ftp work with multiple users but one question is there a way to hide the download folders on the other accounts?

Ok, the command to do this is HideNoAccess.

In each directory section try adind this command the beginning, example :

Code:

Directory /home/FTP-shared/download/*>
Umask 022 022
AllowOverwrite off
HideNoAccess on

        <Limit ALL>
		Order Allow,Deny
		AllowUser user1
		Deny ALL
	</Limit>

	<Limit MKD STOR DELE XMKD RNEF RNTO RMD XRMD>
	DenyAll
	</Limit>
</Directory>

I'm not sure it will work because i never used it.

I found an interesting thread for you where a user is trying to configure his server in the same way than you :
http://forums.proftpd.org/phpBB2/vie...t=hidenoaccess

[addicted_to_the_net]

Hi, just a note on the TLS part of your excellent HowTo. I found that the server would disconnect immediatly after the TLS handshake, this is what it said in the log:

ssl3_get_record:wrong version number

Found the fix on this site: http://forums.proftpd.org/phpBB2/viewtopic.php?t=1075&

Basically I changed the entry "TLSProtocol TLSv1" found in the proftpd.conf file to read "TLSProtocol SSLv23" and it worked after the restart of proftpd.

Does this sound right? Anyone else have this problem?

Also just to clarify, when I removed the password for the rsa key (so that I didn't have to enter everytime the server starts) your guide says to make the file accessable only for root. How would I do this? (still learning)

Thank you very much

[knoc]

I'm new to this so here is a pretty basic question:

What would my ftp address be if I were to access my FTP server from a browser? Is gFTP the only way to access it?

[stijn_pol]

I'm new to this so here is a pretty basic question:

What would my ftp address be if I were to access my FTP server from a browser? Is gFTP the only way to access it?

You need to know 2 things to access your FTP server: IP-address en port number. When trying to access your FTP server in a LAN, use your local IP-address to test the connection with the server. For example: 192.168.1.101 with port 1980, this goes for gFTP.
Using a browser you should go to the following URL: ftp://192.168.1.101:1980.
Voila, my first post!!

UBUNTU YEAH!