ProFTPD TLS Configuration on Ubuntu 24.04 | Best Setup
As you may know, ProFTPD is a powerful, free, and open-source FTP server renowned for its extensive features. It facilitates the secure and efficient transfer, upload, and download of files over the internet. Importantly, it supports TLS/SSL encryption, ensuring secure connections. This article provides a comprehensive guide to ProFTPD TLS Configuration on Ubuntu 24.04, enabling you to establish a secure FTP server.
Install and Configure ProFTPD Over TLS/SSL on Ubuntu 24.04
Before initiating the ProFTPD setup, ensure you have a fresh installation of Ubuntu 24.04 and a configured root password. It is also highly recommended that you set up a basic UFW firewall.
Follow the steps outlined below to complete the ProFTPD TLS Configuration on Ubuntu 24.04.
Step 1. Install ProFTPD on Ubuntu 24.04
Begin by updating and upgrading your system using the following command:
apt update && apt upgrade -y
Next, install ProFTPD on Ubuntu 24.04 with this command:
apt install proftpd -y
Once the installation is complete, start and enable the ProFTPD service with the following commands:
systemctl start proftpd
systemctl enable proftpd
Verify that the ProFTPD service is active and running on Ubuntu 24.04 by executing the following command:
systemctl status proftpd
Additionally, verify the installed ProFTPD version using the following command:
proftpd --version
**Output**
ProFTPD Version 1.3.8b
Step 2. Create an FTP User Account on Ubuntu 24.04
Now, create a dedicated user account for the FTP server. Execute the following command:
adduser **ftpuser**
Set a secure password for the FTP user.
Step 3. Generate an SSL Certificate for ProFTPD
To ensure a secure FTP connection, generate an SSL/TLS certificate for ProFTPD. The OpenSSL package is typically installed by default on Ubuntu 24.04. If not, install it using the command:
apt install openssl -y
Then, generate a self-signed SSL/TLS certificate and its private key for ProFTPD using the following command:
openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt -nodes -days 365
Provide the requested information for your SSL certificate when prompted.
After completing the certificate request, set the appropriate permissions for your SSL certificate files:
chmod 600 /etc/ssl/private/proftpd.key
chmod 600 /etc/ssl/certs/proftpd.crt
Step 4. ProFTPD TLS Configuration on Ubuntu 24.04
Now, modify the ProFTPD configuration file to implement the necessary TLS settings. Open the file using your preferred text editor (e.g., Vi or Nano):
vi /etc/proftpd/proftpd.conf
Locate the following lines in the file and adjust their values as indicated:
UseIPv6 **on**
ServerName "**FTP Server**"
Port **3225**
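Note: Changing the default port from 21 to 3225 enhances security by moving the service off the port that automated scans target first; it complements the TLS settings configured below rather than replacing them.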
Also, find the following lines and uncomment them by removing the "#" character:
RequireValidShell on
AuthOrder mod_auth_pam.c* mod_auth_unix.c
Include /etc/proftpd/tls.conf
Save and close the file after making the changes.
Remember to open the ProFTPD port in the firewall:
ufw allow 3225
ufw reload
Next, edit the ProFTPD TLS configuration file and specify the SSL certificate details:
vi /etc/proftpd/tls.conf
Uncomment the following lines:
TLSEngine on
TLSRSACertificateFile /etc/ssl/certs/proftpd.crt
TLSRSACertificateKeyFile /etc/ssl/private/proftpd.key
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSRequired on
Save and close the file. Apply the changes by restarting the ProFTPD service:
systemctl restart proftpd
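To confirm that tls.conf enforces what this step intends, the following shell functions audit the directives listed above (an added example, not part of the original guide or of ProFTPD). The function names, the sample file and the pass/fail policy are assumptions of this example: the policy accepts only TLSv1.2 and TLSv1.3 in TLSProtocol, so the SSLv23 compatibility value is reported as a finding.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a ProFTPD tls.conf.
# Policy assumed here: TLSEngine on, TLSRequired on, TLSProtocol limited to
# TLSv1.2/TLSv1.3, private key not readable by group or others.

# Print the arguments of the last uncommented occurrence of a directive.
conf_value() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); v = $0 }
                   END { print v }' "$1"
}

# Print one finding per line; return 1 if any check fails, else 0.
audit_tls_conf() {
    conf=$1; rc=0
    [ "$(conf_value "$conf" TLSEngine)" = "on" ] ||
        { echo "FAIL TLSEngine is not on"; rc=1; }
    [ "$(conf_value "$conf" TLSRequired)" = "on" ] ||
        { echo "FAIL TLSRequired is not on"; rc=1; }
    protos=$(conf_value "$conf" TLSProtocol)
    [ -n "$protos" ] || echo "WARN TLSProtocol unset, mod_tls default applies"
    for p in $protos; do
        case $p in
            TLSv1.2|TLSv1.3) ;;
            *) echo "FAIL TLSProtocol allows $p"; rc=1 ;;
        esac
    done
    key=$(conf_value "$conf" TLSRSACertificateKeyFile)
    if [ -n "$key" ] && [ -e "$key" ] &&
       [ -n "$(find "$key" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "FAIL $key is readable by group or others"; rc=1
    fi
    return $rc
}

# Constructed sample that mirrors the directives uncommented in this step.
demo_conf() {
    cat <<'EOF'
#TLSProtocol TLSv1.2
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
TLSRequired on
EOF
}

# Usage: sh audit.sh /etc/proftpd/tls.conf
if [ $# -gt 0 ]; then audit_tls_conf "$1"; fi
```

A non-zero exit status means at least one FAIL line was printed, which makes the script usable as a pre-restart gate.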
Step 5. Access ProFTPD Server with FileZilla FTP client
At this point, your ProFTPD server is installed and secured with SSL/TLS. This section demonstrates how to access it from a Windows client using FileZilla. Download the FileZilla Client from the official website for your operating system.
After the download is complete, install FileZilla following the on-screen instructions. Launch FileZilla. Click on "File" and select "Site Manager".
In the Site Manager, click on "New Site" and enter your FTP server’s IP address in the "Host" field. Specify the FTP port, username, and password. Click "Connect."
After the FTP connection is established, FileZilla shows the remote directory listing.
That’s it! You are done.
Conclusion
You have successfully completed the ProFTPD TLS Configuration on Ubuntu 24.04 and accessed your FTP server using the FileZilla client. You can now securely upload and download files from the FTP server through the encrypted connection.
Alternative Solutions for Secure File Transfer on Ubuntu 24.04
While ProFTPD with TLS offers a robust solution for secure file transfer, other options exist. Two notable alternatives include using SFTP (Secure FTP) with OpenSSH and setting up a cloud-based storage solution with client-side encryption.
1. SFTP with OpenSSH
SFTP (Secure File Transfer Protocol) is a network protocol that provides secure file access, transfer, and management over any reliable data stream. Unlike FTP, SFTP encrypts both the commands and the data being transferred, making it inherently more secure. OpenSSH provides an SFTP server implementation.
Explanation:
Instead of running a separate FTP server like ProFTPD, you can leverage the existing OpenSSH server on your Ubuntu 24.04 system to provide SFTP access. This simplifies the setup process as OpenSSH is often already installed and configured. Security is enhanced because SFTP utilizes the SSH protocol’s strong encryption. User authentication is handled through the standard system user accounts, simplifying user management.
Configuration Steps:
- Ensure OpenSSH is installed: Most Ubuntu 24.04 installations have OpenSSH pre-installed. If not, install it with:
sudo apt install openssh-server
- Configure SSH for SFTP (Optional, but Recommended): To further enhance security, you can restrict users to SFTP-only access and chroot them to a specific directory. This prevents them from gaining shell access.
  - Create a group for SFTP-only users (e.g., sftpusers):
  sudo groupadd sftpusers
  - Edit the /etc/ssh/sshd_config file:
  sudo nano /etc/ssh/sshd_config
  - Add the following lines at the end of the file. Important: Ensure this block is at the end of the file to avoid conflicts with other SSH configurations. Replace /var/sftp with the directory where you want to restrict SFTP users.
  Match Group sftpusers
      ChrootDirectory /var/sftp/%u
      ForceCommand internal-sftp
      AllowTcpForwarding no
      X11Forwarding no
  Explanation of the options:
  - Match Group sftpusers: This section applies only to users belonging to the sftpusers group.
  - ChrootDirectory /var/sftp/%u: This chroots (restricts) the user to their home directory under /var/sftp. The %u expands to the username. You’ll need to create this directory structure.
  - ForceCommand internal-sftp: This forces the use of the internal SFTP server, preventing the user from executing any other commands.
  - AllowTcpForwarding no: Disables TCP forwarding, preventing SSH tunneling.
  - X11Forwarding no: Disables X11 forwarding.
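  - Create the /var/sftp directory and set appropriate ownership and permissions:
  sudo mkdir -p /var/sftp
  sudo chown root:root /var/sftp
  sudo chmod 755 /var/sftp
  - Create the user’s home directory under /var/sftp and set ownership:
  sudo mkdir /var/sftp/ftpuser
  sudo chown root:root /var/sftp/ftpuser
  sudo chmod 755 /var/sftp/ftpuser
  sudo mkdir /var/sftp/ftpuser/upload
  sudo chown ftpuser:sftpusers /var/sftp/ftpuser/upload
  Replace ftpuser with the actual username. sshd requires every component of the ChrootDirectory path, including /var/sftp/ftpuser itself, to be owned by root and not writable by group or others; otherwise it rejects the login. The directory owned by the SFTP user and the sftpusers group is therefore a subdirectory inside the chroot (upload is an example name).
  - Restart the SSH service:
  sudo systemctl restart ssh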
- Add users to the sftpusers group:
sudo usermod -a -G sftpusers ftpuser
- Connect using an SFTP client: Use any SFTP client (e.g., FileZilla, WinSCP) and connect to the server using the username, password, and SSH port (default is 22).
Code Example (Creating the SFTP user’s home directory):
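SFTP_USER="sftpuser" # Replace with the desired username
BASE_DIR="/var/sftp"
# The chroot directory itself must be owned by root and not writable by group or others
sudo mkdir -p "$BASE_DIR/$SFTP_USER/upload"
sudo chown root:root "$BASE_DIR/$SFTP_USER"
sudo chmod 755 "$BASE_DIR/$SFTP_USER"
# The user gets a writable directory inside the chroot ("upload" is an example name)
sudo chown "$SFTP_USER:sftpusers" "$BASE_DIR/$SFTP_USER/upload"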
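sshd rejects a chrooted session with a "bad ownership or modes for chroot directory" error unless every component of the ChrootDirectory path is a root-owned directory that group and others cannot write to. The following pre-check walks the path the same way; it is an added example, not part of the original guide or of OpenSSH, and the function names are assumptions. It looks only at the owner and the classic mode bits, not at ACLs.

```shell
#!/bin/sh
# Added example, not part of the original guide: pre-check a ChrootDirectory
# the way sshd does, walking every component of the path up to /.

# $1 = mode string from ls -l (e.g. drwxr-xr-x), $2 = numeric owner uid.
# Passes only for a directory owned by uid 0 with no group/other write bit.
component_ok() {
    case $1 in d*) ;; *) return 1 ;; esac
    [ "$2" = "0" ] || return 1
    case $1 in ?????w*|????????w*) return 1 ;; esac
    return 0
}

# Print a verdict per component; return 1 if any component would be rejected.
check_chroot_path() {
    case $1 in /*) path=$1 ;; *) echo "need an absolute path"; return 2 ;; esac
    rc=0
    while :; do
        set -- $(ls -ldn "$path" 2>/dev/null)   # $1 = mode, $3 = uid
        if component_ok "${1:-}" "${3:-}"; then
            echo "ok   $path"
        else
            echo "BAD  $path (mode ${1:-missing}, uid ${3:-unknown})"; rc=1
        fi
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    return $rc
}

# Usage: sh check_chroot.sh /var/sftp/ftpuser
if [ $# -gt 0 ]; then check_chroot_path "$1"; fi
```

Run it against the expanded path for one user (for example /var/sftp/ftpuser) before restarting ssh; any BAD line names the component to fix.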
2. Cloud-Based Storage with Client-Side Encryption
Explanation:
This approach utilizes a cloud storage service (e.g., Nextcloud, Seafile, ownCloud, or even commercial options like Tresorit or pCloud) combined with client-side encryption. The file transfer happens through the cloud service’s infrastructure, and the encryption ensures that only the user with the correct key can decrypt the files. This is particularly useful for scenarios where direct server access is undesirable or impractical.
Configuration Steps (using Nextcloud as an example):
- Install Nextcloud Server: Set up a Nextcloud server on a separate machine or use a hosted Nextcloud service. Instructions for installation are available on the Nextcloud website.
- Install Nextcloud Client: Install the Nextcloud client on the user’s machine (Ubuntu, Windows, macOS).
- Configure Client-Side Encryption: Within the Nextcloud client, enable client-side encryption. You’ll be prompted to create an encryption key. Important: Securely store this key, as losing it will result in permanent data loss.
- Upload/Download Files: Files uploaded to the encrypted folder will be automatically encrypted by the client before being sent to the Nextcloud server. Similarly, files downloaded from the server will be automatically decrypted by the client.
Advantages:
- Ease of Use: Nextcloud clients provide a user-friendly interface for file management.
- Collaboration: Nextcloud supports sharing files and folders with other users, with encryption ensuring only authorized users can access the content.
- Accessibility: Files are accessible from any device with the Nextcloud client.
Disadvantages:
- Reliance on a Third Party (or self-hosted infrastructure): The security depends on the cloud provider’s infrastructure and the strength of the client-side encryption. Self-hosting mitigates the third-party reliance but increases the administrative overhead.
- Performance Overhead: Encryption and decryption can add a performance overhead, especially for large files.
Code Example (Illustrative – shows how to encrypt a file client-side using a Python library like cryptography – this would be part of the client application, not a server configuration):
from cryptography.fernet import Fernet

# Generate a key (keep this secret!)
key = Fernet.generate_key()
f = Fernet(key)

# Encrypt the file
with open("my_secret_file.txt", "rb") as file:
    file_data = file.read()

encrypted_data = f.encrypt(file_data)

with open("my_secret_file.txt.enc", "wb") as file:
    file.write(encrypted_data)

print("File encrypted!")

# To decrypt (on the client who has the key):
# with open("my_secret_file.txt.enc", "rb") as file:
#     encrypted_data = file.read()
#
# decrypted_data = f.decrypt(encrypted_data)
#
# with open("my_secret_file.txt", "wb") as file:
#     file.write(decrypted_data)
Note: This Python code is a simplified illustration. A real-world client-side encryption implementation would involve more sophisticated key management, error handling, and integration with the cloud storage service’s API.
These alternative solutions provide secure file transfer options that cater to different needs and security requirements on Ubuntu 24.04. SFTP offers a simplified and secure alternative to traditional FTP, while cloud-based storage with client-side encryption provides flexibility and enhanced security for remote access and collaboration. ProFTPD TLS Configuration on Ubuntu 24.04 is still a viable solution when direct server control and customization are paramount.