====== Install software ======

Install ProFTPd:

<code>
sudo apt-get install proftpd-mysql
</code>

You can find ProFTPd Administrator here: http://sourceforge.net/projects/proftpd-adm/

I assume you already have a MySQL server installed.

====== proFTPd Administrator ======

===== Setup Apache =====

Make the following site by creating the file proftpd in /etc/apache2/sites-available.

<code>
Listen 666
DocumentRoot "/var/www/proftpd_admin"
ServerName localhost:666
ServerAdmin you@example.com
ErrorLog /var/log/apache2/proftpd_error_log
TransferLog /var/log/apache2/proftpd_access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
SSLOptions +StdEnvVars
SSLRequireSSL
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/apache2/pureftpd_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
AllowOverride AuthConfig
Order deny,allow
Allow from all
</code>

Now extract proftpd administrator into this directory.

Word of caution! This virtual host is not restricted in any way, so anyone with access to port 666/tcp on your server can configure the ftp server. Alternatively, you can protect it with a username/password; see the howto [[indexes:digest_authentication|here]].

===== Setup MySQL =====

Inside /var/www/proftpd_admin/misc/database_structure_mysql you will find the files that create the database structure. Open db_structure.sql and edit the last three lines, where the user proftpd is created and granted rights on the database:

<code>
...
...
GRANT ALL ON usertable TO proftpd@localhost IDENTIFIED BY 'abc123';
GRANT ALL ON grouptable TO proftpd@localhost IDENTIFIED BY 'abc123';
GRANT ALL ON xfer_stat TO proftpd@localhost IDENTIFIED BY 'abc123';
</code>

Next import the files by running these commands:

<code>
mysql -uroot -p < db_structure.sql
mysql -uroot -p < powerdns.sql
mysql -uroot -p < upgrade_to_v0.9.sql
mysql -uroot -p < vhosts.sql
</code>

Now you should have a database called proftpd_admin with a lot of tables in it.

===== Setup file structure =====

Out of the box proftpd administrator uses /ftp as the root of the ftp users. I like to keep it in /var/ftp. Make sure you have this folder.

===== ProFTPd config =====

Inside the folder /var/www/proftpd_admin/misc/sample_config you will find two files. Copy the file called proftpd_quota.conf to /etc/proftpd and call it proftpd.conf. Insert in the first line:

<code>
Include /etc/proftpd/modules.conf
</code>

Otherwise you will not be loading the modules needed for SQL authentication. Also change this part of the config:

<code>
...
...
AllowOverwrite off
HideNoAccess off
AllowAll
DenyGroup !admins
AllowOverwrite on
HideNoAccess on
DenyGroup !admins
AllowAll
</code>

As I like to use /var/ftp instead it should look like this:

<code>
AllowOverwrite off
HideNoAccess off
AllowAll
DenyGroup !admins
AllowOverwrite on
HideNoAccess on
DenyGroup !admins
AllowAll
</code>

If you want to give access to all users, and not just the members of the admins group, simply remove the directory statements.

===== Create/Delete user script =====

You can get proftpd administrator to run some scripts when you create or delete a user. This has some limitations, as the script is run with the same credentials as the webserver user. To get around this in a somewhat acceptable way we can utilize sudo.
Append this to the sudoers file:

<code>
# Cmnd alias specification
Cmnd_Alias CREATE_USER = /var/www/proftpd_admin/misc/user_script/create_user.sh
Cmnd_Alias DELETE_USER = /var/www/proftpd_admin/misc/user_script/delete_user.sh

# User privilege specification
www-data ALL=(ALL) NOPASSWD: CREATE_USER
www-data ALL=(ALL) NOPASSWD: DELETE_USER
</code>

This allows the two scripts create_user.sh and delete_user.sh to be run as root by the webserver. It works and it is a compromise and I don't like it!

===== Setup TLS/SSL =====

To get ftp working with tls/ssl we first need to make a certificate. It sounds scary, but it's not. All you have to do is run one command and include a conf file in proftpd.conf. Use this one-liner to make the certificate:

<code>
openssl req -x509 -days 3650 -newkey rsa:1024 -keyout /etc/proftpd/proftpd.key -nodes -out /etc/proftpd/proftpd.crt
</code>

Answer the questions, but pay attention to the Common Name: it should be the DNS name of your ftp server. Next make a file called tls.conf in /etc/proftpd:

<code>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol SSLv23
#
# Server's certificate
#
TLSRSACertificateFile /etc/proftpd/proftpd.crt
TLSRSACertificateKeyFile /etc/proftpd/proftpd.key
#
# CA the server trusts
#TLSCACertificateFile /etc/ssl/certs/CA.pem
# or avoid CA cert
TLSOptions NoCertRequest
#
# Authenticate clients that want to use FTP over TLS?
#
TLSVerifyClient off
#
# Are clients required to use FTP over TLS when talking to this server?
#
TLSRequired off
#
# Allow SSL/TLS renegotiations when the client requests them, but
# do not force the renegotiations. Some clients do not support
# SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
# clients will close the data connection, or there will be a timeout
# on an idle data connection.
#
#TLSRenegotiate required off
</code>

Insert the statement:

<code>
Include /etc/proftpd/tls.conf
</code>

at the top of your proftpd.conf file. Restart proftpd and you should be able to connect securely with a tls/ssl enabled ftp client.
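The sudoers entries in the Create/Delete user script section let www-data run two scripts stored under the web root as root, so it matters who can modify those files or rename the directories above them. The check below is an added example, not part of the original page or of ProFTPd Administrator; the function name audit_sudo_target and its arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a script that sudoers lets the web server run as root.
#
# audit_sudo_target SCRIPT [OWNER] [STOP_DIR]
#   Walks from SCRIPT up through every parent directory to STOP_DIR and
#   prints "UNSAFE <path>" for each component that is not owned by OWNER
#   or is writable by group or others. Whoever can write to any component
#   can replace what sudo ends up executing.
#   Returns 0 if nothing is flagged, 1 if something is, 2 if a path is missing.
audit_sudo_target() {
    p=$1
    owner=${2:-root}   # account (name or numeric uid) that must own everything
    stop=${3:-/}       # assumption: directories above STOP_DIR are trusted
    rc=0
    while :; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"
            return 2
        fi
        # -prune keeps find on $p itself; only POSIX find primaries are used.
        bad=$(find "$p" -prune \
              \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)
        if [ -n "$bad" ]; then
            echo "UNSAFE $p"
            rc=1
        fi
        if [ "$p" = "$stop" ] || [ "$p" = "/" ]; then
            break
        fi
        p=$(dirname "$p")
    done
    return $rc
}

# Stand-alone use: pass the script path from a Cmnd_Alias line as argument.
if [ $# -gt 0 ]; then
    audit_sudo_target "$@"
fi
```

Run it against both paths named in the Cmnd_Alias lines; any UNSAFE line means an account other than root can change what root executes.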
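The TLS settings used on this page (the Apache SSLCipherSuite string, TLSProtocol SSLv23, TLSRequired off and the rsa:1024 key) can be reviewed with a small lint. This is an added example, not code from the original page or from ProFTPd; the function names and the list of cipher classes treated as weak are assumptions.

```shell
#!/bin/sh
# Added example: lint the TLS settings shown in the configs above.

# not_excluded CIPHERSTRING
#   Prints the weak cipher classes that CIPHERSTRING never removes with "!".
#   In an OpenSSL cipher string "+X" only moves already-selected ciphers to
#   the end of the list; it removes nothing, so whatever the base keyword
#   (here ALL) selected stays enabled unless "!X" is present.
not_excluded() {
    found=""
    for class in aNULL EXP LOW RC4 MD5; do
        case ":$1:" in
            *":!$class:"*) ;;                        # hard-excluded
            *) found="$found${found:+ }$class" ;;
        esac
    done
    echo "$found"
}

# lint_proftpd_tls [FILE]
#   Reads mod_tls directives from FILE (or stdin), one finding per line.
lint_proftpd_tls() {
    awk '
        /^[ \t]*#/ { next }                          # skip commented-out lines
        $1 == "TLSProtocol" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^SSLv/)
                    print "TLSProtocol " $i ": legacy SSL versions allowed"
        }
        $1 == "TLSRequired" && $2 == "off" {
            print "TLSRequired off: plain FTP logins still accepted"
        }
    ' "${1:--}"
}

# weak_rsa OPENSSL_ARGS...
#   Exit status 0 when an "rsa:N" argument asks for fewer than 2048 bits.
weak_rsa() {
    for a in "$@"; do
        case $a in
            rsa:*) [ "${a#rsa:}" -lt 2048 ] && return 0 ;;
        esac
    done
    return 1
}

# Values copied from the page's Apache site, tls.conf and openssl command.
not_excluded 'ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
printf 'TLSProtocol SSLv23\nTLSRequired off\n' | lint_proftpd_tls
weak_rsa -newkey rsa:1024 && echo "RSA key below 2048 bits"
```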