A base install of Debian squeeze does not include some of the tools required to establish a secure FTP server.

I started at

http://www.debian-administration.org/article/228/Setting_up_an_FTP_server_on_Debian

The ProFTP reference for TLS is somewhat sparse for step-by-step requiring some degree of thinking. Which is fine except if I am in a hurry.

How-to-Forge regarding Debian Etch gave some information that was relevant but missing a couple of steps that apply in the later Squeeze version of Debian (6.0.2).

So my steps for future reference are as follows:

Start by installing and establishing a basic FTP server. Not secured but functioning is the goal.

[bash]
#apt-get install proftpd-basic proftpd-doc
[/bash]

During the ProFTP install it will prompt for inetd or stand-alone, select stand-alone.

Create a test user account and password with adduser on the Debian system.

Test with a FileZilla install for a basic FTP connection on port 21. If this is working a basic connection will allow the user to see the entire server.

Based on the config /etc/proftpd/proftpd.conf setting to chroot the user to their /home/ directory will restrict the user login to only their home directory. Enable the line by removing the # sign at the start of the line in /etc/proftpd/proftpd.conf

[text]
DefaultRoot
[/text]

Stop and restart the proftpd service

[bash]
#service proftpd restart
[/bash]

Test again with a FileZilla install for a chroot FTP connection on port 21. It will probably fail unless the next step was done previously.

Check tail /var/log/proftpd/proftpd.log for errors like this:

[text]
Aug 09 16:30:44 server_name proftpd[9625] fq_server_name (::ffff:ip_address[::ffff:ip_address]): Preparing to chroot to directory ‘/home/username/’
Aug 09 16:30:44 server_name proftpd[9625] fq_server_name (::ffff:ip_address[::ffff:ip_address]): chroot to ‘/home/username/’ failed for user ‘username’: Operation not permitted
Aug 09 16:30:44 server_name proftpd[9625] fq_server_name (::ffff:ip_address[::ffff:ip_address]): error: unable to set default root directory
[/text]

The issue is that chroot is not installed by default and therefore a Filezilla connection should fail.

[bash]
apt-get install chrootuid
[/bash]

Stop and restart the proftpd service

[bash]
#service proftpd restart
[/bash]

Test again with a FileZilla install for a basic FTP connection on port 21 to the users home directory.

Once that is working adding TLS takes a few more steps.

Find and enable the following line by removing the # sign at the start of the line in

/etc/proftpd/proftpd.conf

[text]
include /etc/proftpd/tls.conf
[/text]

Install openssl

[bash]
# apt-get install openssl
[/bash]

Follow the details on How-to-Forge for creating a self-signed certificate for the FTP server in Step 3 Creating The SSL Certificate For TLS.

Step 4 Enabling TLS In ProFTPd is no longer correct for this version of Debian. The tls section is no longer in the /etc/proftpd/proftpd.conf but as a separate file in the same directory

Edit /etc/proftpd/tls.conf instead of /etc/proftpd/proftpd.conf

Turn on the appropriate sections and edit the relevant paths to suit your certificate locations.

Stop and restart the proftpd service

[bash]

#service proftpd restart

[/bash]

Modify the Filezilla settings to use Require explicit FTP over TLS and test again. The prompt for the certificate acceptance is because it is self-signed and tick the box to retain the certificate so that the prompt disappears.

Note that the self-signed certificate is valid only for 365 days and in a year it will need to be renewed.

I also referenced http://www.delphi3000.com/articles/article_4881.asp regarding the differences between SFTP and FTPS.

And this section of the ProFTP documentation for chroot information.