A base install of Debian squeeze does not include some of the tools required to establish a secure FTP server.<\/p>\n
I started at<\/p>\n
http:\/\/www.debian-administration.org\/article\/228\/Setting_up_an_FTP_server_on_Debian<\/a><\/p>\n The ProFTP reference for TLS<\/a> is somewhat sparse for step-by-step requiring some degree of thinking. Which is fine except if I am in a hurry.<\/p>\n How-to-Forge regarding Debian Etch<\/a> gave some information that was relevant but missing a couple of steps that apply in the later Squeeze version of Debian (6.0.2).<\/p>\n So my steps for future reference are as follows:<\/p>\n Start by installing and establishing a basic FTP server. Not secured but functioning is the goal.<\/p>\n [bash] During the ProFTP install it will prompt for inetd or stand-alone, select stand-alone.<\/p>\n Create a test user account and password with adduser on the Debian system.<\/p>\n Test with a FileZilla<\/a> install for a basic FTP connection on port 21. If this is working a basic connection will allow the user to see the entire server.<\/p>\n Based on the config \/etc\/proftpd\/proftpd.conf setting to chroot the user to their \/home\/ directory will restrict the user login to only their home directory. Enable the line by removing the # sign at the start of the line in \/etc\/proftpd\/proftpd.conf<\/p>\n [text] Stop and restart the proftpd service<\/p>\n [bash] Test again with a FileZilla<\/a> install for a chroot FTP connection on port 21. It will probably fail unless the next step was done previously.<\/p>\n Check tail \/var\/log\/proftpd\/proftpd.log for errors like this:<\/p>\n [text] The issue is that chroot is not installed by default and therefore a Filezilla connection should fail.<\/p>\n [bash] Stop and restart the proftpd service<\/p>\n [bash] Test again with a FileZilla<\/a> install for a basic FTP connection on port 21 to the users home directory.<\/p>\n Once that is working adding TLS takes a few more steps.<\/p>\n Find and enable the following line by removing the # sign at the start of the line in<\/p>\n \/etc\/proftpd\/proftpd.conf<\/p>\n [text] Install openssl<\/p>\n [bash] Follow the details on How-to-Forge for creating a self-signed certificate<\/a> for the FTP server in Step 3 Creating The SSL Certificate For TLS.<\/p>\n Step 4 Enabling TLS In ProFTPd is no longer correct for this version of Debian. The tls section is no longer in the \/etc\/proftpd\/proftpd.conf but as a separate file in the same directory<\/p>\n Edit \/etc\/proftpd\/tls.conf instead of \/etc\/proftpd\/proftpd.conf<\/p>\n Turn on the appropriate sections and edit the relevant paths to suit your certificate locations.<\/p>\n Stop and restart the proftpd service<\/p>\n [bash]<\/p>\n #service proftpd restart<\/p>\n [\/bash]<\/p>\n Modify the Filezilla settings to use Require explicit FTP over TLS and test again. The prompt for the certificate acceptance is because it is self-signed and tick the box to retain the certificate so that the prompt disappears.<\/p>\n Note that the self-signed certificate is valid only for 365 days and in a year it will need to be renewed.<\/p>\n I also referenced http:\/\/www.delphi3000.com\/articles\/article_4881.asp<\/a> regarding the differences between SFTP and FTPS.<\/p>\n
\n#apt-get install proftpd-basic proftpd-doc
\n[\/bash]<\/p>\n
\nDefaultRoot
\n[\/text]<\/p>\n
\n#service proftpd restart
\n[\/bash]<\/p>\n
\nAug 09 16:30:44 server_name proftpd[9625] fq_server_name (::ffff:ip_address[::ffff:ip_address]): Preparing to chroot to directory ‘\/home\/username\/’
\nAug 09 16:30:44 server_name proftpd[9625] fq_server_name (::ffff:ip_address[::ffff:ip_address]): chroot to ‘\/home\/username\/’ failed for user ‘username’: Operation not permitted
\nAug 09 16:30:44 server_name proftpd[9625] fq_server_name (::ffff:ip_address[::ffff:ip_address]): error: unable to set default root directory
\n[\/text]<\/p>\n
\napt-get install chrootuid
\n[\/bash]<\/p>\n
\n#service proftpd restart
\n[\/bash]<\/p>\n
\ninclude \/etc\/proftpd\/tls.conf
\n[\/text]<\/p>\n
\n# apt-get install openssl
\n[\/bash]<\/p>\n