FTP

This will install and configure the FTP Service ProFTPD and manage virtual FTP users.

Warning

For your daily project work, FTP(S) is not required and not recommended! Access through SSH (SCP/SFTP) is far superior and more secure (see SSH).

Use FTP only to transfer files from and to certain directories if the other side does not support SCP.

Note

There are several protocols and tools with very similar names, which can lead to confusion:

  • FTP (File Transfer Protocol, not encrypted, not recommended)

  • FTPS (FTP over SSL/TLS, the same protocol, but over an encrypted transport layer)

  • SCP (older protocol, uses SSH and is therefore encrypted in transport)

  • SFTP (SSH File Transfer Protocol, newer version of SCP, also uses SSH, encrypted in transport)

For details, see the Wikipedia page on that matter.

The instructions on this page let you configure FTPS on your server. If your client can use SCP or SFTP, you don’t need to set up anything, as these are available out of the box without any further configuration.

Installation / configuration

There’s no global on/off switch. As soon as you configure Users / Directories below, the ProFTPD service gets provisioned and configured on your server.

Users

Lets you add FTP users to the system.

  • password: crypt password as used in /etc/passwd (see below)

  • uid: Linux system user id of desired user. Lookup on server before adding.

  • gid: Linux system group id of desired group. Lookup on server before adding.

  • home: access for the FTP user is restricted to this directory

Configure the ftp::users hash within the Custom JSON Server Level Configuration:

{
  "ftp::users": {
    "alice": {
      "password": "$6$1sLLOf5.$GAZDHYXEjs0MpR5uHBAR5eD00MpUasTgbyIP27PZ8WprL98XeU01N502ogYn1JKrgqEiTXn1/lkFBNZ46zZHY/",
      "uid": "1005",
      "gid": "1005",
      "home": "/home/examplenet/www/webcam/"
    }
  }
}

Tip

The password must be stored as a crypt hash, not in plain text. Use the following command to hash your desired password: mkpasswd -m sha-512

Tip

Use the “id” command to determine the appropriate uid/gid

Directories

Lets you configure directories and their access permissions for use via FTP.

Configure the ftp::directories hash within the Custom JSON Server Level Configuration:

{
  "ftp::directories": {
    "/home/examplenet/tmp/": {
      "limit": {
        "WRITE": {
          "DenyAll": null,
          "AllowUser": "alice"
        }
      }
    }
  }
}

The above will result in the following ProFTPD configuration:

<Directory /home/examplenet/tmp/>
    <Limit WRITE>
        DenyAll undef
        AllowUser alice
    </Limit>
</Directory>
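A small linter for the ftp::users and ftp::directories hashes described above, as an added example (not part of the original documentation or the platform's tooling). It assumes the JSON shape shown on this page; the name `lint_ftp_config`, the users "bob" and "carol" and the placeholder hash are constructed, and reporting uid/gid 0 as a finding is an assumption.

```python
import json
import re

# Format emitted by `mkpasswd -m sha-512`: $6$[rounds=N$]<salt>$<86-char hash>
SHA512_CRYPT = re.compile(
    r"\$6\$(rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}")


def lint_ftp_config(config):
    """Return findings for the ftp::users and ftp::directories hashes."""
    findings = []
    users = config.get("ftp::users", {})
    for name, user in users.items():
        if not SHA512_CRYPT.fullmatch(str(user.get("password", ""))):
            findings.append(f"{name}: password is not a SHA-512 crypt hash")
        for key in ("uid", "gid"):
            value = str(user.get(key, ""))
            if not re.fullmatch(r"[0-9]+", value):
                findings.append(f"{name}: {key} is not a numeric id")
            elif int(value) == 0:  # assumption: FTP users should never map to root
                findings.append(f"{name}: {key} 0 maps the FTP user to root")
        if not str(user.get("home", "")).startswith("/"):
            findings.append(f"{name}: home is not an absolute path")
    for path, spec in config.get("ftp::directories", {}).items():
        for command, rules in spec.get("limit", {}).items():
            allowed = rules.get("AllowUser")
            if allowed is not None and allowed not in users:
                findings.append(f"{path}: {command} allows undefined user {allowed}")
    return findings


# Constructed sample: "alice" is well-formed (placeholder hash), "bob" is not.
SAMPLE = json.loads("""
{
  "ftp::users": {
    "alice": {"password": "$6$c0nstructed$%s", "uid": "1005", "gid": "1005",
              "home": "/home/examplenet/www/webcam/"},
    "bob": {"password": "hunter2", "uid": "0", "gid": "users", "home": "tmp/"}
  },
  "ftp::directories": {
    "/home/examplenet/tmp/": {"limit": {"WRITE": {"DenyAll": null, "AllowUser": "carol"}}}
  }
}
""" % ("A" * 86))

if __name__ == "__main__":
    for finding in lint_ftp_config(SAMPLE):
        print(finding)
```

Running it before committing the Custom JSON catches a plain-text password or a misspelled AllowUser name before the configuration is provisioned.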

TLS Certificates

TLS is enabled and required by default, resulting in an encrypted connection between FTP-Client and FTP-Server for both authentication and data transfer.

Warning

You can disable the TLS requirement by setting the ftp::wrapper::proftpd::tlsrequired string to off.

As the FTP connection is not encrypted anymore, this option is strongly discouraged for security reasons! Please contact us to find another solution.

Default Certificate

If not configured otherwise (see below), a self-signed certificate bearing the hostname of the server will be created and used for ProFTPD.

Own Certificate

Specify your own certificate with the tls_key and tls_crt options.

Configure the ftp::wrapper::proftpd::tls_crt and ftp::wrapper::proftpd::tls_key strings within the Custom JSON Server Level Configuration:

{
  "ftp::wrapper::proftpd::tls_crt": "-----BEGIN CERTIFICATE-----\nMY-TLS-CERTIFICATE\n",
  "ftp::wrapper::proftpd::tls_key": "-----BEGIN PRIVATE KEY-----\nMY-TLS-KEY"
}

Own Certificate from File

Another option is to use certificates that already exist as files on your server, for example certificates you’ve provided for a website via the Cockpit or the ones that got provisioned via AutoSSL / Let’s Encrypt.

Configure the locations with the ftp::wrapper::proftpd::tls_crt_file and ftp::wrapper::proftpd::tls_key_file strings within the Custom JSON Server Level Configuration.

For own certificates, you can use the following paths:

{
  "ftp::wrapper::proftpd::tls_crt_file": "/etc/apache2/certs/<websitename>.crt",
  "ftp::wrapper::proftpd::tls_key_file": "/etc/apache2/certs/<websitename>.key"
}

For Let’s Encrypt certificates, you can use the same configuration as above, but you need to look up the path to the certificate by running letsencrypt-show as Generic Admin User on the server.

Firewall Rules

By default, firewall rules to allow incoming ports 21 (FTP) and 49152-49162 (FTP data) will be added. You don’t need to change this unless you’d like to restrict which systems are allowed to connect to the FTP service.

To disable those default rules, set ftp::wrapper::proftpd::nftables to false within the Custom JSON Server Level Configuration:

{
  "ftp::wrapper::proftpd::nftables": false
}

And then configure Firewall Rules for your specific use case (e.g. only allow certain IPs to connect via FTP).

Note

Please make sure to allow access from our internal monitoring system within your custom firewall ruleset:

  • IPv4: 185.17.70.112

  • IPv6: 2a04:503:0:1008::112