I assume that everyone knows what FTP is; if not, see http://en.wikipedia.org/wiki/File_Transfer_Protocol. The main use case is to set up a safe FTP server for our friends: the server will be visible to anyone, but only a few people will be able to log in.
We start with the FTP server installation:
$ sudo apt-get install proftpd
To remove it, just type:
$ sudo apt-get autoremove proftpd
Setting up proftpd-basic (1.3.2e-4ubuntu0.1) ...
Adding system user `ftp' (UID 117) ...
Adding new user `ftp' (UID 117) with group `nogroup' ...
Creating home directory `/home/ftp' ...
`/usr/share/proftpd/templates/welcome.msg' -> `/home/ftp/welcome.msg.proftpd-new'
ProFTPd is started from inetd/xinetd.
Neither inetd nor xinetd appears installed: check your configuration.
The ProFTPD configuration is, as usual, in /etc/proftpd/.
$ sudo mcedit /etc/proftpd/proftpd.conf
Let's change our configuration a little:
ServerType standalone
ServerName "MyLocalFTP"
# Port can be changed to any value between 0 and 65535 (2^16 - 1). Note that some ports
# can be already used by other services. Best practice is to use port numbers after 1023.
Port 21
Add MyLocalFTP to known host names:
$ sudo mcedit /etc/hosts
127.0.1.1 myname-pc MyLocalFTP
To check if it works:
$ ping MyLocalFTP
If you know the IP addresses of your friends, you can also add a login restriction to your proftpd.conf file:
<Limit LOGIN>
  Deny from all
  Allow from 188.8.131.52
  Allow from 184.108.40.206
  Allow from 220.127.116.11
</Limit>
Now remove anonymous access to your FTP server. The first step is to remove the user ftp and its home directory:
$ sudo userdel -r ftp
Then remove all
<Anonymous ... > ... </Anonymous>
tags from your proftpd.conf file.
Now we add logins and passwords for our friends. For security, only virtual users will have access to our FTP server. A virtual user is a user without a system account, recognized only by proftpd, and mapped to the access rights of an existing system user. Good practice is to use one system user for all your virtual users. We will use the simplest virtual user authentication mechanism: the AuthUserFile, a flat text file in the same format as the system /etc/passwd file. The AuthUserFile configuration directive is handled by the mod_auth_file module.
Find these lines in the proftpd.conf file:
User myserweruser
Group myserwergroup
Now find the User-ID and Group-ID of myserweruser and his group:
$ cat /etc/passwd | grep myserweruser
The fields of an /etc/passwd entry, after the user name, include:
* Password (contains the encrypted password)
* User-ID (access privileges)
* Group-ID (user’s primary group)
* Home directory
Virtual users can be easily added with the ftpasswd tool. ftpasswd is a Perl script distributed with the ProFTPD source code, under the contrib/ directory. A copy can also be found online:
$ cd /etc/proftpd
$ sudo wget http://www.castaglia.org/proftpd/contrib/ftpasswd
$ sudo chmod 755 ftpasswd
$ sudo ./ftpasswd --passwd --name=kate --home=/home/ftp/kate --shell=/bin/false --uid=xxx --gid=yyy
$ sudo ./ftpasswd --group --name=myserwergroup --gid=yyy --member=kate
$ sudo mkdir /home/ftp
$ sudo chmod +x /home/ftp
$ sudo mkdir /home/ftp/kate
$ sudo chown -R myserweruser:myserwergroup /home/ftp/kate
$ sudo chmod 751 /home/ftp/kate
Once you have created your AuthUserFile and AuthGroupFile with the ftpasswd tool, you need to configure your proftpd.conf to use those files by adding the following directives:
RequireValidShell off
AuthUserFile /path/to/ftpd.passwd
AuthGroupFile /path/to/ftpd.group
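One way to sanity-check the file ftpasswd produced before pointing AuthUserFile at it, as an added example that is not part of the original tutorial or of ProFTPD. The shared UID/GID 1001, the function names and the sample entries are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: lint an ftpasswd-style AuthUserFile (passwd format,
# name:hash:uid:gid:gecos:home:shell). All names and values here are constructed.

# check_authuserfile FILE UID GID PREFIX
# Prints one finding per line; prints nothing when the file looks sane.
check_authuserfile() {
    # The file holds password hashes, so "other" should have no read access.
    if [ -n "$(find "$1" -prune -perm -004)" ]; then
        echo "$1: readable by all local users"
    fi
    awk -F: -v uid="$2" -v gid="$3" -v prefix="$4" '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        NF != 7  { print $1 ": expected 7 fields, got " NF; next }
        $2 == "" { print $1 ": empty password field" }
        $3 == 0  { print $1 ": maps to UID 0 (root)" }
        $3 != uid || $4 != gid {
            print $1 ": uid/gid " $3 "/" $4 " is not the shared account " uid "/" gid }
        index($6, prefix "/") != 1 || $6 ~ /\/\.\.(\/|$)/ {
            print $1 ": home " $6 " is outside " prefix }
        seen[$1]++ { print $1 ": duplicate user name" }
    ' "$1"
}

# Constructed sample: kate is set up as in the tutorial, bob and eve are not.
make_sample() {
    cat >"$1" <<'EOF'
kate:$1$constructed$0000000000000000000000:1001:1001::/home/ftp/kate:/bin/false
bob:$1$constructed$1111111111111111111111:0:0::/home/ftp/bob:/bin/false
eve::1001:1001::/home/eve:/bin/false
EOF
    chmod 640 "$1"
}

sample=$(mktemp)
make_sample "$sample"
check_authuserfile "$sample" 1001 1001 /home/ftp
rm -f "$sample"
```

Against a real installation, pass the AuthUserFile path from proftpd.conf and the UID and GID that `grep myserweruser /etc/passwd` reported.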
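Now jail all users in their homes (the DefaultRoot ~ directive in proftpd.conf, see the sample file at the end) and reload the server: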
$ sudo killall -HUP proftpd
$ sudo /etc/init.d/proftpd restart
Now we have successfully configured the FTP server, but our friends only have access to their own folders in /home/ftp. If you would like to share files from, e.g., /media/MyMusic with kate, the easiest way is to make a symbolic link to /media/MyMusic in her home folder:
$ sudo ln -s /media/MyMusic SharedMusic
$ sudo chmod o+r /media/MyMusic
$ sudo mcedit /etc/proftpd/proftpd.conf
VRootOptions allowSymlinks
<IfModule mod_vroot.c>
  VRootEngine on
  DefaultRoot ~
  VRootAlias /media/MyMusic /home/kate/SharedMusic
</IfModule>
Other tips & tricks:
How to test my FTP server?
Just use ftp command, like:
$ ftp 127.0.0.1
and follow the instructions.
How to limit the connection pool?
MaxClientsPerHost 1
MaxClients 10 "Too many connections"
How to forbid system users to log in to our FTP service?
Our configuration still allows system users to log in to our FTP service. To forbid this, edit the /etc/ftpusers file. Users listed in /etc/ftpusers cannot log in over FTP, unless the UseFtpUsers off line is uncommented in your configuration.
Add all your system logins to the /etc/ftpusers file:
$ vim /etc/ftpusers
and make sure that UseFtpUsers off is commented out in your proftpd.conf file
$ vim /etc/proftpd/proftpd.conf
comment out or remove the line:
# UseFtpUsers off
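A way to verify both halves of this step, as an added example that is not part of the original tutorial: it lists accounts from a passwd file that the deny list omits and reports whether an active UseFtpUsers off line makes the list moot. The function names and all three sample files are constructed for the illustration.

```shell
#!/bin/sh
# Added example: which local accounts could still log in over FTP?
# The passwd, ftpusers and proftpd.conf contents are constructed samples.

# missing_from_ftpusers PASSWD FTPUSERS: print accounts the deny list omits.
missing_from_ftpusers() {
    awk -F: '
        { sub(/#.*/, ""); gsub(/[ \t]+/, "") }       # drop comments and blanks
        $0 == "" { next }
        FILENAME == ARGV[1] { denied[$0] = 1; next } # first file: deny list
        !($1 in denied) { print $1 }                 # second file: passwd
    ' "$2" "$1"
}

# ftpusers_ignored CONF: true if an active "UseFtpUsers off" disables the list.
ftpusers_ignored() {
    grep -Eiq '^[[:space:]]*UseFtpUsers[[:space:]]+off' "$1"
}

audit_ftp_logins() {    # PASSWD FTPUSERS CONF
    if ftpusers_ignored "$3"; then
        echo "UseFtpUsers off is active: $2 is not consulted"
    fi
    missing_from_ftpusers "$1" "$2" | sed 's/^/not in ftpusers: /'
}

make_samples() {        # DIR: write the three constructed files into DIR
    cat >"$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
myserweruser:x:1001:1001::/home/myserweruser:/bin/bash
EOF
    printf '# accounts denied FTP login\nroot\ndaemon\n' >"$1/ftpusers"
    printf '# UseFtpUsers off\nUser myserweruser\n' >"$1/proftpd.conf"
}

demo=$(mktemp -d)
make_samples "$demo"
audit_ftp_logins "$demo/passwd" "$demo/ftpusers" "$demo/proftpd.conf"
rm -rf "$demo"
```

On the server itself the call is `audit_ftp_logins /etc/passwd /etc/ftpusers /etc/proftpd/proftpd.conf`.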
Unable to list folders containing 
The FTP client usually uses the LIST command, but sometimes it would rather use the MLSD command. Support for the MLSD command is new in proftpd-1.3.2. To work around this, you could use the following in your proftpd.conf:
<IfModule mod_facts.c>
  FactsAdvertise off
</IfModule>
In effect, this tells clients not to use the new MLSD command.
When I try to start my FTP server, I get a message like: Current connections will be dropped:
Just remove /etc/shutmsg file:
$ sudo cp /etc/shutmsg /etc/shutmsg.org
$ sudo rm /etc/shutmsg
Sample proftpd.conf file
# Includes DSO modules
Include /etc/proftpd/modules.conf
# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 on
# If set on you can experience a longer connection delay in many cases.
IdentLookups off
ServerName "MyLocalFTP"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message true
ListOptions "-l"
DenyFilter \*.*/
# Use this to jail all users in their homes
DefaultRoot ~
# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
RequireValidShell off
AuthUserFile /etc/proftpd/ftpd.passwd
AuthGroupFile /etc/proftpd/ftpd.group
# Port 21 is the standard FTP port.
Port 21
MaxClientsPerHost 1
MaxClients 10 "Too many connections"
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 5
# Set the user and group that the server normally runs at.
User myserweruser
Group myserwergroup
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite off
TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
VRootOptions allowSymlinks
<IfModule mod_vroot.c>
  VRootEngine on
  DefaultRoot ~
  VRootAlias /media/MyMusic /home/kate/SharedMusic
</IfModule>
<IfModule mod_quotatab.c>
  QuotaEngine off
</IfModule>
<IfModule mod_ratio.c>
  Ratios off
</IfModule>
<Limit LOGIN>
  AllowUser kate
  DenyALL
</Limit>
# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
  DelayEngine on
</IfModule>
<IfModule mod_ctrls.c>
  ControlsEngine off
  ControlsMaxClients 2
  ControlsLog /var/log/proftpd/controls.log
  ControlsInterval 5
  ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>
# In case when our files or folders can contains brackets in the names, then
# tell the ftp client to not use MLSD command
<IfModule mod_facts.c>
  FactsAdvertise off
</IfModule>
<IfModule mod_ctrls_admin.c>
  AdminControlsEngine off
</IfModule>
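A small lint for three of the steps above (no Anonymous section, DefaultRoot ~ present, a Limit LOGIN section that denies by default), as an added example that is not part of the original tutorial or of ProFTPD. The function names and both sample files are constructed, and the parser only understands one directive per line.

```shell
#!/bin/sh
# Added example: lint a proftpd.conf for three steps of this tutorial.
# Both sample files are constructed.

# audit_proftpd_conf FILE: print one finding per line, nothing if all hold.
audit_proftpd_conf() {
    awk '
        { sub(/^[ \t]+/, ""); line = tolower($0) }   # names compared case-insensitively
        line == "" || line ~ /^#/ { next }           # blank lines and comments
        line ~ /^<anonymous[ \t>]/   { print "line " NR ": <Anonymous> section present" }
        line ~ /^defaultroot[ \t]+~/ { jailed = 1 }
        line ~ /^<limit[ \t]/ {
            in_login = (line ~ /[ \t]login[ \t>]/)
            if (in_login) have_limit = 1
            next
        }
        line ~ /^<\/limit>/ { in_login = 0; next }
        in_login && (line ~ /^denyall/ || line ~ /^deny[ \t]+from[ \t]+all/) { deny = 1 }
        END {
            if (!jailed)     print "no DefaultRoot ~: users are not jailed"
            if (!have_limit) print "no <Limit LOGIN> section"
            else if (!deny)  print "<Limit LOGIN> section has no deny-all rule"
        }
    ' "$1"
}

make_conf_samples() {   # DIR: writes a constructed before.conf and after.conf
    cat >"$1/before.conf" <<'EOF'
ServerName "MyLocalFTP"
<Anonymous ~ftp>
  User ftp
</Anonymous>
# DefaultRoot ~
EOF
    cat >"$1/after.conf" <<'EOF'
DefaultRoot ~
<Limit LOGIN>
  AllowUser kate
  DenyALL
</Limit>
EOF
}

demo=$(mktemp -d)
make_conf_samples "$demo"
for f in before after; do echo "== $f.conf"; audit_proftpd_conf "$demo/$f.conf"; done
rm -rf "$demo"
```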