FTP with ProFTPD: Setup and TLS Encryption

Introduction

For most file transfers, SFTP is the better tool — it is encrypted, already installed, and needs no setup. But some legacy devices, embedded systems, and older publishing tools speak only FTP. When you have a specific need like that, ProFTPD — the highly configurable FTP daemon that has long served GSP VPSs — is available on both FreeBSD 15 and Rocky Linux 10. Crucially, ProFTPD can wrap FTP in TLS (called FTPS), so logins and file contents need not travel in the clear. This page installs ProFTPD, sets up a basic configuration, and — most importantly — turns on encryption.

WARNING: Plain, unencrypted FTP sends your password and every byte of your files across the network in cleartext. Do not run it that way. Require TLS (the Enabling Encryption section below), restrict access to networks you trust or a VPN, and treat any FTP password as more exposed than your SSH credentials. Where you have the choice, prefer SFTP.

 

Installing ProFTPD

Install the package, then enable and start the service. On FreeBSD 15:

# pkg install proftpd
# sysrc proftpd_enable=YES
# service proftpd start
#                              # configuration lives in /usr/local/etc/proftpd.conf

On Rocky Linux 10, ProFTPD comes from the EPEL repository:

# dnf install epel-release
# dnf install proftpd proftpd-utils
# systemctl enable --now proftpd
#                              # configuration lives in /etc/proftpd.conf

The TLS module (mod_tls) that provides encryption is built into ProFTPD on both systems, so there is no separate package to install for FTPS.

 

A Basic Configuration

Edit the configuration file (/usr/local/etc/proftpd.conf on FreeBSD, /etc/proftpd.conf on Rocky Linux). A sound starting point locks each user into their own home directory and refuses anonymous access:

ServerName            "GSP VPS"
ServerType            standalone
DefaultServer         on
Port                  21
UseIPv6               off
User                  nobody
# Use "nobody" as the Group on FreeBSD
Group                 nogroup
# Chroot each user into their home directory
DefaultRoot           ~
# Allow accounts that have no login shell
RequireValidShell     off
AllowOverwrite        on

<Limit LOGIN>
  AllowAll
</Limit>

DefaultRoot ~ is the key line: it confines each logged-in user to their home directory so they cannot wander the rest of the file system. Validate the file with proftpd -t before restarting the service (service proftpd restart on FreeBSD, systemctl restart proftpd on Rocky Linux). FTP users authenticate with their normal Unix account password.

 

Enabling Encryption (FTPS with TLS)

FTPS secures FTP with the same TLS that protects HTTPS. There are two flavors. Explicit FTPS (often shown as “FTPES”) connects to the normal port 21 and then issues an AUTH TLS command to upgrade the connection to encrypted — this is the modern default and the one to use. Implicit FTPS is encrypted from the first byte on port 990 and exists mainly for old clients. Both are handled by mod_tls.

You need a certificate and key. The simplest choice is to reuse the Let’s Encrypt certificate you already have for your web site (a self-signed pair also works for a private tool). Add a mod_tls block to the configuration:

<IfModule mod_tls.c>
  TLSEngine                 on
  TLSLog                    /var/log/proftpd/tls.log
  TLSProtocol               TLSv1.2 TLSv1.3
  TLSRSACertificateFile     /etc/letsencrypt/live/example.com/fullchain.pem
  TLSRSACertificateKeyFile  /etc/letsencrypt/live/example.com/privkey.pem
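  # Require encryption for BOTH login and data
  TLSRequired               on
  TLSVerifyClient           off
  # Relaxes mod_tls's default rule that data connections reuse the control
  # connection's TLS session; some clients need this
  TLSOptions                NoSessionReuseRequired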
</IfModule>

Point the two certificate paths at your own files (on FreeBSD they will be under /usr/local/etc/ wherever your ACME client wrote them). The most important directive is TLSRequired:

TLSRequired   Effect
-----------   ------
on            Encrypt both the login (control) and the file (data) channels — recommended
ctrl          Encrypt only the login channel; file transfers may be in the clear
data          Encrypt only file transfers
off           Allow unencrypted connections (not recommended)

Leave it at on so a client can never fall back to sending your password or files unencrypted. Restart ProFTPD after editing, and confirm the TLS handshake succeeds by watching /var/log/proftpd/tls.log as you connect.

 

Passive Mode and the Firewall

FTP opens a second connection for the actual file data. In passive mode (what every modern client uses) the server opens that connection on a high-numbered port, so you must pin the range and open it in the firewall — especially with FTPS, where the firewall cannot read the encrypted control channel to learn the port on its own:

PassivePorts        49152 65534
# Only if the VPS sits behind NAT:
# MasqueradeAddress 203.0.113.10

On Rocky Linux 10, open the ports and let SELinux permit ProFTPD to read and write files:

# firewall-cmd --permanent --add-service=ftp
# firewall-cmd --permanent --add-port=49152-65534/tcp
# firewall-cmd --reload
# setsebool -P ftpd_full_access on

On FreeBSD 15, allow port 21 and the same passive range in your pf ruleset.
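
The settings from the Basic Configuration, Enabling Encryption and Passive Mode sections can be checked mechanically before a restart. The Python script below is an added example, not GSP's or the ProFTPD project's code; the function names and sample strings are constructed for illustration, and it assumes comments sit on their own lines and that no <VirtualHost> section overrides these directives.

```python
# Added example, not GSP/ProFTPD code. Assumes own-line comments, no <VirtualHost> overrides.
TLSREQUIRED_WEAK = {
    "ctrl": "only the login channel is encrypted",
    "data": "only file transfers are encrypted",
    "off": "unencrypted connections are allowed",
}
GOOD_PROTOCOLS = {"tlsv1.2", "tlsv1.3"}

def directives(conf_text):
    """Map each directive name (lower-cased) to the list of its argument lists."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":  # blanks, comments, <IfModule>/<Limit> tags
            continue
        name, *args = line.split()
        found.setdefault(name.lower(), []).append(args)
    return found

def audit(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    d, findings = directives(conf_text), []
    first = lambda name: [a[0].lower() for a in d.get(name, []) if a]
    if set(first("tlsengine")) != {"on"}:
        findings.append("TLSEngine is not on")
    required = first("tlsrequired")
    if not required:
        findings.append("TLSRequired is not set")
    for value in required:
        if value != "on":
            why = TLSREQUIRED_WEAK.get(value, "not the 'on' setting recommended here")
            findings.append(f"TLSRequired {value}: {why}")
    for args in d.get("tlsprotocol", []):
        # A leading '-' removes a version; every other token enables one.
        extra = [p for p in args if not p.startswith("-")
                 and p.lstrip("+").lower() not in GOOD_PROTOCOLS]
        if extra:
            findings.append("TLSProtocol also enables: " + " ".join(extra))
    if "~" not in first("defaultroot"):
        findings.append("DefaultRoot ~ is missing")
    if not any(len(a) == 2 for a in d.get("passiveports", [])):
        findings.append("PassivePorts range is not set")
    return findings

# Constructed samples modelled on the configuration shown on this page.
HARDENED = ("DefaultRoot ~\nPassivePorts 49152 65534\n<IfModule mod_tls.c>\n"
            "  TLSEngine on\n  TLSProtocol TLSv1.2 TLSv1.3\n  TLSRequired on\n</IfModule>\n")
WEAK = HARDENED.replace("TLSRequired on", "TLSRequired ctrl").replace(
    "TLSv1.2 TLSv1.3", "TLSv1.1 TLSv1.2").replace("PassivePorts 49152 65534\n", "")
print("\n".join(audit(WEAK)) or "no findings")
```

To check a real file, pass its contents to audit(), for example audit(open("/etc/proftpd.conf").read()), and still run proftpd -t for syntax.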

 

Connecting with a Client

Use a client that supports FTPS — FileZilla is a good free choice. Create a connection with Protocol FTP, Encryption “Require explicit FTP over TLS”, port 21, and your VPS username and password. On the first connection the client shows the server’s certificate for you to accept. From the command line, lftp connects with TLS when you set ftp:ssl-force true. (The same FileZilla can also do SFTP if you would rather skip FTP altogether.)

 

Documentation

Read man proftpd and man proftpd.conf on the VPS, or the online manual pages. The ProFTPD project’s site at proftpd.org documents every directive, and its mod_tls reference covers the full set of encryption options. See also HTTPS & SSL for obtaining the certificate, and Securing Your VPS for the firewall.


Copyright © 1994-2026 GSP Services, Inc.