Introduction

For most file transfers, SFTP is
the better tool — it is encrypted, already installed, and needs no setup. But some legacy devices,
embedded systems, and older publishing tools speak only FTP. When you have a specific need like
that, ProFTPD — the
highly configurable FTP daemon that has long served GSP VPSs — is available on both
FreeBSD 15 and Rocky Linux 10. Crucially, ProFTPD can wrap FTP in TLS (called FTPS),
so logins and file contents need not travel in the clear. This page installs ProFTPD, sets up a basic
configuration, and — most importantly — turns on encryption.
WARNING: Plain, unencrypted FTP sends your password and every byte of your files
across the network in cleartext. Do not run it that way. Require TLS (the
Enabling Encryption section below), restrict access to networks you trust or a VPN, and
treat any FTP password as more exposed than your SSH credentials. Where you have the choice,
prefer SFTP.

Installing ProFTPD

Install the package, then enable and start the service. On FreeBSD 15:
# pkg install proftpd
# sysrc proftpd_enable=YES
# service proftpd start
# # configuration lives in /usr/local/etc/proftpd.conf
On Rocky Linux 10, ProFTPD comes from the
EPEL repository:
# dnf install epel-release
# dnf install proftpd proftpd-utils
# systemctl enable --now proftpd
# # configuration lives in /etc/proftpd.conf
The TLS module (mod_tls) that provides encryption is built into ProFTPD on both systems, so
there is no separate package to install for FTPS.

A Basic Configuration

Edit the configuration file (/usr/local/etc/proftpd.conf on FreeBSD,
/etc/proftpd.conf on Rocky Linux). A sound starting point locks each user into their own home
directory and refuses anonymous access:
ServerName "GSP VPS"
ServerType standalone
DefaultServer on
Port 21
UseIPv6 off
User nobody
Group nogroup # FreeBSD; use "nobody" on Rocky Linux, which has no nogroup group
DefaultRoot ~ # chroot each user into their home directory
RequireValidShell off # allow accounts that have no login shell
AllowOverwrite on
<Limit LOGIN>
AllowAll
</Limit>
DefaultRoot ~ is the key line: it confines each logged-in user to their home directory so
they cannot wander the rest of the file system. Validate the file with proftpd -t before
restarting the service (service proftpd restart on FreeBSD, systemctl restart proftpd on
Rocky Linux). FTP users authenticate with their normal Unix account password.

Enabling Encryption (FTPS with TLS)

FTPS secures FTP with the same TLS that protects HTTPS. There are two flavors. Explicit FTPS
(often shown as “FTPES”) connects to the normal port 21 and then issues an
AUTH TLS command to upgrade the connection to encrypted — this is the modern default and the
one to use. Implicit FTPS is encrypted from the first byte on port 990 and exists mainly for
old clients. Both are handled by mod_tls.
You need a certificate and key. The simplest choice is to reuse the
Let’s Encrypt certificate you
already have for your web site (a self-signed pair also works for a private tool). Add a
mod_tls block to the configuration:
<IfModule mod_tls.c>
TLSEngine on
TLSLog /var/log/proftpd/tls.log
TLSProtocol TLSv1.2 TLSv1.3
TLSRSACertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
TLSRSACertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
TLSRequired on # require encryption for BOTH login and data
TLSVerifyClient off
TLSOptions NoSessionReuseRequired
</IfModule>
Point the two certificate paths at your own files (on FreeBSD they will be under
/usr/local/etc/ wherever your ACME client wrote them). The most important directive is
TLSRequired:
TLSRequired  Effect
on           Encrypt both the login (control) and the file (data) channels (recommended)
ctrl         Encrypt only the login channel; file transfers may be in the clear
data         Encrypt only file transfers
off          Allow unencrypted connections (not recommended)
Leave it at on so a client can never fall back to sending your password or files unencrypted.
Restart ProFTPD after editing, and confirm the TLS handshake succeeds by watching
/var/log/proftpd/tls.log as you connect.
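Before restarting, it is worth checking the file for the directives that the basic configuration and the TLS block above depend on. The following audit script is an added example, not code from this page or from the ProFTPD project: it reads a proftpd.conf, strips comments, and reports when TLSEngine or TLSRequired is not on, when TLSProtocol still admits SSLv3, TLSv1 or TLSv1.1, when DefaultRoot is not ~, and when PassivePorts is unset. The two sample configurations embedded in it are constructed for the demonstration; point audit_proftpd_conf at /etc/proftpd.conf or /usr/local/etc/proftpd.conf to audit a real file.

```shell
#!/bin/sh
# Added example (not from the GSP page or the ProFTPD project): audit a
# proftpd.conf for the settings this page treats as security-relevant.
# The sample configs below are constructed for the demo.

# directive_value FILE DIRECTIVE
# Print the value of the last occurrence of DIRECTIVE (directive names are
# case-insensitive in ProFTPD) with '#' comments stripped; empty if absent.
directive_value() {
    sed 's/#.*$//' "$1" | awk -v d="$2" '
        tolower($1) == tolower(d) { $1 = ""; sub(/^[ \t]+/, ""); v = $0 }
        END { print v }'
}

# audit_proftpd_conf FILE
# Print one line per finding; the return value is the number of findings,
# so 0 means every checked directive matches the recommendations above.
audit_proftpd_conf() {
    conf=$1
    n=0

    v=$(directive_value "$conf" TLSEngine)
    if [ "$v" != "on" ]; then
        echo "TLSEngine is '${v:-unset}': mod_tls is off, so only plain FTP is offered"; n=$((n + 1))
    fi

    v=$(directive_value "$conf" TLSRequired)
    if [ "$v" != "on" ]; then
        echo "TLSRequired is '${v:-unset}' (want on): a client may send the password or files unencrypted"; n=$((n + 1))
    fi

    v=$(directive_value "$conf" TLSProtocol)
    case " $v " in
        *" SSLv3 "* | *" TLSv1 "* | *" TLSv1.1 "*)
            echo "TLSProtocol '$v' still permits an obsolete protocol version"; n=$((n + 1)) ;;
    esac

    v=$(directive_value "$conf" DefaultRoot)
    if [ "$v" != "~" ]; then
        echo "DefaultRoot is '${v:-unset}' (want ~): users are not confined to their home directories"; n=$((n + 1))
    fi

    v=$(directive_value "$conf" PassivePorts)
    if [ -z "$v" ]; then
        echo "PassivePorts is unset: passive data ports cannot be pinned in the firewall"; n=$((n + 1))
    fi

    # NoSessionReuseRequired waives the check that a data connection reuses
    # the control connection's TLS session. It is kept for older clients, so
    # it is reported as a note rather than counted as a finding.
    v=$(directive_value "$conf" TLSOptions)
    case " $v " in
        *" NoSessionReuseRequired "*)
            echo "note: TLSOptions NoSessionReuseRequired relaxes data-connection session binding (compatibility setting)" ;;
    esac

    return $n
}

# Constructed sample: the hardened configuration this page builds up.
sample_hardened_conf() {
    cat <<'EOF'
ServerName "GSP VPS"
DefaultRoot ~ # chroot each user into their home directory
PassivePorts 49152 65534
<IfModule mod_tls.c>
  TLSEngine on
  TLSProtocol TLSv1.2 TLSv1.3
  TLSRequired on # require encryption for BOTH login and data
  TLSOptions NoSessionReuseRequired
</IfModule>
EOF
}

# Constructed sample: a weak configuration with the mistakes the audit catches.
sample_weak_conf() {
    cat <<'EOF'
ServerName "GSP VPS"
<IfModule mod_tls.c>
  TLSEngine on
  TLSProtocol TLSv1 TLSv1.1 TLSv1.2
  TLSRequired ctrl # only the login is encrypted; files go in the clear
</IfModule>
EOF
}

# Stand-alone demo: write both samples to temporary files and audit them.
tmp_good=$(mktemp); tmp_weak=$(mktemp)
sample_hardened_conf > "$tmp_good"
sample_weak_conf > "$tmp_weak"
echo "== hardened sample =="; audit_proftpd_conf "$tmp_good"; echo "findings: $?"
echo "== weak sample =="; audit_proftpd_conf "$tmp_weak"; echo "findings: $?"
rm -f "$tmp_good" "$tmp_weak"
```

The audit is deliberately strict about TLSRequired: anything other than on (ctrl, data, off, or the directive missing) is a finding, matching the table above, because each of those leaves either the password or the file contents able to travel in the clear.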

Passive Mode and the Firewall

FTP opens a second connection for the actual file data. In passive mode (what every modern
client uses) the server listens on a high-numbered port for the client to connect to, so you must
pin that range and open it in the firewall. This matters especially with FTPS, where the firewall
cannot read the encrypted control channel to learn the port on its own:
PassivePorts 49152 65534
# MasqueradeAddress 203.0.113.10 # only if the VPS sits behind NAT
On Rocky Linux 10, open the ports and let SELinux permit ProFTPD to read and write
files:
# firewall-cmd --permanent --add-service=ftp
# firewall-cmd --permanent --add-port=49152-65534/tcp
# firewall-cmd --reload
# setsebool -P ftpd_full_access on
On FreeBSD 15, allow port 21 and the same passive range in your
pf ruleset.
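A common failure after this step is a PassivePorts range that is valid for ProFTPD but only partly opened in the firewall, which makes directory listings and transfers hang after a successful TLS login. The script below is an added example, not code from this page or from the ProFTPD project: it checks that a PassivePorts range lies in the non-privileged range ProFTPD requires, and that some TCP entry in a firewall port list spans the whole range. The port lists are constructed samples in the "lo-hi/tcp" form that firewall-cmd --list-ports prints on Rocky Linux; on FreeBSD you would paste the range from your pf ruleset in the same form.

```shell
#!/bin/sh
# Added example (not from the GSP page or the ProFTPD project): confirm that
# the PassivePorts range is valid and actually covered by the firewall.
# The firewall port lists below are constructed samples.

# passive_range_ok LOW HIGH
# ProFTPD requires the passive range to lie in the non-privileged range, so
# check 1024 <= LOW <= HIGH <= 65535. Returns 0 when the range is valid.
passive_range_ok() {
    low=$1; high=$2
    [ "$low" -ge 1024 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

# range_covered LOW HIGH "PORTLIST"
# Return 0 when one tcp entry in PORTLIST spans the whole LOW-HIGH range.
# An entry is a single port ("21/tcp") or a range ("49152-65534/tcp");
# udp entries are ignored because FTP data never travels over udp.
range_covered() {
    low=$1; high=$2; ports=$3
    for entry in $ports; do
        case "$entry" in
            */tcp) ;;
            *) continue ;;
        esac
        spec=${entry%/tcp}
        case "$spec" in
            *-*) lo=${spec%-*}; hi=${spec#*-} ;;
            *)   lo=$spec; hi=$spec ;;
        esac
        if [ "$lo" -le "$low" ] && [ "$hi" -ge "$high" ]; then
            return 0
        fi
    done
    return 1
}

# check_passive_firewall "PASSIVEPORTS VALUE" "PORTLIST"
# Run both checks on the value as written in proftpd.conf ("49152 65534")
# and explain the outcome; the return value is 0 only when both pass.
check_passive_firewall() {
    low=${1%% *}; high=${1##* }; ports=$2
    if ! passive_range_ok "$low" "$high"; then
        echo "PassivePorts $low $high is not a valid range (need 1024 <= low <= high <= 65535)"
        return 1
    fi
    if range_covered "$low" "$high" "$ports"; then
        echo "PassivePorts $low-$high is reachable through the firewall"
        return 0
    fi
    echo "PassivePorts $low-$high is NOT covered by the firewall: passive transfers will hang"
    return 1
}

# Constructed samples of 'firewall-cmd --list-ports' output: one host where
# the whole range was opened, one where only a slice of it was.
FW_OPENED="443/tcp 49152-65534/tcp"
FW_PARTIAL="443/tcp 50000-60000/tcp"

# Stand-alone demo.
check_passive_firewall "49152 65534" "$FW_OPENED"
check_passive_firewall "49152 65534" "$FW_PARTIAL"
check_passive_firewall "60000 50000" "$FW_OPENED"
```

Partial coverage is reported as a failure on purpose: ProFTPD picks any port in the range for each passive connection, so a rule that opens only part of it produces transfers that work intermittently, which is harder to diagnose than one that never works.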

Connecting with a Client

Use a client that supports FTPS — FileZilla is a good free choice. Create a connection
with Protocol FTP, Encryption “Require explicit FTP over TLS”, port 21, and
your VPS username and password. On the first connection the client shows the server’s certificate
for you to accept. From the command line, lftp connects with TLS when you set
ftp:ssl-force true. (The same FileZilla can also do
SFTP if you would rather skip FTP
altogether.)

Documentation

Read man proftpd and man proftpd.conf on the VPS, or the
online manual pages. The ProFTPD
project’s site at proftpd.org
documents every directive, and its mod_tls reference covers the full set of encryption options. See
also HTTPS & SSL for obtaining the
certificate, and Securing Your VPS
for the firewall.
Toll Free 1-866-GSP-4400 • 1-301-464-9363 • service@gsp.com
Copyright © 1994-2026 GSP Services, Inc.