How to install ProFTPD with TLS on CentOS 7.2

This tutorial describes the installation and configuration of ProFTPD on a CentOS 7.2 Server. ProFTPD is an FTP daemon for Unix and Linux operating systems and distributed under the GNU Public License (GPL).

1 Preliminary Note

This tutorial is based on a CentOS server, so you should set up a basic CentOS 7.2 server installation before you continue with this tutorial. The system should have a static IP address. I use as my IP address in this tutorial and as the hostname.

2 Install and configure ProFTPD

2.1 Installation:

We require Software from EPEL repository, enable it as follows:

yum -y install epel-release

Then import the EPEL GPG-key:

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

and update the packages:

yum -y update

We will install ProFTPD and OpenSSL as follows:

yum install -y proftpd openssl proftpd-utils

We need to start the service and enable it to start at boot automatically.

systemctl start proftpd.service
systemctl enable proftpd.service

If you have firewalld installed, then configure the Firewall with firewall-cmd to open the FTP port:

firewall-cmd --add-service=ftp --permanent
firewall-cmd --reload

We can check the ProFTPD version as follows:

proftpd -v

[root@server1 ~]# proftpd -v
ProFTPD Version 1.3.5b
[root@server1 ~]#

2.2 Creating ProFTPD Users

I will create a group ftpgroup and a user tom for ProFTPD. I will set /ftpshare as home directory for the user tom.

groupadd ftpgroup

Next I will add the user srijan in ftpgroup:

useradd  -G ftpgroup tom -s /sbin/nologin -d /ftpshare
passwd tom

[root@server1 ~]# passwd tom
Changing password for user srijan.
New password: <--ftppassword
Retype new password: <--ftppassword
passwd: all authentication tokens updated successfully.
[root@server1 ~]# 

Set the permissions for the ftpshare directory:

chmod -R 1750 /ftpshare/

Now we are ready for ProFTPD connection. But the connections are not encrypted yet, we will solve this in the next chapter.

3 Enabling TLS In ProFTPD

In order to enable TLS in ProFTPD, open /etc/proftpd/proftpd.conf. Before editing the file, its better to backup the original file and then edit the file with nano.

cp -pf /etc/proftpd.conf /etc/proftpd.conf.bak
nano /etc/proftpd.conf

Add and modify the lines as shown in red.

DefaultRoot ~ !adm PassivePorts 6000 6100

<IfDefine TLS> TLSEngine on TLSRequired on TLSRSACertificateFile /etc/pki/tls/certs/proftpd.pem TLSRSACertificateKeyFile /etc/pki/tls/certs/proftpd.pem TLSCipherSuite ALL:!ADH:!DES TLSOptions NoCertRequest TLSVerifyClient off TLSRenegotiate ctrl 3600 data 512000 required off timeout 300 TLSLog /var/log/proftpd/tls.log # <IfModule mod_tls_shmcache.c> # TLSSessionCache shm:/file=/var/run/proftpd/sesscache # </IfModule> #</IfDefine>

I have added 6000 and 6100 ports for allowing passive mode of ftp, similarily I will allow the passive mode through the CentOS firewalld service as follows:

firewall-cmd --add-port=6000-6100/tcp --permanent
firewall-cmd --reload

We can check the ports status as follows:

firewall-cmd --list-ports

[root@server1 ~]# firewall-cmd --list-ports
[root@server1 ~]#

Additionally, we need to tell SELINUX to allow the read/write of the files.

setsebool -P allow_ftpd_full_access=1

In order to use TLS, we must create an SSL certificate. I will create it in /etc/pki/tls/certs, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem

[root@server1 certs]# openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/pki/tls/certs/proftpd.pem -out /etc/pki/tls/certs/proftpd.pem
Generating a 1024 bit RSA private key
writing new private key to '/etc/pki/tls/certs/proftpd.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:<--DE
State or Province Name (full name) []:<--Hamburg
Locality Name (eg, city) [Default City]:<--Luneberg
Organization Name (eg, company) [Default Company Ltd]:<--Howtoforge
Organizational Unit Name (eg, section) []:<--Development
Common Name (eg, your name or your server's hostname) []:<
Email Address []:<
[root@server1 certs]#

Give the above values in red as per your choice, I have just given an example.

Now for security purpose, I will make the certificates only readable as follows:

chmod  0440 /etc/pki/tls/certs/proftpd.pem

Finally restart the ProFTPD service as follows:

systemctl restart proftpd.service

We can connect to the ProFTPD server with Filezilla software, you must have Filezilla installed on the client computer to connect to the server. Open Filezilla and give the details as follows:

Enter the account details in FileZilla.

Details will be:

Host =
Protocol = FTP
User = tom
Port = can be blank if you have not customized it another port than 21
Password = ftppassword (just created above)

Note: Since we have encryted our connection in above step so we will be using Encryption with Require explicit FTP over TLS

If you have not configured TLS then you can use Use Plain FTP

Accept the SSL cert

It will ask for trusting the certificate, press OK

FileZilla Connected to ProFTPd.

It will be connected to the FTP-shared directory with TLS connection.

4 Anonymous ftp access in ProFTPD

We can make an anonymous ftp account in ProFTPD, just add these lines in the ProFTPD configuration file:

nano /etc/proftpd.conf

And add these lines at the end of the file.

###Anonymous share##### <Anonymous ~ftp> User ftp Group ftp UserAlias anonymous ftp DirFakeUser on ftp DirFakeGroup on ftp MaxClients 10 <Directory *> <Limit WRITE> DenyAll </Limit> </Directory> </Anonymous>

Now we need to restart the FTP service:

systemctl restart proftpd.service

Now connect through Filezilla to the anon account as follows:

Anonymous login

Note: Since we have encryted our connection in above step so we will be using Encryption with Require explicit FTP over TLS

If you have not configured TLS then you can use Use Plain FTP

Press Connect.

Anonymous FTP login successful.

We are successfully connected to the server with an Anonymous user.

Congratulations! Now we have successfully configured ProFTPD server environment in CentOS 7.2 :)

Share this page:

Suggested articles

1 Comment(s)

Add comment


From: Nigel Aves

Great tutorial but I'm confussed on a couple of points.


How is the group "ftpgroup" associated to ProFTP so that only the user tom is a valid login? I have other logins on my server that I do not wish to have access to FTP.


You mention a user "srijan" but it does not seem to be used anywhere.


In /etc/sysconfig/ there is a file called proftp


the file contains:


# Set PROFTPD_OPTIONS to add command-line options for proftpd.

# See proftpd(8) for a comprehensive list of what can be used.


# The following "Defines" can be used with the default configuration file:

# -DANONYMOUS_FTP : Enable anonymous FTP

# -DDYNAMIC_BAN_LISTS : Enable dynamic ban lists (mod_ban)

# -DQOS : Enable QoS bits on server traffic (mod_qos)

# -DTLS : Enable TLS (mod_tls)


# For example, for anonymous FTP and dynamic ban list support:





Should I be using -DTLS optoion for startup?   



Many Thanks - Nigel.