Mohan Balasundaram bio photo

Mohan Balasundaram

DevOps Consultant

Email Twitter LinkedIn Github Gist

##SFTP server setup using Proftpd server with xferlog

Lately I have been tasked with setting up a new sftp server, due to openssh’s inability to log all file transactions properly. so we explored all the options available and settled with the proftpd as that seems the most popular one and has a widely accepted sftp user base. Proftpd has a learning curve,like every other piece of software so please bare with me with this long article.

NOTE: Special Requirement Setup for an example client named RMP will be discussed on part2 of this article so anything refering to rmp in the config is to address that requirement.

##Our Requirements:

  • Multiple Nested folder Access control for specific users ( jailed home folders / shared folder access/ read only access / hide folders which users don’t have permission etc..)
  • Key / Password based authentication
  • xferlog log format for file transactions
  • Simple to setup and Maintain
  • Use only virtual users and not system accounts

##Installation: We are going to use Centos6.6 Server patched to the latest update & Proftpd (version 1.3.5-4.0) avialable at the time of writing this article. To keep the installation simple and consistent we are going to grab the rpms from city-fan repository (, as the rpms are not available in epel repos.

####Install the packages:

yum -y  localinstall \

##Configuration: we are going to run the proftpd server with user ‘proftpd’ and group ‘ftpgroup’. so please add the relevant user/group.

#add group - choose a high number for groupid/userid
groupadd -g 2001 ftpgroup

#add user
useradd -g ftpgroup -u 2001 -C "Proftpd System Account" -r proftpd

####Config Files/Directory Structure: (Note: We have a special requirement of a shared folder setup for example client RMP which will be discussed in the part2 section of this article)

#Main config file:
[root@server02 ~]# ls -lh /etc/proftpd.conf
-rw-r-----. 1 root root 11K Jan  8 15:41 /etc/proftpd.conf

#Backup original config file before editing for reference
[root@server02 ~]# cp -v /etc/proftpd.conf{,.original}

#Folder Layout and corresponding permissions
#please create the folders/files with the corresponding permissions.
[root@server02 ~]# ls -lh /etc/proftpd
total 16K
drwx------. 2 proftpd ftpgroup 4.0K Dec 18 16:31 authorized_keys
drwxr-x---. 2 proftpd ftpgroup 4.0K Jan  8 11:50 clients
-r--------. 1 proftpd ftpgroup  151 Dec 22 16:26
-r--------. 1 proftpd ftpgroup 1.1K Dec 24 12:33 sftpd.passwd

#Note: sftpd.passwd, will be created when virtual users/groups are added below.

#Key Based Authentication keys folder
[root@server02 ~]# ls -lh /etc/proftpd/authorized_keys/
total 8.0K
-rw-r--r--. 1 root root 468 Dec 18 15:31 user2
-rw-r--r--. 1 root root 468 Dec 18 16:31 user3

#Modular clients ACL Requirements config folder
[root@server02 ~]# ls -lh /etc/proftpd/clients/
total 4.0K
-rwxr-x---. 1 proftpd ftpgroup 993 Jan  8 11:50 rmp.conf

Update the config file as per the following link. proftpd.conf. please go through the config file as most of the bits are self explanatory.

#Jailed users/Chroot home is achieved by the below line in proftpd.conf

#Everyone Else mapped to thier home directory
DefaultRoot        ~ !adm

####Enable the mod_ban for blocking repeated failed logins.

#NOTE: To optimize mod_ban check the mod_ban section in proftpd.conf

[root@server02 ~]# cat /etc/sysconfig/proftpd
# Set PROFTPD_OPTIONS to add command-line options for proftpd.
# See proftpd(8) for a comprehensive list of what can be used.
# The following "Defines" can be used with the default configuration file:
# -DANONYMOUS_FTP       : Enable anonymous FTP
# -DDYNAMIC_BAN_LISTS   : Enable dynamic ban lists (mod_ban)
# -DQOS                 : Enable QoS bits on server traffic (mod_qos)
# -DTLS                 : Enable TLS (mod_tls)
# For example, for anonymous FTP and dynamic ban list support:

####Update sftpasswd script to reflect your setup to manage sftp virtual users

#copy the existing ftpasswd script as sftpasswd
cp /usr/bin/ftpasswd /usr/bin/sftpasswd

#Edit the file and update the code as below.
vi /usr/bin/sftpasswd

#replace from line 37 from the below:
my $default_passwd_file = "./ftpd.passwd";
my $default_group_file = "./";

#replace to
my $base_folder = "/etc/proftpd";
my $default_passwd_file = $base_folder."/sftpd.passwd";
my $default_group_file = $base_folder."/";

#Verify Syntax of that script
[root@server02 bin]# perl -c /usr/bin/sftpasswd
/usr/bin/sftpasswd syntax OK

####Verify Configs and start Service

#Check Syntax
[root@server02 bin]# proftpd -t
Checking syntax of configuration file
2015-01-12 23:39:14,269 server02.test.local proftpd[9182]: processing configuration directory '/etc/proftpd/clients'
Syntax check complete.

#start the service
[root@server02 bin]# service proftpd start
Starting proftpd:                                          [  OK  ]

#Enable auto start
[root@server02 bin]# chkconfig proftpd on

####Create Virtual SFTP Users/Group

#Add Virtual Group - will create file if it didnt exist
sftpasswd --group --gid=2001 --name=sftpgroup

#Add Virtual Users - will prompt for password for each user separately - will create sftpd.passwd file if it didnt exist
sftpasswd --passwd --name=user1 --home=/sftp/home/user1 --shell=/bin/false --uid=2001 --gid=2001

sftpasswd --passwd --name=user2 --home=/sftp/home/user2 --shell=/bin/false --uid=2001 --gid=2001

sftpasswd --passwd --name=user3 --home=/sftp/home/user3 --shell=/bin/false --uid=2001 --gid=2001

#check if /etc/proftpd/sftpd.{group,passwd} are updated properly. Note: system user/group id doesnt have to match virtual user/group id.

[root@server02 proftpd]# cat /etc/proftpd/

[root@server02 proftpd]# cat /etc/proftpd/sftpd.passwd

#Clients Home Folder Layouts (create the folders as below and set it to be owned by system proftpd.ftpgroup)
[root@server02 ~]# ls -lh /sftp/home/
drwxr-xr-x. 2 proftpd ftpgroup 4.0K Dec 17 18:10 user1
drwxr-xr-x. 2 proftpd ftpgroup 4.0K Dec 17 18:11 user2
drwxr-xr-x. 2 proftpd ftpgroup 4.0K Dec 18 16:59 user3

#Reload the sftp server
[root@server02 bin]# service proftpd restart
Shutting down proftpd:                                     [  OK  ]
Starting proftpd:                                          [  OK  ]

The above setup will provide you a sftp server running on port 2022 with password based authentication, for which ever client if you prefer to enable key based authentication please drop the users key in /etc/proftpd/authorized_keys/ folder with as file name

####Key Based Authentication:

#Generate ssh keys 
[root@server02 .ssh]# ssh-keygen -b 2048
# it should create a file under .ssh as

#convert the key from openssh format to SSH2 format.
[root@server02 .ssh]# ssh-keygen -e -f > user2

#please makesure that the comment is not too longer than the key as it may cause issues sometimes
[root@server02 .ssh]# cat user2
Comment: "2048-bit RSA, root@server02.test.local"

Drop the above key in /etc/proftpd/authorized_keys/ folder as user2 and user2 should now be able to login using key based authentication. As this article is already too long special requirements are to be discussed in the part2 of this article.