Definitive instructions for installing secure Proftpd with OpenSSL – Part 1

Proftpd is a remarkably versatile Unix/Linux FTP server daemon that has been in under active maintenance for more than 20 years. Downloading the base package from a stable Linux repository or performing a default installation from the latest source will net you a solid and easy to use server.

But what if you want more that just a default installation? There are hundreds of configurable options and more than a few dozen contributed or 3rd party modules, each with their own quirks/caveats that can lead a mostly Windows person down a thousand rabbit holes if you aren’t careful or have a strong background in Linux administration. In addition, while the base install of ProFTPd / OpenSSL from a stable repository will work “out of the box”, there’s a good chance that you won’t have the latest version of ProFTPd and OpenSSL (or source) due to delays from extensive vetting by Canonical.

This multi-part tutorial is my re-cap of months of monkeying around with Proftpd, following hundreds of different links, reading pages and pages of info, finally getting it to work they way I want it to.

Please link back to these instructions so others may find them on Google. (You know how it works — only pages with the highest number of incoming links get the best search position. If this guide helped you, help others find it too.)


  • You are a Windows professional or advanced user who “tinkers” with Linux as a hobby or as a non-critical part of your job. Expert Linux isn’t required, but you should understand basic commands like cat, tail, ls, grep, etc. You need to know how to use “vi” or some other command line text editor.
  • You have a [mostly] vanilla installation of ubuntu 10.04.04 LTS server that has been fully updated with all security patches and application updates. It’s entirely probable newer versions of Ubuntu will work fine (12.04 as of this writing) but this guide has only been tested with 10.04. The SSH server daemon needs to be installed either manually or as a part of an initial server load.
  • I make use of the Webmin utility to handle several basic Linux administrative tasks. As I mentioned, the audience for this guide is a mostly Windows person who tinkers. You’re not here to learn how to create new user accounts from a command line.

We’ll be compiling, installing, and configuring ProFTPd to use a non-standard port number, SSL, behind a firewall, and on a non-routable IP block.

Let’s get started…

In order to “roll our own” version, we need to get some development utilities from both stable Canonical and unsupported Debian repositories. Don’t worry, we’ll uninstall these utilities when we’re finished to reduce the server footprint and enhance security.

Server Prep

  1. SSH into your Ubuntu server.
  2. Install compiler and dependencies
    sudo apt-get install build-essential
  3. Edit apt repository source URLs, change local cache size, and update. (needed for additional packages to get a clean compile of proftpd with external OpenSSL source)
    1. Edit repository sources
      sudo vi /etc/apt/sources.list
    2. add this line somewhere, save and close
      deb squeeze main
    3. Open repository config file
      sudo vi /etc/apt/apt.conf.d/70debconf
    4. Add this line somewhere, save and close
      APT::Cache-Limit "100000000";
    5. Update your package cache
      sudo apt-get update
      sudo apt-get update --fix-missingThe second command above will likely generate the following error:
      W: GPG error: squeeze Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AED4B06F473041FA
      Ignore it! From the accepted answer:

If you are not extremely paranoid, or in a high security environment, then just let apt-get install debian-archive-keyring install, and ignore the warning.

  • install additional support packages (fixes a compile issue. reference 1, reference 2.)
    sudo apt-get install zlib1g zlib1g-devNote
    If you happen to run sudo aptitude after the steps above, you’ll see that your system is outdated by several hundred package updates. Ignore these. As soon as you uninstall the development utilities, remove the Debian repository URI, and update aptitude, your system will return to fully updated status (assuming it was before you started)

Download, Compile, and Install OpenSSL

  1. Create some directories we’ll need for the latest version of OpenSSL. You may chose to download the tarball to the “src” directory if you wish. Personally, I save full, unmodified, zipped src if I need to completely redo a compile or installation in the future.
    sudo mkdir /etc/openssl
    sudo mkdir /etc/openssl/install
    sudo mkdir /etc/openssl/src
  2. Change directories to “install”
    cd /etc/openssl/install
  3. Download latest version of OpenSSL source code
    sudo wget -c version can be found at and is usually marked red. Copy the URL of the tar file to your clipboard and paste it into your SSH command. NOTE: This guide was written using the version of OpenSSL noted. YMMV for other versions.
  4. Copy the tar file to our src directory
    sudo cp ./openssl-1.0.1c.tar.gz ../src/
  5. change directories to “src”
    cd ../src
  6. Unzip the package
    sudo tar zxvf ./openssl-1.0.1c.tar.gz
  7. Delete the tar file
    sudo rm -f ./openssl-1.0.1c.tar.gz
  8. Change directories to where the unzipped source is
    cd ./openssl-1.0.1c
  9. Configure the source for compile. There are extra switches you can use for this command, but I’m not going to cover them or promise they are compatible with later steps in this guide. If you want to know what the switches below are for, Google it. reference
    sudo ./config no-threads -fPIC
  10. Compile the source code to an installer
    sudo make
    (Use sudo make clean to reset the configuration back to default… helpful for trying different configuration options)
  11. Test the installer
    sudo make test
  12. Install OpenSSL
    sudo make install

OpenSSL and source is now installed.

Continue to Step 2 – ProFTPd installation

Leave a Reply

Your email address will not be published. Required fields are marked *