Replacing psa-proftpd by proftpd-basic

The version of ProFTPD that has shipped with Plesk since version 9.5 contains a bug that leads to a vulnerability. Until Parallels releases a fix, you should not use the FTP server shipped with Plesk.

On RHEL, CentOS and Fedora you can simply use the Plesk repository of Atomic Rocket Turtle. It contains a patched version of psa-proftpd. On Debian-based systems one possible solution is to replace the package psa-proftpd with proftpd-basic, which is shipped with Debian and with Ubuntu Karmic and newer.

WARNING: The solution described on this page works for us on our own servers (Plesk 9.5.3 on Ubuntu Hardy). This does not mean that it will work on your servers with your own configuration. If you follow these tips you do so AT YOUR OWN RISK. Neither we nor Parallels are responsible for any damage to your system that is caused by the steps described below. Also please note that replacing the psa-proftpd package leads to a loss of functionality because psa-proftpd includes some special patches from Parallels. I also tested this method with Plesk 10.0.1 on Debian Lenny and it did NOT work! You have been warned...

Due to dependency issues, you can't simply replace psa-proftpd with proftpd-basic. On our server we use a dummy package that depends on proftpd-basic and provides psa-proftpd. You can download it here:

Remove psa-proftpd and install proftpd-replacement via

dpkg -r --ignore-depends=psa-proftpd-inetd psa-proftpd
dpkg -i proftpd-replacement_1.0_all.deb

After that let apt install proftpd-basic and all necessary dependencies by running

apt-get -f install

Make sure to keep all existing configuration files and configure ProFTPD to be run by inetd.
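
The dummy package described above can also be rebuilt locally with dpkg-deb. The script below is an added example, not the package offered for download on this page: the package name, version, architecture, Depends and Provides follow the text and the file name proftpd-replacement_1.0_all.deb, while Maintainer, Section, Priority and Description are assumed placeholders.

```shell
#!/bin/sh
# Added example: rebuild a dummy package like proftpd-replacement_1.0_all.deb.
# Maintainer, Section, Priority and Description are placeholders (assumptions).

# write_control DIR: create DIR/DEBIAN/control for a package without files.
write_control() {
    mkdir -p "$1/DEBIAN" || return 1
    cat > "$1/DEBIAN/control" <<'EOF'
Package: proftpd-replacement
Version: 1.0
Architecture: all
Maintainer: Local Admin <root@localhost>
Section: net
Priority: optional
Depends: proftpd-basic
Provides: psa-proftpd
Description: dummy package so proftpd-basic can stand in for psa-proftpd
 Ships no files. Depends on proftpd-basic and provides the name psa-proftpd.
EOF
}

# control_field DIR FIELD: print FIELD's value from DIR/DEBIAN/control.
control_field() {
    sed -n "s/^$2: //p" "$1/DEBIAN/control"
}

# build_dummy DIR OUT: build OUT from DIR, then show what dpkg will see.
# Returns 2 when dpkg-deb is not installed.
build_dummy() {
    command -v dpkg-deb >/dev/null 2>&1 || return 2
    dpkg-deb --build "$1" "$2" && dpkg-deb -f "$2" Depends Provides
}

# Run as "sh build-dummy.sh build" (the script name is arbitrary).
# Note: an unversioned Provides only satisfies dependencies on psa-proftpd
# that carry no version constraint.
if [ "${1:-}" = "build" ]; then
    work=$(mktemp -d) || exit 1
    write_control "$work/pkg" &&
        build_dummy "$work/pkg" "$PWD/proftpd-replacement_1.0_all.deb"
    status=$?
    rm -rf "$work"
    exit "$status"
fi
```

Check the Depends and Provides lines printed at the end of the build before installing the resulting file with dpkg -i.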

Note that this will fail on Ubuntu Hardy because there is no package named proftpd-basic! If you're running Ubuntu Hardy, have a look at the next section.

Ubuntu 8.04 LTS (Hardy)

Ubuntu 8.04 LTS ships with ProFTPD v. 1.3.1. The package is named proftpd and not proftpd-basic, which causes problems when using our package proftpd-replacement. There are two possibilities:

We didn't want to use ProFTPD v. 1.3.1 so we backported version 1.3.3a-5 from Ubuntu Natty. This version includes a patch for the bug mentioned above. You can download our package for Ubuntu Hardy i386 here:

Remove psa-proftpd and install proftpd-basic:

dpkg -r --ignore-depends=psa-proftpd-inetd psa-proftpd
dpkg -i proftpd-basic_1.3.3a-5~bico1_i386.deb

For amd64 you can build a package on your own by using our source packages:

... and the following commands (you will need to install debhelper from hardy-backports and maybe some other build dependencies):

dpkg-source -x proftpd-dfsg_1.3.3a-5~bico1.dsc
cd proftpd-dfsg-1.3.3a
dpkg-buildpackage -rfakeroot

After installing proftpd-basic you should be able to install proftpd-replacement or, if you did so already, to configure it:

apt-get -f install

Problems we ran into

  1. Where is proftpd.conf?
    Depending on which package you have installed and which one was installed before, proftpd.conf may change its position from /etc/proftpd.conf to /etc/proftpd/proftpd.conf or vice versa.
  2. ProFTPD not working with xinetd
    On our system we use xinetd but ProFTPD wasn't configured for xinetd. To resolve this issue simply create a file /etc/xinetd.d/ftp:
    service ftp
    {
            disable = no
            socket_type = stream
            wait = no
            user = root
            server = /usr/sbin/in.proftpd
            log_on_success += DURATION USERID
            log_on_failure += USERID
            instances = 30
            nice = 10
    }
    After that you need to restart xinetd.
  3. SSL/TLS not working with some FTP clients
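    We use FTP over SSL/TLS as described in the Parallels Knowledge Base. After upgrading to ProFTPD 1.3.3 we had to add a configuration line to the SSL section of proftpd.conf so that older clients can also use SSL/TLS. As a security measure, mod_tls in 1.3.3 only accepts data connections that reuse the SSL session of the control connection, and this option relaxes that requirement: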
    TLSOptions	NoSessionReuseRequired