Install proftpd, create & delete ftp users (MUST BE RUN AS ROOT)

proftpd.sh

#!/usr/bin/env bash
# MUST BE RUN AS ROOT

usage_message(){
	echo Usage options:
	echo "1. Install proftpd: $0 -i <PASVADDR> <MIN_PORT> <MAX_PORT>"
	echo "2. Create ftp user: $0 -c <FTPUSER> <FTPPASS>"
	echo "3. Delete ftp user: $0 -d <FTPUSER>"
}

install_proftpd(){
	apt-get update && sudo apt-get -y upgrade
	apt-get -y install proftpd ftp whois

cat << EOF > /etc/proftpd/conf.d/custom
DefaultRoot    ~/ftp/files
PassivePorts    $MIN_PORT $MAX_PORT
MasqueradeAddress    $PASVADDR
RequireValidShell    off
EOF
}

restart_proftpd(){
	systemctl restart proftpd.service
	systemctl status proftpd.service
}

firewall_rules(){
	iptables -A INPUT -i lo -j ACCEPT
	iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p icmp -j REJECT
	iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
	iptables -A OUTPUT -p tcp --dport 25 -j REJECT
	iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT
	iptables -A INPUT -p tcp -m tcp --sport $MIN_PORT:$MAX_PORT --dport $MIN_PORT:$MAX_PORT -m conntrack --ctstate RELATED,ESTABLISHED,NEW -j ACCEPT
	iptables -A OUTPUT -p tcp -m tcp --sport 21 -m conntrack --ctstate ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp -m tcp --sport 20 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
	iptables -A OUTPUT -p tcp -m tcp --sport $MIN_PORT:$MAX_PORT --dport $MIN_PORT:$MAX_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT
	iptables -P INPUT DROP
	iptables -P FORWARD DROP
	iptables -P OUTPUT ACCEPT
}

create_user(){
	useradd --create-home --password $(mkpasswd -m sha-512 $FTPPASS) --shell=/bin/false $FTPUSER

	mkdir /home/$FTPUSER/ftp
	chown nobody:nogroup /home/$FTPUSER/ftp
	chmod a-w /home/$FTPUSER/ftp

	mkdir /home/$FTPUSER/ftp/files
	chown $FTPUSER:$FTPUSER /home/$FTPUSER/ftp/files
}

delete_user(){
	userdel -rf $FTPUSER
}


if [[ $# -eq 0 ]] ; then
    usage_message
    exit 0
fi

while getopts c:d:i:R: option
do
case "${option}"
in
c)
	echo ">> CREATING FTP USER $2 WITH PASSWORD $3"
	echo
	FTPUSER=$2
	FTPPASS=$3
	create_user
	restart_proftpd
	;;
d)
	echo ">> DELETING FTP USER $2"
	echo
	FTPUSER=$2
	delete_user
	restart_proftpd
	;;
i) 
	echo ">> INSTALLING proftpd IN IP $2 WITH $3 TO $4 PASV PORT RANGE"
	echo
	PASVADDR=$2
	MIN_PORT=$3
	MAX_PORT=$4
	install_proftpd
	# TODO firewall_rules
	restart_proftpd
	;;
R) 
	restart_proftpd
	;;
*)	
    usage_message
    exit 0
	;;
esac
done

TODO.sh

improve...

---------

-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# -A INPUT -p tcp -m tcp --dport 990 -j ACCEPT
-A INPUT -p tcp -m multiport --dports $MIN_PORT:$MAX_PORT -j ACCEPT

---------

apt-get -y install proftpd openssl

---------

Country_Name=ES
State_Name=Catalunya
Locality=Barcelona
Organization="Example Co"
Common_Name=www.example.com


openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout cert.pem -out cert.pem \
  -subj "/C=$Country_Name/ST=$State_Name/L=$Locality/O=$Organization/CN=$Common_Name"

---------

Include /etc/proftpd/tls.conf

---------

<IfModule mod_tls.c>
	TLSEngine                  	on
	TLSLog                    	/var/log/proftpd/tls.log
	TLSProtocol					SSLv23
	TLSCipherSuite				AES128+EECDH:AES128+EDH
	TLSOptions                 	NoCertRequest AllowClientRenegotiations
	TLSRSACertificateFile      	cert.pem
	TLSRSACertificateKeyFile   	cert.pem
	TLSVerifyClient            	off
	TLSRequired                	off
	RequireValidShell          	no
</IfModule>