
Setting up and using an FTP server on Ubuntu Linux. Simple Ubuntu-based FTP server (vsftpd) Setting up user home folders

File Transfer Protocol (FTP) is a TCP protocol for downloading files between computers. In the past, it has also been used for uploading but, as that method does not use encryption, user credentials as well as data are transferred in the clear and are easily intercepted. So if you are here looking for a way to upload and download files securely, see the section on OpenSSH in Remote Administration instead.

FTP works on a client/server model. The server component is called an FTP daemon. It continuously listens for FTP requests from remote clients. When a request is received, it manages the login and sets up the connection. For the duration of the session it executes any of the commands sent by the FTP client.

Access to an FTP server can be managed in two ways:

In the Anonymous mode, remote clients can access the FTP server by using the default user account called "anonymous" or "ftp" and sending an email address as the password. In the Authenticated mode a user must have an account and a password. This latter choice is very insecure and should not be used except in special circumstances. If you are looking to transfer files securely see SFTP in the section on OpenSSH-Server. User access to the FTP server directories and files is dependent on the permissions defined for the account used at login. As a general rule, the FTP daemon will hide the root directory of the FTP server and change it to the FTP Home directory. This hides the rest of the file system from remote sessions.

vsftpd - FTP Server Installation

vsftpd is an FTP daemon available in Ubuntu. It is easy to install, set up, and maintain. To install vsftpd you can run the following command:

sudo apt install vsftpd

Anonymous FTP Configuration

By default vsftpd is not configured to allow anonymous download. If you wish to enable anonymous download edit /etc/vsftpd.conf by changing:

anonymous_enable=Yes

During installation an ftp user is created with a home directory of /srv/ftp. This is the default FTP directory.

If you wish to change this location, to /srv/files/ftp for example, simply create a directory in another location and change the ftp user's home directory:

sudo mkdir /srv/files/ftp
sudo usermod -d /srv/files/ftp ftp

After making the change, restart vsftpd:

Finally, copy any files and directories you would like to make available through anonymous FTP to /srv/files/ftp, or /srv/ftp if you wish to use the default.

User Authenticated FTP Configuration

By default vsftpd is configured to authenticate system users and allow them to download files. If you want users to be able to upload files, edit /etc/vsftpd.conf:

write_enable=YES

Now restart vsftpd:

sudo systemctl restart vsftpd.service

Now when system users login to FTP they will start in their home directories where they can download, upload, create directories, etc.

Similarly, by default, anonymous users are not allowed to upload files to the FTP server. To change this setting, you should uncomment the following line, and restart vsftpd:

anon_upload_enable=YES

Enabling anonymous FTP upload can be an extreme security risk. It is best to not enable anonymous upload on servers accessed directly from the Internet.

The configuration file consists of many configuration parameters. The information about each parameter is available in the configuration file. Alternatively, you can refer to the man page, man 5 vsftpd.conf for details of each parameter.

Securing FTP

There are options in /etc/vsftpd.conf to help make vsftpd more secure. For example users can be limited to their home directories by uncommenting:

chroot_local_user=YES

You can also limit a specific list of users to just their home directories:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

After uncommenting the above options, create a /etc/vsftpd.chroot_list containing a list of users one per line. Then restart vsftpd:

sudo systemctl restart vsftpd.service

Also, the /etc/ftpusers file is a list of users that are disallowed FTP access. The default list includes root, daemon, nobody, etc. To disable FTP access for additional users simply add them to the list.

FTP can also be encrypted using FTPS. Different from SFTP, FTPS is FTP over Secure Socket Layer (SSL). SFTP is an FTP-like session over an encrypted SSH connection. A major difference is that users of SFTP need to have a shell account on the system, instead of a nologin shell. Providing all users with a shell may not be ideal for some environments, such as a shared web host. However, it is possible to restrict such accounts to only SFTP and disable shell interaction. See the section on OpenSSH-Server for more.

To configure FTPS, edit /etc/vsftpd.conf and at the bottom add:

Also, notice the certificate and key related options:

rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

By default these options are set to the certificate and key provided by the ssl-cert package. In a production environment these should be replaced with a certificate and key generated for the specific host. For more information on certificates see Certificates.

Now restart vsftpd, and non-anonymous users will be forced to use FTPS:

sudo systemctl restart vsftpd.service

To allow users with a shell of /usr/sbin/nologin access to FTP, but have no shell access, edit /etc/shells adding the nologin shell:

# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen
/usr/sbin/nologin

This is necessary because, by default, vsftpd uses PAM for authentication, and the /etc/pam.d/vsftpd configuration file contains:

auth required pam_shells.so

The shells PAM module restricts access to shells listed in the /etc/shells file.

Most popular FTP clients can be configured to connect using FTPS. The lftp command line FTP client has the ability to use FTPS as well.

In this guide we will tell you how to install an FTP server on a VPS running Ubuntu OS. We will use the vsftpd server, which is considered the fastest and most secure FTP server for UNIX systems.

FTP or File Transfer Protocol is a protocol for receiving and transmitting files on the network. Using a client/server model and SSL/TLS security, FTP allows users to exchange files with remote computers securely, efficiently and reliably by transferring data over the TCP/IP protocol.

FTP works similar to HTTP or SMTP, with the only difference being that it is responsible for securely transferring data from a sender to a recipient, rather than a web page from a server to a user or an email across the Internet. This guide covers creating an FTP server on Ubuntu OS version 16.04.

Note: The current guide is based on Ubuntu OS version 16.04. But you can apply the same steps to create an FTP server on Ubuntu 14.04.

First of all, let's update all packages before installing the vsftpd daemon. To do this, run the command:

sudo apt-get update

Wait until all processes are completed and you will see a confirmation message:

Then install the vsftpd daemon with the following command:

sudo apt-get install vsftpd

You will receive a prompt asking for confirmation; press Y and Enter to continue the installation.

Once the installation is complete, let's make a backup of the original configuration file so we can start with a clean settings file:

sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.original

Now we can move on to the next step and configure the firewall.

Step 2 – Allow FTP traffic on the firewall

To allow an FTP server deployed on Ubuntu OS to communicate with the outside world, you need to configure a path through the firewall. First, let's see if the firewall is enabled. Run the following command to determine the status:

sudo ufw status

If you see a message like this:

ufw: command not found

This means that the firewall is not installed and you can proceed to the next step.

If the output shows rules or a message that the firewall is active, you need to decide how it will handle FTP traffic. Let's do the following: open ports 20 and 21 for FTP traffic; reserve ports 40000-50000 as the passive port range that will later be set in the configuration file; and open port 990, which is used when TLS is enabled. Run the following commands:

sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow 990/tcp
sudo ufw allow 40000:50000/tcp

Now let's look at the status:

The result will look something like this:

Output
Status: active

To                         Action      From
--                         ------      ----
990/tcp                    ALLOW       Anywhere
20/tcp                     ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
40000:50000/tcp            ALLOW       Anywhere
20/tcp (v6)                ALLOW       Anywhere (v6)
21/tcp (v6)                ALLOW       Anywhere (v6)
990/tcp (v6)               ALLOW       Anywhere (v6)
40000:50000/tcp (v6)       ALLOW       Anywhere (v6)

Now, all the necessary ports are open and available to us and we can move on to the next step.

Step 3 – Create a User Directory

In the third step of creating an Ubuntu FTP server, you need to select a user who will connect via FTP. To do this, create a new user by running the following command:

sudo adduser alex

Fill in the password and other details when prompted. Ideally, from a security perspective, FTP should be limited to one specific directory. vsftpd uses chroot to create this protection. With chroot enabled, the local user is limited to his home directory (by default). However, because of the way vsftpd secures that directory, the user will not be able to create anything inside it. Rather than removing write permissions from the home directory itself, we will make an ftp directory to serve as the chroot, with a writable directory inside it where files can be stored. Use this command to create the FTP directory:

sudo mkdir /home/alex/ftp

Set ownership:

sudo chown nobody:nogroup /home/alex/ftp

Finally, remove the write permissions:

sudo chmod a-w /home/alex/ftp

Now, using the following command, check the permissions:

sudo ls -la /home/alex/ftp

At the output we will see something like this:

total 8
dr-xr-xr-x 2 nobody nogroup 4096 Jun 29 11:32 .
drwxr-xr-x 3 alex   alex    4096 Jun 29 11:32 ..

In the next step we will create a directory for uploaded files and hand its ownership to the user:

sudo mkdir /home/alex/ftp/files
sudo chown alex:alex /home/alex/ftp/files

And finally, let's add a test file to the directory that we will use when testing something:

echo "vsftpd sample file" | sudo tee /home/alex/ftp/files/sample.txt
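A check for the layout built in this step, added here as an example and not part of the original tutorial: it verifies that the chroot root carries no write bits (the chmod a-w above) and that the upload directory below it is a user-owned, writable directory. It builds a throwaway copy of the layout under a temporary directory, so it runs without root and compares ownership against the current uid rather than alex and nobody.

```python
import os
import shutil
import stat
import tempfile


def check_chroot_layout(root, upload, expected_uid=None):
    """Verify the layout the tutorial builds: the chroot root must carry no
    write bits at all (the tutorial's 'chmod a-w'), and the upload directory
    must sit inside it, be a directory, be owner-writable and, when
    expected_uid is given, belong to that uid (the FTP user).
    Returns a list of problems; an empty list means the layout is right."""
    problems = []
    st_root, st_up = os.stat(root), os.stat(upload)
    if st_root.st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
        problems.append("chroot root %s is writable; vsftpd refuses a writable "
                        "root unless allow_writeable_chroot=YES" % root)
    root_abs, up_abs = os.path.realpath(root), os.path.realpath(upload)
    if os.path.commonpath([root_abs, up_abs]) != root_abs or up_abs == root_abs:
        problems.append("%s is not below the chroot root %s" % (upload, root))
    if not stat.S_ISDIR(st_up.st_mode):
        problems.append("%s is not a directory" % upload)
    elif not st_up.st_mode & stat.S_IWUSR:
        problems.append("%s is not writable by its owner" % upload)
    if expected_uid is not None and st_up.st_uid != expected_uid:
        problems.append("%s is owned by uid %d, expected %d"
                        % (upload, st_up.st_uid, expected_uid))
    return problems


def build_sample_layout(writable_root=False):
    """Constructed stand-in for /home/alex/ftp and /home/alex/ftp/files,
    created under a temporary directory so no root privileges are needed.
    Returns (base, root, upload)."""
    base = tempfile.mkdtemp(prefix="vsftpd-chroot-")
    root = os.path.join(base, "ftp")
    upload = os.path.join(root, "files")
    os.makedirs(upload)
    os.chmod(upload, 0o755)                              # user-owned, user-writable
    os.chmod(root, 0o755 if writable_root else 0o555)    # 0o555 is what 'chmod a-w' leaves
    return base, root, upload


def demo(writable_root=False):
    """Build a sample layout, check it, clean up, and return the problems found."""
    base, root, upload = build_sample_layout(writable_root)
    try:
        return check_chroot_layout(root, upload, expected_uid=os.getuid())
    finally:
        os.chmod(root, 0o755)   # make the tree removable again
        shutil.rmtree(base)


if __name__ == "__main__":
    print("correct layout:", demo() or "no problems")
    print("writable root: ", demo(writable_root=True))
```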

Step 4 – Setting up vsftpd

To continue installing the FTP server on Ubuntu VPS, we need to configure vsftpd and our FTP access. In this tutorial, we will allow a single user to connect via FTP using a local system account. The two settings required for this are already present in the configuration file (vsftpd.conf). First, check that the settings in the file match those listed below:

sudo nano /etc/vsftpd.conf

...
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
...

In the same file, remove the # in front of write_enable to turn it on:

...
write_enable=YES
...

We will also uncomment Chroot to make sure that the user connecting via FTP has access to files inside the allowed directory:

...
chroot_local_user=YES
...

A few new values will also need to be added manually. You can simply paste them at the end of the file. First, add user_sub_token so that the username can be inserted into the local_root directory path. This lets the configuration work for the current user and for any other user that is added later:

user_sub_token=$USER
local_root=/home/$USER/ftp

To make sure that enough connections are available, we will limit the range of ports that passive FTP may use in the configuration file:

pasv_min_port=40000
pasv_max_port=50000

In this tutorial we plan to give access on an individual basis, so let's set the settings to only give access to users who are directly added to the list:

userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

The userlist_deny flag switches the logic of the list: when it is set to NO, only users who are on the list have access. When finished, press CTRL+X and confirm saving the changes to the file.

Finally, let's continue creating and adding our user to the file:

echo "alex" | sudo tee -a /etc/vsftpd.userlist

Let's check that the user is really active by running the command:

cat /etc/vsftpd.userlist

The output should be alex.

Restart the daemon using the following command to initiate the settings changes:

sudo systemctl restart vsftpd

Step 5 – Making a secure FTP

By default, FTP does not do any data encryption, so we will use TLS/SSL to take care of security. As a first step, we need to create an SSL certificate and use it to secure our Ubuntu FTP server. First, let's run the following command:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

The -days flag makes the certificate valid for a year, and the same command generates the 2048-bit RSA private key. When prompted for the required information, enter it in the field provided.

After creating the certificate, open the configuration file again:

sudo nano /etc/vsftpd.conf

At the end of the file there are two lines beginning with rsa_. Comment them out:

# rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Instead, we will point the config file to the certificate we created. Add these lines:

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

Now we will enable SSL and make sure that only clients using SSL can connect. Change the value of ssl_enable to YES:

ssl_enable=YES

Now add the following lines to tighten security (they deny anonymous connections over SSL and require SSL for local users' logins and data transfers):

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

Configure TLS using:

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

Here we will add two more options. First, we will not require SSL session reuse, because it breaks many FTP clients. Second, we will require high-strength cipher suites, which means key lengths equal to (or greater than) 128 bits.

require_ssl_reuse=NO
ssl_ciphers=HIGH

Let's restart again for the changes to take effect:

sudo systemctl restart vsftpd

Wonderful! So you have configured the FTP server on your Ubuntu VPS to work with the SSL/TLS protocol.
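A small audit of /etc/vsftpd.conf, added here as an example and not code from the page or from vsftpd: it parses the file with vsftpd's own line rules (comment lines start with #, no whitespace around =, YES/NO booleans) and then flags the settings that the Securing FTP section and Steps 4 and 5 above warn about. The sample configuration is constructed; the option names are real vsftpd options, the check messages are my own.

```python
# vsftpd boolean options mentioned on this page (vsftpd has many more).
BOOL_OPTIONS = {
    "anonymous_enable", "local_enable", "write_enable", "anon_upload_enable",
    "chroot_local_user", "chroot_list_enable", "allow_writeable_chroot",
    "ssl_enable", "allow_anon_ssl", "force_local_data_ssl", "force_local_logins_ssl",
    "ssl_tlsv1", "ssl_sslv2", "ssl_sslv3", "require_ssl_reuse", "userlist_enable",
    "userlist_deny", "seccomp_sandbox", "listen", "listen_ipv6", "pasv_enable",
}


def parse_vsftpd_conf(text):
    """Parse like vsftpd: '#' lines and empty lines are skipped, every other
    line must be key=value with no whitespace around '=', and booleans are
    YES/NO (or TRUE/FALSE/1/0, any case). Returns (settings, errors), where
    errors lists (line_no, message) for lines vsftpd would refuse to start on."""
    settings, errors = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if line == "" or line.startswith("#"):
            continue
        if "=" not in line:
            errors.append((n, "missing '=': %r" % line))
            continue
        key, value = line.split("=", 1)
        if key != key.strip() or value != value.strip():
            # 'write_enable = YES' makes vsftpd fail with '500 OOPS: bad bool value'
            errors.append((n, "whitespace around '=' is rejected: %r" % line))
        elif key not in BOOL_OPTIONS:
            settings[key] = value
        elif value.upper() in ("YES", "TRUE", "1"):
            settings[key] = True
        elif value.upper() in ("NO", "FALSE", "0"):
            settings[key] = False
        else:
            errors.append((n, "bad bool value for %s: %r" % (key, value)))
    return settings, errors


def audit(settings):
    """Flag the risky settings this page discusses. Absent options take
    vsftpd's compiled-in defaults (note that anonymous_enable defaults to YES)."""
    g = settings.get
    findings = []
    if g("anonymous_enable", True):
        findings.append("anonymous_enable=YES: anonymous logins allowed")
        if g("anon_upload_enable", False):
            findings.append("anon_upload_enable=YES: anonymous upload enabled")
    if not g("ssl_enable", False):
        findings.append("ssl_enable is not YES: logins and data travel in clear text")
    else:
        for opt in ("force_local_logins_ssl", "force_local_data_ssl"):
            if not g(opt, True):
                findings.append("%s=NO: plain-text fallback allowed" % opt)
        for opt in ("ssl_sslv2", "ssl_sslv3"):
            if g(opt, False):
                findings.append("%s=YES: obsolete SSL version enabled" % opt)
    if not g("chroot_local_user", False) and not g("chroot_list_enable", False):
        findings.append("no chroot: local users can browse the whole file system")
    if g("allow_writeable_chroot", False):
        findings.append("allow_writeable_chroot=YES: chroot root is writable")
    if g("seccomp_sandbox", True) is False:
        findings.append("seccomp_sandbox=NO: syscall sandbox disabled")
    if g("userlist_enable", False) and g("userlist_deny", True):
        findings.append("userlist_deny=YES: list only denies, other local users still log in")
    return findings


# Constructed sample in the shape of the Step 4/5 edits. Line 4 has spaces
# around '=' (as some copies of the tutorial render it) and ssl_sslv3 is left
# on, so both the parser and the audit have something to report.
SAMPLE_CONF = """\
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
local_enable=YES
write_enable = YES
chroot_local_user=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
userlist_enable=YES
userlist_deny=NO
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=YES
"""

if __name__ == "__main__":
    settings, errors = parse_vsftpd_conf(SAMPLE_CONF)
    for n, msg in errors:
        print("parse error, line %d: %s" % (n, msg))
    for msg in audit(settings):
        print("finding: " + msg)
```

To audit a real file, pass the contents of /etc/vsftpd.conf to parse_vsftpd_conf instead of SAMPLE_CONF.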

Step 6 – Checking Connection Using FileZilla

Today, FTP clients support TLS encryption, so this is a good opportunity to check that our Ubuntu FTP server is working as it should. To test the connection, we will use . To get started, launch FileZilla and click the Site Manager icon.

Click the New Site button and, in the window that appears, start filling in the information about the Ubuntu FTP server.

Fill in the required fields with information about your newly created Ubuntu FTP server. Since we configured it using TLS, we can set the encryption option to "explicit FTP over TLS". The final settings window looks like this:

Once configured, press Connect and a window will appear asking you to enter the FTP user password.

Finally, you will need to verify the SSL certificate on your FTP server on Ubuntu VPS.

After confirmation, the root directory with the test file will appear on your screen.

This is all! Now you can perform any file transfer from your computer to the Ubuntu FTP server and back.

Conclusion

In this tutorial, we walked step by step to create a secure way for a local user to transfer files via FTP with SSL/TLS on an Ubuntu FTP server. We also tested the connections using FileZilla to make sure everything worked.

FTP (File Transfer Protocol) allows you to upload files to and download files from a server. Today, this protocol is not particularly popular, since it does not support data encryption. Instead of FTP, the SFTP protocol (data transfer via SSH) and the SCP protocol are used. This article discusses setting up a regular FTP server based on Ubuntu.

The FTP protocol operates in client-server mode. The server constantly listens for requests from remote clients on port 21. When a request is received, it manages the login and establishes a connection. During the session, the server executes any commands sent by the FTP client. TCP is used as the transport layer protocol. FTP uses two types of connections to transfer data:

  1. Control connection (port 21)
  2. Data connection (in active mode port 20, in passive mode any port greater than 1024)

The separation into control connection and data connection is efficient. This allows commands and files to be transferred independently of each other.

FTP supports two types of authentication:

  1. Anonymous (ftp or anonymous login, password – email)
  2. Authorized (each user has their own login and password)

When working via the FTP protocol, two modes can be established between the client and the server: active and passive. The control connection is the same for Active and Passive mode. The client initiates a TCP connection from a dynamic port (1024 - 65535) to port number 21 on the FTP server, after which authentication occurs. Further actions depend on which mode is selected.

In active mode, after authentication, the client also informs the server of its port number (from the dynamic range 1024 - 65535) so that the server can connect to the client to establish a data connection. The FTP server connects to the specified client port number using TCP port number 20 for data transfer.

In passive mode, after authentication, the server tells the client the TCP port number (from the dynamic range 1024 - 65535) to which it can connect to establish a data connection.

Thus, in active mode, the server is the connection initiator as it connects to the client. In passive mode, the connection initiator is the client.

The active mode is “harmful” for the client in the sense that when a server connects to it on a random port, such a connection will most likely be blocked by the firewall on the client side. Thus, it is necessary to open ports on the client side, which leads to security holes. On the other hand, this mode will be useful for the server, since the well-known port 20 is used for data transfer.

The passive mode is "harmful" for the server, but "beneficial" for the client. The client will make both connections to the server, but one of them will be to a random high port, and such a connection will be blocked by the server-side firewall unless that port range is opened.

Passive mode is typically used when there is a firewall between the client and server.
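The port arithmetic behind the two modes, added here as an example that is not part of the original article: it decodes a PASV reply, encodes a PORT command, and checks that the server's announced data port lies inside the pasv_min_port/pasv_max_port range opened on the firewall (40000-50000 in Step 2 above) and that the announced address matches the peer of the control connection. The replies are constructed for the article's server address 172.16.1.2.

```python
import re

# h1,h2,h3,h4,p1,p2 tuple from a '227 Entering Passive Mode (...)' reply
_PASV_TUPLE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(reply):
    """Decode the server's PASV reply into (ip, port).
    RFC 959 packs the 16-bit port as p1,p2 with port = p1*256 + p2."""
    if not reply.startswith("227"):
        raise ValueError("not a PASV reply: %r" % reply)
    m = _PASV_TUPLE.search(reply)
    if m is None:
        raise ValueError("no host/port tuple in PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def build_port_command(ip, port):
    """Encode the client's PORT command for active mode: it names the
    address and port the server will connect back to from its port 20."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    if not 1024 <= port <= 65535:
        raise ValueError("client data port must lie in 1024-65535")
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def check_pasv_reply(reply, control_peer_ip, pasv_min=40000, pasv_max=50000):
    """Defensive checks a client or a monitoring probe can apply to a PASV
    reply: the data port must fall inside the server's configured
    pasv_min_port..pasv_max_port range (the one opened in ufw), and the
    announced address must be the host the control connection talks to.
    Returns a list of problems, empty if the reply is consistent."""
    ip, port = parse_pasv_reply(reply)
    problems = []
    if not pasv_min <= port <= pasv_max:
        problems.append("data port %d outside %d-%d" % (port, pasv_min, pasv_max))
    if ip != control_peer_ip:
        problems.append("PASV points at %s, control connection is to %s"
                        % (ip, control_peer_ip))
    return problems


# Constructed replies in the RFC 959 format for the article's server 172.16.1.2
GOOD_REPLY = "227 Entering Passive Mode (172,16,1,2,164,255)."   # port 42239
LOW_REPLY = "227 Entering Passive Mode (172,16,1,2,19,137)."     # port 5001

if __name__ == "__main__":
    print(parse_pasv_reply(GOOD_REPLY))
    print(check_pasv_reply(GOOD_REPLY, "172.16.1.2"))
    print(check_pasv_reply(LOW_REPLY, "172.16.1.2"))
    print(build_port_command("172.16.1.10", 50001))
```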

The most popular FTP commands are:

Command   Description
USER      Specify username
PASS      Specify password
LIST      View directory contents
CWD       Change the current directory
RETR      Transfer a file from server to client
STOR      Transfer a file from client to server
TYPE      Set transfer mode
DELE      Delete a file
MKD       Create directory
RMD       Delete directory
PASV      Use passive mode
QUIT      Log out and disconnect

FTP has three transfer modes:

  1. Streaming – continuous data transfer as a stream (no processing, processing performed by TCP)
  2. Block - FTP divides the data into blocks (header, data field, file size in bytes) and transfers them to TCP
  3. Compression mode with a single algorithm

FTP server is a “library” of files on a hosting, used to store files of different formats. The most popular ftp servers are vsftpd and proftpd. FTP servers are needed to host large volumes of data for public and private downloading. Often, servers are used for anonymous (guest) access to open source distributions of software, music and photos. Access for anonymous users allows, as a rule, only to view directories and download the necessary information, but on some servers it’s the other way around - there are special directories where any user can upload a file for sharing.

With non-anonymous access, there are more possibilities, but they are limited to the directory where access is granted.

Let's move on to setting up the server. We will work with such a scheme.

Both the administrator and the user will have access to the FTP server. Administrator and user have authorized access. In this case, it is necessary to configure access rights so that the administrator has unlimited access, and the user has access only to his home directory. You also need to configure anonymous access.

In Ubuntu, the vsftpd daemon is available as the FTP server. We install it with the command:

testServer$ sudo apt-get install vsftpd

By default, anonymous uploading is disabled. You need to change the configuration in the /etc/vsftpd.conf file.

testServer$ sudo nano /etc/vsftpd.conf

We find the line “anonymous_enable” there and assign it the value “Yes”. This line is responsible for access to the FTP server for anonymous users.

You also need to uncomment two lines: "write_enable" and "chroot_local_user". The first line enables writing to the server; the second prevents local users from moving to any directory above their home folder.

At the end of the configuration file we add two settings:

These settings set home folders for anonymous and local users.

Save the file configuration using the Ctrl + X key combination (when prompted to replace the current file, select Yes). Next you need to reboot the FTP server with the command

testServer$ sudo service vsftpd restart

The next stage is creating users.

Create a superuser with the command:

testServer$ sudo adduser superuser

Give it a password:

testServer$ sudo passwd superuser

We give him unlimited rights:

testServer$ sudo adduser superuser sudo

Create a regular user:

testServer$ sudo adduser user

Give it a password:

testServer$ sudo passwd user

Enter new UNIX password: 12345

Create a user group to manage folders:

testServer$ sudo addgroup groupl

testServer$ sudo nano /etc/group

Find the line “groupl” using Ctrl + W.

We add our users superuser and user to this line.

Create folders for users:

testServer$ sudo mkdir /srv/ftp/upload

testServer$ sudo mkdir /srv/ftp/superuser

testServer$ sudo mkdir /srv/ftp/user

Set access rights for folders:

testServer$ sudo chmod 700 /srv/ftp/superuser

testServer$ sudo chmod 770 /srv/ftp/user

testServer$ sudo chmod 575 /srv/ftp/upload

Changing folder owners:

testServer$ sudo chown superuser: /srv/ftp/superuser

testServer$ sudo chown user:groupl /srv/ftp/user

testServer$ sudo chown :groupl /srv/ftp/upload

Thus, we get the following picture:

  1. Only the superuser user has access to the superuser folder, and he is also the owner of this folder.
  2. Both user and superuser have access to the user folder. This is because we set the permissions to 770. The second seven grants full rights to the group groupl, to which we added superuser.
  3. Both user and superuser have full access to the upload folder. For everyone else, only read and execute permissions are set (575). 5 = 101 in binary, which corresponds to r-x. That is, other users (and this includes anonymous) cannot write anything in the upload folder.

We check access rights and owners with the command:

testServer$ ls -l /srv/ftp

In order to check access to the FTP server, you need to type in the address bar in any browser:

ftp://172.16.1.2

In this case, we are logged in as an anonymous user, since we do not enter a name and password.

We see three folders superuser/, upload/, user/. Since we logged in as an anonymous user, we only have access to the folder upload/.

To log in as a superuser, enter:

ftp://superuser@172.16.1.2

Enter your username: superuser, password: 12345 . Under superuser we get access to all folders.

Let's check the regular user one last time. To avoid having to enter your username and password every time you log in, you can write the following in the address bar:

ftp://user:12345@172.16.1.2

As user we can only get into the upload/ and user/ folders; access to superuser/ is denied.


From time to time, every system administrator has a need for an FTP server, most often this is due to the need to ensure automatic exchange of information between applications, for example, during automatic exchange of a distributed 1C information base, or to access files on a web server. Today we will tell you how to create such a server on the Ubuntu platform in less than half an hour.

But first, a little theory. The FTP (File Transfer Protocol) protocol is intended, as the name suggests, for transferring files and appeared in 1971, but despite its advanced age it continues to be widely used to this day. Although its use today is more technical in nature, end users typically use a browser and the HTTP protocol to access data. The advantages of FTP include the ability to resume downloading a file when the connection is lost and the ability to equally easily read files and write them. But there are also disadvantages, the most serious one being low security, so this issue should be given the closest attention.

FTP, like PPTP, uses different connections to send commands and transfer data. When initiating a connection, the client sends control commands to port 21 of the server, which in turn establishes an outgoing connection for data transfer on port 20, the port on the client side is determined as a result of negotiation. However, if the client is behind NAT, the connection cannot be established in this way, so an additional FTP passive mode was developed, when the connection for data transfer is established not by the server, but by the client, but with the parameters specified by the server. These points should be taken into account when forwarding FTP and when setting up a network filter.

For our server we will use vsftpd, a simple, fast and secure FTP server. Since it will serve both external and internal networks, it makes sense to add this role to our . Server installation is extremely simple:

apt-get install vsftpd

The server is configured through the configuration file /etc/vsftpd.conf; it has a simple structure, is well commented, and allows you to set up a server without any instructions and with minimal knowledge. Let's consider its main parameters.

The server can be launched constantly, as a service, or started when necessary; the first option is more suitable for us:

listen=YES

This option has a mutually exclusive entry, which should be given the following form:

listen_ipv6=NO

Let's allow only local users to log in:

anonymous_enable=NO
local_enable=YES

Let's allow users to write files and instruct the server to automatically set the necessary rights (755 for folders and 644 for files):

write_enable=YES
local_umask=022

If you need to set a different set of rights: 775 and 664, then umask should be equal to 002.

By default, the server uses GMT time, so that files are set to your time zone, use the option:

use_localtime=YES

Let's enable the log of uploaded and downloaded files:

xferlog_enable=YES

Let's allow the server to establish connections to transmit data on port 20 (active mode):

connect_from_port_20=YES

The following options specify the location and format for storing logs:

xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES

Let's set session timeouts:

idle_session_timeout=600
data_connection_timeout=120

Also, for security purposes, we isolate the user in his home directory and immediately allow writing to his root:

chroot_local_user=YES
allow_writeable_chroot=YES

To work correctly with text data, you can enable ASCII support; this will allow, when transferring a text file from a Windows system to UNIX (Linux), to correctly replace line breaks from CR+LF to LF to correctly display the content and perform the reverse conversion when transferring it back.

ascii_upload_enable=YES
ascii_download_enable=YES

You can only enable one option, for uploading or downloading. Please note that when transferring a binary file in ASCII mode, the latter may be damaged.

Quite an interesting option:

ls_recurse_enable=YES

It allows recursive browsing of directories, on the one hand it is convenient, on the other hand it can cause a large load on the server if, for example, you get a listing of a directory containing a large number of files and directories.

We leave all other options as default, although you can edit the server greeting by writing whatever you like:

ftpd_banner=Welcome to Roga i Kopyta LLC FTP

At the end of the configuration file, we will set the settings for passive mode; it is recommended to explicitly set the ports so that you can specify them during forwarding if the server is behind NAT or in firewall rules:

pasv_enable=YES
pasv_min_port=62000
pasv_max_port=62999

Restart the server (this must be done every time after making changes to the configuration):

service vsftpd restart

and try to connect with any FTP client using the credentials of an existing user. We must get into his home directory and be isolated in it.

If an error occurs due to incorrect operation of vsftpd and the seccomp security system:

500 OOPS: prctl PR_SET_SECCOMP failed

add an undocumented option to the file:

seccomp_sandbox=NO

However, remember that FTP is an insecure protocol, so allowing any local user onto the server, as is done now, is not the best option. To avoid this situation, vsftpd has a built-in user control mechanism. Let's add the option to the configuration file:

userlist_enable=YES

and create a user list file:

touch /etc/vsftpd.user_list

By default, vsftpd denies access to the server to the users listed in this file, even before a password is entered, i.e. it implements the principle of allowing everyone who is not explicitly denied. It would be much better to implement the opposite approach: everyone who is not explicitly allowed is denied, i.e. only the listed users get access. To do this, add the option:

userlist_deny=NO

Now only explicitly specified users will have access to the FTP server; they should be specified in vsftpd.user_list one per line, for example:

ivanov
petrov

Unless otherwise specified, when connecting via FTP, users are taken to their home directory. This is not always convenient; you often need to redirect them to another directory. If this is a common folder for everyone, say /var/ftp, then you can set the option:

local_root=/var/ftp

Which will redirect all users to the specified directory and isolate them there.

This is the simplest situation; real tasks are usually more complicated. Let's say we need to set the root directory of user ivanov to /var/www/example1.com and that of petrov to /var/www/example2.com, so that each of them works with his own folder. For these purposes, you can use another feature of vsftpd: per-user settings that override the settings of the main configuration file.

To do this, add an option:

user_config_dir=/etc/vsftpd_user_conf

Then we will create the directory itself

mkdir /etc/vsftpd_user_conf

To set the user’s own settings in this directory, you should create a file with the user’s name and add the necessary options to it. The changes are applied without restarting the FTP server the next time the client connects.

Let's create a file with settings for Ivanov:

touch /etc/vsftpd_user_conf/ivanov

and add an option to it:

local_root=/var/www/example1.com

The next time the user connects, his root directory will change to the specified one. In this file we can also set any other personal options, for example a different umask or different file permissions. However, global settings such as connection, logging and authentication options cannot be used here; they will simply be ignored.

If you need to hide the real owners of files and folders, you can use the option:

hide_ids=YES

In that case, ftp:ftp is shown instead of the real owner and group. This is useful on a public server, or when the user list contains outsiders to whom you do not want to reveal the real account names on your system.
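As an added example (not code from the original article), here is a small shell script that generates such per-user files from a user/directory pair and then checks an existing user_config_dir for the two things that silently break logins: a file for an account that is not in vsftpd.user_list (with userlist_deny=NO that account can never log in, so the file is stale) and a local_root that no longer exists. The user names, directories and the temp directory used in the demonstration are constructed for illustration; CONF_DIR stands for /etc/vsftpd_user_conf.

```shell
#!/bin/sh
# Added example, not part of the original article: generate per-user vsftpd
# configuration files (user_config_dir) and check an existing set of them.
# The user names, directories and the temp dir in the demo are constructed
# for illustration; CONF_DIR stands for /etc/vsftpd_user_conf.
set -u

# write_user_conf CONF_DIR USER ROOT_DIR [OPTION=VALUE ...]
# Writes CONF_DIR/USER containing local_root=ROOT_DIR plus any extra
# per-user options. Refuses a ROOT_DIR that does not exist, since vsftpd
# would then fail the login ("500 OOPS: cannot change directory").
# Option names are lowercase and case-sensitive; do not capitalise them.
write_user_conf() {
    confdir=$1
    user=$2
    rootdir=$3
    shift 3
    case $user in
        ''|*[!a-z0-9_.-]*)
            echo "write_user_conf: invalid user name '$user'" >&2
            return 1 ;;
    esac
    if [ ! -d "$rootdir" ]; then
        echo "write_user_conf: $rootdir does not exist" >&2
        return 1
    fi
    tmpfile=$confdir/.$user.tmp      # write, then rename: never a half-written file
    {
        echo "local_root=$rootdir"
        for opt in "$@"; do
            echo "$opt"
        done
    } >"$tmpfile" && mv "$tmpfile" "$confdir/$user"
}

# check_user_confs CONF_DIR USER_LIST
# With userlist_deny=NO only accounts named in USER_LIST can log in, so a
# per-user file for anyone else is stale. Also re-checks every local_root.
# Prints one line per finding and returns 1 if there were any.
check_user_confs() {
    confdir=$1
    userlist=$2
    bad=0
    for f in "$confdir"/*; do
        [ -f "$f" ] || continue
        user=${f##*/}
        if ! grep -qx "$user" "$userlist"; then
            echo "$user: per-user config exists but user is not in $userlist"
            bad=1
        fi
        root=$(sed -n 's/^local_root=//p' "$f" | tail -n 1)
        if [ -n "$root" ] && [ ! -d "$root" ]; then
            echo "$user: local_root $root does not exist"
            bad=1
        fi
    done
    return $bad
}

# Demonstration: a temp dir stands in for /etc and /var/www.
demo_user_confs() {
    work=$(mktemp -d)
    mkdir -p "$work/vsftpd_user_conf" "$work/www/example1.com" "$work/www/example2.com"
    printf 'ivanov\n' >"$work/vsftpd.user_list"        # petrov deliberately missing
    write_user_conf "$work/vsftpd_user_conf" ivanov "$work/www/example1.com" local_umask=022
    write_user_conf "$work/vsftpd_user_conf" petrov "$work/www/example2.com"
    rmdir "$work/www/example2.com"                       # petrov's root disappears
    check_user_confs "$work/vsftpd_user_conf" "$work/vsftpd.user_list" || echo "fix the above before petrov calls"
    rm -rf "$work"
}
demo_user_confs
```

Run it as root on the real paths once the per-user files are in place; the check is cheap enough to keep in a cron job, because a web root that is renamed or a user removed from vsftpd.user_list otherwise shows up only as a puzzled user.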

As you can see, we actually created a working FTP server in less than half an hour.

FTP (File Transfer Protocol) is a standard network protocol used to transfer files to and from a remote host. For more secure and faster data transfer, use SCP.

There are many open source FTP servers available for Linux. The most popular and widely used are PureFTPd, ProFTPD and vsftpd. In this article we will install vsftpd. This is a stable, secure and fast FTP server. We'll also show you how to configure vsftpd to restrict user access to their home directory and encrypt all transmissions using SSL/TLS.

Although this article is written for Ubuntu 18.04, the same instructions apply to Ubuntu 16.04 and any Debian-based distribution, including Debian, Linux Mint, and Elementary OS.

Prerequisites

Installing vsftpd on Ubuntu 18.04

The vsftpd package is available in the repositories. To install it, simply run the following commands:

sudo apt update
sudo apt install vsftpd

The vsftpd service will automatically start after the installation process is complete. Check it by printing the service status:

sudo systemctl status vsftpd

The output will look something like this, indicating that the vsftpd service is active and running:

* vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-10-15 03:38:52 PDT; 10min ago
 Main PID: 2616 (vsftpd)
    Tasks: 1 (limit: 2319)
   CGroup: /system.slice/vsftpd.service
           `-2616 /usr/sbin/vsftpd /etc/vsftpd.conf

Setting up vsftpd

The vsftpd server is configured by editing the /etc/vsftpd.conf file. Most settings are documented inside the configuration file itself; for all available options, see the official vsftpd documentation (the vsftpd.conf(5) manual page).

In the following sections, we'll look at some of the important settings needed to set up a secure vsftpd installation.

Start by opening the vsftpd configuration file:

sudo nano /etc/vsftpd.conf

1. FTP access

We will allow only local users to access the FTP server. Find the anonymous_enable and local_enable directives and make sure your configuration matches the following lines:

/etc/vsftpd.conf

anonymous_enable=NO
local_enable=YES

2. Enable uploads

Uncomment the write_enable setting to allow changes to the file system, such as uploading and deleting files.

/etc/vsftpd.conf

write_enable=YES

3. Chroot

To prevent FTP users from accessing any files outside their home directories, uncomment the chroot setting.

/etc/vsftpd.conf

chroot_local_user=YES

By default, when chroot is enabled, vsftpd refuses the login altogether (500 OOPS: vsftpd: refusing to run with writable root inside chroot()) if the directory the user is locked into is writable by that user. A writable chroot root is a known security problem, so this check should be kept.

  • Method 1. The recommended way to allow uploads is to keep chroot enabled and lay out the FTP directories accordingly. In this article, we will create an ftp directory inside the user's home that serves as the (non-writable) chroot root, and a writable upload directory inside it for uploading files.

    /etc/vsftpd.conf

    user_sub_token=$USER
    local_root=/home/$USER/ftp

  • Method 2. Another option is to add the following directive to the vsftpd configuration file. Use it only if you must grant write access to the user's home directory itself, since it switches off the safety check described above.

    /etc/vsftpd.conf

    allow_writeable_chroot=YES

4. Passive FTP connections

vsftpd can use any port for passive FTP data connections. We will specify a minimum and maximum port and then open that range in the firewall.

Add the following lines to the configuration file:

/etc/vsftpd.conf

pasv_min_port=30000
pasv_max_port=31000

5. Restricting user login

To allow only certain users to log into the FTP server, add the following lines to the end of the file:

/etc/vsftpd.conf

userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO

When this option is enabled, you need to specify explicitly which users can log in by adding their usernames to /etc/vsftpd.user_list (one user per line). Note that on Ubuntu vsftpd's PAM configuration (/etc/pam.d/vsftpd) additionally denies any account named in /etc/ftpusers, which by default lists root and other system accounts, regardless of what is in this file.

6. Securing transfers with SSL/TLS

To encrypt FTP transfers using SSL/TLS, you need to have an SSL certificate and configure your FTP server to use it.

You can use one signed by a trusted certificate authority, or create a self-signed certificate.

If you have a domain or subdomain pointing to your FTP server's IP address, you can easily create a free SSL certificate for encryption.

In this article, we will generate a self-signed SSL certificate using the openssl command.

The following command creates a 2048-bit private key and a self-signed certificate valid for 10 years. Both the private key and the certificate are saved in the same file, which therefore must stay readable by root only (on Ubuntu /etc/ssl/private already is):

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Now that the SSL certificate has been created, open the vsftpd configuration file:

sudo nano /etc/vsftpd.conf

Find the rsa_cert_file and rsa_private_key_file directives, point both at the file you just created, and set the ssl_enable directive to YES:

/etc/vsftpd.conf

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES

Unless otherwise specified, the FTP server will use only TLS (not SSLv2 or SSLv3) for secure connections. Note that with ssl_enable=YES the defaults force_local_logins_ssl=YES and force_local_data_ssl=YES also take effect, so local users can no longer log in or transfer data in the clear; that is the intended outcome, but FTP clients must be set to explicit FTP over TLS.

Restart the vsftpd service

Once you are done editing, the vsftpd configuration file (comments excluded) should look something like this:

/etc/vsftpd.conf

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
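The following audit script is an added example, not part of the original article: it reads a vsftpd.conf the way vsftpd does (KEY=VALUE at the start of the line, last occurrence wins) and reports every setting that departs from the hardened configuration built up in steps 1 to 6. It also flags two settings that are only dangerous when set explicitly (allow_writeable_chroot=YES, and force_local_logins_ssl or force_local_data_ssl set to NO, whose default is YES) and the listen/listen_ipv6 conflict that stops vsftpd from starting. The two sample files written by demo_audit are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a vsftpd.conf
# against the hardened settings built up in steps 1-6. The defaults quoted
# in comments are those of vsftpd.conf(5); the sample files in demo_audit
# are constructed here for the demonstration.
set -u

# conf_get FILE KEY: print KEY's value, or nothing if KEY is not set.
# vsftpd reads KEY=VALUE at the start of a line (no surrounding spaces) and
# processes lines in order, so a repeated key takes its last value.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# conf_expect FILE KEY WANT WHY: report a finding unless KEY is exactly WANT.
conf_expect() {
    got=$(conf_get "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "$2=${got:-<unset>} (want $3): $4"
    return 1
}

# audit_vsftpd_conf FILE: print one line per finding; return 0 only if clean.
audit_vsftpd_conf() {
    f=$1
    n=0
    conf_expect "$f" anonymous_enable  NO  "anonymous clients could read the tree"             || n=$((n + 1))
    conf_expect "$f" local_enable      YES "local accounts are the intended login path"        || n=$((n + 1))
    conf_expect "$f" chroot_local_user YES "users would see the whole filesystem"              || n=$((n + 1))
    conf_expect "$f" ssl_enable        YES "credentials and data would cross the wire in clear" || n=$((n + 1))
    conf_expect "$f" userlist_enable   YES "any local account could log in"                    || n=$((n + 1))
    conf_expect "$f" userlist_deny     NO  "user list would be a deny list, not an allow list" || n=$((n + 1))
    # Dangerous only when set explicitly (defaults are NO / YES / YES).
    if [ "$(conf_get "$f" allow_writeable_chroot)" = YES ]; then
        echo "allow_writeable_chroot=YES: prefer a read-only root with a writable subdirectory"
        n=$((n + 1))
    fi
    for k in force_local_logins_ssl force_local_data_ssl; do
        if [ "$(conf_get "$f" "$k")" = NO ]; then
            echo "$k=NO: clients may log in or transfer in plaintext (default YES)"
            n=$((n + 1))
        fi
    done
    # Passive range: both ends set and ordered, otherwise any port is used
    # and the firewall rule for 30000:31000 is meaningless.
    lo=$(conf_get "$f" pasv_min_port)
    hi=$(conf_get "$f" pasv_max_port)
    if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ]; then
        echo "pasv_min_port/pasv_max_port: set an ordered range matching the firewall"
        n=$((n + 1))
    fi
    # vsftpd refuses to start when both listeners are enabled; the IPv6
    # socket normally accepts IPv4 clients as well.
    if [ "$(conf_get "$f" listen)" = YES ] && [ "$(conf_get "$f" listen_ipv6)" = YES ]; then
        echo "listen=YES with listen_ipv6=YES: vsftpd will not start; use listen_ipv6=YES alone"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Demonstration on two constructed files: a weak one and the hardened one.
demo_audit() {
    work=$(mktemp -d)
    cat >"$work/weak.conf" <<'EOF'
listen=YES
listen_ipv6=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
allow_writeable_chroot=YES
EOF
    cat >"$work/hardened.conf" <<'EOF'
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
ssl_enable=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
EOF
    echo "== weak.conf";     audit_vsftpd_conf "$work/weak.conf" || true
    echo "== hardened.conf"; audit_vsftpd_conf "$work/hardened.conf" && echo "no findings"
    rm -rf "$work"
}
demo_audit
```

Point audit_vsftpd_conf at /etc/vsftpd.conf before each restart; because conf_get honours the last occurrence of a key, it also catches the classic mistake of uncommenting a directive below an earlier copy that still carries the old value.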

Save the file and restart the vsftpd service for the changes to take effect:

sudo systemctl restart vsftpd

Opening the firewall

If you are using a UFW firewall, you need to allow FTP traffic.

To open port 21 (FTP command port), port 20 (FTP data port) and 30000-31000 (passive port range), run the following commands:

sudo ufw allow 20:21/tcp
sudo ufw allow 30000:31000/tcp

To avoid locking yourself out, also allow SSH (port 22):

sudo ufw allow OpenSSH

Reload the UFW rules by disabling and re-enabling UFW:

sudo ufw disable
sudo ufw enable

To test the changes:

sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
20:21/tcp                  ALLOW       Anywhere
30000:31000/tcp            ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
20:21/tcp (v6)             ALLOW       Anywhere (v6)
30000:31000/tcp (v6)       ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)

Creating an FTP User

To test our FTP server, we will create a new user.

  • If you already have a user you want to give FTP access to, skip step 1.
  • If you have set allow_writeable_chroot=YES in your config file, skip step 3.
  1. Create a new user named newftpuser:
     sudo adduser newftpuser
  2. Add the user to the list of allowed FTP users:
     echo "newftpuser" | sudo tee -a /etc/vsftpd.user_list
  3. Create the FTP directory tree and set the correct permissions:
     sudo mkdir -p /home/newftpuser/ftp/upload
     sudo chmod 550 /home/newftpuser/ftp
     sudo chmod 750 /home/newftpuser/ftp/upload
     sudo chown -R newftpuser: /home/newftpuser/ftp

    As discussed in the previous section, the user will be able to upload their files to the ftp/upload directory.
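Added example, not from the original article: a check for the directory layout created in step 3. vsftpd refuses the login when the chroot root is writable by the user, and an upload directory that is group- or world-writable lets other local accounts plant files in it, so the function below verifies ownership and both mode conditions with GNU stat (as shipped on Ubuntu). The temp directory in the demonstration stands in for /home/newftpuser.

```shell
#!/bin/sh
# Added example, not part of the original article: verify the chroot layout
# (read-only root, writable upload subdirectory) for a vsftpd user.
# Assumes GNU stat (coreutils, as on Ubuntu); the demo paths are constructed.
set -u

# verify_ftp_tree ROOT UPLOAD OWNER
# ROOT and UPLOAD must exist and be owned by OWNER. ROOT must carry no write
# bit at all (vsftpd refuses a chroot root the user can write to); UPLOAD
# must be writable by the owner and by nobody else. Prints one line per
# violation and returns 0 only when the layout is correct.
verify_ftp_tree() {
    root=$1
    upload=$2
    owner=$3
    bad=0
    for d in "$root" "$upload"; do
        if [ ! -d "$d" ]; then
            echo "$d: missing"
            return 1
        fi
        got=$(stat -c %U "$d")
        if [ "$got" != "$owner" ]; then
            echo "$d: owned by $got, want $owner"
            bad=1
        fi
    done
    # stat %A gives e.g. drwxr-x---; any 'w' in the root's mode is a problem.
    case $(stat -c %A "$root") in
        *w*) echo "$root: writable (mode $(stat -c %a "$root")); vsftpd refuses a writable chroot root"
             bad=1 ;;
    esac
    # Upload dir: owner write set, group and other write clear
    # (pattern positions: d, owner rwx, group rwx, other rwx, optional ACL '+').
    case $(stat -c %A "$upload") in
        d?w??-??-?*) ;;
        *) echo "$upload: mode $(stat -c %a "$upload") should be writable by $owner only (750)"
           bad=1 ;;
    esac
    return $bad
}

# Demonstration in a temp dir standing in for /home/newftpuser.
demo_ftp_tree() {
    work=$(mktemp -d)
    mkdir -p "$work/ftp/upload"
    chmod 550 "$work/ftp"
    chmod 750 "$work/ftp/upload"
    verify_ftp_tree "$work/ftp" "$work/ftp/upload" "$(id -un)" && echo "layout ok"
    chmod 770 "$work/ftp/upload"        # the common mistake: group-writable upload dir
    verify_ftp_tree "$work/ftp" "$work/ftp/upload" "$(id -un)" || echo "layout rejected"
    chmod 750 "$work/ftp"               # root must be writable again before cleanup
    rm -rf "$work"
}
demo_ftp_tree
```

On the real server run it as verify_ftp_tree /home/newftpuser/ftp /home/newftpuser/ftp/upload newftpuser; the root check is stricter than vsftpd's own (no write bit for anyone, not just for the user), which is what the chmod 550 in step 3 produces anyway.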

At this point your FTP server is fully functional, and you should be able to connect to it with any FTP client that can be configured to use TLS encryption, such as FileZilla.

Disabling shell access

By default, a user created with adduser gets a normal login shell, so if an SSH server is running the user can also log in over SSH.

To disable shell access, we'll create a new shell that will simply print a message telling the user that their account is limited to FTP access only.

Create a shell /bin/ftponly and make it executable:

printf '#!/bin/sh\necho "This account is limited to FTP access only."\n' | sudo tee /bin/ftponly
sudo chmod a+x /bin/ftponly

Add the new shell to the list of valid shells in /etc/shells. This step is required: Ubuntu's PAM configuration for vsftpd (/etc/pam.d/vsftpd) uses pam_shells, which rejects logins for accounts whose shell is not listed there.

echo "/bin/ftponly" | sudo tee -a /etc/shells

Change the user's shell to /bin/ftponly:

sudo usermod newftpuser -s /bin/ftponly

Conclusion

In this article, you learned how to install and configure a secure and fast FTP server on your Ubuntu 18.04 system.