FTP (File Transfer Protocol) is a standard network protocol used to transfer files to and from a remote network.
There are many open source FTP servers available for Linux. The most popular and widely used are PureFTPd and vsftpd. In this tutorial we install vsftpd (Very Secure FTP Daemon). It’s a stable, secure, and fast FTP server. We’ll also show you how to configure vsftpd to restrict users to their home directory and encrypt all transmissions with SSL / TLS.
Although this tutorial was written for Ubuntu 18.04, the same instructions apply to Ubuntu 16.04 and any Debian-based distribution, including Debian, Linux Mint, and Elementary OS.
Use SCP or SFTP for safer and faster data transfers.
Before proceeding with this tutorial, make sure that you are logged in as a user with sudo permissions.
Install vsftpd on Ubuntu 18.04
The vsftpd package is available in the Ubuntu repositories. To install it, just run the following commands:
sudo apt update
sudo apt install vsftpd
The vsftpd service will start automatically after the installation process is complete. Check this by printing out the service status:
sudo systemctl status vsftpd
The output looks something like this, showing that the vsftpd service is up and running:
* vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-10-15 03:38:52 PDT; 10min ago
 Main PID: 2616 (vsftpd)
    Tasks: 1 (limit: 2319)
   CGroup: /system.slice/vsftpd.service
           `-2616 /usr/sbin/vsftpd /etc/vsftpd.conf
The vsftpd server is configured by editing the /etc/vsftpd.conf file. Most of the settings are well documented in the configuration file. For all of the options available, see the official vsftpd documentation.
In the following sections we will discuss some important settings that are required to configure a secure vsftpd installation.
First, open the vsftpd configuration file:
sudo nano /etc/vsftpd.conf
1. FTP access
We only allow local users to access the FTP server. Find the local_enable directive and check that it is enabled in your configuration, as in the complete configuration shown later in this tutorial.
2. Activate uploads
Enable the write_enable setting to allow changes to the file system, such as uploading and deleting files.
3. Chroot prison
To prevent FTP users from accessing files outside of their home directories, uncomment the chroot_local_user directive.
To avoid a security vulnerability, when chroot is enabled vsftpd by default refuses to upload files if the directory the users are locked in is writable.
Use one of the following methods to allow uploads when chroot is enabled.
Method 1. – The recommended method to allow uploads is to keep chroot enabled and configure FTP directories. In this tutorial, we create an ftp directory within the user’s home that serves as the chroot, and a writable uploads directory for uploading files. The corresponding user_sub_token and local_root settings in /etc/vsftpd.conf appear in the complete configuration shown later in this tutorial.
Method 2. – Another option is to add the allow_writeable_chroot=YES directive to the vsftpd configuration file (/etc/vsftpd.conf). Use this option if you need to give your user write access to their home directory.
4. Passive FTP connections
vsftpd can use any port for passive FTP connections. We specify the minimum and maximum port range and later open the range in our firewall.
Add the pasv_min_port and pasv_max_port lines to the configuration file; this tutorial uses the range 30000-31000.
5. Restriction of user login
To allow only certain users to log on to the FTP server, add the following lines to the end of the file:
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
When this option is enabled, you must explicitly specify which users can log in by adding their usernames to the /etc/vsftpd.user_list file (one user per line).
6. Securing transmissions with SSL / TLS
To use SSL / TLS to encrypt FTP transmissions, you need an SSL certificate and must configure the FTP server to use it.
You can use an existing SSL certificate signed by a trusted certification authority or create a self-signed certificate.
If you have a domain or subdomain pointing to the IP address of the FTP server, you can easily create a free Let’s Encrypt SSL certificate.
We create a self-signed SSL certificate with the openssl command.
The following command creates a 2048-bit private key and self-signed certificate that is valid for 10 years. Both the private key and the certificate are stored in the same file:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
Once the SSL certificate has been created, open the vsftpd configuration file:
sudo nano /etc/vsftpd.conf
Find the rsa_cert_file and rsa_private_key_file directives, change their values to the pem file path, and set the ssl_enable directive to YES:
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
Unless configured otherwise, the FTP server only uses TLS to establish secure connections.
Restart the vsftpd service
Once you’re done editing, the vsftpd configuration file (with no comments) should look something like this:
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
Save the file and restart the vsftpd service for the changes to take effect:
sudo systemctl restart vsftpd
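One way to check a configuration file against the settings used in this tutorial, as an added example that is not part of the original tutorial. The function names and the sample file are assumptions; the expected values are the ones from the configuration shown above.

```shell
#!/bin/sh
# Added example (not from the tutorial): compare a vsftpd.conf with the
# settings the tutorial ends up with. Function names are hypothetical.

# Value of the last uncommented "name=value" line, empty if the directive is unset.
conf_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Report a directive whose value differs from the expected one. Unset counts
# as a mismatch, because vsftpd then falls back to its built-in default.
expect_value() {
    actual=$(conf_get "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    echo "FAIL $2: expected $3, found ${actual:-<unset>}"
    return 1
}

# Prints one line per finding and returns the number of FAIL findings.
audit_vsftpd_conf() {
    conf=$1 failures=0
    for want in anonymous_enable=NO local_enable=YES chroot_local_user=YES \
                ssl_enable=YES userlist_enable=YES userlist_deny=NO; do
        expect_value "$conf" "${want%%=*}" "${want#*=}" || failures=$((failures + 1))
    done
    # A bounded passive range is what lets the firewall open exactly those ports.
    min=$(conf_get "$conf" pasv_min_port) max=$(conf_get "$conf" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ] || [ "$min" -gt "$max" ]; then
        echo "FAIL pasv_min_port/pasv_max_port: range unset or inverted"
        failures=$((failures + 1))
    fi
    # Method 2 gives up the writable-chroot protection, so flag it for review.
    if [ "$(conf_get "$conf" allow_writeable_chroot)" = YES ]; then
        echo "WARN allow_writeable_chroot=YES: the chroot directory may be writable"
    fi
    return "$failures"
}

# Constructed sample: the tutorial's configuration with userlist_deny left out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
ssl_enable=YES
userlist_enable=YES
pasv_min_port=30000
pasv_max_port=31000
EOF
audit_vsftpd_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a real server the call would be audit_vsftpd_conf /etc/vsftpd.conf, run before restarting the service.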
Open the firewall
If you are using a UFW firewall, you must allow FTP traffic. To open port 21 (FTP command port), port 20 (FTP data port) and 30000-31000 (passive port range), run the following commands:
sudo ufw allow 20:21/tcp
sudo ufw allow 30000:31000/tcp
To avoid being locked out, also allow OpenSSH:
sudo ufw allow OpenSSH
Reload the UFW rules by disabling and re-enabling UFW:
sudo ufw disable
sudo ufw enable
To verify the changes, run:
sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
20:21/tcp                  ALLOW       Anywhere
30000:31000/tcp            ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
20:21/tcp (v6)             ALLOW       Anywhere (v6)
30000:31000/tcp (v6)       ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
Create FTP user
To test our FTP server, we will create a new user.
- If you already have a user you want to grant FTP access to, skip step 1.
- If you set allow_writeable_chroot=YES in your configuration file, skip step 3.
1. Create a new user named newftpuser:
sudo adduser newftpuser
2. Add the user to the list of allowed FTP users:
echo "newftpuser" | sudo tee -a /etc/vsftpd.user_list
3. Create the FTP directory tree and set the correct permissions:
sudo mkdir -p /home/newftpuser/ftp/upload
sudo chmod 550 /home/newftpuser/ftp
sudo chmod 750 /home/newftpuser/ftp/upload
sudo chown -R newftpuser: /home/newftpuser/ftp
As discussed in the previous section, the user can access their files in the ftp/upload directory.
At this point, your FTP server is fully functional and you should be able to log in with any FTP client that can be configured to use TLS encryption, such as FileZilla.
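A check of the directory layout created above, as an added example that is not part of the original tutorial: the chroot directory must carry no write bit, while the upload directory below it must be writable by its owner. The function names are assumptions, and the demo runs on a constructed tree in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the tutorial); function names are hypothetical.

# First ten characters of "ls -ld" output, e.g. "dr-xr-x---". Reading the mode
# bits keeps the result independent of who runs the check (root can write anywhere).
mode_of() { ls -ld "$1" | cut -c1-10; }

# True if any of the owner, group or other write bits is set.
any_write_bit() {
    case $(mode_of "$1") in
        ??w*|?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# $1 = chroot directory (local_root), e.g. /home/newftpuser/ftp.
# Prints findings and returns how many there are.
check_ftp_tree() {
    root=$1 findings=0
    if [ ! -d "$root" ] || [ ! -d "$root/upload" ]; then
        echo "FAIL $root or $root/upload is missing"
        return 1
    fi
    if any_write_bit "$root"; then
        echo "FAIL $root is writable ($(mode_of "$root")); the tutorial uses 550"
        findings=$((findings + 1))
    fi
    case $(mode_of "$root/upload") in
        ??w*) ;;   # owner may write, so uploads work
        *) echo "FAIL $root/upload is not writable by its owner"
           findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed layout in a temporary directory, with the tutorial's modes.
tmp=$(mktemp -d)
mkdir -p "$tmp/ftp/upload"
chmod 750 "$tmp/ftp/upload"
chmod 550 "$tmp/ftp"
check_ftp_tree "$tmp/ftp" && echo "layout matches the tutorial"
chmod -R u+w "$tmp" && rm -rf "$tmp"
```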
Deactivating shell access
By default, unless explicitly specified otherwise, a newly created user has SSH access to the server.
To disable shell access, we’ll create a new shell that will simply print a message telling the user that their account is limited to FTP access only.
Create the /bin/ftponly shell and make it executable:
echo -e '#!/bin/sh\necho "This account is limited to FTP access only."' | sudo tee -a /bin/ftponly
sudo chmod a+x /bin/ftponly
Append the new shell to the list of valid shells in the /etc/shells file:
echo "/bin/ftponly" | sudo tee -a /etc/shells
Change the user shell to /bin/ftponly:
sudo usermod newftpuser -s /bin/ftponly
Use the same command to change the shell of all users whom you want to grant only FTP access.
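To find FTP accounts that were missed, the following added example (not part of the original tutorial) walks the vsftpd user list and reports every user whose login shell is not the restricted one, or whose restricted shell is not registered in the shells file. The function name and the sample files are assumptions; on a real server the arguments would be /etc/vsftpd.user_list, /etc/passwd, /etc/shells and /bin/ftponly.

```shell
#!/bin/sh
# Added example (not from the tutorial); function name and sample data are hypothetical.

# $1 = user list, $2 = passwd-format file, $3 = shells file, $4 = restricted shell
# Prints one line per finding and returns the number of findings.
audit_ftp_shells() {
    findings=0
    while IFS= read -r user; do
        case $user in ''|'#'*) continue ;; esac      # skip blank and comment lines
        shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$2")
        if [ -z "$shell" ]; then
            echo "FAIL $user: no passwd entry or empty shell field"
        elif [ "$shell" != "$4" ]; then
            echo "FAIL $user: login shell is $shell, not $4"
        elif ! grep -qxF "$4" "$3"; then
            echo "FAIL $user: $4 is not listed in $3"
        else
            continue
        fi
        findings=$((findings + 1))
    done < "$1"
    return "$findings"
}

# Constructed sample files: one restricted account, one that still has bash.
work=$(mktemp -d)
printf '%s\n' newftpuser olduser > "$work/user_list"
printf '%s\n' 'newftpuser:x:1001:1001::/home/newftpuser:/bin/ftponly' \
              'olduser:x:1002:1002::/home/olduser:/bin/bash' > "$work/passwd"
printf '%s\n' /bin/sh /bin/bash /bin/ftponly > "$work/shells"
audit_ftp_shells "$work/user_list" "$work/passwd" "$work/shells" /bin/ftponly \
    || echo "findings: $?"
rm -rf "$work"
```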
In this tutorial, you learned how to install and configure a safe and fast FTP server on your Ubuntu 18.04 system.
If you have any questions or feedback, please feel free to leave a comment.