How to set up an FTP server using VSFTPD on Ubuntu 18.04


FTP (File Transfer Protocol) is a standard network protocol used to transfer files to and from a remote host.

There are many open source FTP servers available for Linux. The most popular and widely used are PureFTPd, ProFTPD, and vsftpd. In this tutorial we install vsftpd (Very Secure FTP Daemon). It’s a stable, secure, and fast FTP server. We’ll also show you how to configure vsftpd to restrict users to their home directory and encrypt all transmissions with SSL / TLS.

Although this tutorial was written for Ubuntu 18.04, the same instructions apply to Ubuntu 16.04 and any Debian-based distribution, including Debian, Linux Mint, and Elementary OS.

Use SCP or SFTP for safer and faster data transfers.

Prerequisites

Before proceeding with this tutorial, make sure that you are logged in as a user with sudo permissions.

Install vsftpd on Ubuntu 18.04

The vsftpd package is available in the Ubuntu repositories. To install it, just run the following commands:

sudo apt update
sudo apt install vsftpd

The vsftpd service will start automatically after the installation process is complete. Check this by printing out the service status:

sudo systemctl status vsftpd

The output looks something like this, showing that the vsftpd service is up and running:

* vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-10-15 03:38:52 PDT; 10min ago
 Main PID: 2616 (vsftpd)
    Tasks: 1 (limit: 2319)
   CGroup: /system.slice/vsftpd.service
           `-2616 /usr/sbin/vsftpd /etc/vsftpd.conf

Configure vsftpd

vsftpd is configured by editing the /etc/vsftpd.conf file. Most of the settings are well documented in the configuration file itself. For a list of all available options, visit the official vsftpd documentation page.

In the following sections we will discuss some important settings that are required to configure a secure vsftpd installation.

First, open the vsftpd configuration file:

sudo nano /etc/vsftpd.conf

1. FTP access

To allow only local users to access the FTP server, find the anonymous_enable and local_enable directives and check that your configuration matches the following lines:

/etc/vsftpd.conf
anonymous_enable=NO
local_enable=YES

2. Activate uploads

Uncomment the write_enable setting to allow changes to the filesystem, such as uploading and deleting files.

/etc/vsftpd.conf
write_enable=YES

3. Chroot prison

To prevent FTP users from accessing files outside of their home directories, uncomment the chroot_local_user setting.

/etc/vsftpd.conf
chroot_local_user=YES

To prevent a security vulnerability, vsftpd by default refuses to allow uploads when chroot is enabled and the directory the users are locked into is writable.

Use one of the following methods to allow uploads when chroot is enabled.

  • Method 1. – The recommended method to allow uploads is to keep chroot enabled and configure dedicated FTP directories. In this tutorial, we’re going to create an ftp directory inside the user’s home that serves as the chroot, and a writable upload directory inside it for uploading files.

    /etc/vsftpd.conf
    user_sub_token=$USER
    local_root=/home/$USER/ftp
  • Method 2. – Another option is to add the following directive in the vsftpd configuration file. Use this option if you need to give your user write access to their home directory.

    /etc/vsftpd.conf
    allow_writeable_chroot=YES

4. Passive FTP connections

vsftpd can use any port for passive FTP connections. We specify a minimum and maximum port for the passive range here and later open that range in the firewall.

Add the following lines to the configuration file:

/etc/vsftpd.conf
pasv_min_port=30000
pasv_max_port=31000

5. Restricting user login

To allow only certain users to log on to the FTP server, add the following lines to the end of the file:

/etc/vsftpd.conf
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO

When this option is enabled, you must explicitly specify which users can log in by adding their usernames to the /etc/vsftpd.user_list file (one user per line).

6. Securing transmissions with SSL / TLS

To use SSL / TLS to encrypt FTP transmissions, you need an SSL certificate and must configure the FTP server to use it.

You can use an existing SSL certificate signed by a trusted certification authority or create a self-signed certificate.

If you have a domain or subdomain pointing to the IP address of the FTP server, you can easily create a free Let’s Encrypt SSL certificate.

We create a self-signed SSL certificate with the openssl command.

The following command creates a 2048-bit private key and self-signed certificate that is valid for 10 years. Both the private key and the certificate are stored in the same file:

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Once the SSL certificate has been created, open the vsftpd configuration file:

sudo nano /etc/vsftpd.conf

Find the rsa_cert_file and rsa_private_key_file directives, change their values to the path of the pem file, and set the ssl_enable directive to YES:

/etc/vsftpd.conf
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES

Unless configured otherwise, the FTP server uses only TLS to establish secure connections.

Restart the vsftpd service

Once you’re done editing, the vsftpd configuration file (with no comments) should look something like this:

/etc/vsftpd.conf
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
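The full configuration above is also what a quick post-install check should verify. The following POSIX shell script is an added example, not part of the tutorial or of vsftpd itself: it reads a vsftpd.conf, resolves each directive the way vsftpd does (comments ignored, last occurrence wins), and reports the settings from sections 1 to 6 that deviate from the hardened values, including the weaker Method 2 (allow_writeable_chroot=YES) and an unset or inverted passive port range. The function names and the two sample configuration files are constructed for this example.

```shell
#!/bin/sh
# Added example: lint a vsftpd.conf for the hardening settings covered in this tutorial.
# Function names (vsftpd_get, vsftpd_expect, vsftpd_lint, sample_config) are this example's own.

# Effective value of directive $2 in config file $1: comments dropped, last occurrence wins.
vsftpd_get() {
    grep -v '^[[:space:]]*#' "$1" | grep "^[[:space:]]*$2=" | tail -n 1 | cut -d= -f2-
}

# Expect directive $2 in file $1 to equal $3; print a FINDING line and return 1 otherwise.
vsftpd_expect() {
    actual=$(vsftpd_get "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    echo "FINDING: $2 is '${actual:-unset}', expected '$3'"
    return 1
}

# Run every check on config file $1. Prints one FINDING per problem; returns 0 only if clean.
vsftpd_lint() {
    cfg="$1"; findings=0
    vsftpd_expect "$cfg" anonymous_enable NO  || findings=$((findings + 1))   # section 1
    vsftpd_expect "$cfg" local_enable YES     || findings=$((findings + 1))   # section 1
    vsftpd_expect "$cfg" chroot_local_user YES || findings=$((findings + 1))  # section 3
    vsftpd_expect "$cfg" ssl_enable YES       || findings=$((findings + 1))   # section 6
    vsftpd_expect "$cfg" userlist_enable YES  || findings=$((findings + 1))   # section 5
    vsftpd_expect "$cfg" userlist_deny NO     || findings=$((findings + 1))   # section 5
    # Method 2 lets users write to their chroot root; Method 1 (local_root) is the recommended form.
    if [ "$(vsftpd_get "$cfg" allow_writeable_chroot)" = "YES" ]; then
        echo "FINDING: allow_writeable_chroot=YES makes the chroot root writable; prefer local_root with a read-only chroot"
        findings=$((findings + 1))
    fi
    # Section 4: the passive range must exist and be ordered so the firewall rule can match it.
    min=$(vsftpd_get "$cfg" pasv_min_port); max=$(vsftpd_get "$cfg" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ] || [ "$min" -gt "$max" ]; then
        echo "FINDING: pasv_min_port/pasv_max_port missing or inverted (min='${min:-unset}' max='${max:-unset}')"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample configs (not taken from a real host). $1 = "hardened" or "weak"; prints the file path.
sample_config() {
    f=$(mktemp)
    if [ "$1" = "hardened" ]; then
        cat > "$f" <<'EOF'
# hardened sample, mirrors the tutorial's final configuration
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
EOF
    else
        cat > "$f" <<'EOF'
# weak sample: anonymous login, writable chroot, no TLS, no user list, inverted passive range
anonymous_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
ssl_enable=NO
pasv_min_port=31000
pasv_max_port=30000
EOF
    fi
    echo "$f"
}

# Demo run over both constructed samples; on a real host run: vsftpd_lint /etc/vsftpd.conf
for kind in hardened weak; do
    cfg=$(sample_config "$kind")
    echo "== $kind sample =="
    vsftpd_lint "$cfg" || true
    rm -f "$cfg"
done
```

The weak sample produces six findings; the hardened one produces none. The linter checks only what the configuration file says, so pair it with the permission check on the chroot directory itself, since a writable chroot root is what makes vsftpd refuse logins at runtime.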

Save the file and restart the vsftpd service for the changes to take effect:

sudo systemctl restart vsftpd

Open the firewall

If you are using a UFW firewall, you must allow FTP traffic.

To open port 21 (FTP command port), port 20 (FTP data port) and 30000-31000 (passive port range), run the following commands:

sudo ufw allow 20:21/tcp
sudo ufw allow 30000:31000/tcp

To avoid being locked out, open the port 22:

sudo ufw allow OpenSSH

Reload the UFW rules by disabling and re-enabling UFW:

sudo ufw disable
sudo ufw enable

To review the changes, do the following:

sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
20:21/tcp                  ALLOW       Anywhere
30000:31000/tcp            ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
20:21/tcp (v6)             ALLOW       Anywhere (v6)
30000:31000/tcp (v6)       ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)

Create FTP user

To test our FTP server, we will create a new user.

  • If you already have a user you want to grant FTP access to, skip step 1.
  • If you set allow_writeable_chroot=YES in your configuration file, skip step 3.
  1. Create a new user named newftpuser:

    sudo adduser newftpuser
  2. Add the user to the list of allowed FTP users:

    echo "newftpuser" | sudo tee -a /etc/vsftpd.user_list
  3. Create the FTP directory tree and set the correct permissions:

    sudo mkdir -p /home/newftpuser/ftp/upload
    sudo chmod 550 /home/newftpuser/ftp
    sudo chmod 750 /home/newftpuser/ftp/upload
    sudo chown -R newftpuser: /home/newftpuser/ftp

    As discussed in the previous section, the user can access and upload files in the ftp/upload directory.
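The mkdir, chmod and chown steps above encode the rule from the chroot section: the chroot root (ftp) must carry no write bit, while the upload directory must be writable by its owner and closed to everyone else. The following POSIX shell functions are an added example, not part of the tutorial or of vsftpd: ftp_tree_create performs the same four steps for any home directory and owner, and ftp_tree_check verifies the resulting permission bits and reports what vsftpd would reject. The function names are this example's own, and the demo at the end runs on a temporary directory instead of /home.

```shell
#!/bin/sh
# Added example: provision and verify the per-user FTP directory tree from the tutorial.
# Function names (ftp_tree_create, perm_string, ftp_tree_check) are this example's own, not vsftpd commands.

# Create <home>/ftp (chroot root, mode 550) and <home>/ftp/upload (mode 750), then hand the
# tree to <owner> and its primary group. Returns non-zero on any failure.
ftp_tree_create() {
    home="$1"; owner="$2"
    mkdir -p "$home/ftp/upload" || return 1
    # The chroot root must not be writable, or vsftpd refuses the login (writable root inside chroot).
    chmod 550 "$home/ftp" || return 1
    # The upload directory is where the user may write; "other" gets no access at all.
    chmod 750 "$home/ftp/upload" || return 1
    chown -R "$owner:$(id -gn "$owner")" "$home/ftp" || return 1
}

# Symbolic permission string without the type character, e.g. "r-xr-x---".
perm_string() { ls -ld "$1" | cut -c2-10; }

# Verify the invariants vsftpd relies on for <home>; print each problem and return 1 if any.
ftp_tree_check() {
    home="$1"; root="$home/ftp"; up="$home/ftp/upload"; bad=0
    if [ ! -d "$root" ] || [ ! -d "$up" ]; then
        echo "FAIL: expected $root and $up to exist"
        return 1
    fi
    root_perm=$(perm_string "$root")
    case "$root_perm" in
        *w*) echo "FAIL: chroot root $root has a write bit ($root_perm); vsftpd will refuse logins"; bad=1 ;;
    esac
    up_perm=$(perm_string "$up")
    case "$up_perm" in
        ?w*) ;;  # owner write bit set, uploads are possible
        *) echo "FAIL: $up is not writable by its owner ($up_perm)"; bad=1 ;;
    esac
    case "$up_perm" in
        ??????---) ;;  # "other" has no access
        *) echo "FAIL: $up is reachable by other users ($up_perm)"; bad=1 ;;
    esac
    return $bad
}

# Demo on a constructed temporary home; real use: sudo sh -c '...' with /home/newftpuser and owner newftpuser.
demo_home=$(mktemp -d)
ftp_tree_create "$demo_home" "$(id -un)" && ftp_tree_check "$demo_home" && echo "tree OK under $demo_home"
chmod -R u+w "$demo_home" && rm -rf "$demo_home"
```

Running ftp_tree_check against an existing user's home before restarting vsftpd catches the most common Method 1 mistake, a chroot root left writable by chown or by a later chmod, which otherwise surfaces only as a failed login.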

At this point, your FTP server is fully functional and you should be able to log in using any FTP client that can be configured to use TLS encryption, such as FileZilla.

Deactivating shell access

By default, a newly created user has SSH access to the server unless explicitly configured otherwise.

To disable shell access, we’ll create a new shell that will simply print a message telling the user that their account is limited to FTP access only.

Create the /bin/ftponly shell and make it executable:

echo -e '#!/bin/sh\necho "This account is limited to FTP access only."' | sudo tee -a /bin/ftponly
sudo chmod a+x /bin/ftponly

Append the new shell to the list of valid shells in the /etc/shells file:

echo "/bin/ftponly" | sudo tee -a /etc/shells

Change the user shell to /bin/ftponly:

sudo usermod newftpuser -s /bin/ftponly

Use the same command to change the shell of all users whom you want to grant only FTP access.

Conclusion

In this tutorial, you learned how to install and configure a secure and fast FTP server on your Ubuntu 18.04 system.

If you have any questions or feedback, please feel free to leave a comment.