VSFTPD (Very Secure File Transfer Protocol Daemon) is an FTP server available on Ubuntu and other Linux distributions. It is the default FTP server in Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL, and it is licensed under the GNU General Public License. vsftpd is optimized for security, performance and stability, and it protects against many security problems found in other FTP servers.

FTP (File Transfer Protocol) is a network protocol widely used for moving files between a client and a server.

SFTP (file transfer over SSH) usually comes preinstalled with the OpenSSH server and offers similar file-transfer functionality. To install vsftpd, execute the following commands; they update the package list and install the vsftpd daemon.

sudo apt update
sudo apt install vsftpd

Once the installation finishes, the FTP service starts automatically. To check the status of vsftpd, run the following command:

sudo service vsftpd status

Output:

● vsftpd.service - vsftpd FTP server
     Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-06-13 12:10:44 UTC; 2min 10s ago
   Main PID: 16732 (vsftpd)
      Tasks: 1 (limit: 1136)
     Memory: 828.0K
     CGroup: /system.slice/vsftpd.service
             └─16732 /usr/sbin/vsftpd /etc/vsftpd.conf

Jun 13 12:10:44 Programbr-Test systemd[1]: Starting vsftpd FTP server...
Jun 13 12:10:44 Programbr-Test systemd[1]: Started vsftpd FTP server.

The output shows that vsftpd is active (running).

Configure the Firewall to Allow FTP

Open ports 20 (FTP data) and 21 (FTP command) for FTP, ports 40000-50000 for the passive FTP range (this must match the pasv_min_port/pasv_max_port values set later in vsftpd.conf), and port 990 for FTP over TLS.

sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow 40000:50000/tcp
sudo ufw allow 990/tcp

Also allow SSH through the firewall, so that enabling it does not cut off your SSH session.

sudo ufw allow OpenSSH

Reload ufw by disabling and re-enabling it.

sudo ufw disable

Output:

Firewall stopped and disabled on system startup

sudo ufw enable

Output:

Command may disrupt existing ssh connections. Proceed with operation (y|n)?

Enter y.

Output:

Firewall is active and enabled on system startup

To check the ufw status:

sudo ufw status

Output:

Status: active
 To                         Action      From
 --                         ------      ----
 20/tcp                     ALLOW       Anywhere                  
 21/tcp                     ALLOW       Anywhere                  
 40000:50000/tcp            ALLOW       Anywhere                  
 990/tcp                    ALLOW       Anywhere                  
 OpenSSH                    ALLOW       Anywhere                  
 20/tcp (v6)                ALLOW       Anywhere (v6)             
 21/tcp (v6)                ALLOW       Anywhere (v6)             
 40000:50000/tcp (v6)       ALLOW       Anywhere (v6)             
 990/tcp (v6)               ALLOW       Anywhere (v6)             
 OpenSSH (v6)               ALLOW       Anywhere (v6)             

Creating FTP User

We are going to create a new user that will be used to log in to FTP. Here I am creating a new user called programbr.

Run the following command to create the new FTP user.

sudo adduser programbr

The system will ask you to create a password: enter the new password and retype it.

You may also be asked for contact information (Full Name, Room Number, Work Phone, Home Phone, Other); you can press ENTER to skip each of these. Finally the system asks "Is the information correct? [Y/n]"; enter Y.

Configuring VSFTPD Access

By default, the vsftpd server configuration is stored in /etc/vsftpd.conf. Read more on the official vsftpd.conf man page.

We are going to allow users with a local shell account to connect over FTP. Start by opening the vsftpd configuration file with the following command.

sudo nano /etc/vsftpd.conf

In vsftpd.conf, locate write_enable=YES and uncomment it by removing the leading #. This allows users to make filesystem changes, such as uploading and deleting files.

write_enable=YES

Next, locate chroot_local_user=YES and uncomment it. This confines each user to their home directory, so an FTP-connected user cannot access any files or commands outside it.

chroot_local_user=YES

Limit the range of ports that can be used for passive FTP to make sure enough connections are available. By default vsftpd uses active mode; to use passive mode we set a minimum and maximum port. Any port range can be used, but it must match the range opened in the firewall. When passive mode is enabled, the FTP client opens the data connection to the server on a random port in the range we have chosen.

pasv_min_port=40000
pasv_max_port=50000

We can configure vsftpd to allow only certain users (users have access only when they are explicitly added to a list). Add the following lines to vsftpd.conf to allow only listed users.

userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

Save the file and exit the editor.

userlist_deny toggles the logic: when set to YES, users on the list are denied FTP access; when set to NO, only users on the list are allowed access.

We need to explicitly specify which users can log in by adding the user names to the /etc/vsftpd.userlist (one user per line).

We have already created the FTP user with sudo adduser programbr, so add that user to /etc/vsftpd.userlist. The -a flag makes tee append to the file instead of overwriting it.

echo "programbr" | sudo tee -a /etc/vsftpd.userlist

Now check the FTP user list with the following command:

cat /etc/vsftpd.userlist

Output:

programbr

Restart the vsftpd service for changes to take effect.

sudo systemctl restart vsftpd

Securing FTP

FTP does not encrypt any data, including user credentials. To encrypt FTP transmissions with TLS/SSL we need an SSL certificate and must configure the FTP server to use it. We are going to create a self-signed certificate using openssl.

We will generate a 2048-bit RSA key and a self-signed SSL certificate valid for 365 days. Setting both the -keyout and -out flags to the same value puts the private key and the certificate in the same file. Note that -nodes leaves the private key unencrypted, so that file must stay readable only by root.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Provide the address information for your certificate when prompted, or keep the default values by pressing Enter.

Generating a RSA private key
............+++++
.....+++++
writing new private key to '/etc/ssl/private/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]: 
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]: 
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []: 

Once the SSL certificate is created, open the vsftpd configuration file again.

sudo nano /etc/vsftpd.conf

Find the two lines that begin with rsa_ and remove them, and change ssl_enable=NO to ssl_enable=YES.

Before the change:

rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO

Add the following lines, which point to the certificate and private key we created:

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
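
Before restarting, it is worth verifying that the edits from the access and TLS sections actually took effect. The following audit script is an added example (not part of this guide or of vsftpd): it reads the effective value of each key from a vsftpd.conf (vsftpd honours the last uncommented occurrence) and checks the settings this guide sets, plus anonymous_enable, which the guide does not mention but whose compiled-in default is YES when the line is absent. It runs against a constructed sample config; point it at /etc/vsftpd.conf on a real server.

```shell
#!/bin/sh
# Added audit script (not part of the tutorial): checks a vsftpd.conf for the
# settings this guide applies. Last uncommented "key=value" wins in vsftpd.
# Print the effective value of key $2 in config file $1 (empty when unset).
vsftpd_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# Audit file $1; prints one line per check, returns the number of mismatches.
vsftpd_audit() {
    cfg=$1; bad=0
    # anonymous_enable is not set by the guide; its compiled-in default is YES,
    # so an absent line means anonymous logins are allowed (assumed extra check).
    for pair in write_enable=YES chroot_local_user=YES userlist_enable=YES \
                userlist_deny=NO userlist_file=/etc/vsftpd.userlist \
                ssl_enable=YES anonymous_enable=NO; do
        key=${pair%%=*}; want=${pair#*=}; got=$(vsftpd_get "$cfg" "$key")
        if [ "$got" = "$want" ]; then echo "ok   $key=$got"
        else echo "FAIL $key is '${got:-unset}', expected $want"; bad=$((bad + 1)); fi
    done
    # Passive range must match the ufw rule opened earlier (40000:50000).
    lo=$(vsftpd_get "$cfg" pasv_min_port); hi=$(vsftpd_get "$cfg" pasv_max_port)
    if [ "${lo:-0}" -eq 40000 ] && [ "${hi:-0}" -eq 50000 ]; then
        echo "ok   passive range $lo-$hi matches firewall rule"
    else echo "FAIL passive range is '${lo:-unset}'-'${hi:-unset}'"; bad=$((bad + 1)); fi
    # The Ubuntu placeholder "snakeoil" certificate must have been replaced.
    cert=$(vsftpd_get "$cfg" rsa_cert_file)
    case $cert in
        ""|*snakeoil*) echo "FAIL rsa_cert_file still '${cert:-unset}'"; bad=$((bad + 1)) ;;
        *) echo "ok   rsa_cert_file=$cert" ;;
    esac
    return "$bad"
}

# Constructed sample config (not a real server's file) to demonstrate the audit.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
#write_enable=YES
write_enable=YES
chroot_local_user=YES
pasv_min_port=40000
pasv_max_port=50000
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
ssl_enable=NO
EOF
vsftpd_audit "$SAMPLE_CFG" && echo "all checks passed" || echo "fix the FAIL lines above"
```

The sample deliberately leaves ssl_enable=NO and omits anonymous_enable, so it reports two FAIL lines; appending the corrected values at the end of the file makes the audit pass because the last occurrence wins.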

Restart the vsftpd service for changes to take effect.

sudo systemctl restart vsftpd

Disabling Shell Access (Optional)

Now we are going to create a custom shell that prints a message telling the user that their account is limited to FTP access only. This does not add any encryption, but it limits what a compromised account can reach to the files accessible over FTP. We do this because, by default, a newly created user also has SSH access to the server.

Run the following command to create the ftponly script in the bin directory.

sudo nano /bin/ftponly

Add the following script, which prints the message "This account is limited to FTP access only."

#!/bin/sh
echo "This account is limited to FTP access only."

Save and exit the editor.

Change the permissions to make it executable.

sudo chmod a+x /bin/ftponly

Now open /etc/shells.

sudo nano /etc/shells

Add the following line.

/bin/ftponly

Change the user shell to /bin/ftponly using the following command.

sudo usermod programbr -s /bin/ftponly

You can verify the change by logging in to your FTP server over SSH; the session will only print the message above and close:

 ssh username@your_server_ip