How to install FTP server (VSFTPD) on Ubuntu 20.04 / 18.04 / 18.10 / 19.04 / 19.10

Spread the love

VSFTPD ( Very Secure File Transfer Protocol Daemon ) is an FTP server on ubuntu. It is a default FTP server in Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL Linux. It is licensed under the GNU General Public License. VSFTPD is Optimized for security, performance, and stability, and it protects against many security problems found in other FTP servers.

FTP (File Transfer Protocol) is a network protocol that was widely used for moving files between a client and server.

SFTP comes with Linux Server preinstalled and works just like FTP. To install vsftpd, execute the following commands. It will update our package list and install the vsftpd daemon.

sudo apt update
sudo apt install vsftpd

After complete installation of vsftpd, The ftp service will automatically start. To check the status of vsftpd, write the following command

sudo service vsftpd status

Output

● vsftpd.service - vsftpd FTP server
     Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-06-13 12:10:44 UTC; 2min 10s ago
   Main PID: 16732 (vsftpd)
      Tasks: 1 (limit: 1136)
     Memory: 828.0K
     CGroup: /system.slice/vsftpd.service
             └─16732 /usr/sbin/vsftpd /etc/vsftpd.conf

Jun 13 12:10:44 Programbr-Test systemd[1]: Starting vsftpd FTP server...
Jun 13 12:10:44 Programbr-Test systemd[1]: Started vsftpd FTP server.

Output is showing vsftpd is active (running).

Configure the Firewall to Allow FTP

Open ports 20 (FTP data port) and 21 (FTP command port) for FTP, and ports 40000-50000 for the range of passive FTP, port 990 for TLS.

sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow 40000:50000/tcp
sudo ufw allow 990/tcp

Enable the firewall. Press y and ENTER if warned about disrupting the SSH connection.

sudo ufw allow OpenSSH

Reload the ufw by disabling and re-enabling ufw.

sudo ufw disable

output

Firewall stopped and disabled on system startup
sudo ufw enable

output

Command may disrupt existing ssh connections. Proceed with operation (y|n)?

Enter y

output

Firewall is active and enabled on system startup

To Check ufw status

sudo ufw status

output

Status: active
 To                         Action      From
 --                         ------      ----
 20/tcp                     ALLOW       Anywhere                  
 21/tcp                     ALLOW       Anywhere                  
 40000:50000/tcp            ALLOW       Anywhere                  
 990/tcp                    ALLOW       Anywhere                  
 OpenSSH                    ALLOW       Anywhere                  
 20/tcp (v6)                ALLOW       Anywhere (v6)             
 21/tcp (v6)                ALLOW       Anywhere (v6)             
 40000:50000/tcp (v6)       ALLOW       Anywhere (v6)             
 990/tcp (v6)               ALLOW       Anywhere (v6)             
 OpenSSH (v6)               ALLOW       Anywhere (v6)             

Creating FTP User

We are going to create a new user that will use to log into FTP. Here I am creating a new user programbr.

Write the following command to create a new FTP user.

sudo adduser programbr

The system will ask you to create a password. Create the New password and Retype new password.

You may also be asked to enter some contact information ( Full Name, Room Number, Work Phone, Home Phone, Other). You can just press ENTER to each of these. At last system will ask, Is the information correct? [Y/n], Enter Y.

Configuring VSFTPD Access

By default, vsftpd server configuration is stored at the location /etc/vsftpd.conf. Read more at official VSFTPD.CONF page.

We are going to allow the user with a local shell account to connect with FTP. Start by opening the vsftpd configuration file.

To open the vsftpd configuration file, enter the following command.

sudo nano /etc/vsftpd.conf

In vsftpd.conf locate and uncomment the write_enable=YES by removing #. Doing this will allow users to allow filesystem changes, such as uploading files and removing files.

write_enable=YES

In vsftpd.conf locate and uncomment the chroot_local_user=YES by removing #. Doing this will limit users to their home directory and prevent the FTP-connected user from accessing any files or commands outside their home directory.

chroot_local_user=YES

Limit the range of ports that can be used for passive FTP to make sure enough connections are available. By default, vsftpd uses active mode. To use passive mode, we have to set the minimum and maximum range of ports. We can use any port for passive FTP connections. When the passive mode is enabled, the FTP client opens a connection to the server on a random port in the range we have chosen.

pasv_min_port=40000
pasv_max_port=50000

We can configure vstpd to allow certain user only (users have access only when they are explicitly added to a list). lets add the following line in vsftpd.conf to allow a certain user only.

userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

save the file and exit the editor.

userlist_deny toggles the logic. When it is set to, YES, users on the list are denied FTP access. When it is set to, NO, only users on the list are allowed access.

We need to explicitly specify which users can log in by adding the user names to the /etc/vsftpd.userlist (one user per line).

Since, we have already created FTP user using sudo adduser programbr.

Now add user to /etc/vsftpd.userlist. Using the -a flag to append to the file.

echo "programbr" | sudo tee -a /etc/vsftpd.userlist

Now, Check FTP User using following command

cat /etc/vsftpd.userlist

output:

programbr

Restart the vsftpd service for changes to take effect.

sudo systemctl restart vsftpd

Securing FTP

FTP does not encrypt any data including user credentials. So, we will encrypt the FTP transmissions with TLS/SSL, we will need to have an SSL certificate and configure the FTP server to use it. We are going to create a self-signed certificate using openssl.

We will generate a 2048-bit RSA key and self-signed SSL certificate that will be valid for 365 days. By setting both the -keyout and -out flags to the same value, the private key and the certificate will be located in the same file.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Provide address information for your certificate. Provide the required information when prompted or keep the default configuration by pressing Enter.

Generating a RSA private key
............+++++
.....+++++
writing new private key to '/etc/ssl/private/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]: 
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]: 
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []: 

Once the SSL certificate is created open the vsftpd configuration file again.

sudo nano /etc/vsftpd.conf

Find two lines that begin with rsa_. Remove them and also change ssl_enable=NO to ssl_enable=YES.

Before, Withought change.

rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO

Add the following lines that point to the certificate and private key we created.

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES

Restart the vsftpd service for changes to take effect.

sudo systemctl restart vsftpd

Disabling Shell Access (Optional)

Now we are going to create a custom shell. That will print a message telling the user that their account is limited to FTP access only. This will not provide any encryption, but it will limit the access of a compromised account to files accessible by FTP. We are doing this because, by default, when creating a user, user will have SSH access to the server.

Run the following commands to create the ftponly in the bin directory.

sudo nano /bin/ftponly

Add a message This account is limited to FTP access only.

#!/bin/sh
echo "This account is limited to FTP access only."

Save and Exit the editor.

Change the permission and make it executable.

sudo chmod a+x /bin/ftponly

Now, Open shells in etc directory.

sudo nano /etc/shells

Add the following line.

/bin/ftponly

Change the user shell to /bin/ftponly using the following command.

sudo usermod programbr -s /bin/ftponly

Now you can login into your ftp server using

 ssh username@your_server_ip

Disclosure: This website is supports by its reader. This means, if you buy any product / service through link on this website, we may earn a small commision withought costing you extra. Learn how you can support Us and why we need this?