Introduction
Before we begin talking about how to set up an FTP server with vsftpd on Raspberry Pi, let's briefly understand: what is a Raspberry Pi?
A Raspberry Pi is a small, affordable computer that can fit in your hand. It was created to help people learn about computing and programming in a fun and accessible way. With its low cost and versatility, it's widely used for various projects, from creating retro gaming consoles to building smart home systems.
One of the popular uses of Raspberry Pi is setting up an FTP server using software like vsftpd (Very Secure File Transfer Protocol Daemon). This allows you to create your own file server, enabling easy sharing and transfer of files over a network. Raspberry Pi's low power consumption makes it an efficient choice for hosting such servers, making it an excellent option for personal or small-scale file-sharing needs.
In this tutorial, you will set up an FTP server with vsftpd on Raspberry Pi. We will also address a few FAQs on how to set up an FTP server with vsftpd on Raspberry Pi.
Installing vsftpd on Raspberry Pi
The vsftpd package is available in the Raspbian standard repositories. Run the following commands to install it:
sudo apt update
sudo apt install vsftpd
After the installation is complete, the FTP service will start automatically. Print the service status to confirm:
sudo systemctl status vsftpd
The output will look like this, indicating that the vsftpd service is active and running:
Output
● vsftpd.service - vsftpd FTP server
Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2020-10-21 19:00:41 BST; 9s ago
...
Configuring vsftpd
You can configure the vsftpd server by editing the /etc/vsftpd.conf file.
The configuration file contains detailed documentation for the majority of the settings. Visit the official vsftpd page to see all available options.
To begin, open the vsftpd configuration file:
sudo nano /etc/vsftpd.conf
1) FTP Access
To ensure that only local users can connect to the FTP server, look for the anonymous_enable and local_enable directives and make sure your settings match the lines below:
anonymous_enable=NO
local_enable=YES
2) Enabling uploads
Locate and uncomment the write_enable directive to allow filesystem changes such as uploading and removing files.
write_enable=YES
3) Chroot Jail
Uncomment the chroot_local_user directive to prevent FTP users from accessing files outside their home directories.
chroot_local_user=YES
When using the chroot feature, vsftpd will refuse to upload files if the directory in which the users are locked is writable.
To make the chroot environment writable, use one of the following solutions:
- Method 1 - Keeping chroot enabled and configuring FTP directories is the recommended option for allowing upload. In this example, we will create an ftp directory within the user home to serve as the chroot and a writable uploads directory for file uploads.
user_sub_token=$USER
local_root=/home/$USER/ftp
- Method 2 - Another option is to include the directive below in the vsftpd configuration file. If you need to give your user writable access to its home directory, use this option.
allow_writeable_chroot=YES
4) Passive FTP Connections
vsftpd operates in active mode by default. To use passive mode, configure the minimum and maximum port ranges:
pasv_min_port=30000
pasv_max_port=31000
For passive FTP connections, vsftpd can use any port. When you enable passive mode, the FTP client connects to the server on a random port in the range you specify.
5) Limiting User Login
You can instruct vsftpd to allow only certain users to log in. Add the following lines to the end of the file to accomplish this:
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
When you enable this feature, you must explicitly specify which users can log in by adding their names to the /etc/vsftpd.user_list file (one user per line).
6) Securing Transmissions with SSL/TLS
You must have an SSL certificate and configure the FTP server to use it in order to encrypt FTP transmissions with SSL/TLS.
You can use an existing SSL certificate signed by a trusted Certificate Authority or create your own.
If you have a domain or subdomain that points to the IP address of the FTP server, you can easily generate a free Let's Encrypt SSL certificate.
In this tutorial, we'll use the openssl command to create a self-signed SSL certificate.
Run the following command to generate a 2048-bit private key and a 10-year self-signed certificate. The private key and certificate will both be saved in the same file:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
Open the configuration file after the files have been created:
sudo nano /etc/vsftpd.conf
Set the ssl_enable directive to YES, then locate the rsa_cert_file and rsa_private_key_file directives and change their values to the pem file path:
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
Unless configured otherwise, the FTP server will establish secure connections using TLS only.
Restart the vsftpd service
When you're finished configuring the server, the vsftpd configuration file (without comments) should look like this:
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
allow_writeable_chroot=YES
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
Save the file and restart the vsftpd service for changes to take effect:
sudo systemctl restart vsftpd
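As a check on the finished file, the following added example (not part of the original tutorial) audits a vsftpd.conf for the access, chroot, passive-port, user-list and TLS settings chosen above. The function names conf_get and audit_vsftpd_conf and the two sample configs are constructed for illustration; the fallback values are vsftpd's documented built-in defaults.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf against the settings used in this tutorial.

# conf_get FILE KEY DEFAULT: print the effective value of KEY. Only lines that
# start with "KEY=" count (so commented-out lines are ignored) and a later
# assignment overrides an earlier one. DEFAULT is vsftpd's built-in default.
conf_get() {
    awk -v k="$2" -v d="$3" '
        index($0, k "=") == 1 { v = substr($0, length(k) + 2); hit = 1 }
        END { print (hit ? v : d) }' "$1"
}

# audit_vsftpd_conf FILE: print one line per finding, return 1 on any FAIL.
audit_vsftpd_conf() {
    f=$1; rc=0
    fail() { echo "FAIL: $*"; rc=1; }
    [ "$(conf_get "$f" anonymous_enable YES)" = NO ] || fail "anonymous logins are enabled"
    [ "$(conf_get "$f" chroot_local_user NO)" = YES ] || fail "local users are not chrooted"
    [ "$(conf_get "$f" ssl_enable NO)" = YES ] || fail "ssl_enable is off, credentials cross the network in cleartext"
    if [ "$(conf_get "$f" userlist_enable NO)" != YES ] ||
       [ "$(conf_get "$f" userlist_deny YES)" != NO ]; then
        fail "user list is not an allow-list (userlist_enable=YES, userlist_deny=NO)"
    fi
    min=$(conf_get "$f" pasv_min_port 0); max=$(conf_get "$f" pasv_max_port 0)
    case "$min$max" in
        *[!0-9]*) fail "passive ports are not numeric ($min, $max)" ;;
        *) { [ "$min" -gt 0 ] && [ "$max" -ge "$min" ]; } ||
               fail "passive range $min-$max is unbounded or inverted" ;;
    esac
    [ "$(conf_get "$f" allow_writeable_chroot NO)" = NO ] ||
        echo "WARN: allow_writeable_chroot=YES turns off the writable-chroot safety check"
    return $rc
}

# Constructed sample inputs (not taken from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' '#ssl_enable=YES' \
    'pasv_min_port=31000' 'pasv_max_port=30000' > "$demo_dir/weak.conf"
printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' 'chroot_local_user=YES' \
    'allow_writeable_chroot=YES' 'pasv_min_port=30000' 'pasv_max_port=31000' \
    'userlist_enable=YES' 'userlist_deny=NO' 'ssl_enable=YES' > "$demo_dir/tutorial.conf"
for c in weak tutorial; do
    echo "== $c.conf"; audit_vsftpd_conf "$demo_dir/$c.conf" || true
done
```

On a real system, point the function at /etc/vsftpd.conf; reading that file may require sudo.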
Opening the Firewall
You must allow FTP traffic if you are using a UFW firewall.
Run the following commands to open ports 21 (FTP command port), 20 (FTP data port), and 30000-31000 (passive port range):
sudo ufw allow 20:21/tcp
sudo ufw allow 30000:31000/tcp
Reload the UFW rules by disabling and re-enabling UFW:
sudo ufw disable
sudo ufw enable
Creating FTP User
We will create a new user to test the FTP server.
- Skip the first step if you already have a user that you want to grant FTP access.
- Skip the third step if you set allow_writeable_chroot=YES in your configuration file.
1) Create a new user named newftpuser:
sudo adduser newftpuser
Set the user password when prompted.
2) Add the user to the list of permitted FTP users:
echo "newftpuser" | sudo tee -a /etc/vsftpd.user_list
3) Create the FTP directory tree and set the correct permissions:
sudo mkdir -p /home/newftpuser/ftp/upload
sudo chmod 550 /home/newftpuser/ftp
sudo chmod 750 /home/newftpuser/ftp/upload
sudo chown -R newftpuser: /home/newftpuser/ftp
The user will be able to upload files to the ftp/upload directory, as discussed in the previous section.
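To confirm the layout from step 3, the following added example (not part of the original tutorial) checks that the chroot directory carries no write bit and that its upload subdirectory is owner-writable but not world-writable. The names perms and check_ftp_tree are hypothetical, and the demo trees are constructed in a temporary directory as stand-ins for /home/newftpuser/ftp.

```shell
#!/bin/sh
# Added example: verify the chroot layout from step 3.

# perms PATH: the nine permission characters from ls, e.g. "r-xr-x---".
perms() { ls -ld "$1" | cut -c2-10; }

# check_ftp_tree CHROOT_DIR: print findings, return 1 if the layout is wrong.
# Conservative: any write bit on the chroot root counts as writable.
check_ftp_tree() {
    root=$1; rc=0
    case "$(perms "$root")" in
        ?w*|????w*|???????w*)
            echo "FAIL: $root is writable ($(perms "$root")); vsftpd rejects a writable chroot root unless allow_writeable_chroot=YES"
            rc=1 ;;
    esac
    if [ ! -d "$root/upload" ]; then
        echo "FAIL: $root/upload is missing, users have nowhere to write"; rc=1
    else
        case "$(perms "$root/upload")" in
            ?w*) ;;
            *) echo "FAIL: $root/upload is not writable by its owner"; rc=1 ;;
        esac
        case "$(perms "$root/upload")" in
            ???????w*) echo "FAIL: $root/upload is world-writable"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed demo trees in a temp dir (stand-ins for /home/newftpuser/ftp).
tree_dir=$(mktemp -d)
mkdir -p "$tree_dir/good/upload" "$tree_dir/bad/upload"
chmod 750 "$tree_dir/good/upload"; chmod 550 "$tree_dir/good"   # tutorial modes
chmod 777 "$tree_dir/bad/upload";  chmod 755 "$tree_dir/bad"    # common mistake
for t in good bad; do
    echo "== $t"; check_ftp_tree "$tree_dir/$t" || true
done
```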
Your FTP server is now fully operational, and you should be able to connect to it using any FTP client, such as FileZilla.
Disabling Shell Access
If SSH access is not explicitly specified when creating a user, the user will have SSH access to the device by default. To disable shell access, create a new shell that simply prints a message informing the user that their account only allows FTP access.
Create the /bin/ftponly shell and make it executable with the following commands:
echo -e '#!/bin/sh\necho "This account is limited to FTP access only."' | sudo tee -a /bin/ftponly
sudo chmod a+x /bin/ftponly
Add the new shell to the /etc/shells file's list of authorised shells:
echo "/bin/ftponly" | sudo tee -a /etc/shells
Change the user shell to /bin/ftponly:
sudo usermod newftpuser -s /bin/ftponly
Use the same command to change the shell of every other user who should have FTP access only.
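To find accounts that were missed, the following added example (not part of the original tutorial) cross-checks the FTP allow-list against the passwd and shells files and reports every permitted user whose shell is not /bin/ftponly, or whose restricted shell was never added to the shells file. The function name ftp_shell_audit, the RESTRICTED_SHELL variable and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: list FTP-permitted accounts that are not locked to the FTP-only shell.

RESTRICTED_SHELL=/bin/ftponly   # the shell created in this tutorial

# ftp_shell_audit USERLIST PASSWD SHELLS
# For each account named in USERLIST, print "user shell reason" when its shell
# in PASSWD is not the restricted one, or when the restricted shell is not
# listed in SHELLS (the /etc/shells step was skipped).
ftp_shell_audit() {
    awk -F: -v rs="$RESTRICTED_SHELL" -v ul="$1" -v sh="$3" '
        FILENAME == ul { if ($0 != "") allowed[$0] = 1; next }
        FILENAME == sh { if ($0 !~ /^#/) shells[$0] = 1; next }
        !($1 in allowed) { next }
        $7 != rs         { print $1, $7, "not-restricted-shell"; next }
        !(rs in shells)  { print $1, $7, "not-in-shells-file" }
    ' "$1" "$3" "$2"
}

# Constructed sample files (stand-ins for /etc/vsftpd.user_list, /etc/passwd, /etc/shells).
d=$(mktemp -d)
printf '%s\n' newftpuser alice > "$d/user_list"
printf '%s\n' 'pi:x:1000:1000:,,,:/home/pi:/bin/bash' \
    'newftpuser:x:1001:1001:,,,:/home/newftpuser:/bin/ftponly' \
    'alice:x:1002:1002:,,,:/home/alice:/bin/bash' > "$d/passwd"
printf '%s\n' '# /etc/shells' /bin/sh /bin/bash > "$d/shells.before"
printf '%s\n' '# /etc/shells' /bin/sh /bin/bash /bin/ftponly > "$d/shells.after"
echo "== before adding /bin/ftponly to the shells file"
ftp_shell_audit "$d/user_list" "$d/passwd" "$d/shells.before"
echo "== after"
ftp_shell_audit "$d/user_list" "$d/passwd" "$d/shells.after"
```

Against a live system the call is ftp_shell_audit /etc/vsftpd.user_list /etc/passwd /etc/shells.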
FAQs to Setup FTP Server with Vsftpd on Raspberry Pi
How can I secure my Vsftpd server further?
Disable anonymous access (anonymous_enable=NO), use strong passwords, and consider using SSL/TLS encryption for added security.
What is the difference between FTP and SFTP?
FTP (File Transfer Protocol) transfers data without encryption, while SFTP (SSH File Transfer Protocol) encrypts data for secure transfers. SFTP is recommended for sensitive data.
How can I access my Raspberry Pi FTP server from another computer?
Use an FTP client (e.g., FileZilla) to connect to your Raspberry Pi's IP address or hostname on port 21 (or the custom port you've configured), providing your FTP username and password.
What is the default configuration file for Vsftpd?
The default configuration file for Vsftpd on Raspberry Pi is located at /etc/vsftpd.conf.
How can I restrict users to their home directories?
To restrict users to their home directories, set chroot_local_user=YES in the vsftpd.conf file.
What are the default FTP ports for Vsftpd?
By default, Vsftpd uses port 21 for FTP control connections and ports 20 and a range of high ports for data connections.
Conclusion
We've shown you how to install and configure a secure and fast FTP server on your Raspberry Pi system.
If you have any queries, please leave a comment below and we’ll be happy to respond to them.