Sep 30, 2023 6 min read

How to Setup FTP Server with Vsftpd on Raspberry Pi

Setup FTP Server with Vsftpd on Raspberry Pi with our step-by-step tutorial. A Raspberry Pi is a small, hand-sized, affordable computer.

Setup FTP Server with Vsftpd on Raspberry Pi
Table of Contents

Choose a different version or distribution

Introduction

Before we begin talking about how to Setup FTP Server with Vsftpd on Raspberry Pi, let's briefly understand – What is Raspberry Pi?

A Raspberry Pi is a small, affordable computer that can fit in your hand. It was created to help people learn about computing and programming in a fun and accessible way. With its low cost and versatility, it's widely used for various projects, from creating retro gaming consoles to building smart home systems.

One of the popular uses of Raspberry Pi is setting up an FTP server using software like VSftpd (Very Secure File Transfer Protocol Daemon). This allows you to create your own file server, enabling easy sharing and transfer of files over a network. Raspberry Pi's low power consumption makes it an efficient choice for hosting such servers, making it an excellent option for personal or small-scale file-sharing needs.

In this tutorial, you will Setup FTP Server with Vsftpd on Raspberry Pi. We will also address a few FAQs on how to Setup FTP Server with Vsftpd on Raspberry Pi

Installing vsftpd on Raspberry Pi

The vsftpd package is available in the Raspbian standard repositories. Run the following commands to install it:

sudo apt update
sudo apt install vsftpd

After the installation is complete, the ftp service will begin automatically. Print the service status to confirm:

sudo systemctl status vsftpd

The output will look like this, indicating that the vsftpd service is active and running:

Output

● vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-10-21 19:00:41 BST; 9s ago
...

Configuring vsftpd

You can configure the vsftpd server by editing the /etc/vsftpd.conf file.

The configuration file contains detailed documentation for the majority of the settings. Visit the official vsftpd page to see all available options.

To begin, open the vsftpd configuration file:

sudo nano /etc/vsftpd.conf

1) FTP Access

To ensure that only local users can connect to the FTP server, look for the anonymous_enable and local_enable directives and make sure your settings match the lines below:

anonymous_enable=NO
local_enable=YES

2) Enabling uploads

Locate and uncomment the write enable directive to enable filesystem changes such as uploading and removing files.

write_enable=YES

3) Chroot Jail

Uncomment the chroot directive to prevent FTP users from accessing files outside their home directories.

chroot_local_user=YES

When using the chroot feature, vsftpd will refuse to upload files if the directory in which the users are locked is writable.

To make the chroot environment writable, use one of the following solutions:

  • Method 1 - Keeping chroot enabled and configuring FTP directories is the recommended option for allowing upload. In this example, we will create an ftp directory within the user home to serve as the chroot and a writable uploads directory for file uploads.
user_sub_token=$USER
local_root=/home/$USER/ftp
  • Method 2 - Another option is to include the directive below in the vsftpd configuration file. If you need to give your user writable access to its home directory, use this option.
allow_writeable_chroot=YES

4) Passive FTP Connections

vsftpd operates in active mode by default. To use passive mode, configure the minimum and maximum port ranges:

pasv_min_port=30000
pasv_max_port=31000

For passive FTP connections, vsftpd can use any port. When you enable passive mode, the FTP client connects to the server on a random port in the range you specify.

5) Limiting User Login

You can instruct vsftpd to allow only certain users to log in. Add the following lines to the end of the file to accomplish this:

userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO

When you enable this feature, you must explicitly specify which users can log in by adding their names to the /etc/vsftpd.user_list file (one user per line).

6) Securing Transmissions with SSL/TLS

You must have an SSL certificate and configure the FTP server to use it in order to encrypt FTP transmissions with SSL/TLS.

You can use an existing SSL certificate signed by a trusted Certificate Authority or create your own.

If you have a domain or subdomain that points to the IP address of the FTP server, you can easily generate a free Let's Encrypt SSL certificate.

In this tutorial, we'll use the openssl command to create a self-signed SSL certificate.

Run the following command to generate a 2048-bit private key and a 10-year self-signed certificate. The private key and certificate will both be saved in the same file:

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Open the configuration file after the files have been created:

sudo nano /etc/vsftpd.conf

Set the ssl_enable directive to YES and locate the rsa_cert_file and rsa_private_ key_file directives, then modify their values to the pam file path:

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES

The FTP server will only establish secure connections using TLS if something different is provided.

Restart the vsftpd service

When you're finished configuring the server, the vsftpd configuration file (without comments) should look like this:

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
allow_writeable_chroot=YES
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES

Save the file and restart the vsftpd service for changes to take effect:

sudo systemctl restart vsftpd

Opening the Firewall

You must allow FTP traffic if you are using a UFW firewall.

Run the following commands to open ports 21 (FTP command port), 20 (FTP data port), and 30000-31000 (Passive ports range):

sudo ufw allow 20:21/tcp
sudo ufw allow 30000:31000/tcp

Reload the UFW rules by disabling and re-enabling UFW:

sudo ufw disable
sudo ufw enable

Creating FTP User

We will create a new user to test the FTP server.

  • Skip the 1st step, if you already have a user that you want to grant FTP access
  • Skip the third step if you set allow_writeable_chroot=YES in your configuration file.

1) Create a new user named newftpuser:

sudo adduser newftpuser

Set the user password when prompted.

2) Add the user to the list of permitted FTP users:

echo "newftpuser" | sudo tee -a /etc/vsftpd.user_list

3) Create the FTP directory tree and set the correct permissions:

sudo mkdir -p /home/newftpuser/ftp/upload
sudo chmod 550 /home/newftpuser/ftp
sudo chmod 750 /home/newftpuser/ftp/upload
sudo chown -R newftpuser: /home/newftpuser/ftp

The user will be able to upload files to the ftp/upload directory, as discussed in the previous section.

Your FTP server is now fully operational, and you should be able to connect to it using any FTP client, such as FileZilla.

Disabling Shell Access

If SSH access is not explicitly specified when creating a user, the user will have SSH access to the device by default. To disable shell access, create a new shell that simply prints a message informing the user that their account only allows FTP access.

Make the /bin/ftponly shell executable by doing the following:

echo -e '#!/bin/sh\necho "This account is limited to FTP access only."' | sudo tee -a  /bin/ftponly
sudo chmod a+x /bin/ftponly

Add the new shell to the /etc/shells file's list of authorised shells:

echo "/bin/ftponly" | sudo tee -a /etc/shells

Change the user shell to /bin/ftponly:

sudo usermod newftpuser -s /bin/ftponly

Change each user's shell, who should only have FTP access with the same command.

FAQs to Setup FTP Server with Vsftpd on Raspberry Pi

How can I secure my Vsftpd server further?

Disable anonymous access (anonymous_enable=NO), use strong passwords, and consider using SSL/TLS encryption for added security.

What is the difference between FTP and SFTP?

FTP (File Transfer Protocol) transfers data without encryption, while SFTP (SSH File Transfer Protocol) encrypts data for secure transfers. SFTP is recommended for sensitive data.

How can I access my Raspberry Pi FTP server from another computer?

Use an FTP client (e.g., FileZilla) to connect to your Raspberry Pi's IP address or hostname on port 21 (or the custom port you've configured), providing your FTP username and password.

What is the default configuration file for Vsftpd?

The default configuration file for Vsftpd on Raspberry Pi is located at /etc/vsftpd.conf.

How can I restrict users to their home directories?

To restrict users to their home directories, set chroot_local_user=YES in the vsftpd.conf file.

What are the default FTP ports for Vsftpd?

By default, Vsftpd uses port 21 for FTP control connections and ports 20 and a range of high ports for data connections.

Conclusion

On your Raspberry Pi system, we've shown you how to install and configure a secure and fast FTP server.

If you have any queries, please leave a comment below and we’ll be happy to respond to them.

Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to DevOps Tutorials - VegaStack.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.