Jul 21, 2022 6 min read

How to Setup FTP Server with VSFTPD on Ubuntu 20.04

Setup FTP Server with VSFTPD on Ubuntu 20.04 with our step-by-step tutorial. It's a program that allows users to transfer files over a network.

Setup FTP Server with VSFTPD on Ubuntu 20.04
Table of Contents

Choose a different version or distribution

Introduction

Before we begin talking about how to set up FTP Server with VSFTPD on Ubuntu 20.04, let's briefly understand – What is FTP Server?

An FTP server, or File Transfer Protocol server, is a computer program that allows users to transfer files over a network. It acts as a central repository where files can be uploaded, downloaded, and shared. FTP servers are widely used for website management, software distribution, and file backup.

They provide a secure and efficient method for transferring large files between computers. Understanding how FTP servers work is crucial for businesses and individuals looking to manage their files effectively and streamline data transfer processes.

This tutorial explains how to install and configure an FTP server on Ubuntu 20.04 for file sharing between devices.

Advantages of FTP Server

  1. Efficient File Transfer: FTP servers allow fast and reliable transfer of large files between computers over a network.
  2. Centralized File Storage: They act as a centralized repository, enabling easy access and sharing of files among users.
  3. User Authentication: FTP servers provide secure user authentication, ensuring only authorized individuals can access files.
  4. File Management: They offer features like file organization, renaming, deletion, and permission control for effective file management.
  5. Remote Access: FTP servers enable users to access and manage files remotely, improving flexibility and productivity.

Installing vsftpd on Ubuntu 20.04

The vsftpd package can be found in the Ubuntu repositories. Execute the following commands to install it:

sudo apt update
sudo apt install vsftpd

Once the installation is complete, the ftp service will begin automatically. Print the service status to confirm:

sudo systemctl status vsftpd

The following output should indicate that the vsftpd service is active and running:

Output
● vsftpd.service - vsftpd FTP server
     Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2021-03-02 15:17:22 UTC; 3s ago
...

Configuring vsftpd

The /etc/vsftpd.conf file contains the vsftpd server configuration.

The majority of the server configuration options are well documented within the file. Visit the vsftpd documentation page to see all available options.

In the sections that follow, we will go over some critical settings required to configure a secure vsftpd installation.

To begin, open the vsftpd configuration file:

sudo nano /etc/vsftpd.conf

1) FTP access

Only local users will have access to the FTP server. Find the anonymous enable and local enable directives and compare your configuration to the lines below:

anonymous_enable=NO
local_enable=YES

2) Enabling uploads

To allow filesystem changes such as uploading and removing files, locate and uncomment the write_enable directive:

write_enable=YES

3) Chroot jail

Uncomment the line beginning with chroot_local_user to prevent local FTP users from accessing files outside of their home directories.

chroot_local_user=YES

When chroot is enabled, vsftpd will refuse to upload files by default for security reasons if the directory in which the users are locked is writable.

To allow uploads when chroot is enabled, use one of the following solutions:

  • Method 1 - It is advised to keep the chroot feature enabled and to configure FTP directories. In this example, we will create an ftp directory inside the user home to serve as the chroot, as well as a writable uploads directory for file uploads:
user_sub_token=$USER
local_root=/home/$USER/ftp
  • Method 2 - Another option is to enable the allow_writeable_chroot directive:
allow_writeable_chroot=YES

Use this option only if you must grant writable access to your user to its home directory.

4) Passive FTP Connections

By default, vsftpd uses active mode. To use passive mode, set the minimum and maximum range of ports:

pasv_min_port=30000
pasv_max_port=31000

Passive FTP connections can be made on any port. When you enable passive mode, the FTP client connects to the server on a random port in the range you specify.

5) Limiting User Login

You can instruct vsftpd to allow only certain users to log in. Add the following lines to the end of the file to accomplish this:

userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO

When you enable this option, you must explicitly specify which users can log in by adding their names to the /etc/vsftpd.user list file (one user per line).

6) Securing Transmissions with SSL/TLS

You must have an SSL certificate and configure the FTP server to use it in order to encrypt FTP transmissions with SSL/TLS.

You can use an existing SSL certificate signed by a trusted Certificate Authority or create your own.

If you have a domain or subdomain that points to the IP address of the FTP server, you can quickly generate a free Let's Encrypt SSL certificate.

We will generate a 2048-bit private key and a self-signed SSL certificate with a ten-year validity period:

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

The certificate and the private key will be saved in the same file.

After you've created the SSL certificate, open the vsftpd configuration file:

sudo nano /etc/vsftpd.conf

Change the values of the rsa_cert_file and rsa_private_key file directives to the pam file path, and set the ssl_enable directive to YES:

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES

If nothing else is specified, the FTP server will only use TLS to make secure connections.

Restart the vsftpd Service

After you've finished editing, the vsftpd configuration file (excluding comments) should look like this:

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO

To make changes take effect, save the file and restart the vsftpd service:

sudo systemctl restart vsftpd

Opening the Firewall

You must allow FTP traffic if you are using a UFW firewall.

Run the following commands to open ports 21 (FTP command port), 20 (FTP data port), and 30000-31000 (Passive ports range):

sudo ufw allow 20:21/tcp
sudo ufw allow 30000:31000/tcp

To avoid being locked out, make sure port 22 is open:

sudo ufw allow OpenSSH

Reload the UFW rules by disabling and re-enabling UFW:

sudo ufw disable
sudo ufw enable

To verify the changes run:

sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
20:21/tcp                  ALLOW       Anywhere
30000:31000/tcp            ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
20:21/tcp (v6)             ALLOW       Anywhere (v6)
30000:31000/tcp (v6)       ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)

Creating FTP User

We will create a new user, to test the FTP user list:

  • Skip the first step if the user to whom you want to grant FTP access already exists.
  • Skip the third step if you set allow_writeable_chroot=YES in your configuration file.

1) Create a new user named newftpuser:

sudo adduser newftpuser

2) Add the user to the allowed FTP users list:

echo "newftpuser" | sudo tee -a /etc/vsftpd.user_list

3) Create the FTP directory tree and set the correct permissions:

sudo mkdir -p /home/newftpuser/ftp/upload
sudo chmod 550 /home/newftpuser/ftp
sudo chmod 750 /home/newftpuser/ftp/upload
sudo chown -R newftpuser: /home/newftpuser/ftp

As previously discussed, the user will be able to upload files to the ftp/upload directory.

Your FTP server is now fully operational. Any FTP client that can be configured to use TLS encryption, such as FileZilla, should be able to connect to the server.

Disabling Shell Access

If SSH access to the server is not explicitly specified when creating a user, the user will have it by default. To disable shell access, create a new shell that prints a message informing the user that their account is only allowed FTP access.

To make the /bin/ftponly file executable, run the following commands:

echo -e '#!/bin/sh\necho "This account is limited to FTP access only."' | sudo tee -a  /bin/ftponly
sudo chmod a+x /bin/ftponly

Add the new shell to the /etc/shells file's list of valid shells:

echo "/bin/ftponly" | sudo tee -a /etc/shells

Replace the user shell with /bin/ftponly:

sudo usermod newftpuser -s /bin/ftponly

You can use the same command to change the shell of any users who should only have FTP access.

FAQs to Set Up FTP Server with VSFTPD on Ubuntu 20.04

What is VSFTPD?

VSFTPD (Very Secure FTP Daemon) is a popular FTP server software for Unix-like systems, known for its security features and ease of configuration.

How do I enable anonymous FTP access?

Set anonymous_enable=YES in the VSFTPD configuration file to allow users to log in as anonymous and access specific directories.

How can I restrict user access to specific directories?

Use the chroot_local_user=YES option in the VSFTPD configuration file to restrict users to their home directories.

How can I enable SSL/TLS encryption for secure file transfer?

Generate an SSL/TLS certificate or obtain one from a trusted source, and then enable the ssl_enable=YES option in the VSFTPD configuration file.

How do I configure passive mode in VSFTPD?

Set the pasv_enable=YES option in the VSFTPD configuration file, specify the range of passive ports, and forward those ports in your firewall.

How do I restart the VSFTPD service after making changes to the configuration?

Restart the VSFTPD service by running the command sudo service vsftpd restart in the terminal to apply the new configuration settings.

Conclusion

On your Ubuntu 20.04 system, we demonstrated how to install and configure a secure and fast FTP server.

If you have any queries, please leave a comment below and we’ll be happy to respond to them.

Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to DevOps Blog - VegaStack.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.