Choose a different version or distribution
Introduction
Before we begin talking about how to set up FTP Server with VSFTPD on Ubuntu 20.04, let's briefly understand – What is FTP Server?
An FTP server, or File Transfer Protocol server, is a computer program that allows users to transfer files over a network. It acts as a central repository where files can be uploaded, downloaded, and shared. FTP servers are widely used for website management, software distribution, and file backup.
They provide a secure and efficient method for transferring large files between computers. Understanding how FTP servers work is crucial for businesses and individuals looking to manage their files effectively and streamline data transfer processes.
This tutorial explains how to install and configure an FTP server on Ubuntu 20.04 for file sharing between devices.
Advantages of FTP Server
- Efficient File Transfer: FTP servers allow fast and reliable transfer of large files between computers over a network.
- Centralized File Storage: They act as a centralized repository, enabling easy access and sharing of files among users.
- User Authentication: FTP servers provide secure user authentication, ensuring only authorized individuals can access files.
- File Management: They offer features like file organization, renaming, deletion, and permission control for effective file management.
- Remote Access: FTP servers enable users to access and manage files remotely, improving flexibility and productivity.
Installing vsftpd on Ubuntu 20.04
The vsftpd package can be found in the Ubuntu repositories. Execute the following commands to install it:
sudo apt update
sudo apt install vsftpd
Once the installation is complete, the ftp service will begin automatically. Print the service status to confirm:
sudo systemctl status vsftpd
The following output should indicate that the vsftpd service is active and running:
Output
● vsftpd.service - vsftpd FTP server
Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2021-03-02 15:17:22 UTC; 3s ago
...
Configuring vsftpd
The /etc/vsftpd.conf file contains the vsftpd server configuration.
The majority of the server configuration options are well documented within the file. Visit the vsftpd documentation page to see all available options.
In the sections that follow, we will go over some critical settings required to configure a secure vsftpd installation.
To begin, open the vsftpd configuration file:
sudo nano /etc/vsftpd.conf
1) FTP access
Only local users will have access to the FTP server. Find the anonymous enable and local enable directives and compare your configuration to the lines below:
anonymous_enable=NO
local_enable=YES
2) Enabling uploads
To allow filesystem changes such as uploading and removing files, locate and uncomment the write_enable directive:
write_enable=YES
3) Chroot jail
Uncomment the line beginning with chroot_local_user to prevent local FTP users from accessing files outside of their home directories.
chroot_local_user=YES
When chroot is enabled, vsftpd will refuse to upload files by default for security reasons if the directory in which the users are locked is writable.
To allow uploads when chroot is enabled, use one of the following solutions:
- Method 1 - It is advised to keep the chroot feature enabled and to configure FTP directories. In this example, we will create an ftp directory inside the user home to serve as the chroot, as well as a writable uploads directory for file uploads:
user_sub_token=$USER
local_root=/home/$USER/ftp
- Method 2 - Another option is to enable the
allow_writeable_chrootdirective:
allow_writeable_chroot=YES
Use this option only if you must grant writable access to your user to its home directory.
4) Passive FTP Connections
By default, vsftpd uses active mode. To use passive mode, set the minimum and maximum range of ports:
pasv_min_port=30000
pasv_max_port=31000
Passive FTP connections can be made on any port. When you enable passive mode, the FTP client connects to the server on a random port in the range you specify.
5) Limiting User Login
You can instruct vsftpd to allow only certain users to log in. Add the following lines to the end of the file to accomplish this:
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
When you enable this option, you must explicitly specify which users can log in by adding their names to the /etc/vsftpd.user list file (one user per line).
6) Securing Transmissions with SSL/TLS
You must have an SSL certificate and configure the FTP server to use it in order to encrypt FTP transmissions with SSL/TLS.
You can use an existing SSL certificate signed by a trusted Certificate Authority or create your own.
If you have a domain or subdomain that points to the IP address of the FTP server, you can quickly generate a free Let's Encrypt SSL certificate.
We will generate a 2048-bit private key and a self-signed SSL certificate with a ten-year validity period:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
The certificate and the private key will be saved in the same file.
After you've created the SSL certificate, open the vsftpd configuration file:
sudo nano /etc/vsftpd.conf
Change the values of the rsa_cert_file and rsa_private_key file directives to the pam file path, and set the ssl_enable directive to YES:
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
If nothing else is specified, the FTP server will only use TLS to make secure connections.
Restart the vsftpd Service
After you've finished editing, the vsftpd configuration file (excluding comments) should look like this:
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
To make changes take effect, save the file and restart the vsftpd service:
sudo systemctl restart vsftpd
Opening the Firewall
You must allow FTP traffic if you are using a UFW firewall.
Run the following commands to open ports 21 (FTP command port), 20 (FTP data port), and 30000-31000 (Passive ports range):
sudo ufw allow 20:21/tcp
sudo ufw allow 30000:31000/tcp
To avoid being locked out, make sure port 22 is open:
sudo ufw allow OpenSSH
Reload the UFW rules by disabling and re-enabling UFW:
sudo ufw disable
sudo ufw enable
To verify the changes run:
sudo ufw status
Output
Status: active
To Action From
-- ------ ----
20:21/tcp ALLOW Anywhere
30000:31000/tcp ALLOW Anywhere
OpenSSH ALLOW Anywhere
20:21/tcp (v6) ALLOW Anywhere (v6)
30000:31000/tcp (v6) ALLOW Anywhere (v6)
OpenSSH (v6) ALLOW Anywhere (v6)
Creating FTP User
We will create a new user, to test the FTP user list:
- Skip the first step if the user to whom you want to grant FTP access already exists.
- Skip the third step if you set
allow_writeable_chroot=YESin your configuration file.
1) Create a new user named newftpuser:
sudo adduser newftpuser
2) Add the user to the allowed FTP users list:
echo "newftpuser" | sudo tee -a /etc/vsftpd.user_list
3) Create the FTP directory tree and set the correct permissions:
sudo mkdir -p /home/newftpuser/ftp/upload
sudo chmod 550 /home/newftpuser/ftp
sudo chmod 750 /home/newftpuser/ftp/upload
sudo chown -R newftpuser: /home/newftpuser/ftp
As previously discussed, the user will be able to upload files to the ftp/upload directory.
Your FTP server is now fully operational. Any FTP client that can be configured to use TLS encryption, such as FileZilla, should be able to connect to the server.
Disabling Shell Access
If SSH access to the server is not explicitly specified when creating a user, the user will have it by default. To disable shell access, create a new shell that prints a message informing the user that their account is only allowed FTP access.
To make the /bin/ftponly file executable, run the following commands:
echo -e '#!/bin/sh\necho "This account is limited to FTP access only."' | sudo tee -a /bin/ftponly
sudo chmod a+x /bin/ftponly
Add the new shell to the /etc/shells file's list of valid shells:
echo "/bin/ftponly" | sudo tee -a /etc/shells
Replace the user shell with /bin/ftponly:
sudo usermod newftpuser -s /bin/ftponly
You can use the same command to change the shell of any users who should only have FTP access.
FAQs to Set Up FTP Server with VSFTPD on Ubuntu 20.04
What is VSFTPD?
VSFTPD (Very Secure FTP Daemon) is a popular FTP server software for Unix-like systems, known for its security features and ease of configuration.
How do I enable anonymous FTP access?
Set anonymous_enable=YES in the VSFTPD configuration file to allow users to log in as anonymous and access specific directories.
How can I restrict user access to specific directories?
Use the chroot_local_user=YES option in the VSFTPD configuration file to restrict users to their home directories.
How can I enable SSL/TLS encryption for secure file transfer?
Generate an SSL/TLS certificate or obtain one from a trusted source, and then enable the ssl_enable=YES option in the VSFTPD configuration file.
How do I configure passive mode in VSFTPD?
Set the pasv_enable=YES option in the VSFTPD configuration file, specify the range of passive ports, and forward those ports in your firewall.
How do I restart the VSFTPD service after making changes to the configuration?
Restart the VSFTPD service by running the command sudo service vsftpd restart in the terminal to apply the new configuration settings.
Conclusion
On your Ubuntu 20.04 system, we demonstrated how to install and configure a secure and fast FTP server.
If you have any queries, please leave a comment below and we’ll be happy to respond to them.