How to Setup FTP Server with VSFTPD on Ubuntu 22.04


Introduction

Before we begin talking about how to install VSFTPD on Ubuntu 22.04, let’s briefly understand – What is VSFTPD?

FTP stands for File Transfer Protocol, which is a common method of transferring files to and from a remote network.

One of the most popular and widely used open-source FTP servers is VSFTPD. VSFTPD stands for Very Secure File Transfer Protocol Daemon, a fast yet stable FTP server.

This tutorial will guide you through the steps involved in the installation and configuration of VSFTPD on Ubuntu 22.04. Follow the same instructions for Ubuntu 16.04 and any other Debian-based distributions.

Prerequisites

You need to be logged in as a user with sudo privileges.

Step 1 – Installing VSFTPD

1) You can install the VSFTPD package from the Ubuntu repositories with the following commands:

sudo apt update
sudo apt install vsftpd

2) The service starts automatically after installation. You can verify it using:

sudo systemctl status vsftpd

3) You will receive the following output:

Output

* vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2021-10-1 03:38:52 PDT; 10min ago
 Main PID: 2616 (vsftpd)
    Tasks: 1 (limit: 2319)
   CGroup: /system.slice/vsftpd.service
           `-2616 /usr/sbin/vsftpd /etc/vsftpd.conf

Step 2 – Configuring VSFTPD

1) You can configure the server by editing the /etc/vsftpd.conf file. The majority of the settings are well documented inside the file. You can check the available options from here.

There are certain steps involved in configuring and setting up VSFTPD. Start by opening the configuration file:

sudo nano /etc/vsftpd.conf

2) FTP Access

After that, look for anonymous_enable and local_enable directives, then verify the configuration to match the lines below:

anonymous_enable=NO
local_enable=YES

3) Enabling Uploads

Now uncomment the write_enable setting to allow changes like uploading and deleting the files.

write_enable=YES

4) Chroot Jail

Next, uncomment the chroot setting so that the FTP users don't have access to any files outside their home directories.

chroot_local_user=YES

By default, when chroot is enabled, VSFTPD refuses to upload files if the directory that the users are locked in is writable. This prevents a security vulnerability.

You can choose either of the two methods:

  • Method 1: This is the recommended method. Keep chroot enabled and configure dedicated FTP directories: create an ftp directory inside the user's home, which serves as the chroot, and a writable uploads directory inside it for uploading files.
user_sub_token=$USER
local_root=/home/$USER/ftp
  • Method 2: Alternatively, you can add the following directive in the VSFTPD configuration file. This should be preferred if you want to grant writable access to the user for its home directory.
allow_writeable_chroot=YES

Also set the port range used for passive FTP connections; the same range is opened in the firewall in Step 4:

pasv_min_port=30000
pasv_max_port=31000

5) Limiting User Login

You need to add the following lines at the end of the file to allow only certain users to the FTP server:

userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO

You then have to specify which users can log in by adding their names to the /etc/vsftpd.user_list file (one user per line).

6) Securing transmission with SSL/TLS

An SSL certificate is required to encrypt the FTP transmissions with SSL/TLS. The FTP server needs to be configured to use the same.

You may choose to use an existing SSL certificate signed by a trusted Certificate Authority or create a self-signed certificate.

Generating a free Let's Encrypt certificate is easy if you have a domain or subdomain pointing to the FTP server’s IP address.

You can also generate a self-signed certificate using the openssl command.

You can create a 2048-bit private key and self-signed certificate valid for 10 years with the following command. Both the private key and the certificate will be saved in the same file:

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

On successful creation, open the VSFTPD configuration file:

sudo nano /etc/vsftpd.conf

Look for the rsa_cert_file and rsa_private_key_file directives, change their values to the path of the pem file, and set the ssl_enable directive to YES:

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES

The FTP server will use only TLS to make secure connections if not specified otherwise.

Step 3 – Restart VSFTPD Service

Once the editing is done, the VSFTPD configuration file should resemble the output below (excluding comments):

Output

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO

Save and restart for the changes to take effect:

sudo systemctl restart vsftpd
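
The final configuration above can also be checked mechanically, for example after later edits to the file. The script below is an added example, not part of the original tutorial or of vsftpd itself; the function names conf_get and audit_vsftpd_conf and the sample configuration are constructed for illustration.

```shell
# Added example: audit a vsftpd.conf against the settings used in this tutorial.

# Print a directive's effective value (vsftpd applies the last occurrence).
conf_get() {   # $1 = config file, $2 = directive
    awk -F= -v key="$2" '
        /^#/ { next }
        $1 == key { val = substr($0, length(key) + 2); sub(/[ \t\r]+$/, "", val) }
        END { print val }' "$1"
}

# Print one FAIL/WARN line per finding; return 1 if any FAIL was reported.
audit_vsftpd_conf() {   # $1 = config file
    rc=0
    # None of these values is a vsftpd default, so unset is a finding too.
    for want in anonymous_enable=NO local_enable=YES chroot_local_user=YES \
                ssl_enable=YES userlist_enable=YES userlist_deny=NO; do
        key=${want%%=*}
        got=$(conf_get "$1" "$key")
        if [ "$got" != "${want#*=}" ]; then
            echo "FAIL $key=${got:-<unset>} (expected ${want#*=})"
            rc=1
        fi
    done
    # Method 2 leaves the chroot directory writable: flag it for review.
    if [ "$(conf_get "$1" allow_writeable_chroot)" = "YES" ]; then
        echo "WARN allow_writeable_chroot=YES (chroot directory stays writable)"
    fi
    # A fixed passive range is what lets the firewall rule stay narrow.
    min=$(conf_get "$1" pasv_min_port); max=$(conf_get "$1" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ] || [ "$min" -gt "$max" ]; then
        echo "FAIL passive port range is not a fixed min<=max range"
        rc=1
    fi
    return $rc
}

# Constructed sample: a config that drifted from the tutorial's final file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
ssl_enable=NO
userlist_enable=YES
pasv_min_port=30000
pasv_max_port=31000
EOF
audit_vsftpd_conf "$sample" || echo "audit: FAIL lines above need fixing"
```

On a server, run it as `audit_vsftpd_conf /etc/vsftpd.conf` before restarting the service.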

Step 4 - Opening the Firewall

1) If you are running a UFW firewall, you need to open port 21 (FTP command port), port 20 (FTP data port) and ports 30000-31000 (passive port range) with the following commands:

sudo ufw allow 20:21/tcp
sudo ufw allow 30000:31000/tcp

2) Open port 22 to avoid being locked out:

sudo ufw allow OpenSSH

3) You then have to reload the UFW rules by disabling and re-enabling UFW:

sudo ufw disable
sudo ufw enable

4) You can verify the changes using:

sudo ufw status

Output

Status: active

To                         Action      From
--                         ------      ----
20:21/tcp                  ALLOW       Anywhere
30000:31000/tcp            ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
20:21/tcp (v6)             ALLOW       Anywhere (v6)
30000:31000/tcp (v6)       ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)

Step 5 – Creating FTP User

Create a new user to test the FTP server:

  • If there's already a user which you want to grant FTP access then skip the 1st step.
  • If allow_writeable_chroot=YES is set in your configuration file then skip the 3rd step.

1) Create a new user newftpuser:

sudo adduser newftpuser

2) Add the user to the Allowed users list:

echo "newftpuser" | sudo tee -a /etc/vsftpd.user_list

3) Create an FTP Directory tree and set the appropriate permissions:

sudo mkdir -p /home/newftpuser/ftp/upload
sudo chmod 550 /home/newftpuser/ftp
sudo chmod 750 /home/newftpuser/ftp/upload
sudo chown -R newftpuser: /home/newftpuser/ftp

The user will be able to upload the files to the ftp/upload directory.

4) You can now connect your FTP server using any FTP client that can be configured to use the TLS encryption.
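
The Method 1 layout from step 3 can be verified before the first login, since a chroot directory left writable is exactly what VSFTPD rejects. The script below is an added example, not part of the original tutorial; mode_of and check_ftp_layout are hypothetical helper names, and a temporary directory stands in for /home/newftpuser. It treats any write bit on the ftp directory as a finding, matching the chmod 550 used above.

```shell
# Added example: check the Method 1 directory layout before a user logs in.

# Print the 10-character mode string of a path, e.g. "dr-xr-x---".
mode_of() { ls -ld "$1" | cut -c1-10; }

# Return 0 when $1/ftp is a non-writable chroot root with a writable upload/.
check_ftp_layout() {   # $1 = user's home directory
    root="$1/ftp"; up="$root/upload"; ok=0
    [ -d "$root" ] || { echo "FAIL $root missing"; return 1; }
    case "$(mode_of "$root")" in
        *w*) echo "FAIL $root is writable ($(mode_of "$root")); use chmod 550"; ok=1 ;;
    esac
    if [ ! -d "$up" ]; then
        echo "FAIL $up missing"; ok=1
    else
        case "$(mode_of "$up")" in
            d?w*) ;;   # owner can write, so uploads work
            *) echo "FAIL $up is not writable by its owner"; ok=1 ;;
        esac
    fi
    return $ok
}

# Constructed demo: a temporary directory stands in for /home/newftpuser.
home=$(mktemp -d)
mkdir -p "$home/ftp/upload"
chmod 750 "$home/ftp/upload"
chmod 750 "$home/ftp"     # mistake: chroot directory left writable
check_ftp_layout "$home" || echo "layout needs fixing"
chmod 550 "$home/ftp"     # the permission set in step 3
check_ftp_layout "$home" && echo "layout OK"
```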

Step 6 – Disabling Shell Access

1) Unless explicitly specified otherwise, a newly created user has SSH access to the server by default.

2) You need to create a new shell that will simply print a message telling the user that their account is limited to FTP access only.

3) Next, make the /bin/ftponly shell executable after creating it.

echo -e '#!/bin/sh\necho "This account is limited to FTP access only."' | sudo tee -a /bin/ftponly
sudo chmod a+x /bin/ftponly

4) Append this shell to the list of valid shells in the /etc/shells file:

echo "/bin/ftponly" | sudo tee -a /etc/shells

5) Then change the user shell to /bin/ftponly:

sudo usermod newftpuser -s /bin/ftponly

6) Similarly, you can change the shell of other users (who you want to grant FTP access to) with the same command.

FAQs to Setup FTP Server with VSFTPD on Ubuntu 22.04

How to decide if VSFTPD is the right server for you?

If your main requirement from an FTP server is one of the following things then yes, VSFTPD will be most suitable for your requirement.

  • Security
  • Performance
  • Stability

Can we limit the number of connected users in VSFTPD?

Run VSFTPD in a "standalone" mode with the setting listen=YES, then you can set (e.g.): max_clients=10

What are the system requirements for installing VSFTPD on Ubuntu 22.04?

To install VSFTPD on Ubuntu 22.04, you will need a 64-bit operating system with at least 512 MB of RAM, and a minimum of 1 CPU core.

How do I configure VSFTPD to allow anonymous FTP access on Ubuntu 22.04?

To allow anonymous FTP access on Ubuntu 22.04, edit the /etc/vsftpd.conf file and set the anonymous_enable parameter to YES. Then, restart the VSFTPD service.

Conclusion

We hope this detailed tutorial helped you understand how to install VSFTPD on Ubuntu 22.04 server. To learn more about VSFTPD installation on Ubuntu 22.04 server, check out the official VSFTPD installation document.

If you have any queries, please leave a comment below, and we’ll be happy to respond to them for sure.