Site : https://adamtheautomator.

com/vsftpd/

How to Setup FTP Server with VSFTPD

Published:8 March 2022 - 10 min. read

 Command Line
 Linux

Nicholas Xuan Nguyen

Table of Contents

 Prerequisites
 Installing VSFTPD on Ubuntu
 Opening Ports for FTP Client Connections
 Configuring the VSFTDP Server
 Creating a Dedicated User to Use the FTP Service
 Connecting to the FTP Server
 Disabling Shell Access
 Conclusion

Ever forget an important document on your home computer, and you’re working at the office?
Or do you simply want to share a file with someone who’s sitting next to you? An FTP server
like Very Secure FTP Daemon (VSFTPD) is the perfect solution.

In this tutorial, you’ll learn how to install and configure an FPT server using VSFTPD on
your Linux server so you can securely share files between computers.

Read on and never let your files be captive on your home computer again!

My Latest Videos

Prerequisites
This tutorial will be a hands-on demonstration. If you’d like to follow along, be sure you have
the following.
  A Linux machine – This tutorial uses Ubuntu 20.04 LTS, but any Linux distributions
will work.

Related:How to Install Ubuntu 20.04 LTS

 A non-root user with sudo privileges.

Installing VSFTPD on Ubuntu

VSFTPD is an FTP server for Unix-like systems but isn’t installed by default. Installing
VSFTPD on Ubuntu is similar to how you install other packages. Kick-off this tutorial by
updating your APT package manager before installing VSFTPD.

1. Run the apt update command to update APT. This command retrieves package lists from
your configured repositories and updates the local package cache.

sudo apt update -y

Updating APT package manager

2. Next, run the apt install command below to install VSFTPD on your machine. This
command will also pull in all of the required dependencies for the FTP service.

By default, the VSFTPD package is available on most modern Debian-based distributions. So

you can install it without any additional package repositories and let APT take care of the
rest.

Installing VSFTPD on Ubuntu

3. Finally, run the systemctl command below to verify that the VSFTPD service is running
and configured correctly.

sudo systemctl status vsftpd

Related:Controlling Systemd services with Ubuntu systemctl

You will see an output similar to the one below, which shows the vsftpd.service is active
(running) and listening to requests.

Verifying the vsftpd.service Status

Opening Ports for FTP Client Connections

Now that you have the latest version of VSFTPD installed, you can now configure your
firewall. You’ll use UFW, the default firewall configuration tool for Ubuntu, to add firewall
rules to open ports for secure FTP client connections.

Related:How To Set Up the UFW Firewall on Linux

1. Run the ufw status command to see which firewall rules are currently active.

sudo ufw status

Below, you can see that the firewall is active but doesn’t have any rules to allow any
connections by default.

Checking firewall rules

2. Next, run the ufw allow command below to allow all three ports through the firewall.
VSFTPD requires FTP connections on ports 20, 21, and 990.

sudo ufw allow 20,21,990/tcp

Adding a Firewall Rule to Open Ports 20, 21, and 990

3. Run the ufw command below to open the 40000:50000 port range.

VSFTPD requires the 40000:50000 port range to be opened so that FTP clients can make data
connections to the server in passive mode.

sudo ufw allow 40000:50000/tcp

Adding a Firewall Rule to Open 40000:50000 Port Range

4. Finally, run the ufw status verbose command below to verify that your firewall rules are
active and check for errors.

sudo ufw status verbose

Checking Active Firewall Rules

Configuring the VSFTDP Server

You have successfully allowed traffic through the firewall, but you must configure your
VSFTPD server before using it.

The /etc/vsftpd.conf file is the main configuration file for VSFTPD. But you can also
configure your FTP server through other commands if you prefer to do things dynamically. Or
if you prefer to specify rules that aren’t available in the config file.

Throughout editing the /etc/vsftpd.conf file, uncomment each directive to enable them by
removing the # symbol in front of them.
1. Run the sudo cp command below to back up the original configuration file
(/etc/vsftpd.conf /etc/vsftpd.conf.bak).

You should always back up any critical config file before you go mucking around.

sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.bak

2. Next, open the /etc/vsftpd.conf file in your favorite text editor. This demo uses nano to
edit the configuration file.

sudo nano /etc/vsftpd.conf

3. Look for and change the anonymous_enable directive value to NO. Anonymous users are
commonly used for public file sharing. You don’t want that anonymous user on your server.
Instead, you’ll want your FPT server to be secure.

Set the local_enable directive value to YES to allow people with accounts on your server to
transfer files via FTP. With this configuration, only authorized users can log into your FTP
server.

Restricting Access to your FTP Server to Authorized Users Only

4. Now, change the write_enable directive to YES so that your users can upload and save
files to your FTP server. This directive is the most important one, as it controls access to the
upload functionality.

Allowing Users to Upload and Save Files to FTP Server

5. Change the chroot_local_user directive to YES since your FPT user should not run as
root. Creating a new, possibly privileged user for the FTP service to use is much safer (you
will learn how to create a dedicated user later).

If this directive isn’t enabled, the FPT user will have access to everything on the server, even
the root directory. This behavior can be a HUGE security problem.

With this configuration, your user can only access the folders that you specify (the user’s
home directory in most cases).
Restricting User to Run as Root when Accessing the FTP Server

But when the chroot_local_user directive value is set to YES, the write_enable directive (step
four) will not work because the chroot() syscall denies writing access (when enabled).

As a solution, add the directive below to your vsftpd.conf file, so the write_enable directive
will work regardless of the chroot_local_user directive’s value.

allowed_writeable_chroot=YES

Allowing Writing Access

6. Next, add the directives below to your vsftpd.conf file to enable passive FTP connections.

VSFTPD can use any port above 1024 not occupied by another service for the passive FTP
connection. This demo uses the port range you set in the “Opening Ports for FTP Client
Connections” section (step three).

pasv_min_port=35000
pasv_max_port=40000

Enabling Passive FTP

7. Add the following lines at the bottom of the vsftpd.conf file to allow only authorized users
to log in to the FTP server.

userlist_enable=YES
# Add the user to the vsftpd.userlist to allow a specific user
# to use the system login account to access your FTP service.
userlist_file=/etc/vsftpd.userlist
# NO - anyone can log in with an anonymous account.
# YES - the user will be denied to login when their name exists in this
file.
userlist_deny=NO

Allowing only Authorized Users to Log in to the FTP Server

8. Finally, save and close the vsftpd.conf file, and run the below command to restart your
vsftpd server to apply the changes.

sudo service vsftpd restart

Creating a Dedicated User to Use the FTP Service

You’ve now configured your VSFTPD server, but you’ll need a dedicated user to use the FTP
service instead of a root user. You’ll create a directory within the user’s home directory so
that the directory is easily accessible.

1. Run the adduser command below to create a new user. You can choose any username you
prefer, but this demo creates a user called ata. But remember not to duplicate the user
elsewhere on your server.

sudo adduser ata

Provide a secure password and take note of it. You’ll use this password to connect to your
FTP server.

You must also provide some details for the new user or keep the default details by pressing
ENTER. Type Y and press ENTER to confirm the user information.
Creating a new user named ata

2. Next, run the below command to add the ata user to the vsftpd.userlist file.

As you recall, this file specifies which users are allowed to login via FTP when the
userlist_deny directive value is set to NO. At this point, only the ata user can log in to your
FTP server, and all other anonymous users will be denied access.

echo "ata" | sudo tee -a /etc/vsftpd.userlist

Adding the ata user to the vsftpd.userlist file

3. Run the following commands to set the proper permissions for the new /home/ata/ftp
directory.

The below commands ensure that only your dedicated FTP user has access to the
/home/ata/ftp directory, and allow the user to transfer files to/from it.

# Sets the owner of the /home/ata/ftp directory to be nobody.

sudo chown nobody:nogroup /home/ata/ftp
# Ensures that only the owner (your FTP user)
# has write(w) access(a) to the /home/ata/ftp directory.
sudo chmod a-w /home/ata/ftp

4. Now, run the chown command to set the owner and group of the /home/ata/ftp/upload
directory to your FTP user (ata). The command also sets the correct permissions for the
/home/ata/ftp/upload directory.

sudo chown ata:ata /home/ata/ftp/upload

5. Execute the echo command below to create a basic test file named ata.txt.
The below command creates a new file named ata.txt in your FTP directory and includes
some text (vsftpd test file) in the text file.

echo "vsftpd test file" | sudo tee /home/ata/ftp/upload/ata.txt

At this point, you’ve fully configured your FPT server, and your users can connect to it.

Creating a basic test file named ata.txt

Connecting to the FTP Server

After configuring a dedicated FTP user, it’s finally time to connect to your FTP server. But
you’ll first try connecting to your FTP server using an anonymous user to test if your FTP
server is secure.

1. Run the ftp -p command below to connect to your FTP server. Replace your-server-ip
with your actual server IP address.

ftp -p your-server-ip

Try to log in as an anonymous user, and you will see the following error message. This output
confirms that your FTP server is secure since only your dedicated FTP user can access your
server.

Logging in as an
anonymous user

2. Execute the bye command to exit the FTP client.

bye

exiting the FTP client

3. Rerun the ftp command below as you did in step one. But this time, log in as your
dedicated FTP user (ata).

ftp -p your-server-ip

You will get a 230 Login successful message as shown below, which confirms that your FTP
server works as intended.
Connecting to FTP Server using the Dedicated User (ata) for FTP connection

4. Now, run each command below to confirm the ata.txt file exists in the ftp/upload directory.

The ata.txt file is what you created earlier in the “Creating a Dedicated User to Use the FTP
Service” section (step five).

# Change to the ftp/upload directory as the working directory.

cd ftp/upload
# List all files in the working directory.
ls

Li
sting file in the ftp/upload directory

5. Run the get command below to download the file (ata.txt) from your FTP server and
save it to your local machine.

get ata.txt

Below, you can see a confirmation message that says Transfer complete.

Downloading the ata.txt file from the FTP server to a local machine

6. Next, run the put command below to upload the ata.txt file from your local machine as a
new file named ata2.txt to your FTP server.

put ata.txt ata2.txt

Uploading the ata.txt file as ata2.txt from Local Machine to FTP server

7. Finally, rerun the ls command to list all files in the current directory and verify that
ata2.txt has been uploaded successfully by your user.

ls

If the previous file transfers (steps seven to eight) succeeded, you’ll see two text files: one
named ata.txt and another named ata2.txt, as shown below.

Listing the files in the FPT server

Disabling Shell Access

When you create a new FTP user, your FTP server automatically allows that user to log in and
run the shell. As a result, besides uploading and downloading files, your users can also
execute potentially dangerous system commands on your FTP server.

When you’re not using the FTP server, you can disable shell access to prevent users from
logging in using SSH. Doing so is especially important if you have password-less login
enabled for your dedicated FTP user.

1. Open another terminal on your server, and run the below command to ssh into the FPT
server using the dedicated FTP user (ata).

ssh ata@fpt-server-ip

As shown below, you can successfully log in using the ata username with the password you
created earlier in the “Creating a Dedicated User to Use the FTP Service” section.

This behavior indicates that the ata user can run any commands on your server, including
changing the server configurations. A compromised FTP user can do much more damage than
an anonymous one.
Logging the ata user in to the FTP server

2. Next, run the command below to create a new shell script named ftponly.sh in the /bin
directory of your FPT server. This script disables any FTP login from your dedicated FTP
user for your FTP server. The script then prints (echo) a warning message to the screen that
says This account is limited to FTP access only.

echo -e '#!/bin/sh\necho "This account is limited to FTP access only."' |

sudo tee -a /bin/ftponly .sh

Running ftponly.sh Script to Disable FTP Login from a Dedicated FTP User

3. Run the below chmod command to set the correct permissions on this new shell script
(/bin/ftponly). This command makes the script executable and allows your FTP user (ata)
to run it.

sudo chmod a+x /bin/ftponly

4. Now, execute the command below to add the path of the new shell script (ftponly ) in
your /etc/shells file. This action ensures that any login you try with your ata user is
rejected since the /bin/ftponly script will get executed instead.

echo "/bin/ftponly" | sudo tee -a /etc/shells

Adding Schell Script’s (ftponly.sh) Path to the /etc/shells File

5. Run the usermod command below to change the current shell of your FTP user (ata) to the
/bin/ftponly shell.

sudo usermod ata -s /bin/ftponly

6. Finally, run the below command to SSH to your FPT server using your FTP user (ata).

ssh ata@fpt-server-ip

As shown below, your dedicated FTP user cannot SSH to your FTP server. This behavior is
expected since the /bin/ftponly shell script prints a warning message and closes the SSH
connection (closed).

Testing SSH Connection to the FTP Server

Conclusion
In this tutorial, you have learned how to install and configure an FTP server in Ubuntu Linux
using VSFTPD. You have also learned how to configure an FTP user with limited access and
restrict the FTP user shell access.

At this point, you should have a functional FTP server with restricted access.

With this newfound knowledge, you can now configure your FTP server on AWS EC2, or
you can start setting up an FTP Server on your Raspberry Pi. Which one would you choose to
start working on?