How to Configure VSFTPD with SSL/TLS (FTPS) on Ubuntu 18.04

FTP, the File Transfer Protocol, is used to transfer files between a client and a server over a network. Plain FTP sends everything, including the user name and password, in clear text, so it should only be used on a network you trust. There are two unrelated ways to get an encrypted alternative: SFTP (SSH File Transfer Protocol), which is a subsystem of SSH and has nothing to do with FTP or SSL, and FTPS, which is the FTP protocol wrapped in SSL/TLS. vsftpd implements the latter, and that is what this article sets up; despite the name "SFTP" that often gets attached to it, no SSH is involved.

This article provides detailed steps on how to configure a vsftpd server secured with SSL/TLS on Ubuntu 18.04 and how to connect to it from a terminal and from a GUI client.

Install VSFTPD server

There are several FTP servers available on Linux. We are going to install vsftpd. To do that on Ubuntu 18.04, type the following command in the terminal:

sudo apt install vsftpd

Once vsftpd is installed, its default configuration file is located at /etc/vsftpd.conf. Before changing that file and testing custom configurations, we create a backup of it. To do so you can run:

sudo mv /etc/vsftpd.conf /etc/vsftpd.conf.bak

Then we create vsftpd.conf file with the following command:

sudo vim /etc/vsftpd.conf

and add the following lines to the file:

 listen=NO
 listen_ipv6=YES
 anonymous_enable=NO
 local_enable=YES
 write_enable=YES
 local_umask=022
 dirmessage_enable=YES
 use_localtime=YES
 xferlog_enable=YES
 connect_from_port_20=YES
 chroot_local_user=YES
 secure_chroot_dir=/var/run/vsftpd/empty
 pam_service_name=vsftpd
 pasv_enable=YES
 pasv_min_port=10000
 pasv_max_port=11000
 user_sub_token=$USER
 local_root=/home/$USER/ftp
 userlist_enable=YES
 userlist_file=/etc/vsftpd.userlist
 userlist_deny=NO

Note that these are the most commonly used settings and you are free to change them according to your needs. If the server sits behind NAT, also set pasv_address to its public IP address, because otherwise vsftpd announces the address of the interface it listens on to clients in passive mode.

Ubuntu 18.04 ships with ufw (Uncomplicated Firewall) preinstalled, although it is not enabled by default. You can check whether ufw is active on your machine with this command:

sudo ufw status

If it is active and you are going to leave it that way, you must allow incoming traffic to the FTP ports: 21 for the control connection and the passive range 10000-11000 configured above. Port 20 is only the source port of the server's outbound active-mode data connections, so it needs no inbound rule with ufw's default allow-outgoing policy, but opening it does no harm. To do so you can run:

sudo ufw allow from any to any port 20,21,10000:11000 proto tcp

If successful, the output will be like the one below:

Rules updated
Rules updated (v6)

After all these steps are done, we need to restart the vsftpd server with the following command:

sudo service vsftpd restart

Creating user to connect to FTP server

Once the vsftpd server is installed and configured according to our needs, we need to create a user (e.g. ftpuser) to connect to the FTP server. To do so you can run:

sudo useradd -m ftpuser

Create password for newly created user with the command below:

sudo passwd ftpuser

You will then be prompted to enter the new UNIX password and to retype it for the change to be applied. Successful output looks like this:

passwd: password updated successfully

Prepare FTP user directory

One of the most important steps in securing the FTP server is to restrict users to their home directory so that they have no access to other directories at all. In vsftpd this is done by enabling chroot in the configuration file, which we already did in the configuration part of this article (chroot_local_user=YES). vsftpd's chroot protection assumes that the user has no write access to the root of the chroot: since version 2.3.5 it refuses such a login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". The option allow_writeable_chroot=YES turns that check off, but the check exists because a writable chroot root makes chroot escapes easier, so it is worth keeping. If we are giving FTP access to existing users who also use a shell on the server, they need write access to their home directory, so the home directory itself cannot serve as the chroot root. To keep the protection and still give users a usable FTP area, we create an ftp folder in the user's home directory and point vsftpd at it as the local root for FTP sessions; we also hand its ownership to nobody and remove the write bits. To do so you can run:

sudo mkdir /home/ftpuser/ftp
sudo chown nobody:nogroup /home/ftpuser/ftp
sudo chmod a-w /home/ftpuser/ftp

then make sure the following two lines are present in the vsftpd configuration file /etc/vsftpd.conf (they are already part of the configuration we wrote above; user_sub_token is replaced with the login name, so the one local_root line serves every user):

user_sub_token=$USER
local_root=/home/$USER/ftp

After these steps are done we need to create another folder in /home/ftpuser/ftp and assign its ownership to the user

sudo mkdir /home/ftpuser/ftp/files
sudo chown ftpuser:ftpuser /home/ftpuser/ftp/files

To test that we are able to view files in user's home directory after connecting to FTP server, we are going to create test file in that directory and add some text in it. To do so you can run:

echo "test file for vsftpd" | sudo tee /home/ftpuser/ftp/files/test.txt

To allow or deny specific users access to vsftpd we use a user list file together with the matching settings in the vsftpd configuration file, which we also added above:

userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

If userlist_deny is set to NO, only the users listed in the file can access the FTP server; if it is set to YES, the users listed in the file are denied and everyone else is allowed. In both cases the decision is made before the password prompt, so a denied user never gets to send a password. Add the user name to the file with the command below (tee -a appends, so run it once per user):

echo "ftpuser" | sudo tee -a /etc/vsftpd.userlist
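The directory and user-list steps above as one script, added here as an example and not part of the original article: it creates the read-only chroot root and the writable files subdirectory for a user, checks the root the way vsftpd will at login, and adds the user to the allow-list without duplicating the entry on a re-run. The base directory and user name are parameters; the ownership change is a separate function (set_ftp_owners) because it needs root and an existing account, so the demo at the bottom runs unprivileged in a temporary directory; the permission check uses GNU stat, so it expects Linux. All of that is this script's own assumption, not vsftpd's.

```sh
#!/bin/sh
# Added example (not from the original article): lay out the per-user chroot
# tree vsftpd expects, check it the way vsftpd does, and maintain the
# allow-list. Assumptions: BASE and USER are parameters; ownership changes are
# a separate step (set_ftp_owners) because they need root and an existing
# account; the permission check relies on GNU stat (Linux).

# prepare_ftp_tree BASE USER: create BASE/USER/ftp (the chroot root, no write
# bits) and BASE/USER/ftp/files (the upload area). Safe to re-run.
prepare_ftp_tree() {
  root="$1/$2/ftp"
  mkdir -p "$root"
  chmod u+w "$root"          # temporarily, so the subdirectory can be created
  mkdir -p "$root/files"
  chmod u+rwx "$root/files"  # the user's real working directory
  chmod a-w "$root"          # vsftpd refuses a chroot whose root is writable
}

# set_ftp_owners BASE USER: root owned by nobody, upload area by the user.
# Needs root and an existing account, so the demo below does not call it.
set_ftp_owners() {
  root="$1/$2/ftp"
  chown nobody:nogroup "$root"
  chown "$2:$2" "$root/files"
}

# chroot_root_is_safe DIR: 0 when no write bit (owner, group or other) is set.
# Stricter than vsftpd's own test, which asks whether the logged-in user can
# write there; with the root owned by nobody and no write bits at all, the
# answer is no for every user.
chroot_root_is_safe() {
  mode=$(stat -c '%a' "$1") || return 1
  case "$mode" in
    *[2367][0-7][0-7] | *[0-7][2367][0-7] | *[0-7][0-7][2367]) return 1 ;;
  esac
  return 0
}

# userlist_add FILE USER: append USER once (a plain `tee -a` adds a duplicate
# line every time it is re-run).
userlist_add() {
  touch "$1"
  grep -qx "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Demo in a temporary directory (constructed; runs unprivileged). On a real
# server: prepare_ftp_tree /home ftpuser; set_ftp_owners /home ftpuser;
# userlist_add /etc/vsftpd.userlist ftpuser.
DEMO_BASE=$(mktemp -d)
prepare_ftp_tree "$DEMO_BASE" ftpuser
if chroot_root_is_safe "$DEMO_BASE/ftpuser/ftp"; then
  echo "$DEMO_BASE/ftpuser/ftp has no write bits: vsftpd will accept it as chroot root"
else
  echo "$DEMO_BASE/ftpuser/ftp is writable: vsftpd would answer 500 OOPS"
fi
userlist_add "$DEMO_BASE/vsftpd.userlist" ftpuser
userlist_add "$DEMO_BASE/vsftpd.userlist" ftpuser   # second call changes nothing
cat "$DEMO_BASE/vsftpd.userlist"
```

On a real server run the three functions as root with /home as the base, then restart vsftpd; if a login still fails with the 500 OOPS message, run chroot_root_is_safe against the user's ftp directory to see whether a write bit crept back in (for example through a later chmod -R on the home directory).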

Configure SSL for VSFTPD

Since data (even credentials) transferred via FTP isn't encrypted, we enable TLS to add another level of security to our FTP server. The server needs a certificate and a private key; for a quick start we create a self-signed certificate with openssl (clients cannot verify it against a CA, so they will show a trust prompt, and you should compare the fingerprint by hand). Run the following:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

where -days 365 makes the certificate valid for one year, and giving the same path to -out and -keyout puts the private key and the certificate into one file. That file contains the private key, so keep it readable by root only (it lives in /etc/ssl/private, which is not world-readable on Ubuntu). You'll be prompted for the information that goes into the certificate, as shown below; the Common Name should be the host name or FQDN that clients will connect to:

Generating a 2048 bit RSA private key
.................+++
..............................................................................................+++
writing new private key to '/etc/ssl/private/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:SY
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linoxide
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ubuntu
Email Address []:[email protected]

After the certificate is created we need to point vsftpd at it and enable SSL. To do so, add the following lines to the configuration file (both options point at the same file here, since it holds the key and the certificate):

 rsa_cert_file=/etc/ssl/private/vsftpd.pem
 rsa_private_key_file=/etc/ssl/private/vsftpd.pem
 ssl_enable=YES

Next we deny anonymous connections over SSL and require SSL for both login and data transfer, so that no client can fall back to clear text. To do so add the following lines to /etc/vsftpd.conf:

 allow_anon_ssl=NO
 force_local_data_ssl=YES
 force_local_logins_ssl=YES

Once the lines above are added, we configure the protocol versions. SSLv2 and SSLv3 are broken and must stay off (both are already off by default); ssl_tlsv1 controls TLS 1.0, which is deprecated. In vsftpd 3.0.3, the version in Ubuntu 18.04, ssl_tlsv1 toggles TLS 1.0 only; TLS 1.1 and 1.2 are negotiated by the OpenSSL library on their own, so once all your clients support TLS 1.2 you can set ssl_tlsv1=NO instead of YES. Also consider setting ssl_ciphers explicitly (for example ssl_ciphers=HIGH), because vsftpd's default cipher list is DES-CBC3-SHA, i.e. 3DES. Add the following lines in the same file:

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

After all the steps our vsftpd configuration file will look like this:

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=11000
user_sub_token=$USER
local_root=/home/$USER/ftp
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

After any change in the vsftpd's configuration file we need to restart the service by the following command:

sudo service vsftpd restart

You can also configure vsftpd to use a Let's Encrypt certificate for FTPS, provided you have a domain to validate; clients can then verify the server without a trust prompt. Point the two path options at wherever the certificate chain and private key are stored (certbot keeps them under /etc/letsencrypt/live/<domain>/ as fullchain.pem and privkey.pem; the paths below are only an example), and restart vsftpd after every renewal so that the new certificate is served:

rsa_cert_file=/ssl/letsencrypt/ftpdomain.com/chain-bundle.pem
rsa_private_key_file=/ssl/letsencrypt/ftpdomain.com/private-key.pem
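The TLS settings above, and the passive-range firewall rule from the ufw section, are easy to get subtly wrong: a typo in the port range, or ssl_enable=YES with the force_local_* options left at NO, leaves a gap that nothing reports. The following script is an added example, not part of the original article or of vsftpd. It resolves options the way vsftpd does (an absent key takes vsftpd's compiled-in default, the last occurrence of a key wins), reports which TLS and chroot settings are weak, and derives the ufw command from the configured passive range. The two configurations it checks are constructed inline: the article's first, plaintext configuration and the final one with TLS 1.0 switched off and ssl_ciphers set; it deliberately flags ssl_tlsv1=YES, which the article's own final listing still has. The defaults used are the documented vsftpd 3.0.x ones.

```sh
#!/bin/sh
# Added example (not from the original article): a checker for the settings
# that decide whether this vsftpd server actually enforces TLS, plus a helper
# that derives the ufw rule from the passive port range so the firewall and
# vsftpd.conf cannot drift apart. Options are resolved the way vsftpd does:
# an absent key takes vsftpd's compiled-in default and the last occurrence
# of a key wins. The two configs at the bottom are constructed for the demo.

# conf_get FILE KEY: print the value of KEY ("" if unset, last occurrence wins).
conf_get() {
  awk -v k="$2" '
    /^[[:space:]]*#/ { next }
    { i = index($0, "="); if (i == 0) next
      if (substr($0, 1, i - 1) == k) { val = substr($0, i + 1); sub(/[ \t\r]+$/, "", val) } }
    END { print val }' "$1"
}

# conf_expect FILE KEY WANT DEFAULT MESSAGE: 0 if the effective value is WANT
# (case-insensitive, as vsftpd treats booleans), else print MESSAGE and return 1.
conf_expect() {
  v=$(conf_get "$1" "$2" | tr '[:lower:]' '[:upper:]')
  [ -n "$v" ] || v="$4"
  [ "$v" = "$3" ] && return 0
  echo "  $2=$v (want $3): $5"
  return 1
}

# lint_vsftpd_tls FILE: 0 when every check passes, 1 otherwise.
lint_vsftpd_tls() {
  f="$1"; n=0
  echo "checking $f"
  conf_expect "$f" ssl_enable YES NO "TLS is off, passwords and data cross the wire in clear text" || n=$((n + 1))
  conf_expect "$f" force_local_logins_ssl YES YES "clients may log in without TLS" || n=$((n + 1))
  conf_expect "$f" force_local_data_ssl YES YES "transfers may run without TLS" || n=$((n + 1))
  conf_expect "$f" ssl_sslv2 NO NO "SSLv2 is broken" || n=$((n + 1))
  conf_expect "$f" ssl_sslv3 NO NO "SSLv3 is broken (POODLE)" || n=$((n + 1))
  conf_expect "$f" ssl_tlsv1 NO YES "TLS 1.0 is deprecated, disable it once clients speak TLS 1.2" || n=$((n + 1))
  conf_expect "$f" anonymous_enable NO YES "anonymous FTP is vsftpd's compiled-in default" || n=$((n + 1))
  conf_expect "$f" allow_anon_ssl NO NO "no anonymous TLS sessions on an authenticated server" || n=$((n + 1))
  conf_expect "$f" chroot_local_user YES NO "users can browse the whole filesystem" || n=$((n + 1))
  conf_expect "$f" allow_writeable_chroot NO NO "a writable chroot root is what vsftpd refuses by default" || n=$((n + 1))
  c=$(conf_get "$f" ssl_ciphers)
  if [ -z "$c" ]; then
    echo "  ssl_ciphers unset: vsftpd's default is DES-CBC3-SHA (3DES), set e.g. ssl_ciphers=HIGH"; n=$((n + 1))
  else
    # look only at positive selections; "!aNULL"-style exclusions are fine
    case ":$(printf '%s' "$c" | tr ':' '\n' | grep -v '^!' | tr '\n' ':')" in
      *:DES*|*:RC4*|*:NULL*|*:EXPORT*|*:LOW*|*:MEDIUM*) echo "  ssl_ciphers=$c selects weak ciphers"; n=$((n + 1)) ;;
    esac
  fi
  [ "$n" -eq 0 ] && echo "  ok"
  [ "$n" -eq 0 ]
}

# pasv_ufw_rule FILE: print the ufw command that opens the control port and
# exactly the passive range in FILE (port 20 is only the source port of the
# server's outbound active-mode connections, so it needs no inbound rule).
pasv_ufw_rule() {
  lo=$(conf_get "$1" pasv_min_port); hi=$(conf_get "$1" pasv_max_port)
  if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ]; then
    echo "pasv_min_port/pasv_max_port missing or inverted in $1" >&2; return 1
  fi
  echo "ufw allow from any to any port 21,$lo:$hi proto tcp"
}

# Constructed demo configs: the article's first (plaintext) config, and the
# same config with the TLS block added, TLS 1.0 turned off and a cipher list set.
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=11000
userlist_enable=YES
userlist_deny=NO
EOF
{ cat "$WEAK_CONF"; cat <<'EOF'
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_ciphers=HIGH
EOF
} > "$HARDENED_CONF"

lint_vsftpd_tls "$WEAK_CONF" || echo "-> plaintext config rejected"
lint_vsftpd_tls "$HARDENED_CONF" && pasv_ufw_rule "$HARDENED_CONF"
```

On the real server run lint_vsftpd_tls /etc/vsftpd.conf and pasv_ufw_rule /etc/vsftpd.conf after every change. Once vsftpd is restarted, confirm from a client that TLS is really negotiated with openssl s_client -connect ubuntu:21 -starttls ftp, which prints the certificate and the protocol version, and that a plain ftp login is now refused with a 530 reply.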

Connecting to FTP server

There are two methods to connect to ftp server:

    • using terminal
    • using FTP client with GUI

 

Connect using terminal

The classic ftp command-line client has no TLS support, so with the force_local_logins_ssl=YES setting from above the server answers its USER command with "530 Non-anonymous sessions must use encryption." and no password is ever sent. The session below therefore only works against a server that still allows clear-text logins (for example before the TLS section was applied). For a TLS-capable command-line client use lftp (set ftp:ssl-force true) or curl, which negotiates explicit FTPS with --ssl-reqd (add -k while the certificate is self-signed). For a clear-text test, type the following in the terminal:

ftp ubuntu

where ubuntu is the host name of the machine where the FTP server is installed. Make sure that the machine is reachable by that host name from the client you are connecting from.

After connecting you'll be prompted for the user name and password:

Connected to ubuntu.
220 (vsFTPd 3.0.3)
Name (ubuntu:ubuntu): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Type ls to check that the files directory created earlier is there (the listing shows the chroot root, so only that directory appears; the test file is inside it):

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 1001 1001 4096 May 21 13:39 files
226 Directory send OK.

Connect using FTP client with GUI

We are going to use FileZilla to connect to our FTP server. Open the FileZilla client, create a site in the Site Manager with the server's IP address or host name, protocol FTP, encryption "Require explicit FTP over TLS" and the ftpuser credentials, then connect. Because the certificate is self-signed, FileZilla displays it and asks whether to trust it; compare the fingerprint it shows with the one on the server (openssl x509 -noout -fingerprint -sha256 -in /etc/ssl/private/vsftpd.pem) before accepting, after which the connection is established over TLS.

vsftpd certificate

vsftpd filezilla

After connecting we can see that the test.txt that we created before is there.


As this article shows, installing a vsftpd server and connecting to it is easy and can be done in a few steps. The main point is to secure the FTP server through its configuration file: chroot the user to a non-writable root, disable anonymous login, set a sensible local umask and directory permissions, restrict logins with the user list, and force TLS on both the control and the data connection so that neither passwords nor files cross the network in clear text.

Hayk Gevorgyan 1:09 am

About Hayk Gevorgyan

Technical Support Engineer experienced in Linux servers administration of production environments. Exploring DevOps culture and tools. Interested in containerization and open source monitoring tools.
