FTP, short for File Transfer Protocol, is used to transfer files between a computer and a server on a network. FTP transfers data (credentials included) in plaintext, so its use should be limited to networks you trust. Instead, use FTPS (FTP over SSL/TLS), which secures the connection between the two ends with SSL/TLS, or SFTP (SSH File Transfer Protocol / Secure File Transfer Protocol).
This article provides detailed steps on how to configure a secured vsftpd server with SSL/TLS on Ubuntu 18.04 and how to connect to the server using a terminal and a GUI client.
Install VSFTPD server
There are several FTP servers available on Linux. We are going to install vsftpd. To do that on Ubuntu 18.04, type the following command in the terminal:
sudo apt install vsftpd
Once vsftpd is installed, its default configuration file is located at /etc/vsftpd.conf. Before changing that file and testing custom configurations, we create a backup of it. To do so you can run:
sudo mv /etc/vsftpd.conf /etc/vsftpd.conf.bak
Then we create a new vsftpd.conf file with the following command:
sudo vim /etc/vsftpd.conf
and add the following lines to the file:
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
pasv_enable=Yes
pasv_min_port=10000
pasv_max_port=11000
user_sub_token=$USER
local_root=/home/$USER/ftp
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
Note that these are the most commonly used settings, and you are free to change them according to your needs.
Ubuntu 18.04 comes with ufw (Uncomplicated Firewall) preinstalled and enabled. You can check whether ufw is running on your machine with this command:
sudo service ufw status
If it is running and you are going to leave it running, you must allow incoming traffic to the FTP ports (20 and 21 for active connections, and the passive range 10000-11000 set by pasv_min_port and pasv_max_port above). To do so you can run:
sudo ufw allow from any to any port 20,21,10000:11000 proto tcp
If successful, the output will be like the one below:
Rules updated
Rules updated (v6)
After all these steps are done, we need to restart the vsftpd server with the following command:
sudo service vsftpd restart
Creating user to connect to FTP server
Once the vsftpd server is installed and configured according to our needs, we need to create a user (e.g. ftpuser) to connect to the FTP server. To do so you can run:
sudo useradd -m ftpuser
Set a password for the newly created user with the command below:
sudo passwd ftpuser
You will be prompted to enter the new UNIX password and retype it for the change to be applied. Successful output looks like this:
passwd: password updated successfully
Prepare FTP user directory
One of the most important actions needed to secure an FTP server is to restrict users to their home directory so that they have no access to other directories at all. In vsftpd this is done by enabling chroot in the configuration file, which we already did in the configuration part of this article (chroot_local_user=YES). vsftpd's chroot protection assumes that the user does not have write access to the chroot root directory. But if we are giving FTP access to existing users who also use a shell on the server, they may need write access to their home folder. To avoid this security gap while still giving the user proper FTP access, we create an ftp folder in the user's home directory and set it as the local root in the vsftpd configuration for FTP connections. We also need to change the ownership of that directory and remove write access. To do so you can run:
sudo mkdir /home/ftpuser/ftp
sudo chown nobody:nogroup /home/ftpuser/ftp
sudo chmod a-w /home/ftpuser/ftp
then add or change the following lines in the vsftpd configuration file /etc/vsftpd.conf:
user_sub_token=$USER
local_root=/home/$USER/ftp
After these steps are done we need to create another folder inside /home/ftpuser/ftp and assign its ownership to the user:
sudo mkdir /home/ftpuser/ftp/files
sudo chown ftpuser:ftpuser /home/ftpuser/ftp/files
To test that we are able to view files in the user's home directory after connecting to the FTP server, we create a test file in that directory and add some text to it. To do so you can run:
echo "test file for vsftpd" | sudo tee /home/ftpuser/ftp/files/test.txt
To allow or deny specific users access to vsftpd we can use a userlist file and add the appropriate records to the vsftpd configuration file:
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
If userlist_deny is set to NO, only the users listed in the file can access the FTP server; if it is set to YES, the users listed in the file are denied access and everyone else is allowed. Add usernames to the file mentioned above with the command below:
echo "ftpuser" | sudo tee -a /etc/vsftpd.userlist
Configure SSL for VSFTPD
Since data (credentials included) transferred via FTP is not encrypted, we can enable TLS/SSL to add another layer of security to our FTP server. To create a certificate using openssl, run the following:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
where -days 365 makes the certificate valid for one year, and passing the same path to the -out and -keyout flags stores the private key and the certificate in the same file. You will be prompted for the information needed to create the certificate, as shown below:
Generating a 2048 bit RSA private key
.................+++
..............................................................................................+++
writing new private key to '/etc/ssl/private/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:SY
Locality Name (eg, city) []:Sydney
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Linoxide
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:ubuntu
Email Address []:[email protected]
After the certificate is created we need to reference it in the vsftpd config file and enable SSL. To do so, add the following lines to that file:
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
Next we need to deny anonymous connections over SSL and require SSL for both data transfer and login. To do so, add the following lines to the /etc/vsftpd.conf file:
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
Once the lines above are added, we'll configure the server to use TLS, which is the preferred successor to SSL. To do so, add the following lines in the same file:
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
After all these steps our vsftpd configuration file will look like this:
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
pasv_enable=Yes
pasv_min_port=10000
pasv_max_port=11000
user_sub_token=$USER
local_root=/home/$USER/ftp
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
After any change to vsftpd's configuration file we need to restart the service with the following command:
sudo service vsftpd restart
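The following script is an added example, not part of the original article or the vsftpd project: it audits a vsftpd.conf for the hardening settings applied in the "Prepare FTP user directory" and "Configure SSL" sections above (anonymous login off, chroot on, SSL enforced, SSLv2/v3 off) and checks that the chroot root directory is not writable. The key names are the real vsftpd options from this article; the sample config files and the temporary ftp directory are constructed inline so the script runs without a live server.

```shell
#!/bin/sh
# Added audit script (not from the original article): checks a vsftpd.conf for
# the hardening settings the article applies and that the chroot root directory
# is not writable. Each check function returns 0 on pass, 1 on fail.

# Print the value of KEY ($2) from FILE ($1); last occurrence wins, whitespace
# and CR stripped. Commented-out lines do not match because of the ^ anchor.
conf_get() {
  sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1 | tr -d ' \r'
}

# Compare the file against the article's expected key=value pairs. Values are
# upper-cased before comparison because vsftpd accepts YES/Yes/yes alike.
# A key that is unset counts as a failure: the article sets each one explicitly.
check_vsftpd_conf() {
  status=0
  for pair in anonymous_enable=NO chroot_local_user=YES ssl_enable=YES \
              force_local_logins_ssl=YES force_local_data_ssl=YES \
              allow_anon_ssl=NO ssl_sslv2=NO ssl_sslv3=NO ssl_tlsv1=YES; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(conf_get "$1" "$key" | tr 'a-z' 'A-Z')
    if [ "$got" != "$want" ]; then
      echo "FAIL: $key=${got:-<unset>} (expected $want)"
      status=1
    fi
  done
  return $status
}

# vsftpd refuses logins ("500 OOPS: vsftpd: refusing to run with writable root
# inside chroot()") when local_root is writable; pass only if no write bit is set.
chroot_root_ok() {
  [ -z "$(find "$1" -maxdepth 0 -perm /222)" ]
}

# Self-contained demo on constructed sample configs (no real server needed).
demo() {
  d=$(mktemp -d)
  # Constructed config resembling the article's state before the SSL section.
  printf 'anonymous_enable=NO\nchroot_local_user=YES\nssl_enable=NO\n' > "$d/weak.conf"
  # The article's final SSL-related settings.
  printf '%s\n' anonymous_enable=NO chroot_local_user=YES ssl_enable=YES \
    allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES \
    ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO > "$d/hardened.conf"
  mkdir -m 555 "$d/ftp"   # stands in for /home/ftpuser/ftp after chmod a-w
  echo "weak.conf:";     check_vsftpd_conf "$d/weak.conf" || true
  echo "hardened.conf:"; check_vsftpd_conf "$d/hardened.conf" && echo "OK"
  chroot_root_ok "$d/ftp" && echo "chroot root not writable: OK"
  rm -rf "$d"
}

demo
```

Run it against the real file with `check_vsftpd_conf /etc/vsftpd.conf` and `chroot_root_ok /home/ftpuser/ftp` after the restart above. To confirm that the running server actually negotiates TLS, `openssl s_client -starttls ftp -connect ubuntu:21` shows the certificate and protocol the server offers.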
You could also configure vsftpd to use a Let's Encrypt certificate, but make sure you have a domain to validate. In that case, point the certificate and private key settings in the vsftpd configuration at the paths where the Let's Encrypt certificate and private key are stored:
rsa_cert_file=/ssl/letsencrypt/ftpdomain.com/chain-bundle.pem
rsa_private_key_file=/ssl/letsencrypt/ftpdomain.com/private-key.pem
Connecting to FTP server
There are two methods to connect to the FTP server:
- using the terminal
- using an FTP client with a GUI
Connect using terminal
To connect to the FTP server from the command line, type the following command in the terminal:
ftp ubuntu
where ubuntu is the hostname of the machine where the FTP server is installed. Make sure that the FTP server machine is reachable by its hostname from the machine you are connecting from.
After connecting you will be prompted for the username and password of the FTP user:
Connected to ubuntu.
220 (vsFTPd 3.0.3)
Name (ubuntu:ubuntu): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Type ls to check that the test file created earlier is there:
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 May 21 13:39 files
226 Directory send OK.
Connect using FTP client with GUI
We are going to use FileZilla to connect to our FTP server on Linux. Open the FileZilla client on your machine, enter the FTP server's IP address and the ftpuser credentials, and press the connect button as shown in the screenshot below. You will be prompted to trust the server certificate, after which you will be connected to the FTP server.
After connecting we can see that the test.txt file we created earlier is there.
As this article shows, installing a vsftpd server and connecting to it is easy and can be done in a few steps. The main point is to secure the FTP server through its configuration file: chrooting users to their home directory, disabling anonymous login, setting a local umask, and giving users the appropriate read and write permissions.
This is not SFTP this is FTPS there is a VERY large difference between them.
Thanks Spike. Totally agree. We will make the required changes to make the title more meaningful.