Read in 6 minutes

last updated 

How to Setup FTP Server with VSFTPD on Ubuntu 18.04

FTP (File Transfer Protocol) is a standard network protocol used to transfer files to and from a remote network. For more secure and faster data transfers, use SCP.

There are many open source FTP servers available for Linux. The most popular and widely used are PureFTPd, ProFTPD and vsftpd. In this tutorial we’ll be installing vsftpd. It is a stable, secure and fast FTP server. We will also show you how configure vsftpd to restrict users to their home directory and encrypt the entire transmission with SSL/TLS.

Although this tutorial is written for Ubuntu 18.04 the same instructions apply for Ubuntu 16.04 and any Debian based distribution, including Debian, Linux Mint and Elementary OS.

Prerequisites

Before continuing with this tutorial, make sure you are logged in as a user with sudo privileges.

Installing vsftpd on Ubuntu 18.04

The vsftpd package is available in the Ubuntu repositories. To install it, simply run the following commands:

sudo apt update
sudo apt install vsftpd

vsftpd service will automatically start after the installation process is complete. Verify it by printing the service status:

sudo systemctl status vsftpd

The output will look something like below, showing that the vsftpd service is active and running:

* vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-10-15 03:38:52 PDT; 10min ago
 Main PID: 2616 (vsftpd)
    Tasks: 1 (limit: 2319)
   CGroup: /system.slice/vsftpd.service
           `-2616 /usr/sbin/vsftpd /etc/vsftpd.conf

Configuring vsftpd

The vsftpd server can be configured by editing the /etc/vsftpd.conf file. Most of the settings are documented inside the configuration file. For all available options visit the official vsftpd page.

In the following sections we will go over some important settings needed to configure a secure vsftpd installation.

Start by opening the vsftpd config file:

sudo nano /etc/vsftpd.conf

1. FTP Access

We’ll allow access to the FTP server only the local users, find the anonymous_enable and local_enable directives and verify your configuration match to lines below:

/etc/vsftpd.conf
anonymous_enable=NO
local_enable=YES

2. Enabling uploads

Uncomment the write_enable setting to allow changes to the filesystem such as uploading and deleting files.

/etc/vsftpd.conf
write_enable=YES

3. Chroot Jail

To prevent the FTP users to access any files outside of their home directories uncomment the chroot setting.

/etc/vsftpd.conf
chroot_local_user=YES

By default to prevent a security vulnerability, when chroot is enabled vsftp will refuse to upload files if the directory that users are locked in is writable.

  • Method 1. - The recommended method to allow upload is to keep chroot enabled, and configure FTP directories. In this tutorial we will create an ftp directory inside the user home which will serve as the chroot and a writable uploads directory for uploading files.

    /etc/vsftpd.conf
    user_sub_token=$USER
    local_root=/home/$USER/ftp
  • Method 2. - Another option is to add the following directive in the vsftpd configuration file. Use this option if you must to grant writable access to your user to its home directory.

    /etc/vsftpd.conf
    allow_writeable_chroot=YES

4. Passive FTP Connections

vsftpd can use any port for passive FTP connections. We’ll specify the minimum and maximum range of ports and later open the range in our firewall.

Add the following lines to the configuration file:

/etc/vsftpd.conf
pasv_min_port=30000
pasv_max_port=31000

5. Limiting User Login

To allow only certain users to login to the FTP server add the following lines at the end of the file:

/etc/vsftpd.conf
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO

When this option is enabled you need to explicitly specify which users are able to login by adding the user names to the /etc/vsftpd.user_list file (one user per line).

6. Securing Transmissions with SSL/TLS

In order to encrypt the FTP transmissions with SSL/TLS, you’ll need to have an SSL certificate and configure the FTP server to use it.

You can use an existing SSL certificate signed by a trusted Certificate Authority or create a self signed certificate.

If you have a domain or subdomain pointing to the FTP server’s IP address you can easily generate a free Let’s Encrypt SSL certificate.

In this tutorial we will generate a self signed SSL certificate using the openssl command.

The following command will create a 2048-bit private key and self signed certificate valid for 10 years. Both the private key and the certificate will be saved in a same file:

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Now that the SSL certificate is created open the vsftpd configuration file:

sudo nano /etc/vsftpd.conf

Find the rsa_cert_file and rsa_private_key_file directives, change their values to the pam file path and set the ssl_enable directive to YES:

/etc/vsftpd.conf
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES

If not specified otherwise, the FTP server will use only TLS to make secure connections.

Restart the vsftpd Service

Once you are done editing, the vsftpd configuration file (excluding comments) should look something like this:

/etc/vsftpd.conf
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO

Save the file and restart the vsftpd service for changes to take effect:

sudo systemctl restart vsftpd

Opening the Firewall

If you are running an UFW firewall you’ll need to allow FTP traffic.

To open port 21 (FTP command port), port 20 (FTP data port) and 30000-31000 (Passive ports range), run the following commands:

sudo ufw allow 20:21/tcp
sudo ufw allow 30000:31000/tcp

To avoid being locked out we will aso open the port 22:

sudo ufw allow OpenSSH

Reload the UFW rules by disabling and re-enabling UFW:

sudo ufw disable
sudo ufw enable

To verify the changes run:

sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
20:21/tcp                  ALLOW       Anywhere
30000:31000/tcp            ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
20:21/tcp (v6)             ALLOW       Anywhere (v6)
30000:31000/tcp (v6)       ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)

Creating FTP User

To test our FTP server we will create a new user.

  • If you already have a user which you want to grant FTP access skip the 1st step.
  • If you set allow_writeable_chroot=YES in your configuration file skip the 3rd step.
  1. Create a new user named newftpuser:

    sudo adduser newftpuser
  2. Add the user to the allowed FTP users list:

    echo "newftpuser" | sudo tee -a /etc/vsftpd.user_list
  3. Create the FTP directory tree and set the correct permissions:

    sudo mkdir -p /home/newftpuser/ftp/upload
    sudo chmod 550 /home/newftpuser/ftp
    sudo chmod 750 /home/newftpuser/ftp/upload
    sudo chown -R newftpuser: /home/newftpuser/ftp

    As discussed in the previous section the user will be able to upload its files to the ftp/upload directory.

At this point your FTP server is fully functional and you should be able to connect to your server with any FTP client that can be configured to use TLS encryption such as FileZilla.

Disabling Shell Access

By default, when creating a user, if not explicitly specified the user will have SSH access to the server.

To disable shell access, we will create a new shell which will simply print a message telling the user that their account is limited to FTP access only.

Create the /bin/ftponly shell and make it executable:

echo -e '#!/bin/sh\necho "This account account is limited to FTP access only."' | sudo tee -a  /bin/ftponly
sudo chmod a+x /bin/ftponly

Append the new shell to the list of valid shells in the /etc/shells file

echo "/bin/ftponly" | sudo tee -a /etc/shells

Change the user shell to /bin/ftponly:

sudo usermod newftpuser -s /bin/ftponly

Conclusion

In this tutorial, you learned how to install and configure a secure and fast FTP server on your Ubuntu 18.04 system.