By Sajid Qureshi, Alibaba Cloud Community Blog author.
FTP is a network protocol which is widely used for moving files between client and server. For the most part, it has been replaced by faster, more secure, and more convenient ways of delivering files. However, it is still used for some specific requirements. If you do need FTP, vsftpd is a great option, as it is very secure compared with other FTP servers. In fact, vsftpd is the default for many Linux distributions.
In this guide, you will learn how to configure vsftpd to allow a user to upload files to his home directory using FTP.
- You must have Alibaba Cloud Elastic Compute Service (ECS) activated and a valid payment method verified. If you are a new user, you can get a free account in your Alibaba Cloud account. If you don't know how to set up your ECS instance, you can refer to this quick-start guide. Your ECS instance must have at least 1GB RAM and 1 Core processor.
- A non-root user with sudo privileges
Before installing any new packages on the server, we recommend updating all the available packages. Run the following command to update the system.
sudo apt-get update
Once the system is updated, you can proceed further and install vsftpd using the following command.
sudo apt-get install vsftpd
Next, copy the original configuration file so you can use it as a backup.
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.orig
Next, check the status of your firewall service using the following command. If it is not active, make sure to activate it.
sudo ufw status
You will have to modify the firewall rules and open some ports such as 20, 21, 990, etc.
Execute the following commands, which will do the job for you.
sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow 990/tcp
sudo ufw allow 40000:50000/tcp
Setting Up the User Directory
Once vsftpd is installed and all the required ports are open, you will need to create a new user to test the configuration. Execute the following command to create a new user called david; you can use any user name in place of 'david'.
sudo adduser david
Next, you will be asked to assign a password for the user, so enter a password and press ENTER.
FTP is more secure when a user is restricted to a specific directory. vsftpd accomplishes this with chroot jails. When chroot is enabled for local users, they are limited to their home directory by default, and that directory must not be writable. A new user may not want to write to their directory, but an existing user may want to write to their home folder. For that reason, the steps below create a separate ftp directory to serve as the chroot and a writable files directory inside it.
Next, you will need to create a new folder ftp and change its ownership. Execute the following commands one by one.
sudo mkdir /home/david/ftp
sudo chown nobody:nogroup /home/david/ftp
sudo chmod a-w /home/david/ftp
Next, you will need to create a new directory so that files can be uploaded, and give ownership of it to the user.
sudo mkdir /home/david/ftp/files
sudo chown david:david /home/david/ftp/files
Finally, add a test file, test.txt, to use when we test later.
echo "vsftpd test file" | sudo tee /home/david/ftp/files/test.txt
Your FTP user directory is now prepared with restricted permissions, and you can proceed to the configuration.
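The layout built above can be checked before vsftpd is pointed at it. The following is an added example, not part of the original guide; check_ftp_chroot is a hypothetical helper name, and it assumes GNU find and stat as shipped on Ubuntu.

```sh
#!/bin/sh
# Added example: check the chroot layout this guide builds for an FTP user.
# Uses GNU find/stat, as shipped on Ubuntu.

# check_ftp_chroot ROOT USER: ROOT is the chroot (e.g. /home/david/ftp),
# USER the FTP account (name or numeric uid). Returns 0 when the chroot has
# no write bit set and ROOT/files is owned and writable by USER.
check_ftp_chroot() {
    root=$1; user=$2; rc=0
    if [ ! -d "$root" ]; then
        echo "FAIL $root: not a directory"; return 1
    fi
    # The chroot itself must carry no write bit for owner, group or other.
    if [ -n "$(find "$root" -maxdepth 0 -perm /222)" ]; then
        echo "FAIL $root: mode $(stat -c %a "$root") is writable; run chmod a-w"
        rc=1
    fi
    # The guide hands the chroot to nobody:nogroup; warn if USER owns it.
    if [ -n "$(find "$root" -maxdepth 0 -user "$user" 2>/dev/null)" ]; then
        echo "WARN $root: owned by the FTP user, who could restore write access"
    fi
    # Uploads go to ROOT/files, which USER must own and be able to write.
    if [ -z "$(find "$root/files" -maxdepth 0 -type d -user "$user" -perm -200 2>/dev/null)" ]; then
        echo "FAIL $root/files: missing, not owned by $user, or not owner-writable"
        rc=1
    fi
    return "$rc"
}

# Constructed layout in a temporary directory, checked for the current user.
demo=$(mktemp -d)
mkdir -p "$demo/ftp/files"
chmod a-w "$demo/ftp"
check_ftp_chroot "$demo/ftp" "$(id -u)" && echo "layout OK"
chmod u+w "$demo/ftp"; rm -rf "$demo"
```

On the server from this guide the call would be check_ftp_chroot /home/david/ftp david.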
Configuring FTP Access
You will need to configure some settings to connect with FTP and get access to uploading your files. First of all, open the config file using any text editor.
sudo nano /etc/vsftpd.conf
Make sure your configuration settings match the configuration given below:
#Allow anonymous FTP? (Disabled by default).
#Uncomment this to allow local users to log in.
To allow the user to upload his files, you will need to uncomment the line write_enable like this:
Next, you will need to uncomment the line 'chroot_local_user' to make sure that the user cannot access any files outside of the directory tree.
Next, you will need to add a user_sub_token and a local_root directory path so this configuration will work for this user and any future users that might be added as shown below:
Next, you will need to limit the range of ports that can be used for passive FTP as shown below:
Finally, you’ll have to set up the configuration so that access is given to a user only when they are explicitly added to a list like below:
Save and exit from the text editor.
Finally, we’ll create and add our user to the file using the following command.
echo "david" | sudo tee -a /etc/vsftpd.userlist
Next, you will need to restart the daemon to apply the configuration changes using the following command.
sudo systemctl restart vsftpd
We have successfully installed and configured vsftpd on your server. We disabled anonymous user access, and we can verify this: if we've done it properly, anonymous users should be denied permission. Execute the following command to test it.
ftp -p 203.0.113.0
You should see Permission denied or Login failed as the result. Close the connection by typing bye.
Next, we will try it for our user david, who should be able to read as well as write files.
ftp -p 203.0.113.0
You will be asked to enter your password, and the result should look like this:
Connected to 203.0.113.0.
220 (vsFTPd 3.0.3)
Name (203.0.113.0:default): david
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
Next, we will go to the files directory and then transfer the test file we created earlier using the get command.
ftp> cd files
ftp> get test.txt
If nothing goes wrong then you will see Transfer complete in the final output.
Now, let's try to upload the test file with a different name to check write permissions:
ftp> put test.txt upload.txt
You should see the following result in your terminal.
227 Entering Passive Mode (203,0,113,0,164,71).
150 Ok to send data.
226 Transfer complete.
16 bytes sent in 0.000894 seconds (17897 bytes/s)
Close the connection by typing bye in the console.
FTP does not provide encryption for data in transit, including the user's credentials, so we will need to enable SSL certificates to provide that encryption. You can simply buy SSL certificates from Alibaba Cloud SSL Certificates or you can use openssl to create a new certificate.
Execute the following command to create a new certificate with one year validity.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
You’ll be asked to provide your details such as country, locality, company name, your IP address, and email address.
Next, you will need to edit the vsftpd configuration file again, so open the file using the following command.
sudo nano /etc/vsftpd.conf
At the bottom of the file, you'll find two lines that begin with rsa_; uncomment these lines.
Next, add these two lines below them in the file.
Next, find the ssl_enable line and change its value to yes like below:
Next, add the following content to deny anonymous connection.
Next, add the following lines to configure the server to use TLS.
Finally, add the following lines to make sure that it uses high encryption cipher suites.
Save the file and exit from the text editor.
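The settings described in the access and TLS configuration steps above can be checked in one pass before restarting the daemon. This is an added example, not part of the original guide: the option names are vsftpd's, the expected values (including $USER, /home/$USER/ftp, the 40000-50000 passive range and HIGH) are assumptions reconstructed from the guide's prose, and conf_get and audit_vsftpd_conf are hypothetical helper names.

```sh
#!/bin/sh
# Added example: compare a vsftpd.conf with the settings this guide describes.
# The expected values are assumptions reconstructed from the guide's prose.

# conf_get FILE KEY: print the value of the last uncommented KEY=value line.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# audit_vsftpd_conf FILE: print a FAIL line per mismatch, return 0 if none.
# An option that is missing or commented out counts as a mismatch.
audit_vsftpd_conf() {
    conf=$1
    failures=0
    while read -r key want; do
        got=$(conf_get "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: expected '$want', found '${got:-<unset>}'"
            failures=$((failures + 1))
        fi
    done <<'EOF'
anonymous_enable NO
local_enable YES
write_enable YES
chroot_local_user YES
user_sub_token $USER
local_root /home/$USER/ftp
pasv_min_port 40000
pasv_max_port 50000
userlist_enable YES
userlist_file /etc/vsftpd.userlist
userlist_deny NO
ssl_enable YES
allow_anon_ssl NO
force_local_data_ssl YES
force_local_logins_ssl YES
ssl_sslv2 NO
ssl_sslv3 NO
ssl_ciphers HIGH
EOF
    [ "$failures" -eq 0 ]
}

# Constructed sample: anonymous login on, ssl_enable commented out, rest missing.
sample=$(mktemp)
printf '%s\n' 'anonymous_enable=YES' '#ssl_enable=YES' 'write_enable=YES' > "$sample"
audit_vsftpd_conf "$sample" || echo "$failures setting(s) differ from the guide"
rm -f "$sample"
```

On the server, run audit_vsftpd_conf /etc/vsftpd.conf and resolve every FAIL line before restarting vsftpd.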
Finally, you will need to restart the server to apply changes that we just configured.
sudo systemctl restart vsftpd
vsftpd is now installed and configured to use TLS.
You can test this configuration by connecting with a client that supports TLS, such as FileZilla.
Connect using FileZilla with your username and password (here david) to establish a secure connection; you can now transfer files with SSL/TLS enabled.
In this guide, you learned how to install and configure the vsftpd server on Ubuntu. You also learned to secure the transaction using SSL certificates. We hope now you have enough knowledge to work with vsftpd and you can transfer files using it.