How To Set Up vsftpd for a User’s Directory on Ubuntu 16.04

Image for post
Image for post

By Sajid Qureshi, Alibaba Cloud Community Blog author.

FTP is a network protocol which is widely used for moving files between client and server. For the most part, it has been replaced by faster, more secure, and more convenient ways of delivering files. However, it is still used for some specific requirements. If you do need FTP, vsftpd is a great option, as it is very secure compared with other FTP servers. In fact, vsftpd is the default for many Linux distributions.

In this guide, you will learn how to configure vsftpd to allow a user to upload files to his home directory using FTP.

Prerequisites

  1. You must have Alibaba Cloud Elastic Compute Service (ECS) activated and verified your valid payment method. If you are a new user, you can get a free account in your Alibaba Cloud account. If you don’t know about how to set up your ECS instance, you can refer to this quick-start guide. Your ECS instance must have at least 1GB RAM and 1 Core processor.

Installing vsftpd

Before installing any new packages to the server, we recommend you to update all the available packages. Run the following command to update the system.

sudo apt-get update

Once the system is updated, you can proceed further and install vsftpd using the following command.

sudo apt-get install vsftpd

Next, copy the content of configuration file so you can use it as backup.

sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.orig

Next, you can check the status of your firewall services using the following command. If it’s not active then you will have to make sure that it’s active.

sudo ufw status

You will have to modify the firewall rules and open some ports such as 20,21,990, etc.

Execute the following command and they will do the job for you.

sudo ufw allow 20/tcpsudo ufw allow 21/tcpsudo ufw allow 990/tcpsudo ufw allow 40000:50000/tcp

Setting Up the User Directory

Once the vsftpd is installed and all the required port are opened now. Next, you will need to create a new user to test the configuration. Execute the following command to create a new user called david, you can use any name of the user in place of 'david'.

sudo adduser david

Next, you will be asked to assign a password for the user so enter a password and hit ENTER button.

When a user is restricted to a specific directory, vsftpd is more secure in this scenario. ‘vsftpd’ accomplishes this with chroot jails. When chroot is enabled for local users, they are limited to their home directory by default and the directory does not have writing privileges. A new user may not want to write to their directory, but an existing user may want to write to their home folder.

Next, you will need to create a new folder ftp and change the ownership rules. Execute the following commands one by one and they will do the job for you.

sudo mkdir /home/david/ftpsudo chown nobody:nogroup /home/david/ftpsudo chmod a-w /home/david/ftp

Next, you will need to create a new directory so that files can be uploaded and change the ownership permissions to the user.

sudo mkdir /home/david/ftp/filessudo chown david:david /home/david/ftp/files

Finally, you will need to add a test file test.txt file to use when we test later.

echo "vsftpd test file" | sudo tee /home/david/ftp/files/test.txt

Your FTP user directory is prepared and fully secured now, you can proceed further to the configuration.

Configuring FTP Access

You will need to configure some settings to connect with FTP and get access to uploading your files. First of all, open the config file using any text editor.

sudo nano /etc/vsftpd.conf

Make sure to match your configuration settings with this below-given configuration:

#Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
#Uncomment this to allow local users to log in.
local_enable=YES

To allow the user to upload his files, you will need to uncomment the line write_enable like this:

write_enable=YES

Next, you will need to uncomment the line ‘chroot_local_user’ to make sure that user can not access any files outside of the directory tree.

chroot_local_user=YES

Next, you will need to add a user_sub_token and a local_root directory path so this configuration will work for this user and any future users that might be added as shown below:

user_sub_token=$USER
local_root=/home/$USER/ftp

Next, you will need to limit the range of ports that can be used for passive FTP as shown below:

pasv_min_port=40000
pasv_max_port=50000

Finally, you’ll have to set up the configuration so that access is given to a user only when they are explicitly added to a list like below:

userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

Save and exit from the text editor.

Finally, we’ll create and add our user to the file using the following command.

echo "david" | sudo tee -a /etc/vsftpd.userlist

Next, you will need to restart the daemon to apply the configuration changes using the following command.

sudo systemctl restart vsftpd

Testing

We have successfully installed and configured vsftpd on your server. We disabled the anonymous user access. We can verify this because If we’ve done it properly, anonymous users should be denied permission. Execute the following command and it will do the job for you.

ftp -p 203.0.113.0

You should see Permission denied or Login failed as the result. Close the connection by typing bye.

Next, we will try it for our user david and he should be able to read as well as and write files.

ftp -p 203.0.113.0

You will be asked to enter your password and result should look like this:

Connected to 203.0.113.0.
220 (vsFTPd 3.0.3)
Name (203.0.113.0:default): david
331 Please specify the password.
Password: your_user's_password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Next, we will go to the files directory and then transfer the test file we created earlier using the get command.

ftp> cd filesftp> get test.txt

If nothing goes wrong then you will see Transfer complete in the final output.

Now, let’s try to upload the test file with a different name to check to write permissions:

ftp> put test.txt upload.txt

You should see the following result in your terminal.

227 Entering Passive Mode (203,0,113,0,164,71).
150 Ok to send data.
226 Transfer complete.
16 bytes sent in 0.000894 seconds (17897 bytes/s)

Close the connection by typing bye in the console.

Securing Transactions

FTP does not provide encryption for data, We will need to enable SSL certificates to provide that encryption. You can simply buy SSL certificates from Alibaba Cloud SSL Certificates or you can use openssl to create a new certificate.

Execute the following command to create a new certificate with one year validity.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

You’ll be asked to provide your details such as country, locality, company name, your IP address, and email address.

Next, you will need to edit the ‘vsftpd’ configuration file again so, open the file using the following command.

sudo nano /etc/vsftpd.conf

At the bottom of the file, you’ll find these two lines that begin with rsa_, uncomment these lines.

# rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Next, add these two lines below them in the file.

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

Next, find the ssl_enable line and change it’s value to yes like below:

ssl_enable=YES

Next, add the following content to deny anonymous connection.

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

Next, add the following lines to configure the server to use TLS.

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

Finally, add the following lines to make sure that it use high encryption cipher suites.

require_ssl_reuse=NO
ssl_ciphers=HIGH

Save the file and exit from the text editor.

Finally, you will need to restart the server to apply changes that we just configured.

sudo systemctl restart vsftpd

Your vsftpd is successfully installed and configured now and it is fully secure to use.

You can test this configuration and connect using a client that uses TLS such as FileZilla.

You can connect using FileZila and use your username and password (here david) to establish a secure connection, you can now transfer files with SSL/TLS enabled.

Conclusion

In this guide, you learned how to install and configure the vsftpd server on Ubuntu. You also learned to secure the transaction using SSL certificates. We hope now you have enough knowledge to work with vsftpd and you can transfer files using it.

Original Source

Written by

Follow me to keep abreast with the latest technology news, industry insights, and developer trends.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store