How to Setup FTP Server with VSFTPD

Published: 8 March 2022 - 10 min. read


Nicholas Xuan Nguyen



Ever forget an important document on your home computer while you're working at the office? Or do you simply want to share a file with someone sitting next to you? An FTP server like Very Secure FTP Daemon (VSFTPD) is a straightforward solution.

In this tutorial, you'll learn how to install and configure an FTP server using VSFTPD on your Linux server and lock it down so that only the accounts you choose can transfer files. Keep in mind that plain FTP sends passwords and file contents in cleartext. VSFTPD can wrap sessions in TLS with its ssl_enable directive, which this tutorial does not cover, so treat the result as suitable for a trusted network rather than the open Internet.

Read on and never let your files be captive on your home computer again!

Prerequisites

This tutorial will be a hands-on demonstration. If you’d like to follow along, be sure you have the following.

  • A Linux machine – This tutorial uses Ubuntu 20.04 LTS. Any distribution that ships VSFTPD will work, but the apt and ufw commands shown are specific to Ubuntu and other Debian-based systems.

Installing VSFTPD on Ubuntu

VSFTPD is an FTP server for Unix-like systems but isn't installed by default. Installing VSFTPD on Ubuntu is similar to how you install other packages. Kick off this tutorial by updating your APT package lists before installing VSFTPD.

1. Run the apt update command to refresh APT. This command retrieves package lists from your configured repositories and updates the local package cache.

sudo apt update
Updating APT package manager

2. Next, run the apt install command below to install VSFTPD on your machine. This command will also pull in all of the required dependencies for the FTP service.

sudo apt install vsftpd -y

The VSFTPD package is in the default repositories of Ubuntu and other modern Debian-based distributions, so you can install it without adding any package repository and let APT take care of the rest.

Installing VSFTPD on Ubuntu

3. Finally, run the systemctl command below to verify that the VSFTPD service started and is running.

sudo systemctl status vsftpd 

You will see an output similar to the one below, which shows the vsftpd.service is active (running) and listening to requests.

Verifying the vsftpd.service Status

Opening Ports for FTP Client Connections

Now that VSFTPD is installed, you can configure your firewall. You'll use UFW, the default firewall configuration tool for Ubuntu, to add rules that open the ports FTP clients need to reach the server.

1. Run the ufw status command to see which firewall rules are currently active.

sudo ufw status

Below, you can see that the firewall is active but doesn’t have any rules to allow any connections by default.

Checking firewall rules

2. Next, run the ufw allow command below to open ports 20, 21, and 990. Port 21 carries the FTP control connection and is the one every client needs. Port 20 is the source port VSFTPD connects out from for active-mode data transfers, and port 990 is used only for implicit FTPS (TLS enabled with implicit_ssl=YES); neither is needed for the passive, plain-FTP setup built in this tutorial, so you can open port 21 alone if you prefer to keep the rule set minimal.

sudo ufw allow 20,21,990/tcp
Adding a Firewall Rule to Open Ports 20, 21, and 990

3. Run the ufw command below to open the 40000:50000 port range.

In passive mode the client opens the data connection to a server port that VSFTPD picks from a range you configure (pasv_min_port and pasv_max_port). This tutorial uses 40000 to 50000; whatever range you choose, the firewall rule and the vsftpd.conf settings must match.

sudo ufw allow 40000:50000/tcp
Adding a Firewall Rule to Open 40000:50000 Port Range

4. Finally, run the ufw status verbose command below to verify that your firewall rules are active and check for errors.

sudo ufw status verbose
Checking Active Firewall Rules

Configuring the VSFTPD Server

You have successfully allowed traffic through the firewall, but you must configure your VSFTPD server before using it.

The /etc/vsftpd.conf file is the main configuration file for VSFTPD. VSFTPD also accepts the path of an alternative configuration file as its command-line argument and can load per-user overrides from a directory named by the user_config_dir directive, but this tutorial uses the main file only.

Throughout editing the /etc/vsftpd.conf file, uncomment each directive to enable them by removing the # symbol in front of them.

1. Run the sudo cp command below to back up the original configuration file to /etc/vsftpd.conf.bak.

You should always back up any critical config file before you go mucking around.

sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.bak

2. Next, open the /etc/vsftpd.conf file in your favorite text editor. This demo uses nano to edit the configuration file.

sudo nano /etc/vsftpd.conf

3. Look for and change the anonymous_enable directive value to NO. Anonymous access is meant for public file sharing; you don't want it on a server that holds your own files.

Set the local_enable directive value to YES to allow people with accounts on your server to transfer files via FTP. With this configuration, only users with a local account can log into your FTP server.

Restricting Access to your FTP Server to Authorized Users Only

4. Now, change the write_enable directive to YES so that your users can upload and save files to your FTP server. This directive controls every write operation (uploads, deletes, renames, mkdir); leave it at NO for a download-only server.

Allowing Users to Upload and Save Files to FTP Server

5. Change the chroot_local_user directive to YES. With this directive, VSFTPD confines (chroots) each local user to their home directory after login, so the user sees only that directory tree. You will create a dedicated, unprivileged user for FTP later.

If this directive isn't enabled, an FTP user can browse every directory on the server that their Unix permissions allow, including /etc and other users' home directories. That is far more exposure than a file-sharing account needs.

With this configuration, your user can only access the folders below the chroot root (the user's home directory in most cases).

Confining FTP Users to Their Home Directory

But when chroot_local_user is set to YES, VSFTPD refuses to log in a user whose chroot root (here, the home directory) is writable, and the client sees 500 OOPS: vsftpd: refusing to run with writable root inside chroot(). A writable chroot root is a known weak point, since a user who can write there can stage files that undermine the chroot, so VSFTPD treats it as unsafe by default.

The quickest fix, used in this tutorial, is to add the directive below to vsftpd.conf so that write_enable works inside the chroot regardless. The safer alternative is to keep the chroot root read-only and give the user a writable subdirectory, which is the layout you will create under /home/ata/ftp later, and to point the local_root directive at that read-only directory.

allow_writeable_chroot=YES
Allowing Writing Access

6. Next, add the directives below to your vsftpd.conf file to set the port range for passive FTP connections (passive mode itself is enabled by default through pasv_enable=YES).

VSFTPD can use any port above 1024 not occupied by another service for passive data connections. This demo uses the port range you opened in the "Opening Ports for FTP Client Connections" section (step three), so the values must match that firewall rule.

pasv_min_port=40000
pasv_max_port=50000
Enabling Passive FTP

7. Add the following lines at the bottom of the vsftpd.conf file to allow only explicitly listed users to log in to the FTP server.

userlist_enable=YES
# Users are checked against this file before the password prompt.
userlist_file=/etc/vsftpd.userlist
# userlist_deny=NO  - the file is an allow list: only listed users may log in.
# userlist_deny=YES - the file is a deny list: listed users are refused.
userlist_deny=NO
Allowing only Authorized Users to Log in to the FTP Server

8. Finally, save and close the vsftpd.conf file, and run the below command to restart your vsftpd server to apply the changes.

sudo systemctl restart vsftpd
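The configuration steps above and the firewall rule from the "Opening Ports for FTP Client Connections" section, as an added example that is not part of the original page or of VSFTPD: a small POSIX shell script that sets the directives idempotently (replacing commented-out defaults rather than appending duplicates), audits the result, and derives the ufw passive-range rule from whatever pasv_min_port and pasv_max_port the file contains, so the two can never disagree. The configuration file path is an assumption passed on the command line.

```sh
#!/bin/sh
# Idempotent vsftpd.conf editing plus a consistency check between the
# passive port range and the ufw rule. Added example for this tutorial,
# not vsftpd code; the file path is supplied by the caller.

# set_directive FILE KEY VALUE
# Replaces an existing (possibly commented-out) KEY= line, or appends one.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -q "^#\{0,1\}[[:space:]]*$key=" "$file"; then
        # sed -i differs between GNU and BSD; a temp file is portable
        sed "s|^#\{0,1\}[[:space:]]*$key=.*|$key=$value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_directive FILE KEY -> prints the value of the last active KEY= line
get_directive() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# pasv_ufw_rule FILE -> prints "MIN:MAX/tcp", the argument for `ufw allow`
pasv_ufw_rule() {
    min=$(get_directive "$1" pasv_min_port)
    max=$(get_directive "$1" pasv_max_port)
    [ -n "$min" ] && [ -n "$max" ] && [ "$min" -le "$max" ] || return 1
    printf '%s:%s/tcp\n' "$min" "$max"
}

# harden FILE: apply every setting from this tutorial's configuration section
harden() {
    set_directive "$1" anonymous_enable NO
    set_directive "$1" local_enable YES
    set_directive "$1" write_enable YES
    set_directive "$1" chroot_local_user YES
    set_directive "$1" allow_writeable_chroot YES
    set_directive "$1" pasv_min_port 40000
    set_directive "$1" pasv_max_port 50000
    set_directive "$1" userlist_enable YES
    set_directive "$1" userlist_file /etc/vsftpd.userlist
    set_directive "$1" userlist_deny NO
}

# audit FILE: fail if any access-control setting is missing or changed
audit() {
    rc=0
    for kv in anonymous_enable=NO local_enable=YES chroot_local_user=YES \
              userlist_enable=YES userlist_deny=NO; do
        grep -qx "$kv" "$1" || { echo "missing: $kv" >&2; rc=1; }
    done
    return $rc
}

if [ $# -eq 1 ]; then
    # usage (as root): sh vsftpd-conf.sh /etc/vsftpd.conf
    cp "$1" "$1.bak" && harden "$1" && audit "$1" \
        && echo "now run: sudo ufw allow $(pasv_ufw_rule "$1")"
fi
```

Run it once against a copy of the file first; the audit only checks the access-control directives, so anything else you changed by hand (listen address, banner, logging) is left alone.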

Creating a Dedicated User to Use the FTP Service

You've now configured your VSFTPD server, but you'll need a dedicated, unprivileged user for the FTP service rather than your own or an administrative account. You'll also create an ftp directory with an upload subdirectory inside that user's home, which is where the user lands after the chroot.

1. Run the adduser command below to create a new user. You can choose any username you prefer, but this demo creates a user called ata. The username must not already exist on the server.

sudo adduser ata

Provide a secure password and take note of it. You’ll use this password to connect to your FTP server.

You must also provide some details for the new user or keep the default details by pressing ENTER. Type Y and press ENTER to confirm the user information.

Creating a new user named ata

2. Next, run the below command to add the ata user to the vsftpd.userlist file.

As you recall, this file lists the users allowed to log in via FTP when the userlist_deny directive is set to NO. At this point, only the ata user can log in to your FTP server; every other user, anonymous included, is refused before a password is even asked for.

echo "ata" | sudo tee -a /etc/vsftpd.userlist
Adding the ata user to the vsftpd.userlist file

3. Run the following commands to create the /home/ata/ftp directory tree and set its ownership and permissions.

The /home/ata/ftp directory is owned by nobody and writable by no one, so the FTP user cannot modify it; uploads go into the /home/ata/ftp/upload subdirectory, which the next step hands over to the user.

# Create the ftp directory and its upload subdirectory.
sudo mkdir -p /home/ata/ftp/upload
# Make nobody the owner of the ftp directory.
sudo chown nobody:nogroup /home/ata/ftp
# Remove write access to the ftp directory for everyone.
sudo chmod a-w /home/ata/ftp

4. Now, run the chown command below to make your FTP user (ata) the owner and group of the /home/ata/ftp/upload directory. The directory keeps its default mode, so the owner can write to it and everyone else can only read it.

sudo chown ata:ata /home/ata/ftp/upload

5. Execute the echo command below to create a basic test file named ata.txt.

The below command creates a new file named ata.txt in your FTP directory and includes some text (vsftpd test file) in the text file.

echo "vsftpd test file" | sudo tee /home/ata/ftp/upload/ata.txt

At this point, you've fully configured your FTP server, and your users can connect to it.

Creating a basic test file named ata.txt
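The directory layout from steps 3 and 4 above, together with the writable-chroot rule from the configuration section, as an added example that is not part of the original page or of VSFTPD: a POSIX shell script that builds the ftp/upload tree for a home directory and reports whether a given directory would be accepted as a chroot root (VSFTPD refuses a writable one unless allow_writeable_chroot=YES). The home path and username are assumptions passed on the command line; the chown steps only run as root for a user that exists, so the functions can be tried on a scratch directory first.

```sh
#!/bin/sh
# Build the FTP directory tree for a local user and check the property
# vsftpd enforces at login: a chroot root must not be writable.
# Added example for this tutorial, not vsftpd code.

# dir_writable DIR: succeeds when any write bit (user, group or other) is set.
# Uses ls rather than stat so it behaves the same on GNU and BSD userlands.
dir_writable() {
    mode=$(ls -ld "$1" | cut -c2-10)
    case $mode in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# setup_ftp_tree HOME USER: HOME/ftp is owned by nobody and read-only,
# HOME/ftp/upload is owned by USER and keeps its default (writable) mode.
setup_ftp_tree() {
    home=$1; user=$2
    mkdir -p "$home/ftp/upload"
    chmod a-w "$home/ftp"
    if [ "$(id -u)" = 0 ] && id "$user" >/dev/null 2>&1; then
        chown nobody:nogroup "$home/ftp"
        chown "$user:$user" "$home/ftp/upload"
    fi
}

# chroot_check ROOT: succeeds for a read-only root, fails for a writable one
# and says what vsftpd will do about it.
chroot_check() {
    if dir_writable "$1"; then
        echo "$1 is writable: vsftpd refuses login unless allow_writeable_chroot=YES"
        return 1
    fi
    echo "$1 is read-only: safe as a chroot root"
}

if [ $# -eq 2 ]; then
    # usage (as root): sh ftp-tree.sh /home/ata ata
    setup_ftp_tree "$1" "$2"
    chroot_check "$1"        # the home directory is the chroot root in this tutorial
    chroot_check "$1/ftp"    # what you would point local_root at instead
fi
```

On a home directory created by adduser the first check fails, which is exactly why the configuration section needed allow_writeable_chroot=YES; the second check passes, which is what makes /home/ata/ftp the better chroot root if you later switch to local_root.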

Connecting to the FTP Server

After configuring a dedicated FTP user, it's finally time to connect to your FTP server. First, though, try connecting as the anonymous user to confirm that the server refuses it.

1. Run the ftp -p command below to connect to your FTP server. The -p flag selects passive mode, which uses the port range you opened earlier. Replace your-server-ip with your actual server IP address.

ftp -p your-server-ip

Try to log in with the username anonymous, and the server replies with a 530 Permission denied error before asking for a password, because anonymous is not in /etc/vsftpd.userlist. This confirms that only the users you list can get past the login check.

Logging in as an anonymous user

2. Execute the bye command to exit the FTP client.

bye
exiting the FTP client

3. Rerun the ftp command below as you did in step one. But this time, log in as your dedicated FTP user (ata).

ftp -p your-server-ip

You will get a 230 Login successful message as shown below, which confirms that your FTP server works as intended.

Connecting to FTP Server using the Dedicated User (ata) for FTP connection

4. Now, run each command below to confirm the ata.txt file exists in the ftp/upload directory.

The ata.txt file is what you created earlier in the “Creating a Dedicated User to Use the FTP Service” section (step five).

# Change to the ftp/upload directory as the working directory.
cd ftp/upload
# List all files in the working directory.
ls
Listing file in the ftp/upload directory

5. Run the get command below to download the file (ata.txt) from your FTP server and save it to your local machine.

get ata.txt

Below, you can see a confirmation message that says Transfer complete.

Downloading the ata.txt file from the FTP server to a local machine

6. Next, run the put command below to upload the ata.txt file from your local machine as a new file named ata2.txt to your FTP server.

put ata.txt ata2.txt
Uploading the ata.txt file as ata2.txt from Local Machine to FTP server

7. Finally, rerun the ls command to list all files in the current directory and verify that ata2.txt has been uploaded successfully by your user.

ls

If the previous file transfers (steps five and six) succeeded, you'll see two text files: one named ata.txt and another named ata2.txt, as shown below.

Listing the files in the FTP server
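The checks in this section (anonymous login refused, then list, upload and download as the dedicated user), as an added example that is not part of the original page: a POSIX shell script that runs them unattended with curl instead of the interactive ftp client and judges each step by the FTP reply code. The server address, username and password are assumptions supplied on the command line; ftp/upload and ata2.txt are the names used in this tutorial.

```sh
#!/bin/sh
# Client-side smoke test for the server built in this tutorial.
# Added example, not part of the original page; uses curl in passive mode.

# reply_class CODE: meaning of an FTP reply code by its first digit (RFC 959)
reply_class() {
    case $1 in
        1[0-9][0-9]) echo preliminary ;;
        2[0-9][0-9]) echo success ;;
        3[0-9][0-9]) echo intermediate ;;
        4[0-9][0-9]) echo transient-failure ;;
        5[0-9][0-9]) echo permanent-failure ;;
        *)           echo unknown; return 1 ;;
    esac
}

# expect_reply CLASS CODE LABEL: fail loudly when CODE is not of CLASS
expect_reply() {
    [ "$(reply_class "$2")" = "$1" ] && return 0
    echo "FAIL: $3 (server replied $2, wanted $1)" >&2
    return 1
}

# ftp_code URL CREDENTIALS [curl options...]: run one transfer and print the
# last FTP reply code. curl's own exit status is ignored on purpose: a refused
# login is exactly what the anonymous probe expects.
ftp_code() {
    url=$1; creds=$2; shift 2
    curl -s --ftp-pasv --connect-timeout 5 -u "$creds" -o /dev/null \
         -w '%{response_code}' "$@" "$url" || true
}

# smoke_test HOST USER PASS: the four checks from this section, in order
smoke_test() {
    host=$1; user=$2; pass=$3
    scratch=$(mktemp)
    printf 'vsftpd test file\n' > "$scratch"
    expect_reply permanent-failure "$(ftp_code "ftp://$host/" 'anonymous:anonymous@')" \
        "anonymous login refused" || return 1
    expect_reply success "$(ftp_code "ftp://$host/ftp/upload/" "$user:$pass")" \
        "directory listing" || return 1
    expect_reply success "$(ftp_code "ftp://$host/ftp/upload/ata2.txt" "$user:$pass" -T "$scratch")" \
        "upload" || return 1
    expect_reply success "$(ftp_code "ftp://$host/ftp/upload/ata2.txt" "$user:$pass")" \
        "download" || return 1
    rm -f "$scratch"
    echo "all checks passed against $host"
}

if [ $# -eq 3 ]; then
    # usage: sh ftp-smoke.sh your-server-ip ata 'password'
    smoke_test "$@"
fi
```

A password on the command line is visible to every other user on the client machine through the process list; on a shared host, put it in ~/.netrc and replace -u with curl's -n option. Remember too that these transfers, like the ftp client session above, are in cleartext unless you enable TLS on the server.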

Disabling Shell Access

The ata account was created with adduser, so it is an ordinary system account with a login shell. Besides uploading and downloading files over FTP, whoever holds its password can also log in over SSH and run commands on your server.

An FTP-only account should have shell access disabled permanently. VSFTPD itself does not need a working shell for the user, but its PAM configuration on Ubuntu (pam_shells) only accepts users whose shell is listed in /etc/shells. That is why the steps below register a restricted shell there instead of simply assigning one that is not listed, which would lock the user out of FTP as well.

1. Open another terminal on your server, and run the below command to SSH into the FTP server using the dedicated FTP user (ata).

ssh ata@ftp-server-ip

As shown below, you can successfully log in using the ata username with the password you created earlier in the “Creating a Dedicated User to Use the FTP Service” section.

This shows that whoever holds the ata password gets a full shell on the server, not just file transfer, so a compromised FTP account becomes a foothold for further attacks. That is far more than an anonymous, download-only account would give away.

Logging the ata user in to the FTP server

2. Next, run the command below to create a shell script named ftponly in the /bin directory of your FTP server. Whenever it runs as a login shell it prints a warning that says This account is limited to FTP access only and exits, so an interactive session ends immediately. It has no effect on FTP logins.

printf '#!/bin/sh\necho "This account is limited to FTP access only."\n' | sudo tee /bin/ftponly
Creating the /bin/ftponly Script

3. Run the below chmod command to set the correct permissions on this new shell script (/bin/ftponly). This command makes the script executable and allows your FTP user (ata) to run it.

sudo chmod a+x /bin/ftponly

4. Now, execute the command below to add the path of the new shell script (/bin/ftponly) to your /etc/shells file. VSFTPD's PAM stack (pam_shells) only lets users log in whose shell is listed in /etc/shells, so without this entry the ata user would be locked out of FTP as well as SSH.

echo "/bin/ftponly" | sudo tee -a /etc/shells
Adding the ftponly Script's Path to the /etc/shells File

5. Run the usermod command below to change the current shell of your FTP user (ata) to the /bin/ftponly shell.

sudo usermod -s /bin/ftponly ata

6. Finally, run the below command to SSH to your FTP server using your FTP user (ata).

ssh ata@ftp-server-ip

As shown below, your dedicated FTP user cannot SSH to your FTP server. This behavior is expected since the /bin/ftponly shell script prints a warning message and closes the SSH connection (closed).

Testing SSH Connection to the FTP Server
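The steps of this section, as an added example that is not part of the original page or of VSFTPD: a POSIX shell script that installs the restricted shell, registers it in /etc/shells, and then verifies against the system files that the user's shell is the restricted one and that it is listed, which is the condition pam_shells checks for FTP logins. The file paths are parameters so the check can be run against copies; /bin/ftponly and the username are the values used in this tutorial.

```sh
#!/bin/sh
# Give a user a shell that refuses interactive logins but still satisfies
# pam_shells, then verify the result. Added example for this tutorial.

# user_shell USER PASSWD_FILE -> prints USER's login shell from a passwd(5) file
user_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

# install_ftponly SHELL SHELLS_FILE: create the restricted shell (prints the
# warning and exits non-zero) and list it in SHELLS_FILE exactly once.
install_ftponly() {
    printf '#!/bin/sh\necho "This account is limited to FTP access only."\nexit 1\n' > "$1"
    chmod 755 "$1"
    grep -qx "$1" "$2" 2>/dev/null || echo "$1" >> "$2"
}

# ftp_only_ok USER PASSWD_FILE SHELLS_FILE SHELL: succeeds only when USER's
# shell is SHELL and SHELL is listed in SHELLS_FILE (what pam_shells checks).
ftp_only_ok() {
    s=$(user_shell "$1" "$2")
    [ "$s" = "$4" ] || { echo "$1 has shell '$s', expected $4" >&2; return 1; }
    grep -qx "$4" "$3" || { echo "$4 not in $3: FTP login would fail pam_shells" >&2; return 1; }
}

if [ $# -eq 1 ]; then
    # usage (as root): sh ftponly.sh ata
    install_ftponly /bin/ftponly /etc/shells
    usermod -s /bin/ftponly "$1"
    ftp_only_ok "$1" /etc/passwd /etc/shells /bin/ftponly && echo "$1 is FTP-only"
fi
```

The exit 1 in the generated shell is deliberate: sshd closes the session either way, but a non-zero status also makes the refusal visible to anything scripting around the account. Run ftp_only_ok again after any change to /etc/shells, since removing the entry silently breaks the user's FTP login.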

Conclusion

In this tutorial, you have learned how to install and configure an FTP server in Ubuntu Linux using VSFTPD. You have also learned how to configure an FTP user with limited access and restrict the FTP user shell access.

At this point, you should have a functional FTP server with restricted access.

With this newfound knowledge, you can now configure your FTP server on AWS EC2, or you can start setting up an FTP Server on your Raspberry Pi. Which one would you choose to start working on?
