How to set up an FTP server on Ubuntu 18.04 with VSFTPD

August 27, 2019

The aim is to set up an FTP server with the VSFTPD daemon on Ubuntu 18.04 Bionic Beaver.

Operating System and Application Versions

Operating System: Ubuntu 18.04 Bionic Beaver

Software: vsftpd version 3.0.3 or higher

Requirements

Privileged root or sudo access to your Ubuntu system is required.

Instructions

VSFTPD installation

The first step is to install the VSFTPD daemon.

Open up a terminal and enter:

$ sudo apt-get install vsftpd

Configure VSFTPD server

Before we do anything, let’s make a backup of the current VSFTPD server configuration file:

$ sudo mv /etc/vsftpd.conf /etc/vsftpd.conf_orig

Create a new VSFTPD configuration file /etc/vsftpd.conf using your favorite text editor, e.g.:

$ sudo nano /etc/vsftpd.conf

I suggest you start with the basic FTP server configuration below, confirm that it works and then fine-tune it to your specific environment needs:

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=10100
allow_writeable_chroot=YES

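Place the lines above in the /etc/vsftpd.conf file.

If the UFW firewall is enabled, execute the command below to allow incoming traffic to the FTP ports. The port range must match the passive range set by pasv_min_port and pasv_max_port in the configuration above:

$ sudo ufw allow from any to any port 20,21,10000:10100 proto tcp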

Check the following page for more options on how to allow incoming FTP traffic via UFW firewall.

Everything is now in place. Restart the VSFTPD server to apply the new configuration:

$ sudo service vsftpd restart

FTP user creation

At this stage we are ready to create an FTP user. The following lines will create a new system account ftpuser:

$ sudo useradd -m ftpuser
$ sudo passwd ftpuser
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Create some arbitrary file in the home directory of ftpuser for testing purposes. Once we have logged in, we should be able to see and edit this file:

$ sudo bash -c "echo FTP TESTING > /home/ftpuser/FTP-TEST"

The configuration of your FTP server is done. If you want to use FTP outside your local network, it is recommended that you configure an SFTP server to add additional protection to your FTP connections.

Connect to FTP server

The user ftpuser should now be ready to connect to our new FTP server and log in. Since the host name ubuntu-ftp can be used to address your new FTP server, you can use the ftp command to log in:

$ ftp ubuntu-ftp
Connected to ubuntu-ftp.
220 (vsFTPd 3.0.3)
Name (ubuntu-ftp:lubos): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 12 Feb 15 08:34 FTP-TEST
-rw-r--r-- 1 1001 1001 8980 Apr 20 2016 examples.desktop
226 Directory send OK.

Since FTP does not encrypt any data in transit, including user credentials, we will enable TLS/SSL to provide that encryption. The first step is to create the SSL certificates for vsftpd.

Let’s use openssl to create a new certificate and make it valid for one year using the -days flag. In the same command, we add a private 2048-bit RSA key. By setting the -keyout and -out flags to the same value, the private key and the certificate will be located in the same file:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

You will be prompted to provide address information for your certificate. Substitute your own information for the values shown below:

Output
Generating a 2048 bit RSA private key
............................................................................+++
...........+++
writing new private key to '/etc/ssl/private/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NY
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DigitalOcean
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: your_server_ip
Email Address []:

Once you’ve created the certificates, open the vsftpd configuration file again:

sudo nano /etc/vsftpd.conf

Toward the bottom of the file, you will see two lines that begin with rsa_. Comment them out so they look like this:

/etc/vsftpd.conf
. . .
# rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

. . .

Below them, add the following lines that point to the certificate and private key we just created:

/etc/vsftpd.conf
. . .
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
. . .

After that, we will force the use of SSL, which will prevent clients that can’t deal with TLS from connecting. This is necessary to ensure that all traffic is encrypted, but it may force your FTP user to change clients. Change ssl_enable to YES:

/etc/vsftpd.conf
. . .
ssl_enable=YES
. . .

After that, add the following lines to explicitly deny anonymous connections over SSL and to require SSL for both data transfer and logins:

/etc/vsftpd.conf
. . .
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
. . .

After this, configure the server to use TLS, the preferred successor to SSL, by adding the following lines:

/etc/vsftpd.conf
. . .
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
. . .

Finally, we will add two more options. First, we will not require SSL reuse because it can break many FTP clients. Second, we will require “high” encryption cipher suites, which currently means key lengths equal to or greater than 128 bits:

/etc/vsftpd.conf
. . .
require_ssl_reuse=NO
ssl_ciphers=HIGH
. . .

The finished file section should look like this:

/etc/vsftpd.conf
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
#rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

When you’re done, save and close the file.

Restart the server for the changes to take effect:


sudo systemctl restart vsftpd
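
The TLS settings configured above can be checked mechanically before relying on the server. The following shell script is an added example, not part of the original tutorial; the function names conf_get and audit_vsftpd_conf and both sample files are constructed for illustration, and the audit deliberately treats an unset option as a finding.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit a vsftpd.conf for the
# TLS settings configured above. Function names and sample files are constructed.

# Effective value of option $2 in file $1: comment lines are skipped and the
# last assignment wins. Prints an empty line if the option is unset.
conf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
        END { print v }' "$1"
}

# Compare each required option with its expected value, print one line per
# finding and return the number of findings (0 = compliant). An unset option
# counts as a finding so that the file itself documents the policy.
audit_vsftpd_conf() {
    findings=0
    for want in ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES \
                force_local_logins_ssl=YES ssl_sslv2=NO ssl_sslv3=NO \
                anonymous_enable=NO; do
        key=${want%%=*}
        exp=${want#*=}
        got=$(conf_get "$1" "$key" | tr '[:lower:]' '[:upper:]')
        if [ "$got" != "$exp" ]; then
            echo "FINDING: $key is '${got:-unset}', expected $exp"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample 1: the relevant lines of the basic config (TLS disabled).
basic=$(mktemp)
printf '%s\n' 'anonymous_enable=NO' 'ssl_enable=NO' > "$basic"

# Constructed sample 2: the finished TLS section shown above.
hardened=$(mktemp)
printf '%s\n' 'anonymous_enable=NO' \
    '#rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem' \
    'rsa_cert_file=/etc/ssl/private/vsftpd.pem' \
    'ssl_enable=YES' 'allow_anon_ssl=NO' 'force_local_data_ssl=YES' \
    'force_local_logins_ssl=YES' 'ssl_tlsv1=YES' 'ssl_sslv2=NO' \
    'ssl_sslv3=NO' 'require_ssl_reuse=NO' 'ssl_ciphers=HIGH' > "$hardened"

audit_vsftpd_conf "$basic" || echo "basic config: $? finding(s)"
audit_vsftpd_conf "$hardened" && echo "hardened config: compliant"
```

To audit the live file, call audit_vsftpd_conf /etc/vsftpd.conf before restarting the service.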

Ashok Kuikel

Ashok Kuikel is DevOps Engineer(Cloud Computing and Cyber Security), Entrepreneur working on Socio-Economic Development via Technology
