How to install and configure FTP with VSFTPD on Ubuntu 18.04
FTP (File Transfer Protocol) is a standard network protocol used to transfer files to and from remote networks. For safer and faster data transfer, use SCP or SFTP.
There are many free and open source FTP servers available for Linux. The most popular and widely used are PureFTPd, ProFTPD, and vsftpd. In this tutorial, I will install vsftpd (Very Secure FTP Daemon). It is a stable, secure and fast FTP server. I will also show you how to configure the vsftpd FTP server to restrict users to their home directories and encrypt all transmissions with SSL/TLS.
Although this tutorial is written for Ubuntu 18.04, the same instructions apply to Ubuntu 16.04 and to any Debian-based Linux distribution, including Debian, Linux Mint and Elementary OS.
Before continuing with this tutorial on how to install and configure an FTP server on Ubuntu 18.04, make sure you are logged in as a user with sudo privileges. See: How to Create a Sudo User and a Sudo Group on Ubuntu.
How to install FTP vsftpd on Ubuntu 18.04
The vsftpd package is available in the Ubuntu repositories. To install it, run the following commands:
$ sudo apt update
$ sudo apt install vsftpd
The vsftpd service will automatically start after the installation process is complete. Verify by printing the service status with the following command:
$ sudo systemctl status vsftpd
The output will look something like below, showing that the vsftpd service is up and running:
Output
* vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-10-15 03:38:52 PDT; 10min ago
 Main PID: 2616 (vsftpd)
    Tasks: 1 (limit: 2319)
   CGroup: /system.slice/vsftpd.service
           `-2616 /usr/sbin/vsftpd /etc/vsftpd.conf
How to configure vsftpd
The vsftpd server is configured by editing the /etc/vsftpd.conf file. Most of the settings are well documented in the configuration file. For all available options, see the official vsftpd page.
In the following sections, we will cover some important settings required to configure a secure vsftpd installation.
Start by opening the vsftpd configuration file:
$ sudo nano /etc/vsftpd.conf
1. FTP access
I will allow only local users to access the FTP server. Find the local_enable directive and verify that your configuration contains the line local_enable=YES.
2. Enable Upload
Uncomment the write_enable setting (write_enable=YES) to allow changes to the file system, such as uploading and deleting files.
3. Chroot Jail
To prevent FTP users from accessing files outside of their home directories, uncomment the chroot_local_user setting so that it reads chroot_local_user=YES.
By default, to prevent security vulnerabilities, when chroot is enabled vsftpd will refuse to upload files if the directory the users are locked in is writable.
Use one of the methods below to allow uploads when chroot is enabled.
Method 1: The recommended method of allowing uploads is to keep chroot enabled and configure the FTP directories. In this tutorial, we will create a directory ftp inside the user’s home, which will serve as the chroot, and a writable directory uploads for uploading files. The corresponding directives are user_sub_token=$USER and local_root=/home/$USER/ftp.
Method 2: Another option is to add the directive allow_writeable_chroot=YES to the vsftpd configuration file. Use this option if you need to give your users writable access to their home directories.
4. Passive FTP Connection
vsftpd can use any port for passive FTP connections. I will define the minimum and maximum ports of the range and then open that range in my firewall.
Add the pasv_min_port and pasv_max_port directives to the configuration file; this tutorial uses pasv_min_port=30000 and pasv_max_port=31000.
5. Limiting User Login
To allow only certain users to log in to the FTP server, add the following lines at the end of the file:
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
When this option is enabled, you must explicitly specify which users can log in by adding their usernames to the /etc/vsftpd.user_list file (one user per line).
6. Securing Transmissions with SSL / TLS
To encrypt FTP transmissions with SSL / TLS, you must have an SSL certificate and configure your FTP server to use it.
You can use an existing SSL certificate that is signed by a trusted Certificate Authority or create a self-signed certificate.
If you have a domain or subdomain pointing to the IP address of the FTP server, you can easily generate a Let’s Encrypt SSL certificate.
I’ll generate a self-signed SSL certificate using the openssl command.
The following command will generate a 2048-bit private key and a self-signed certificate valid for 10 years. The private key and certificate will be saved in the same file:
$ sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
After the SSL certificate has been generated, open the vsftpd configuration file:
$ sudo nano /etc/vsftpd.conf
Find the rsa_cert_file and rsa_private_key_file directives, change their values to the path of the pem file, and set the ssl_enable directive to YES:
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
Unless otherwise specified, the FTP server will only use TLS to establish secure connections.
Restart the vsftpd service
When finished editing, the vsftpd configuration file (excluding comments) should look like this:
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
Save the file and restart the vsftpd service for the changes to take effect:
$ sudo systemctl restart vsftpd
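The directives set in the steps above can be checked mechanically before each restart. The following script is an added example, not part of the original tutorial or of vsftpd; the function names and the sample file are made up for illustration, and it assumes that the last assignment of a repeated directive takes effect.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf against the directives used in this tutorial.

# Value of the last uncommented "key=value" line for key $2 in file $1.
# Assumption: when a directive is repeated, the last assignment takes effect.
conf_get() {
    sed -n "s/^$2=//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print a finding and return 1 unless directive $2 in file $1 equals $3.
expect() {
    actual=$(conf_get "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    echo "FAIL $2: want $3, found ${actual:-unset}"
    return 1
}

# Print findings for file $1; the return status is the number of FAIL lines.
audit_vsftpd() {
    conf=$1; fails=0
    for want in anonymous_enable=NO local_enable=YES chroot_local_user=YES \
                ssl_enable=YES userlist_enable=YES userlist_deny=NO; do
        expect "$conf" "${want%%=*}" "${want#*=}" || fails=$((fails + 1))
    done
    # Method 2 gives up the read-only jail root, so report it without failing.
    if [ "$(conf_get "$conf" allow_writeable_chroot)" = YES ]; then
        echo "WARN allow_writeable_chroot=YES: chroot root may be writable"
    fi
    # Both passive ports must be numeric and ordered, or the firewall range is a guess.
    min=$(conf_get "$conf" pasv_min_port); max=$(conf_get "$conf" pasv_max_port)
    case "$min:$max" in
        :*|*:|*[!0-9:]*) range=bad ;;
        *) if [ "$min" -le "$max" ]; then range=ok; else range=bad; fi ;;
    esac
    if [ "$range" = bad ]; then
        echo "FAIL passive range: min=${min:-unset} max=${max:-unset}"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample (not a real server's file): anonymous login on, no TLS,
# user list used as a deny list, passive range incomplete.
sample=$(mktemp)
printf '%s\n' anonymous_enable=YES local_enable=YES chroot_local_user=YES \
    allow_writeable_chroot=YES userlist_enable=YES userlist_deny=YES \
    pasv_min_port=30000 > "$sample"
audit_vsftpd "$sample" || echo "findings: $?"
rm -f "$sample"
```

On a server, run it as `audit_vsftpd /etc/vsftpd.conf` and compare the passive range it accepts with the range opened in the firewall.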
Opening the Firewall
If you are running a UFW firewall, you must allow FTP traffic.
To open port 21 (FTP command port), port 20 (FTP data port) and ports 30000-31000 (passive port range), run the following commands:
$ sudo ufw allow 20:21/tcp
$ sudo ufw allow 30000:31000/tcp
To avoid getting locked out, also open the SSH port:
$ sudo ufw allow OpenSSH
Reload the UFW rules by disabling and re-enabling UFW:
$ sudo ufw disable
$ sudo ufw enable
To verify the changes, run:
$ sudo ufw status
Output
Status: active

To                         Action      From
--                         ------      ----
20:21/tcp                  ALLOW       Anywhere
30000:31000/tcp            ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
20:21/tcp (v6)             ALLOW       Anywhere (v6)
30000:31000/tcp (v6)       ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
Creating an FTP User
To test my FTP server, I will create a new user.
If you already have a user you want to grant FTP access to, skip step 1.
If you set allow_writeable_chroot=YES in your config file, skip step 3.
1. Create a new user named newftpuser:
$ sudo adduser newftpuser
2. Add the user to the FTP whitelist:
$ echo "newftpuser" | sudo tee -a /etc/vsftpd.user_list
3. Create the FTP directory tree and set the correct permissions:
$ sudo mkdir -p /home/newftpuser/ftp/upload
$ sudo chmod 550 /home/newftpuser/ftp
$ sudo chmod 750 /home/newftpuser/ftp/upload
$ sudo chown -R newftpuser: /home/newftpuser/ftp
As discussed in the previous section, users can upload their files to the ftp/upload directory.
At this point your FTP server is fully functional and you should be able to connect to your server using any FTP client that can be configured to use TLS encryption such as FileZilla.
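The check below is an added example, not part of the original tutorial: it verifies the Method 1 layout on disk, since vsftpd refuses uploads when the chroot directory is writable. The function names and the temporary demo tree are made up for illustration, and the check is stricter than the page requires (it rejects any write bit on the chroot root).

```shell
#!/bin/sh
# Added example: check the Method 1 layout (chmod 550 chroot root, 750 upload dir).

# First ten characters of the ls -ld output for $1, e.g. "dr-xr-x---".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 when chroot root $1 has no write bit at all and $1/upload is writable
# by its owner but not by "other"; 1 on a finding; 2 if a directory is missing.
check_ftp_tree() {
    root=$1; up=$1/upload; rc=0
    if [ ! -d "$root" ] || [ ! -d "$up" ]; then
        echo "missing directory: $root or $up"; return 2
    fi
    rmode=$(mode_of "$root"); umode=$(mode_of "$up")
    # Positions 3, 6 and 9 of the mode string are the owner/group/other write bits.
    case $rmode in
        d?w*|d????w*|d???????w*) echo "FAIL $root is writable ($rmode)"; rc=1 ;;
    esac
    case $umode in
        d?w*) ;;
        *) echo "FAIL $up is not writable by its owner ($umode)"; rc=1 ;;
    esac
    case $umode in
        d???????w*) echo "FAIL $up is world-writable ($umode)"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed demo tree in a temporary directory, not a real home directory.
demo=$(mktemp -d)
mkdir -p "$demo/ftp/upload"
chmod 750 "$demo/ftp/upload"; chmod 550 "$demo/ftp"
check_ftp_tree "$demo/ftp" && echo "layout ok"
chmod 750 "$demo/ftp"            # simulate a writable chroot root
check_ftp_tree "$demo/ftp" || echo "layout rejected"
rm -rf "$demo"
```

For the user created above, the call would be `check_ftp_tree /home/newftpuser/ftp`.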
Disabling Shell Access
By default, unless explicitly specified otherwise, a newly created user will have SSH access to the server.
To disable shell access, I’m going to create a new shell that will only print a message telling the user that their account is limited to FTP access only.
Create a shell /bin/ftponly and make it executable:
$ echo -e '#!/bin/sh\necho "This account is limited to FTP access only."' | sudo tee -a /bin/ftponly
$ sudo chmod a+x /bin/ftponly
Add the new shell to the list of valid shells in the /etc/shells file:
$ echo "/bin/ftponly" | sudo tee -a /etc/shells
Change the user’s shell to /bin/ftponly:
$ sudo usermod newftpuser -s /bin/ftponly
Use the same command to change the shell of all users you want to give only FTP access.
In this tutorial, you learned how to install and configure a secure and fast FTP server on your Ubuntu 18.04 system. Hopefully this article is useful and good luck. 🙂