Based on this Digital Ocean tutorial.
A great article on Ubuntu Community.
Install vsftpd (very secure FTP daemon)
Using the apt-get package manager:
sudo apt-get update
sudo apt-get install vsftpd
The default configuration file is /etc/vsftpd.conf.
Before editing the file, let's make a backup.
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.bak
sudo nano /etc/vsftpd.conf
Disable the ability for users to log in anonymously.
anonymous_enable=NO
Enable user logins that use the local authentication files.
local_enable=YES
Enable users to make modifications to the filesystem.
write_enable=YES
Restrict users to their own home directories.
chroot_local_user=YES
Exempt a few users from the chroot jail. With chroot_local_user=YES, the users listed in the chroot list are the ones that are NOT jailed; the default list file is /etc/vsftpd.chroot_list.
chroot_list_enable=YES
Allow only listed users to log in. With userlist_deny=NO the list is an allow list rather than a deny list; the default file of allowed users is /etc/vsftpd.user_list.
userlist_deny=NO
userlist_enable=YES
Restrict passive-mode data connections to a fixed TCP port range (this limits the ports that must be opened in the firewall).
pasv_min_port=12000
pasv_max_port=12009
Hide files matching these patterns from directory listings.
hide_file={.message,.bash_logout,.bashrc,.profile}
Save and close the file.
We need to create some SSL certificates to use with vsftpd. We can do this with the following command:
sudo openssl req -x509 -nodes -days 730 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
This will create a certificate that will last two years. It will be placed in the /etc/ssl/private/ directory, which we can reference in our configuration file. Note that 1024-bit RSA is below the minimum most current TLS libraries accept; rsa:2048 or larger is the usual choice today.
sudo nano /etc/vsftpd.conf
Towards the bottom of the file, you should find a line that matches the SSL certificate we just created.
rsa_cert_file=/etc/ssl/private/vsftpd.pem
We will add the additional SSL info below this.
When we created the certificate, we included both the key file and the certificate in one file, so we can also point our private key line to that.
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
After that, we will add the following lines to force SSL. This locks out clients that cannot do TLS, which is what we want.
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
After this we configure the server to use TLS, the successor to SSL, and disable the old SSL protocol versions.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
Finally, we add a few more options to flesh out our configuration file.
require_ssl_reuse=NO
ssl_ciphers=HIGH
Debugging. The default log file is /var/log/vsftpd.log.
debug_ssl=YES
Save and close the file.
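The edits above are easy to get wrong by hand (a setting left commented out, a key set twice). The following is an added example, not part of the tutorial, that applies the same settings to a vsftpd.conf-style file idempotently and then verifies the security-relevant ones. The function names (vsftpd_set, vsftpd_apply, vsftpd_check, vsftpd_pasv_range) are this example's own; try it on a copy of the file before pointing it at /etc/vsftpd.conf.

```shell
#!/bin/bash
# Added example, not part of the tutorial. Assumes GNU awk/sed semantics (Linux).

# Set KEY=VALUE in FILE: replaces the first active or commented-out line for KEY,
# drops later duplicates, appends when the key is absent. Safe to run repeatedly.
vsftpd_set() {
  local file="$1" key="$2" value="$3" tmp rc
  tmp=$(mktemp) || return 1
  awk -v k="$key" -v v="$value" '
    BEGIN { re = "^[ \t]*#?[ \t]*" k "=" }
    $0 ~ re { if (!done) { print k "=" v; done = 1 }; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode and owner
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Apply every setting from the tutorial's configuration section.
vsftpd_apply() {
  local file="$1" kv
  for kv in \
    anonymous_enable=NO local_enable=YES write_enable=YES \
    chroot_local_user=YES chroot_list_enable=YES \
    userlist_enable=YES userlist_deny=NO \
    pasv_min_port=12000 pasv_max_port=12009 \
    'hide_file={.message,.bash_logout,.bashrc,.profile}' \
    rsa_cert_file=/etc/ssl/private/vsftpd.pem \
    rsa_private_key_file=/etc/ssl/private/vsftpd.pem \
    ssl_enable=YES allow_anon_ssl=NO \
    force_local_data_ssl=YES force_local_logins_ssl=YES \
    ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO \
    require_ssl_reuse=NO ssl_ciphers=HIGH debug_ssl=YES
  do
    vsftpd_set "$file" "${kv%%=*}" "${kv#*=}" || return 1
  done
}

# Fail (and say why) if any of the settings that keep the server locked down is
# missing, commented out, or set to the wrong value.
vsftpd_check() {
  local file="$1" rc=0 kv
  for kv in anonymous_enable=NO chroot_local_user=YES userlist_enable=YES \
            userlist_deny=NO ssl_enable=YES force_local_logins_ssl=YES \
            force_local_data_ssl=YES ssl_sslv2=NO ssl_sslv3=NO; do
    if ! grep -Eq "^[[:space:]]*${kv%%=*}=${kv#*=}[[:space:]]*$" "$file"; then
      echo "missing or wrong: $kv" >&2
      rc=1
    fi
  done
  return $rc
}

# Print the passive port range as MIN:MAX (the range to open in the firewall).
vsftpd_pasv_range() {
  local file="$1" lo hi
  lo=$(sed -nE 's/^[[:space:]]*pasv_min_port=([0-9]+).*/\1/p' "$file" | head -n1)
  hi=$(sed -nE 's/^[[:space:]]*pasv_max_port=([0-9]+).*/\1/p' "$file" | head -n1)
  [ -n "$lo" ] && [ -n "$hi" ] && [ "$lo" -le "$hi" ] || return 1
  printf '%s:%s\n' "$lo" "$hi"
}

# Usage: ./vsftpd_conf.sh /etc/vsftpd.conf   (as root, after taking the backup)
if [ -n "${1:-}" ]; then
  vsftpd_apply "$1" && vsftpd_check "$1" && echo "passive range: $(vsftpd_pasv_range "$1")"
fi
```

Running vsftpd_check after every edit catches the common mistake of leaving the distribution's commented-out default (for example "#anonymous_enable=YES") in place; the range printed by vsftpd_pasv_range is what goes into the firewall rule for the data connections.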
Because of the way vsftpd secures its chroot jails, the chroot must not be owned by the user and must not be writeable. Because of this, it is best to implement a user specifically for use with FTP.
Add a user.
sudo adduser ftpuser
Add the user to the allowed-users file on a new line.
sudo nano /etc/vsftpd.user_list
If you want the user NOT to be in the chroot jail, add the user to the chroot list on a new line.
sudo nano /etc/vsftpd.chroot_list
Add the name of the user on a new line. Save and close the file.
Now, give root ownership of the ftpuser's home directory.
sudo chown root:root /home/ftpuser
We need to create a separate directory within this home directory where files can be uploaded. Then, we need to give this directory over to our FTP user:
sudo mkdir /home/ftpuser/files
sudo chown ftpuser:ftpuser /home/ftpuser/files
Now, we need to restart our server for our changes to take effect:
sudo service vsftpd restart
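Before restarting, it is worth checking that the home directory really has the layout vsftpd's chroot protection expects, because a writable jail root makes vsftpd refuse the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". The following is an added example, not part of the tutorial: chroot_layout_check and ftp_user_setup are this example's own names, the chmod 755 is an addition to the tutorial's commands, and GNU stat (Linux) is assumed.

```shell
#!/bin/bash
# Added example, not part of the tutorial. Requires GNU stat.

# Pass when HOME_DIR is owned by OWNER (root on a real server) and is not writable
# by group or others, and HOME_DIR/SUB (default "files") is owned by FTPUSER.
chroot_layout_check() {
  local home="$1" owner="$2" ftpuser="$3" sub="${4:-files}"
  local got mode
  [ -d "$home" ] || { echo "missing directory: $home" >&2; return 1; }
  got=$(stat -c '%U' "$home")
  [ "$got" = "$owner" ] || { echo "$home is owned by $got, expected $owner" >&2; return 1; }
  mode=$(stat -c '%a' "$home")   # e.g. 755; the last two digits are group and other
  if [ $(( mode % 100 / 10 & 2 )) -ne 0 ] || [ $(( mode % 10 & 2 )) -ne 0 ]; then
    echo "$home (mode $mode) is group- or world-writable; vsftpd will refuse the chroot" >&2
    return 1
  fi
  [ -d "$home/$sub" ] || { echo "missing upload directory: $home/$sub" >&2; return 1; }
  got=$(stat -c '%U' "$home/$sub")
  [ "$got" = "$ftpuser" ] || { echo "$home/$sub is owned by $got, expected $ftpuser" >&2; return 1; }
  echo "ok: $home is owned by $owner and read-only for others; $home/$sub belongs to $ftpuser"
}

# The tutorial's user-setup steps in one function (root only). adduser is
# interactive, as in the tutorial; chmod 755 is added so the check above cannot fail
# on a home directory created with a permissive umask.
ftp_user_setup() {
  local user="$1"
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  id "$user" >/dev/null 2>&1 || adduser "$user"
  chown root:root "/home/$user"
  chmod 755 "/home/$user"
  mkdir -p "/home/$user/files"
  chown "$user:$user" "/home/$user/files"
  grep -qx "$user" /etc/vsftpd.user_list 2>/dev/null || echo "$user" >> /etc/vsftpd.user_list
  chroot_layout_check "/home/$user" root "$user"
}

# Usage: sudo ./ftp_user_setup.sh ftpuser
if [ -n "${1:-}" ]; then
  ftp_user_setup "$1"
fi
```

The check is deliberately separate from the setup so it can be run on its own (for example from a cron job or a configuration-management verify step) against an existing account: chroot_layout_check /home/ftpuser root ftpuser.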
On the server you can follow the log live with the command:
sudo tail -F /var/log/vsftpd.log
You can test that everything works using the lftp program.
lftp 127.0.0.1 -p 21
# then in the prompt
set ftp:ssl-force on
set ssl:verify-certificate off
set ftp:passive-mode on
debug # if you want to debug
login ftpuser # then enter the password
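The interactive session above can also be scripted, which is handy when re-checking the server after every configuration change. The following is an added example, not part of the tutorial: ftp_reply_code, ftp_auth_tls_probe and lftp_tls_listing are this example's own names; host, port and user are arguments, and the password is read from the LFTP_PASSWORD environment variable. The probe uses bash's /dev/tcp and stops before the TLS handshake, so it only confirms that the server accepts AUTH TLS; the lftp function repeats the tutorial's settings non-interactively.

```shell
#!/bin/bash
# Added example, not part of the tutorial. The probe needs bash (/dev/tcp).

# Return the 3-digit code of a final FTP reply line ("234 Proceed..." -> 234).
# Continuation lines ("220-Welcome") and anything else return 1.
ftp_reply_code() {
  case "$1" in
    [0-9][0-9][0-9]" "*|[0-9][0-9][0-9]) printf '%s\n' "${1%%[!0-9]*}" ;;
    *) return 1 ;;
  esac
}

# Read reply lines from fd 3 (5 s timeout each) until a final one; print its code.
_ftp_final_code() {
  local line code
  while IFS= read -r -t 5 line <&3; do
    line=${line%$'\r'}
    if code=$(ftp_reply_code "$line"); then printf '%s\n' "$code"; return 0; fi
  done
  return 1
}

# Talk to the server on fd 3: expect the 220 banner, send AUTH TLS, succeed only
# on 234. No credentials are sent, so nothing sensitive crosses the wire in clear.
_ftp_auth_tls_dialog() {
  local code
  code=$(_ftp_final_code) && [ "$code" = 220 ] || return 2
  printf 'AUTH TLS\r\n' >&3
  code=$(_ftp_final_code) || return 2
  echo "AUTH TLS -> $code"
  [ "$code" = 234 ]
}

ftp_auth_tls_probe() {
  local host="$1" port="${2:-21}"
  # If the connection cannot be opened the redirection fails and this returns non-zero.
  _ftp_auth_tls_dialog 3<>"/dev/tcp/$host/$port"
}

# Non-interactive version of the tutorial's lftp session. Commands are fed on stdin
# so the password never appears on the command line.
lftp_tls_listing() {
  local host="$1" user="$2"
  lftp -p 21 "$host" <<EOF
set ftp:ssl-force on
set ssl:verify-certificate off
set ftp:passive-mode on
user $user $LFTP_PASSWORD
ls
bye
EOF
}

# Usage: ./ftp_check.sh 127.0.0.1 && LFTP_PASSWORD=... ./ftp_check.sh 127.0.0.1 ftpuser
if [ -n "${1:-}" ]; then
  ftp_auth_tls_probe "$1" 21
  [ -n "${2:-}" ] && lftp_tls_listing "$1" "$2"
fi
```

Turning certificate verification off is only acceptable while the server uses the self-signed certificate from this tutorial; once the certificate is distributed to clients or issued by a CA, leave verification on and point lftp at the expected certificate with its ssl:ca-file setting instead.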
Some useful lftp commands:
?               display the help message
![command]      execute a command on the client computer (outside the lftp prompt)
ls              list the files
pwd             print the current working directory
cd [path]       change the current directory
get [file]      download a file from the server
put [file]      upload a file to the server