This tutorial shows how to set up an FTP server on an Ubuntu VPS. It uses vsftpd, which is widely regarded as the quickest and most secure FTP server for UNIX-like systems.
FTP, or File Transfer Protocol, is a means of sending and receiving files over a network connection. It uses a client/server model over TCP/IP and, when combined with SSL/TLS, lets users share files with (and receive files from) remote computers through secure, efficient and reliable data transfer.
FTP functions in the same way HTTP or SMTP do; the only difference is that it is responsible for transporting files from a sender to a receiver instead of web pages from a server to a user or electronic mail across the internet. This tutorial guides you through FTP server setup on Ubuntu 16.04.
Note: This tutorial is based on Ubuntu 16.04, but the same steps apply when creating an FTP server on Ubuntu 14.04.
Step 1 – Installing Vsftpd
First things first, let’s get our package updates before we proceed with the vsftpd daemon installation. To begin, run the following command:
sudo apt-get update
Wait for all the processes to complete and you will see a confirmation as soon as the update finishes.
Once that is out of the way, install the vsftpd daemon using the following command:
sudo apt-get install vsftpd
You will be prompted with a confirmation message, which will require you to type Y and hit Enter to continue with the installation.
After the installation completes, make a backup of the original configuration file before changing it:
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.original
Now we are ready to go to the next step and configure the firewall.
Step 2 – Allowing FTP traffic from the firewall
To allow the Ubuntu FTP server to communicate with the outside world, it needs to make its way through the firewall. Let’s first see whether the firewall is enabled on the machine or not. Run the following command to verify the status:
sudo ufw status
If you see the following message:
ufw: command not found
it means that the firewall is not installed, and you may proceed to the next step.
However, if the output shows some defined rules or a message that the firewall status is active, you will have to make sure FTP traffic is allowed through. Let’s go ahead and open ports 20 and 21 for the FTP traffic; ports 40000-50000 will be reserved for the range of passive ports that will eventually be set in the configuration file, and port 990 will be used once TLS is enabled. Execute the following commands to do so:
sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow 990/tcp
sudo ufw allow 40000:50000/tcp
Now let’s look at the status again:
sudo ufw status
The output should now look something like:
Status: active

To                         Action      From
--                         ------      ----
990/tcp                    ALLOW       Anywhere
20/tcp                     ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
40000:50000/tcp            ALLOW       Anywhere
20/tcp (v6)                ALLOW       Anywhere (v6)
21/tcp (v6)                ALLOW       Anywhere (v6)
990/tcp (v6)               ALLOW       Anywhere (v6)
40000:50000/tcp (v6)       ALLOW       Anywhere (v6)
Now that we have all the necessary ports open and available to us, we can proceed to the next step.
Step 3 – Creating the user directory
As a 3rd step to creating an Ubuntu FTP server, we will need to select the user that is going to be making use of FTP access. For the sake of showing how it’s done, we will be adding a new user. To create it, use the following command:
sudo adduser alex
When asked, enter a password for the user and fill in all other details.
Ideally, FTP should be restricted to one specific directory for security purposes. Vsftpd uses chroot jails to accomplish this. With chroot enabled, a local user is restricted to their home directory (by default). Because of the way vsftpd secures the chroot directory, however, the user might not be able to write to it. Rather than removing write privileges from the home folder, we will make an ftp directory to act as the chroot, along with a writable files directory inside it to hold the actual files. Use the following command to create the FTP folder:
sudo mkdir /home/alex/ftp
Set the ownership using:
sudo chown nobody:nogroup /home/alex/ftp
Finally, remove the write permissions:
sudo chmod a-w /home/alex/ftp
Now, use the following command to verify the permissions:
sudo ls -la /home/alex/ftp
The output should look something like:
total 8
dr-xr-xr-x 2 nobody nogroup 4096 Jun 29 11:32 .
drwxr-xr-x 3 alex   alex    4096 Jun 29 11:32 ..
As a next step, we will create the file holding directory and assign the ownership:
sudo mkdir /home/alex/ftp/files
sudo chown alex:alex /home/alex/ftp/files
Finally, add a test file to the directory which will be used when we test everything later on:
echo "vsftpd sample file" | sudo tee /home/alex/ftp/files/sample.txt
Step 4 – Configuring vsftpd
As the next step in setting up an FTP server on an Ubuntu VPS, we will configure vsftpd and our FTP access. In this tutorial, we will allow a single user to connect with FTP using a local shell account. The two key settings required for this are already present in the configuration file (vsftpd.conf). First, open the file with nano and verify that it contains settings matching those shown below:
sudo nano /etc/vsftpd.conf
. . .
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
. . .
In the same file, enable write_enable by removing the # in front of it:
. . .
write_enable=YES
. . .
Uncomment chroot_local_user as well, so that a user connected via FTP can only access files within the allowed directory:
. . .
chroot_local_user=YES
. . .
A few new values will also need to be added by hand. You may simply paste them at the bottom of the file. Firstly, a user_sub_token will be added into the local_root directory path. This will allow the configuration to work with the current user and any other users that are subsequently added:
To ensure that a substantial number of connections are available, we will limit the number of ports used in the configuration file:
In this tutorial, we plan to allow access on a case-by-case basis, so let’s set the configuration up in a way that access is only granted to users who have explicitly been added to a list:
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
The userlist_deny flag toggles the logic of the list; when it is set to “NO”, only the users specified on the list are allowed access. Once done, press CTRL+X and confirm the file changes.
Lastly, we will proceed with the creation and addition of our user to the file:
echo "alex" | sudo tee -a /etc/vsftpd.userlist
Verify that the user is indeed active by running the following command:
The output should be “alex”.
Restart the daemon using the following command to load the configuration changes:
sudo systemctl restart vsftpd
Step 5 – Making FTP secure
By default, FTP doesn’t do any data encryption, so we will be using TLS/SSL to make things safer. As a first step, we need to create the SSL certificate and use it to secure the Ubuntu FTP server. To start, use the following command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
The -days flag makes the certificate valid for a year, and the same command generates a 2048-bit private RSA key. When prompted, enter the pertinent personal details in the fields provided.
After you finish creating the certificate, open the configuration file again:
sudo nano /etc/vsftpd.conf
The end of the file should contain two lines that start with “rsa_”. Comment out both of these lines:
# rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
Instead we will point the configuration file to the certificate that we just created. Add the following lines:
Now we will enable SSL and ensure that only clients that have SSL enabled get to contact us. Change the value of ssl_enable to YES:
Now add the following lines to further secure things (this disallows anonymous connections over SSL):
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
Configure the server to use TLS using:
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
Here we will add two more options. Firstly, we will not require SSL reuse, because requiring it can break many FTP clients. Secondly, we will use high-encryption cipher suites, which means that key lengths are equal to or greater than 128 bits.
Let’s restart once again to apply the new configurations:
sudo systemctl restart vsftpd
Great work! You have now configured the FTP server on your Ubuntu VPS to work with SSL/TLS protocol.
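One way to check the finished configuration file against the values set in Steps 4 and 5, as an added example that is not part of the original tutorial. The function names conf_get and audit_vsftpd_conf are hypothetical; pasv_min_port and pasv_max_port are standard vsftpd directives, and the passive range is compared with the 40000:50000 range opened in ufw in Step 2.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf against the settings from Steps 4 and 5.
# Every directive must be set explicitly; built-in defaults are not modelled.

# Effective value of directive $2 in file $1 (last uncommented assignment).
conf_get() {
    tr -d '\r' < "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# Print one line per finding; the exit status is 0 only when there are none.
audit_vsftpd_conf() {
    conf=$1
    findings=0
    for want in anonymous_enable=NO local_enable=YES chroot_local_user=YES \
                userlist_enable=YES userlist_deny=NO ssl_enable=YES \
                allow_anon_ssl=NO force_local_data_ssl=YES \
                force_local_logins_ssl=YES ssl_sslv2=NO ssl_sslv3=NO; do
        key=${want%%=*}
        actual=$(conf_get "$conf" "$key")
        if [ "$actual" != "${want#*=}" ]; then
            echo "$key: want ${want#*=}, got ${actual:-unset}"
            findings=$((findings + 1))
        fi
    done
    # Passive range must lie inside the 40000:50000 range opened in ufw (Step 2).
    lo=$(conf_get "$conf" pasv_min_port)
    hi=$(conf_get "$conf" pasv_max_port)
    case "$lo$hi" in *[!0-9]*) lo=0 ;; esac   # non-numeric counts as a finding
    if [ "${lo:-0}" -lt 40000 ] || [ "${hi:-65536}" -gt 50000 ]; then
        echo "pasv range: ${lo:-unset}-${hi:-unset} is not inside 40000-50000"
        findings=$((findings + 1))
    fi
    # The packaged snakeoil certificate (commented out in Step 5) must not be in use.
    case $(conf_get "$conf" rsa_cert_file) in
        '' | *snakeoil*)
            echo "rsa_cert_file: unset or still the snakeoil certificate"
            findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Constructed sample: TLS is on, but SSLv3 and the snakeoil certificate remain.
sample=$(mktemp)
printf '%s\n' anonymous_enable=NO local_enable=YES chroot_local_user=YES \
    userlist_enable=YES userlist_deny=NO pasv_min_port=40000 \
    pasv_max_port=50000 ssl_enable=YES allow_anon_ssl=NO \
    force_local_data_ssl=YES force_local_logins_ssl=YES ssl_sslv2=NO \
    ssl_sslv3=YES rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem > "$sample"
audit_vsftpd_conf "$sample" || echo "vsftpd.conf needs attention"
rm -f "$sample"
```

To audit the live server, call audit_vsftpd_conf /etc/vsftpd.conf in place of the constructed sample.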
Step 6 – Testing connections with FileZilla
Nowadays, most FTP clients support TLS encryption, so connecting with one is a good way to test whether your Ubuntu FTP server is working as intended. To test the connection, we will use the FileZilla FTP client. To begin, launch FileZilla and click on the Site Manager icon.
Click the New Site button in the prompted window to begin entering the Ubuntu FTP server details.
Fill in all the required details with your newly created Ubuntu FTP server information. Since we configured it to use TLS, we may also set the encryption to explicit FTP over TLS.
Once ready, click Connect and a prompt asking for the FTP user’s password will appear.
Finally, you will need to verify the SSL certificate of your FTP server on the Ubuntu VPS. Because the certificate created in Step 5 is self-signed, the client cannot validate it against a certificate authority, so check that the details it displays match the ones you entered before accepting it.
After confirming, the root directory with the test file should now appear on your screen.
That’s all! Now you can perform file transfers from your computer to the Ubuntu FTP server and vice versa.
In this tutorial, we have gone step by step through setting up a way for a local user to securely transfer files via FTP with SSL/TLS on an Ubuntu FTP server. We have also tested the connection using FileZilla to make sure everything is functional.