The Complete Guide To Install And Secure FTP Server On Ubuntu 20.04 LTS Using VSFTPD

It provides the steps required to install and secure FTP Server on Ubuntu 20.04 LTS using the VSFTPD FTP server.

June 21, 2020

FTP (File Transfer Protocol) is used to transfer files to and from servers using FTP client applications. The server must have an FTP server installed and the standard FTP ports open for communication over the FTP protocol. VSFTPD (Very Secure FTP Daemon) is among the popular FTP servers; it is free and licensed under the GNU General Public License. It's considered the default FTP server and is widely used by Ubuntu admins due to its security features.

This tutorial provides the steps required to install VSFTPD on Ubuntu 20.04 LTS. It also provides the steps to configure VSFTPD and secure its communication using TLS/SSL encryption.

Prerequisites

This tutorial assumes that you have already installed Ubuntu 20.04 LTS desktop or server version either for local or production usage. You can follow Install Ubuntu 20.04 LTS Desktop, Install Ubuntu 20.04 LTS On Windows Using VMware, and Spin Up Ubuntu 20.04 LTS Server On Amazon EC2 to install Ubuntu 20.04 LTS. It also assumes that you have either root privileges or a regular user with sudo privileges.

It also assumes that ports 20 and 21 are publicly open. Apart from ports 20 and 21, also open the port range 50000-50100 for passive mode connections.

Install VSFTPD

Use the commands below to install VSFTPD on Ubuntu.

# Refresh packages index
sudo apt-get update

# Install VSFTPD
sudo apt-get install vsftpd

Now verify the installation by checking the version and status of VSFTPD as shown below.

# VSFTPD Version
sudo vsftpd -version

# Output
vsftpd: version 3.0.3

# VSFTPD Status
sudo systemctl status vsftpd

# Output
vsftpd.service - vsftpd FTP server
     Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2020-06-21 04:12:50 UTC; 24s ago
   Main PID: 56437 (vsftpd)
      Tasks: 1 (limit: 1119)
     Memory: 664.0K
     CGroup: /system.slice/vsftpd.service
             └─56437 /usr/sbin/vsftpd /etc/vsftpd.conf

Jun 21 04:12:50 ip-172-31-8-2 systemd[1]: Starting vsftpd FTP server...
Jun 21 04:12:50 ip-172-31-8-2 systemd[1]: Started vsftpd FTP server.

This confirms that VSFTPD is successfully installed and running. In case it's not running or not enabled, use the below-mentioned commands to enable and start it.

# Enable VSFTPD
sudo systemctl enable vsftpd

# Start VSFTPD
sudo systemctl start vsftpd

Configure VSFTPD

This section provides the steps to configure VSFTPD. VSFTPD is configured through its main configuration file, located at /etc/vsftpd.conf. Before changing it, copy the file to keep a backup for reference as shown below.

# Backup VSFTPD configuration
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.orig

Now update the configuration file /etc/vsftpd.conf as shown below. I have used the nano editor to update the configurations. You may use any editor of your choice.

# Open the configuration using nano editor
sudo nano /etc/vsftpd.conf

# Update the configurations
----
# Run standalone? vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=NO
#
# This directive enables listening on IPv6 sockets. By default, listening
# on the IPv6 "any" address (::) will accept connections from both IPv6
# and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
# sockets. If you want that (perhaps because you want to listen on specific
# addresses) then you must run two copies of vsftpd with two configuration
# files.
listen_ipv6=YES
----
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
----
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
----
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
----
# If you want, you can have your log file in standard ftpd xferlog format.
# Note that the default log file location is /var/log/xferlog in this case.
xferlog_std_format=YES
----
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES
----
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
----
# Additional configs
vsftpd_log_file=/var/log/vsftpd.log
tcp_wrappers=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
allow_writeable_chroot=NO
user_sub_token=$USER
local_root=/home/$USER/ftp
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

The default behavior of VSFTPD is to deny the users listed in the file /etc/vsftpd.userlist, since the configurations userlist_enable and userlist_deny are set to YES by default. We can update the configuration userlist_deny to NO and enable the userlist to direct VSFTPD to load the active users from the file specified by the configuration userlist_file, which is set to /etc/vsftpd.userlist. Also, restrict the users to access the files from their root directory with read and write permissions by updating the configurations chroot_local_user and allow_writeable_chroot to YES.

Now restart VSFTPD after updating the configuration file.

# Restart VSFTPD
sudo systemctl restart vsftpd

# VSFTPD Status
sudo systemctl status vsftpd

# Output
vsftpd.service - vsftpd FTP server
     Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2020-06-21 05:28:34 UTC; 4s ago
    Process: 57149 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
   Main PID: 57160 (vsftpd)
      Tasks: 1 (limit: 1119)
     Memory: 640.0K
     CGroup: /system.slice/vsftpd.service
             └─57160 /usr/sbin/vsftpd /etc/vsftpd.conf

Jun 21 05:28:34 ip-172-31-8-2 systemd[1]: Starting vsftpd FTP server...
Jun 21 05:28:34 ip-172-31-8-2 systemd[1]: Started vsftpd FTP server.

It must show the status as shown above. In case you have made a mistake or misconfigured VSFTPD, it might show an error with the message code=exited, status=2 as shown below.

# VSFTPD Status
sudo systemctl status vsftpd

# Output
vsftpd.service - vsftpd FTP server
     Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sun 2020-06-21 04:59:09 UTC; 3s ago
    Process: 56813 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
    Process: 56815 ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf (code=exited, status=2)
   Main PID: 56815 (code=exited, status=2)

Jun 21 04:59:09 ip-172-31-8-2 systemd[1]: Starting vsftpd FTP server...
Jun 21 04:59:09 ip-172-31-8-2 systemd[1]: Started vsftpd FTP server.
Jun 21 04:59:09 ip-172-31-8-2 systemd[1]: vsftpd.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 21 04:59:09 ip-172-31-8-2 systemd[1]: vsftpd.service: Failed with result 'exit-code'.

If you get the error code=exited, status=2, check the configuration file further by running VSFTPD directly as shown below.

# Test Configurations
sudo /usr/sbin/vsftpd /etc/vsftpd.conf

# Example Output on Error if additional space is left after YES or NO ...
500 OOPS: bad bool value in config file for: userlist_deny
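
The parse error above can be caught before the restart. The following is an added example, not part of the original tutorial: a conservative lint that flags whitespace around the option, the = sign and the value, plus Windows line endings. The function name and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original tutorial.
# Prints "<line>:<key>:<reason>" for each suspicious line; returns 1 if any.
vsftpd_conf_lint() {
    awk '
        /^#/ || /^$/ { next }               # comments and empty lines
        {
            key = $0
            sub(/=.*/, "", key)             # text before the first "="
            gsub(/[ \t\r]/, "", key)
            if ($0 !~ /=/)                              reason = "missing-equals"
            else if ($0 ~ /\r$/)                        reason = "carriage-return"
            else if ($0 ~ /[ \t]$/)                     reason = "trailing-whitespace"
            else if ($0 ~ /^[ \t]/)                     reason = "leading-whitespace"
            else if ($0 ~ /^[^=]*[ \t]=|^[^=]*=[ \t]/)  reason = "space-around-equals"
            else next
            print NR ":" key ":" reason
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: line 2 has a trailing space, line 4 has spaces around
# "=", and line 5 ends in a Windows carriage return.
sample=$(mktemp)
printf 'listen=NO\nuserlist_deny=NO \n# note\npasv_enable = YES\nssl_enable=YES\r\n' > "$sample"
vsftpd_conf_lint "$sample" || echo "fix the lines listed above before restarting vsftpd"
rm -f "$sample"
```

Run it as vsftpd_conf_lint /etc/vsftpd.conf after each edit; an empty result means no whitespace problems were found.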

Local FTP Users

This section provides the steps to manage the local FTP users. These users can be used to connect to the FTP server using FTP clients running on remote systems. You can also refer to How To Install FileZilla FTP Client On Ubuntu 20.04 LTS, How To Install FileZilla FTP Client On Windows 10, and How To Install FileZilla FTP Client On Mac to install the FileZilla FTP client on remote systems.

Now add a new local user and set the password as shown below.

# Add User
sudo useradd -m -c "FTP User 1" -s /bin/bash ftpuser1

# Set Password
sudo passwd ftpuser1

# Output
New password: <strong password>
Retype new password: <strong password>
passwd: password updated successfully

Now add the directory with required permissions to store the FTP files as shown below.

sudo mkdir /home/ftpuser1/ftp
sudo chown nobody:nogroup /home/ftpuser1/ftp
sudo chmod a-w /home/ftpuser1/ftp
sudo mkdir /home/ftpuser1/ftp/files
sudo chown -R ftpuser1:ftpuser1 /home/ftpuser1/ftp/files
sudo chmod -R 0770 /home/ftpuser1/ftp/files/

Also, update the VSFTPD allowed users list by updating the file /etc/vsftpd.userlist as shown below.

# Add User - Update Users List
sudo nano /etc/vsftpd.userlist

# Update list without opening the file
echo "ftpuser1" | sudo tee -a /etc/vsftpd.userlist

# Output
ftpuser1

Now we can connect to the VSFTPD FTP server installed by us using the FTP client applications as shown at How To Install FileZilla FTP Client On Ubuntu 20.04 LTS, How To Install FileZilla FTP Client On Windows 10, and How To Install FileZilla FTP Client On Mac.

Secure VSFTPD Server

We can secure the VSFTPD FTP server by configuring the server to allow FTP over TLS communication. We need a valid SSL certificate to complete this step. A free SSL certificate can be obtained using Let's Encrypt for Apache or Nginx. You can follow How To Install Let's Encrypt For Apache On Ubuntu or How To Install Let's Encrypt For Nginx On Ubuntu. We can also generate a self-signed certificate as explained at Install Self-Signed SSL Certificate Using OpenSSL On Ubuntu 20.04 LTS. The only issue with the self-signed certificate is that the FTP clients show a security warning asking the user to trust the certificate.

Now configure the VSFTPD after obtaining an SSL certificate.

# Open the configuration using nano editor
sudo nano /etc/vsftpd.conf

# Update the configurations
----
rsa_cert_file=<SSL Certificate File>
rsa_private_key_file=<Key File>
ssl_enable=YES
----
# Additional configs
debug_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH

The above configurations allow only the TLS protocol and prevent anonymous users from using SSL. We have also forced all non-anonymous users to explicitly use the TLS protocol for all communication with the FTP server. Now restart VSFTPD and check its status.

# Restart VSFTPD
sudo systemctl restart vsftpd

# VSFTPD Status
sudo systemctl status vsftpd

# Output
vsftpd.service - vsftpd FTP server
     Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2020-06-21 12:17:34 UTC; 4s ago
    Process: 59378 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
   Main PID: 59379 (vsftpd)
      Tasks: 1 (limit: 1119)
     Memory: 824.0K
     CGroup: /system.slice/vsftpd.service
             └─59379 /usr/sbin/vsftpd /etc/vsftpd.conf

Jun 21 12:17:34 ip-172-31-8-2 systemd[1]: Starting vsftpd FTP server...
Jun 21 12:17:34 ip-172-31-8-2 systemd[1]: Started vsftpd FTP server.

We have successfully secured VSFTPD by enabling the TLS protocol for all the communication between the FTP server and FTP clients.
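
A running service does not prove the TLS settings took effect: if a key ends up in /etc/vsftpd.conf twice, an older line can silently override the new one. The following is an added example, not part of the original tutorial, that compares the effective values with the ones set above. It assumes VSFTPD applies the file top to bottom so the last occurrence of a key wins; the function names and sample file are constructed.

```sh
#!/bin/sh
# Added example, not from the original tutorial.
# Effective value of KEY in FILE: the last uncommented KEY=... line wins
# (assumption: vsftpd applies settings in file order).
vsftpd_effective() {    # usage: vsftpd_effective FILE KEY
    awk -F= -v k="$2" '
        $1 == k { v = toupper(substr($0, length(k) + 2)) }
        END     { print v }
    ' "$1"
}

# Print every setting whose effective value differs from this tutorial's
# configuration; return 1 if anything differs. Unset keys count as findings.
vsftpd_tls_audit() {    # usage: vsftpd_tls_audit FILE
    rc=0
    for want in ssl_enable=YES force_local_logins_ssl=YES \
                force_local_data_ssl=YES ssl_sslv2=NO ssl_sslv3=NO \
                allow_anon_ssl=NO anonymous_enable=NO; do
        key=${want%%=*}
        exp=${want#*=}
        got=$(vsftpd_effective "$1" "$key")
        if [ "$got" != "$exp" ]; then
            echo "$key: expected $exp, effective '${got:-unset}'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the edited block sets ssl_enable=YES, but an older
# ssl_enable=NO line was left further down the file.
sample=$(mktemp)
printf '%s\n' anonymous_enable=NO ssl_enable=YES ssl_sslv2=NO ssl_sslv3=NO \
    allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES \
    ssl_enable=NO > "$sample"
vsftpd_tls_audit "$sample" || echo "TLS is not enforced as intended"
rm -f "$sample"
```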

Summary

This tutorial provided the steps required to install VSFTPD on Ubuntu 20.04 LTS. It also provided the configurations required to secure VSFTPD.
