The File Transfer Protocol (FTP) is a TCP protocol for transferring files between computers. In the past it was also used for uploading files, but since the method does not use encryption, user credentials as well as the contents of files are transferred in the clear and are easily intercepted. So if you are here looking for a way to upload and download files securely, take a look at the OpenSSH article in the Remote Administration section instead.
FTP operates on a client/server model. The server component is called the FTP service (daemon). It constantly listens for FTP requests from remote clients. When a request is received, it manages the login and sets up the connection. For the duration of the session, it executes any commands sent by the FTP client.
vsftpd is an FTP service available in Ubuntu. It is easy to install, configure and maintain. To install vsftpd you can run the following command:
sudo apt install vsftpd
To start the service and have it started at boot (since Ubuntu 15.04 systemd is used), enter the following commands:
sudo systemctl start vsftpd
sudo systemctl enable vsftpd
On Ubuntu Server the ufw firewall can be used; in that case you will need to allow ports 20 and 21:
sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
The configuration file contains many settings. Information on each parameter is available in the file itself. Alternatively, you can look at the manual page
man 5 vsftpd.conf
for details on each parameter.
Access to the FTP server can be organized in two ways:
In anonymous mode a remote client can access the FTP server using the default user account named "anonymous" or "ftp" and passing an email address as the password. In authenticated mode the user must have an account name and password. This latter option is highly insecure and should not be used except in special circumstances. If you want to transfer files securely, see SFTP in the OpenSSH server section. A user's access to the directories and files of the FTP server depends on the access rights of the account used at login. As a rule, the FTP service hides the root directory of the FTP server, replacing it with the FTP home directory. This hides the rest of the file system from remote sessions.
The default vsftpd configuration does not allow anonymous downloads. If you want to enable anonymous download, change the following in /etc/vsftpd.conf:
anonymous_enable=YES
During installation a user named ftp is created with the home directory /srv/ftp. This is the default FTP directory.
If you wish to change its location to, for example, /srv/files/ftp, simply create a new directory and change the home directory of the ftp user:
sudo mkdir /srv/files/ftp
sudo usermod -d /srv/files/ftp ftp
Restart vsftpd after the change:
sudo service vsftpd restart
Finally, copy all the files and directories that you want to make available via anonymous FTP into /srv/files/ftp (or /srv/ftp if you left the default).
By default, an anonymous user is not allowed to upload files to the FTP server. To change this setting, uncomment the following line and restart vsftpd:
anon_upload_enable=YES
Allowing an anonymous user to upload files can be a serious security risk. It is better not to allow anonymous file uploads to servers with direct access from the Internet.
Before making any changes to the configuration file, it is recommended to keep a copy of the original so that you can roll back the changes without reinstalling the package:
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.orig
To authenticate local users, uncomment the line
local_enable=YES
By default, vsftpd is configured to authenticate system users and allow them to download files. If you want to allow users to upload files, change /etc/vsftpd.conf to:
write_enable=YES
then reload vsftpd:
sudo service vsftpd restart
Now, when system users log in via FTP, they will start in their home directories, where they can download, upload, create directories, and so on.
There are options in /etc/vsftpd.conf that help make vsftpd more secure. For example, this option puts a local user in a chroot() jail, above which (in the directory tree) they cannot climb:
chroot_local_user=YES
You can also define a list of users with access only to the home directory:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
After uncommenting these options, create /etc/vsftpd.chroot_list containing a list of users, one per line. Then restart vsftpd:
sudo service vsftpd restart
If you have uncommented all three lines, then users in the list will not be restricted to their home directories, unlike users not in the list.
Similarly, the /etc/ftpusers file contains a list of users who are denied FTP access. By default it includes root, daemon, nobody, etc. To disable FTP access for additional users, simply add them to this list.
If you see an error when trying to connect:
Response: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()
it means that the local user has write access to the home directory, which should not be the case. There are several ways to solve this error:
Deny the local user write access to the home directory (not suitable for everyone and not in every case).
Set /home as the directory where local users will go after logging into the FTP server. Then each of them will only be able to write to their own home directory.
FTP can be encrypted by using FTPS. Unlike SFTP, FTPS is FTP over SSL. SFTP is an FTP-like session over an encrypted SSH connection. The main difference is that SFTP users must have a shell account, instead of the nologin shell. Giving all users a shell may not be the best solution for some systems, such as a shared web host. However, it is possible to restrict such accounts to SFTP only and prevent shell interaction. See the section on OpenSSH for more information.
To configure FTPS, add the following to the end of the /etc/vsftpd.conf file:
ssl_enable=YES
Also note the certificate and key options:
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
By default these options are set to the values provided by the ssl-cert package. In a production environment they should be replaced with a certificate and key generated for the specific host. See the Certificates section for more information.
Now reload vsftpd and non-anonymous users will use FTPS:
sudo service vsftpd restart
To allow users with the /usr/sbin/nologin shell to access FTP without granting shell access, edit /etc/shells to add nologin to the list of shells:
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen
/usr/sbin/nologin
This is required because by default vsftpd uses PAM for authentication, and the configuration file /etc/pam.d/vsftpd contains:
auth required pam_shells.so
The pam_shells PAM module restricts access to the shells listed in /etc/shells.
Most popular FTP clients can be configured to use FTPS. The command-line FTP client lftp can also use FTPS.
It's time to organize file storage, both inside the network and outside. This article is a continuation of the first part, dedicated to setting up a WiFi router on your home server. All hard drives from your home computer (except for the system one) can be moved to the server, since the transfer rate fluctuates around 10-20 megabytes per second [this figure also depends very much on the model of your hard drive], and by the way, it is high time to buy an SSD for the system disk.
ftp server.
There are many ftp servers for linux, many good ones, many bad ones, but there is a best one [of course this is a subjective opinion, the best one for me], and that is vsftpd. We will look at it.
You can install it from the standard OpenSUSE repositories by running the following command in the terminal:
zypper in vsftpd
Now let's move on to the description. This is a console ftp server; it has no GUI (graphical shell), so all configuration takes place in one single config, /etc/vsftpd.conf.
Here is an example of a working config:
#enable any form of writing to the FTP server
write_enable=YES
#show messages when changing from folder to folder
dirmessage_enable=YES
#user WITHOUT any privileges that vsftpd drops to when it does not need them
nopriv_user=ftpsecure
#allow local users (local users are those registered in the system,
#i.e. those that have accounts)
local_enable=YES
#confine local users to their home directory (chroot)
chroot_local_user=YES
#deny anonymous login to the server
anonymous_enable=NO
#turn on logging to syslog
syslog_enable=YES
#let data connections originate from port 20
connect_from_port_20=YES
#allow ASCII-mode uploads and downloads (the original config ties this to files with Cyrillic names)
ascii_upload_enable=YES
ascii_download_enable=YES
#name of the PAM service vsftpd authenticates against
pam_service_name=vsftpd
#run in standalone mode
listen=YES
#disable SSL
ssl_enable=NO
#port range for PASV mode
pasv_min_port=30000
pasv_max_port=30100
#banner shown when entering the ftp server
ftpd_banner=Welcome to my ftp-server
#time after which an idle user is disconnected
idle_session_timeout=900
#maximum number of users
max_clients=10
#maximum number of sessions from one ip address
max_per_ip=3
#enable PASV mode (passive mode)
pasv_enable=YES
#umask applied to files created by local users
local_umask=0002
In the above config there is no fuss about distributing access rights to individual users or individual folders. Everything is quite simple and concise: set it up once and use it. vsftpd was chosen because it has the best system of access-rights settings, which comes in two kinds: internal, system authentication, and external, with a separate configuration file for distributing access rights, while the users are still taken from the system.
In this example both the users and the distribution of their access rights are taken from the system; an additional config file is not used.
Figure 1. Setting permissions
That's about it.
samba.
Do you want to always have at hand the file storage of all collections and everything else from a laptop, from a home computer, from a phone, from a tablet? Go.
Initially, with a standard installation of OpenSUSE, everything you need to install and configure samba on the server is already present. So let's go straight to the settings. Since access from Windows as a "mapped network drive" will only be available within your local network [the ftp server is there for the Internet, and besides, exposing samba to the Internet is extremely unsafe, but we are "FOR SECURITY!!! Hurray!"], the settings will be very ordinary and easy to understand. There are two [known to me and adequate in my opinion] ways to configure samba: through the configuration file, and using the webmin utility. The latter is a wildly cool thing, especially for those who do not like poking around in configs [but there are some nuances there too]. In this article we will not dwell on the means "for the lazy", so let's continue. We will look at a working config file. It is located at /etc/samba/smb.conf. Here it is:
[global]
# Specify the name of the guest user.
guest account = nobody
# Specify the netbios name
netbios name = homeserver
# Enable "write" rights
writeable = yes
# Additional option, removing the delay.
socket options = TCP_NODELAY IPTOS_LOWDELAY
# If necessary, specify the workgroup in which the computers will be located
# (absolutely optional parameter)
workgroup = HOMENET
# Select the interfaces on which samba will "listen".
# (also optional; by default it listens on all interfaces)
interfaces = eth1 wlan0
# Security is not really needed at home.
security = share

# The share name is not given in the original; [pub] is a stand-in
[pub]
public = yes
# Allow guest
guest ok = yes
# Only guest? Yes.
guest only = yes
# Path to the public folder
path = /cifs/pub
# Do not disable writing.
read only = no

# Also, if you are interested in the ability to access the CD-ROM, then add
# the following share to the samba config (the share name is a stand-in):
[cdrom]
fake oplocks = yes
guest ok = yes
guest only = yes
path = /mnt/cdrom
read only = yes
Also, additional configuration can be done through the samba GUI built into YaST.
The user that we specified at the very beginning of the config (in this example, the user nobody) must be created in the system and given the necessary rights (at home, it makes sense to give full rights to create, delete and edit all files and folders, i.e. rights 777). Also, if you encounter a situation where for some reason it becomes impossible to delete or create files in some folder on the server, run the command:
chmod 777 -R /path
Let's break it down, just in case:
chmod - the command that sets permissions.
777 - the permissions; the letter equivalent is rwx, rwx, rwx - read, write and execute rights for the owner, the group (the one the owner belongs to) and everyone else.
-R - recursion flag, so that the command is applied not only to the folder (and the files in it) that you specified in /path, but also to all sub-folders and the files in them.
/path - the path to the folder on which you want to set the rights. The same command applies to the FTP server if similar problems occur. It should also be noted that if such problems arise, the cause most likely lies in the users created in the system, or rather in the rights granted to their home directories.
rTorrent.
Semi-automated torrent client.
In fact, this is an ordinary torrent client, but one whose settings are very rich and varied. Now we will look at one very useful function of this client. Imagine that you have already set up samba on your home server, the file storage located on the server is connected to your computer as a network drive; you open your network drive, open the torrents folder, open the music folder inside it and move all the torrent files with the music you want to download there and ... that's it, go to bed. In the morning, all the torrents you put there will already be downloaded and hash-checked (here, of course, everything depends on how many torrents you want to download, how big they are and how wide your Internet channel is). Like it? I have been enjoying this function for half a year now.
Let's figure it out.
You need to install rtorrent, run the following command in the terminal:
zypper in rtorrent
After you have downloaded and installed the rtorrent torrent client, you need to configure it. The program is configured using the configuration file .rtorrent.rc located in the user's home directory (there is no .rtorrent.rc file by default; you need to create it yourself). I give an example of a working config with detailed comments:
#peer exchange? Yes!
peer_exchange = yes
#minimum number of peers per torrent
min_peers = 1
#maximum number of peers per torrent
max_peers = 1000
#max download speed (0 = unlimited)
download_rate = 0
#max upload speed (0 = unlimited)
upload_rate = 0
#directory where downloads are saved (and from which torrents are seeded)
directory = /files/torrents
#directory where the state of torrents is saved;
#in this example, the session folder
session = /files/torrents/session/
#rtorrent checks this directory every 5 seconds for new *.torrent files
#and, if there are any, starts downloading them
#schedule = watch_directory,5,5,load_start=/home/user/torrent_auto_load/
#check several directories for new *.torrent files and save the downloads
#to the corresponding folders
schedule = watch_directory,5,5,"load_start=/files/torrents/music/*.torrent,d.set_directory=/files/music"
schedule = watch_directory_2,5,5,"load_start=/files/torrents/video/*.torrent,d.set_directory=/files/video"
schedule = watch_directory_3,5,5,"load_start=/files/torrents/video/serial/*.torrent,d.set_directory=/files/video/serial"
schedule = watch_directory_4,5,5,"load_start=/files/torrents/progs/*.torrent,d.set_directory=/files/progs"
schedule = watch_directory_5,5,5,"load_start=/files/torrents/games/*.torrent,d.set_directory=/files/games"
schedule = watch_directory_6,5,5,"load_start=/files/torrents/unsorted/*.torrent,d.set_directory=/files/unsorted"
schedule = watch_directory_7,5,5,"load_start=/files/torrents/doc/*.torrent,d.set_directory=/files/doc"
schedule = watch_directory_8,5,5,"load_start=/files/torrents/doc/books/*.torrent,d.set_directory=/files/doc/books"
#remove .torrent files from the watch directories once the corresponding
#download has been removed from the client (e.g. an already finished download)
schedule = untied_directory,7,5,remove_untied=
#port (or port range) that the client opens for data exchange
port_range = 40890-40890
#random choice of the data port; disabled in this case
port_random = no
#verify the torrent hash after download
check_hash = yes
#save session
session_save = yes
#accept encrypted incoming connections, make unencrypted outgoing connections,
#retry with encryption if that fails, prefer plaintext after establishing
#an encrypted connection
encryption = allow_incoming,enable_retry,prefer_plaintext
#use UDP trackers
use_udp_trackers = yes
Figure 2. The main window of the rTorrent program
Actually, that's all. Next, a tricky trick - open the console and write (you can also go to the server via ssh):
screen rtorrent
Next, the torrent client will open in the terminal, where you can configure and debug it additionally. Now we press the magic key combinations Ctrl + A then Ctrl + D and the console will happily notify you that:
Figure 3. Screenshot of the rTorrent process.
This indicates that the process of your torrent client has been "screened", that is, it is running but not visible. Those who are always interested in everything can read about this utility on their own; I do not want to burden your head with such things (although they are very interesting and informative, and are used often).
If you need to open the client again, write:
screen -r
IMPORTANT: If you want to run the torrent client as root (i.e. via sudo), then you need to create the config file in the home directory of the root user; also, screen -r must be run under the same user under which you "screened" it.
Thus, you will always have a torrent client hanging in the background, which will download and distribute exactly as much as your server will work.
On this "important" note I want to end this article. Thank you for your attention, and yes, use the Google search engine, it's great!
If I made a mistake with the topic, tell me where to move it.
FTP (File Transfer Protocol) is a standard network protocol used to transfer files to and from a remote network. For safer and faster data transfer, use SCP.
There are many open source FTP servers available for Linux. The most popular and widely used are PureFTPd, ProFTPD and vsftpd. In this article we will install vsftpd. It is a stable, secure and fast FTP server. We will also show you how to configure vsftpd to restrict users to their home directory and encrypt all transmission using SSL/TLS.
Although this article is written for Ubuntu 18.04, the same instructions apply to Ubuntu 16.04 and any Debian-based distribution, including Debian, Linux Mint and elementary OS.
The vsftpd package is available in the Ubuntu repositories. To install it, just run the following commands:
sudo apt update
sudo apt install vsftpd
The vsftpd service will automatically start after the installation process is complete. Check it out by printing the status of the service:
sudo systemctl status vsftpd
The result will look something like this, showing that the vsftpd service is up and running:
* vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-10-15 03:38:52 PDT; 10min ago
 Main PID: 2616 (vsftpd)
    Tasks: 1 (limit: 2319)
   CGroup: /system.slice/vsftpd.service
           `-2616 /usr/sbin/vsftpd /etc/vsftpd.conf
The vsftpd server can be configured by editing the /etc/vsftpd.conf file. Most of the settings are documented inside the configuration file. For all available options, visit the official vsftpd page.
In the following sections, we will look at some important settings needed to set up a secure vsftpd installation.
Start by opening the vsftpd configuration file:
sudo nano /etc/vsftpd.conf
To allow only local users to access the FTP server, find the anonymous_enable and local_enable directives and check that your configuration matches the following lines:
/etc/vsftpd.conf
anonymous_enable=NO
local_enable=YES
Uncomment the write_enable setting to allow changes to the file system, such as uploading and deleting files.
/etc/vsftpd.conf
write_enable=YES
To prevent FTP users from accessing any files outside their home directories, uncomment the chroot setting.
/etc/vsftpd.conf
chroot_local_user=YES
By default, to prevent a security vulnerability, when chroot is enabled vsftpd will refuse uploads if the directory that users are locked into is writable. There are two ways to deal with this. The first, used in this article, is to point the chroot at a directory that is not writable and let users write into a subdirectory of it:
/etc/vsftpd.conf
user_sub_token=$USER
local_root=/home/$USER/ftp
The second is to switch the check off altogether:
/etc/vsftpd.conf
allow_writeable_chroot=YES
vsftpd can use any port for passive FTP connections. We will specify the minimum and maximum port range and then open the range in our firewall.
Add the following lines to the configuration file:
/etc/vsftpd.conf
pasv_min_port=30000
pasv_max_port=31000
To allow only certain users to log into the FTP server, add the following lines to the end of the file:
/etc/vsftpd.conf
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
When this option is enabled, you must explicitly specify which users can log in by adding usernames to the /etc/vsftpd.user_list file (one user per line).
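To see how the userlist_* options interact, and how chroot_list_file changes meaning depending on chroot_local_user (described in the first vsftpd article above), here is an added example that is not from the original article: it reads the options from a constructed vsftpd.conf and list files and reports, per user, whether a login is accepted and whether the chroot applies. The defaults it falls back on (userlist_deny=YES, the other booleans NO) are vsftpd's documented defaults; the file paths are temporary.

```shell
#!/bin/bash
# Added example (not from the original article): decide from a vsftpd.conf
# and its list files whether a user may log in (userlist_*) and whether
# the chroot applies to them (chroot_local_user / chroot_list_*). Both
# lists are easy to misread: userlist_deny=NO turns the file into an
# allow-list, and with chroot_local_user=YES the chroot list holds the
# users who are NOT chrooted. All files below are constructed.

# Print the value of OPTION from CONF, or DEFAULT if it is absent or
# commented out. vsftpd allows no spaces around '=', so none are expected.
conf_get() {
    val=$(grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-)
    printf '%s\n' "${val:-$3}"
}

# Exact-line membership test, the way vsftpd reads its list files.
in_list() { grep -Fxq -- "$2" "$1"; }

# Exit 0 if USER passes the userlist check.
userlist_allows() {
    conf="$1"; user="$2"
    if [ "$(conf_get "$conf" userlist_enable NO)" != YES ]; then return 0; fi
    file=$(conf_get "$conf" userlist_file /etc/vsftpd.user_list)
    if in_list "$file" "$user"; then listed=1; else listed=0; fi
    if [ "$(conf_get "$conf" userlist_deny YES)" = YES ]; then
        [ "$listed" -eq 0 ] && return 0 || return 1   # deny-list
    else
        [ "$listed" -eq 1 ] && return 0 || return 1   # allow-list
    fi
}

# Exit 0 if USER will be confined to their home directory.
chroot_applies() {
    conf="$1"; user="$2"
    all=$(conf_get "$conf" chroot_local_user NO)
    if [ "$(conf_get "$conf" chroot_list_enable NO)" != YES ]; then
        [ "$all" = YES ] && return 0 || return 1
    fi
    file=$(conf_get "$conf" chroot_list_file /etc/vsftpd.chroot_list)
    if in_list "$file" "$user"; then listed=1; else listed=0; fi
    if [ "$all" = YES ]; then
        [ "$listed" -eq 0 ] && return 0 || return 1   # list = the exceptions
    else
        [ "$listed" -eq 1 ] && return 0 || return 1   # list = the chrooted users
    fi
}

# Constructed config with both lists; report for two users.
demo_lists() {
    base=$(mktemp -d)
    printf 'alice\n' > "$base/user_list"
    printf 'bob\n'   > "$base/chroot_list"
    cat > "$base/vsftpd.conf" <<EOF
local_enable=YES
userlist_enable=YES
userlist_file=$base/user_list
userlist_deny=NO
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$base/chroot_list
EOF
    out=""
    for u in alice bob; do
        login=$(userlist_allows "$base/vsftpd.conf" "$u" && echo login || echo refused)
        jail=$(chroot_applies "$base/vsftpd.conf" "$u" && echo chrooted || echo free)
        out="$out $u:$login/$jail"
    done
    rm -rf "$base"
    printf '%s\n' "${out# }"
}

demo_lists
```

With the constructed config, alice (in the user list, not in the chroot list) is accepted and confined, while bob (not in the user list, but in the chroot list) is refused and would not be confined if he could log in: exactly the inversion the two list files have under these settings.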
To encrypt FTP transfers with SSL/TLS, you need to have an SSL certificate and configure your FTP server to use it.
You can use a certificate signed by a trusted CA, or you can create a self-signed certificate.
If you have a domain or subdomain pointing to the IP address of the FTP server, you can easily generate a free SSL certificate for encryption.
In this article, we will generate a self-signed SSL certificate using the openssl command.
The following command will generate a 2048-bit private key and a self-signed certificate valid for 10 years. Both the private key and the certificate will be stored in the same file:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
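An added example, not from the original article, that wraps this command so it runs unattended and verifies the result before vsftpd is pointed at it: -subj supplies the subject name without prompts, the combined key+certificate file is locked to mode 600 because it holds the private key, and openssl x509 confirms the certificate parses, is currently valid and carries the expected CN. The CN ftp.example.test and the temporary output directory are placeholders.

```shell
#!/bin/bash
# Added example (not from the original article): generate the combined
# key+certificate file for vsftpd without interactive prompts, restrict its
# permissions, and verify it before pointing rsa_cert_file at it.
# OUT is a scratch path standing in for /etc/ssl/private/vsftpd.pem and
# CN is a placeholder host name.

make_vsftpd_cert() {
    out="$1"; cn="$2"
    # -subj replaces the interactive questions; -nodes leaves the key
    # unencrypted so vsftpd can load it at start-up without a passphrase.
    # -keyout and -out name the same file, so key and certificate end up
    # together, as in the article's command.
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -subj "/CN=$cn" \
        -keyout "$out" -out "$out" >/dev/null 2>&1 || return 1
    chmod 600 "$out"   # the file holds the private key: owner-only access
}

# Verify the result: parses as a certificate, is valid right now,
# carries the expected CN, and is not group/world readable.
check_vsftpd_cert() {
    out="$1"; cn="$2"
    openssl x509 -in "$out" -noout -checkend 0 >/dev/null 2>&1 || return 1
    openssl x509 -in "$out" -noout -subject | grep -q "CN *= *$cn" || return 1
    [ "$(stat -c %a "$out")" = 600 ] && return 0 || return 1
}

# Run both steps in a temporary directory and report ok/failed.
demo_cert() {
    base=$(mktemp -d)
    pem="$base/vsftpd.pem"
    if make_vsftpd_cert "$pem" ftp.example.test &&
       check_vsftpd_cert "$pem" ftp.example.test; then
        result=ok
    else
        result=failed
    fi
    rm -rf "$base"
    echo "$result"
}

demo_cert
```

On a real host you would call make_vsftpd_cert with /etc/ssl/private/vsftpd.pem and the server's host name, then set rsa_cert_file and rsa_private_key_file to that path as shown in the next step.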
Now that the SSL certificate has been created, open the vsftpd configuration file:
sudo nano /etc/vsftpd.conf
Find the rsa_cert_file and rsa_private_key_file directives, change their values to the path of the file you just created, and set the ssl_enable directive to YES:
/etc/vsftpd.conf
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
Unless otherwise specified, the FTP server will only use TLS for secure connections.
Once you're done editing, the vsftpd configuration file (excluding comments) should look something like this:
/etc/vsftpd.conf
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
Save the file and restart the vsftpd service for the changes to take effect:
sudo systemctl restart vsftpd
If you are using a UFW firewall, you will need to allow FTP traffic.
To open port 21 (FTP command port), port 20 (FTP data port), and 30000-31000 (passive port range), run the following commands:
sudo ufw allow 20:21/tcp
sudo ufw allow 30000:31000/tcp
To avoid locking ourselves out, we will also open port 22 (SSH):
sudo ufw allow OpenSSH
Reload the UFW rules by disabling and re-enabling UFW:
sudo ufw disable
sudo ufw enable
To check if the changes have been made:
sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
20:21/tcp                  ALLOW       Anywhere
30000:31000/tcp            ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
20:21/tcp (v6)             ALLOW       Anywhere (v6)
30000:31000/tcp (v6)       ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
To test our FTP server, we will create a new user.
As discussed in the previous section, the user will be able to upload their files to the ftp/upload directory.
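The directory layout this relies on, worked through as an added example that is not part of the original article: a script that reproduces the "refusing to run with writable root inside chroot()" condition on a throw-away directory (standing in for /home/newftpuser/ftp) and applies the fix, a read-only chroot root with a writable upload subdirectory. It uses GNU stat, and its writable-bit test is an approximation of vsftpd's own access() check, as noted in the comments. The same script illustrates the chroot error and its first remedy described in the earlier vsftpd article on this page.

```shell
#!/bin/bash
# Added example (not from the original article): reproduce the
# "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"
# condition on a scratch tree and apply the fix used in this article:
# a read-only chroot root (local_root=/home/$USER/ftp) with a writable
# "upload" subdirectory underneath it.

# Exit 0 if any write bit (owner, group or other) is set on DIR.
# vsftpd's real test is access(W_OK) as the logged-in user; the raw mode
# bits are a stricter, user-independent approximation that also works
# when run as root (where "test -w" would always succeed).
chroot_root_writable() {
    mode=$(stat -c %a "$1") || return 2
    [ $(( 0$mode & 0222 )) -ne 0 ] && return 0 || return 1
}

# Make ROOT read-only and give the user ROOT/upload to write into.
# The subdirectory is created first so this also works without root
# privileges (mkdir inside an a-w directory would otherwise fail).
harden_chroot_root() {
    mkdir -p "$1/upload"
    chmod u+w "$1/upload"
    chmod a-w "$1"
}

# Build the tree in a temporary directory and report, in order:
# the chroot root before the fix, after the fix, and the upload dir.
demo_chroot_layout() {
    base=$(mktemp -d)
    ftp_root="$base/newftpuser/ftp"    # stands in for /home/newftpuser/ftp
    mkdir -p "$ftp_root"
    chmod 755 "$ftp_root"              # owner-writable: vsftpd would refuse
    before=$(chroot_root_writable "$ftp_root" && echo writable || echo read-only)
    harden_chroot_root "$ftp_root"
    after=$(chroot_root_writable "$ftp_root" && echo writable || echo read-only)
    upload=$(chroot_root_writable "$ftp_root/upload" && echo writable || echo read-only)
    chmod -R u+w "$base"               # so the scratch tree can be removed
    rm -rf "$base"
    echo "$before $after $upload"
}

demo_chroot_layout
```

On a real host the upload directory would additionally be chowned to the FTP user and the chroot root to root, so that only the subdirectory, never the root, is writable by the account that logs in.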
At this point your FTP server is fully operational, and you should be able to connect to it with any FTP client that can be configured to use TLS encryption, such as FileZilla.
By default, when a user is created, unless explicitly specified, the user will have access to the SSH server.
To disable shell access, we will create a new shell which simply prints a message telling the user that their account is limited to FTP access only.
Create a shell /bin/ftponly and make it executable:
echo -e '#!/bin/sh\necho "This account is limited to FTP access only."' | sudo tee -a /bin/ftponly
sudo chmod a+x /bin/ftponly
Add the new shell to the list of allowed shells in the /etc/shells file
echo "/bin/ftponly" | sudo tee -a /etc/shells
Change the user shell to /bin/ftponly:
sudo usermod newftpuser -s /bin/ftponly
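The ftponly shell and the pam_shells check it depends on, exercised as an added example that is not from the original article: the script writes the restricted shell into a scratch directory, runs it the way sshd would for a remote command (with -c and a command) to show the command is ignored, and applies the exact-line match that pam_shells performs against a stand-in for /etc/shells. The exit 1 in the shell is this example's addition; the paths are temporary. This also illustrates the nologin/pam_shells discussion in the first vsftpd article above.

```shell
#!/bin/bash
# Added example (not from the original article): build the FTP-only login
# shell in a scratch directory and check the two things that make it work:
# it never runs a command it is handed, and it appears in the shells file
# that pam_shells consults. Paths are temporary stand-ins for /bin/ftponly
# and /etc/shells.

# Write the restricted shell. It ignores every argument, including the
# "-c <command>" that sshd or su pass for a remote command, prints the
# notice and exits non-zero (the exit status is this example's addition).
write_ftponly_shell() {
    cat > "$1" <<'EOF'
#!/bin/sh
echo "This account is limited to FTP access only."
exit 1
EOF
    chmod a+x "$1"
}

# Mimic pam_shells: the login shell must appear as a complete line in the
# shells file; a prefix match or a commented-out entry does not count.
shell_permitted() {
    grep -Fxq -- "$2" "$1"
}

# Exercise both pieces and return a one-line summary.
demo_ftponly() {
    base=$(mktemp -d)
    shell="$base/ftponly"; shells="$base/shells"
    write_ftponly_shell "$shell"
    printf '/bin/sh\n/bin/bash\n' > "$shells"
    # What "ssh user@host id" would get back from this login shell
    # (run via sh so the demo also works on a noexec temp filesystem):
    rc=0
    msg=$(sh "$shell" -c id 2>&1) || rc=$?
    before=$(shell_permitted "$shells" "$shell" && echo listed || echo missing)
    echo "$shell" >> "$shells"          # the "tee -a /etc/shells" step
    after=$(shell_permitted "$shells" "$shell" && echo listed || echo missing)
    rm -rf "$base"
    echo "rc=$rc $before $after $msg"
}

demo_ftponly
```

The summary line shows the notice instead of the output of id, a non-zero status, and the shell going from missing to listed once it has been appended; only after that last step will PAM let an account with this shell authenticate to vsftpd.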
In this article, you learned how to install and set up a secure and fast FTP server in your Ubuntu system 18.04.
File Transfer Protocol (FTP) is a TCP protocol for downloading files between computers. In the past, it has also been used for uploading but, as that method does not use encryption, user credentials as well as data transferred in the clear and are easily intercepted. So if you are here looking for a way to upload and download files securely, see the section on OpenSSH in Remote Administration instead.
FTP works on a client/server model. The server component is called an FTP daemon . It continuously listens for FTP requests from remote clients. When a request is received, it manages the login and sets up the connection. For the duration of the session, it executes any of the commands sent by the FTP client.
Access to an FTP server can be managed in two ways:
In the Anonymous mode, remote clients can access the FTP server by using the default user account called "anonymous" or "ftp" and sending an email address as the password. In the Authenticated mode a user must have an account and a password. This latter choice is very insecure and should not be used except in special circumstances. If you are looking to transfer files securely see SFTP in the section on OpenSSH-Server. User access to the FTP server directories and files is dependent on the permissions defined for the account used at login. As a general rule, the FTP daemon will hide the root directory of the FTP server and change it to the FTP Home directory. This hides the rest of the file system from remote sessions.
vsftpd is an FTP daemon available in Ubuntu. It is easy to install, set up, and maintain. To install vsftpd you can run the following command:
sudo apt install vsftpd
By default vsftpd is not configured to allow anonymous download. If you wish to enable anonymous download edit /etc/vsftpd.conf by changing:
anonymous_enable=Yes
During installation a ftp user is created with a home directory of /srv/ftp . This is the default FTP directory.
If you wish to change this location, to /srv/files/ftp for example, simply create the directory and change the ftp user's home directory:
sudo mkdir /srv/files/ftp
sudo usermod -d /srv/files/ftp ftp
After making the change restart vsftpd:
sudo systemctl restart vsftpd.service
Finally, copy any files and directories you would like to make available through anonymous FTP to /srv/files/ftp , or /srv/ftp if you wish to use the default.
By default vsftpd is configured to authenticate system users and allow them to download files. If you want users to be able to upload files, edit /etc/vsftpd.conf :
write_enable=YES
Now restart vsftpd :
sudo systemctl restart vsftpd.service
Now when system users login to FTP they will start in their home directories where they can download, upload, create directories, etc.
Similarly, by default, anonymous users are not allowed to upload files to FTP server. To change this setting, you should uncomment the following line, and restart vsftpd :
anon_upload_enable=YES
Enabling anonymous FTP upload can be an extreme security risk. It is best to not enable anonymous upload on servers accessed directly from the Internet.
The configuration file consists of many configuration parameters. The information about each parameter is available in the configuration file. Alternatively, you can refer to the man page, man 5 vsftpd.conf for details of each parameter.
There are options in /etc/vsftpd.conf to help make vsftpd more secure. For example users can be limited to their home directories by uncommenting:
chroot_local_user=YES
You can also limit a specific list of users to just their home directories:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
After uncommenting the above options, create a /etc/vsftpd.chroot_list containing a list of users one per line. Then restart vsftpd :
sudo systemctl restart vsftpd.service
Also, the /etc/ftpusers file is a list of users that are disallowed FTP access. The default list includes root, daemon, nobody, etc. To disable FTP access for additional users simply add them to the list.
FTP can also be encrypted using FTPS . Different from SFTP , FTPS is FTP over Secure Socket Layer (SSL). SFTP is a FTP like session over an encrypted SSH connection. A major difference is that users of SFTP need to have a shell account on the system, instead of a nologin shell. Providing all users with a shell may not be ideal for some environments, such as a shared web host. However, it is possible to restrict such accounts to only SFTP and disable shell interaction. See the section on OpenSSH-Server for more.
To configure FTPS, edit /etc/vsftpd.conf and at the bottom add:
ssl_enable=YES
Also, notice the certificate and key related options:
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
By default these options are set to the certificate and key provided by the ssl-cert package. In a production environment these should be replaced with a certificate and key generated for the specific host. For more information on certificates, see Certificates .
Now restart vsftpd , and non-anonymous users will be forced to use FTPS :
sudo systemctl restart vsftpd.service
To allow users with a shell of /usr/sbin/nologin access to FTP, but have no shell access, edit /etc/shells adding the nologin shell:
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen
/usr/sbin/nologin
This is necessary because, by default vsftpd uses PAM for authentication, and the /etc/pam.d/vsftpd configuration file contains:
auth required pam_shells.so
The shells PAM module restricts access to shells listed in the /etc/shells file.
Most popular FTP clients can be configured to connect using FTPS. The lftp command line FTP client has the ability to use FTPS as well.
In this guide, we will show you how to install an FTP server on a VPS running Ubuntu. We will use the vsftpd server, which is considered the fastest and most secure FTP server for UNIX systems.
FTP, or File Transfer Protocol, is a protocol for receiving and transmitting files over a network. Using a client/server model and SSL/TLS security, FTP allows users to exchange files with remote computers safely, efficiently and securely, transferring data over TCP/IP.
FTP works like HTTP or SMTP, with the only difference being that it is responsible for the secure transmission of data from a sender to a recipient, rather than of a web page from a server to a user or an e-mail over the Internet. This guide covers the creation of an FTP server on Ubuntu 16.04.
Note: This guide is based on Ubuntu 16.04. But you can apply the same steps to create an FTP server on Ubuntu 14.04.
First of all, let's update all the packages before starting the installation of the vsftpd daemon. To do this, run the command:
sudo apt-get update
Wait for all processes to complete and you will see a confirmation message:
Then install the vsftpd daemon with the following command:
sudo apt-get install vsftpd
You will be asked to confirm; press Y and then Enter to continue the installation.
Once the installation is complete, make a backup of the original config file to start with a clean config file:
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.original
Now we can move on to the next step and configure the firewall.
To allow the FTP server deployed on Ubuntu OS to communicate with the outside world, you need to set up a path through the firewall. First, let's see if the firewall is enabled. Run the following command to determine the status:
sudo ufw status
If you see a message like this:
ufw: command not found
it means the firewall is not installed, and you can proceed to the next step.
If the output shows rules or a message that the firewall is active, you need to decide how it will handle FTP traffic. We will open ports 20 and 21 for FTP traffic; reserve ports 40000-50000 as the passive port range, which will be set in the configuration file later; and open port 990, which is used when TLS is enabled. Run the following commands:
sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow 990/tcp
sudo ufw allow 40000:50000/tcp
Now check the status again. The result will look something like this:
Output
Status: active

To                         Action      From
--                         ------      ----
990/tcp                    ALLOW       Anywhere
20/tcp                     ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere
40000:50000/tcp            ALLOW       Anywhere
20/tcp (v6)                ALLOW       Anywhere (v6)
21/tcp (v6)                ALLOW       Anywhere (v6)
990/tcp (v6)               ALLOW       Anywhere (v6)
40000:50000/tcp (v6)       ALLOW       Anywhere (v6)
Now all the necessary ports are open, and we can move on to the next step.
In the third step of creating the Ubuntu FTP server, you need to choose a user who will connect via FTP. Create a new user by running the following command:
sudo adduser alex
Fill in the password and other details when prompted. Ideally, from a security point of view, FTP should be limited to one dedicated directory. vsftpd uses chroot to provide this protection: with chroot enabled, a local user is confined to their home directory (by default). However, because of a vsftpd security check, the user may then be unable to create anything in that directory. Rather than removing write permission from the home directory itself, we create an ftp directory that acts as the chroot and keep a writable subdirectory inside it where files can be stored. Create the FTP directory with the following command:
sudo mkdir /home/alex/ftp
Set its ownership:
sudo chown nobody:nogroup /home/alex/ftp
Finally, remove write permissions:
sudo chmod a-w /home/alex/ftp
Now check the permissions with the following command:
sudo ls -la /home/alex/ftp
The output will look something like this:
total 8
dr-xr-xr-x 2 nobody nogroup 4096 Jun 29 11:32 .
drwxr-xr-x 3 alex   alex    4096 Jun 29 11:32 ..
In the next step, we create a directory for the files and give our user ownership of it:
sudo mkdir /home/alex/ftp/files
sudo chown alex:alex /home/alex/ftp/files
Finally, add a test file to the directory, which we will use later for testing:
echo "vsftpd sample file" | sudo tee /home/alex/ftp/files/sample.txt
To continue installing the FTP server on an Ubuntu VPS, we need to configure vsftpd and our FTP access. In this tutorial, we allow a single user to connect via FTP using a local system account. The two-step configuration required for this is already present in the configuration file (vsftpd.conf). First check that the settings in the file match the following:
sudo nano /etc/vsftpd.conf
. . .
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
. . .
In the same file, remove the # in front of write_enable to turn it on:
. . .
write_enable=YES
. . .
Also uncomment chroot_local_user, so that a user connected via FTP is confined to files inside the allowed directory:
. . .
chroot_local_user=YES
. . .
A few new values also need to be added manually; you can simply paste them at the end of the file. First, add user_sub_token and use it in the local_root directory path. This lets the configuration work for the current user and for any user added later:
user_sub_token=$USER
local_root=/home/$USER/ftp
To make sure that enough connections are available, we limit the range of passive ports in the config file:
pasv_min_port=40000
pasv_max_port=50000
In this guide we grant access on an individual basis, so set the following options to allow only users who are explicitly added to the list:
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
The userlist_deny flag switches the logic: when it is set to NO, only users on the list are allowed in. When finished, press CTRL+X and confirm saving the changes to the file.
Finally, let's continue creating and adding our user to the file:
echo "alex" | sudo tee -a /etc/vsftpd.userlist
Check that the user was actually added by running:
cat /etc/vsftpd.userlist
The output should be "alex", as shown in the screenshot.
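Before restarting the daemon, it is worth checking the chroot layout created in the directory steps earlier, because vsftpd refuses a chrooted login when the chroot root is writable (the session fails with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"). The script below is an added example and not part of the original guide: it rebuilds the /home/alex/ftp layout under a temporary directory, with the current user standing in for alex, and reports whether the root is read-only and the files subdirectory is owned by and writable for the FTP user. It assumes GNU stat; the chown to nobody:nogroup needs root and is not reproduced here.

```bash
# Added example, not part of the original guide: a sanity check for the chroot
# layout built above. The chroot root must carry no write bits, while the
# files/ subdirectory must be owned by the FTP user and writable by them. The
# layout is rebuilt under a temporary directory with the current user standing
# in for "alex". Requires GNU stat (-c format).

# Last three octal digits of a path's mode, e.g. 555 or 755.
mode_of() { printf '%s' "$(stat -c '%a' "$1")" | tail -c 3; }

# check_chroot_layout ROOT FILES_DIR FTP_USER
# Prints "ok", or a space-separated list of problems found.
check_chroot_layout() {
    root=$1; files=$2; ftp_user=$3
    problems=""
    # Any digit 2, 3, 6 or 7 means a write bit is set for owner, group or other.
    case "$(mode_of "$root")" in
        *[2367]*) problems="$problems root-writable" ;;
    esac
    # The upload directory must belong to the FTP user ...
    [ "$(stat -c '%U' "$files")" = "$ftp_user" ] || problems="$problems files-wrong-owner"
    # ... and its owner digit (first of three) must carry the write bit.
    case "$(mode_of "$files")" in
        [2367]??) ;;
        *) problems="$problems files-not-writable-by-owner" ;;
    esac
    if [ -z "$problems" ]; then echo ok; else echo "${problems# }"; fi
}

tmp=$(mktemp -d)
me=$(id -un)
mkdir -p "$tmp/ftp/files"
chmod 755 "$tmp/ftp/files"

# Step 1: the layout right after mkdir, before removing write permission.
chmod 755 "$tmp/ftp"
before=$(check_chroot_layout "$tmp/ftp" "$tmp/ftp/files" "$me")

# Step 2: after "chmod a-w" on the chroot root, as the guide does.
chmod a-w "$tmp/ftp"
after=$(check_chroot_layout "$tmp/ftp" "$tmp/ftp/files" "$me")

layout_before() { echo "$before"; }   # root-writable
layout_after()  { echo "$after"; }    # ok
layout_before
layout_after

# Clean up (the root needs its write bit back before rm can empty it).
chmod u+w "$tmp/ftp"; rm -rf "$tmp"
```

Run against the real layout with the three paths and the user name substituted; a "root-writable" finding is what precedes the 500 OOPS error at login.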
Restart the daemon using the following command to start the configuration changes:
sudo systemctl restart vsftpd
By default, FTP does not encrypt any data, so we will use TLS/SSL to take care of security. As a first step, we need to create an SSL certificate and use it to protect the Ubuntu FTP server. To get started, run the following command:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
The -days flag makes the certificate valid for one year, and the same command generates a 2048-bit RSA private key. Enter the requested details when prompted.
After creating the certificate, open the configuration file again:
sudo nano /etc/vsftpd.conf
Near the end of the file there are two lines beginning with rsa_. Comment out both of them:
# rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
Instead, we will direct the config file to the certificate we created. Add these lines:
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
Now we will enable SSL and make sure that only SSL-enabled clients can talk to us. Change ssl_enable to YES:
ssl_enable=YES
Now add the following lines to continue building the protection (allow_anon_ssl=NO refuses anonymous connections over SSL, and the two force_ options require local users to use SSL for both logins and data transfers):
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
Set up TLS using:
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
Here we add two more options. First, we do not require SSL session reuse, because requiring it breaks a large number of clients. Second, we use the HIGH cipher set, which means key lengths of 128 bits or more.
require_ssl_reuse=NO
ssl_ciphers=HIGH
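With the file edited in several places, it is easy to miss one directive. The script below is an added example, not part of the original guide: it audits a vsftpd.conf against every setting this guide asks for, covering both the access-control block earlier (anonymous_enable, local_enable, write_enable, chroot_local_user, the userlist options) and the TLS block just above, and additionally flags a certificate path still pointing at the snakeoil files and a passive range outside the 40000-50000 window opened in ufw. The two configuration files it runs on are constructed samples, not the file Ubuntu ships; the parser assumes vsftpd's simple KEY=value syntax with # comments.

```bash
# Added example, not part of the original guide: audit a vsftpd.conf against
# the settings this guide asks for. Both config files below are constructed
# samples built in a temporary directory.

# conf_get FILE KEY -> value of the last uncommented "KEY=value" line, trimmed;
# empty if KEY is not set.
conf_get() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == k { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val) }
        END { print val }' "$1"
}

# expect FILE KEY WANT -> records "KEY=actual" in $findings when they differ.
expect() {
    actual=$(conf_get "$1" "$2")
    [ "$actual" = "$3" ] || findings="$findings $2=${actual:-unset}"
}

# audit_conf FILE -> prints "ok" or a space-separated list of findings.
audit_conf() {
    f=$1
    findings=""
    expect "$f" anonymous_enable NO
    expect "$f" local_enable YES
    expect "$f" write_enable YES
    expect "$f" chroot_local_user YES
    expect "$f" userlist_enable YES
    expect "$f" userlist_deny NO
    expect "$f" ssl_enable YES
    expect "$f" allow_anon_ssl NO
    expect "$f" force_local_data_ssl YES
    expect "$f" force_local_logins_ssl YES
    expect "$f" ssl_tlsv1 YES
    expect "$f" ssl_sslv2 NO
    expect "$f" ssl_sslv3 NO
    expect "$f" require_ssl_reuse NO
    expect "$f" ssl_ciphers HIGH
    # The certificate must be the host's own, not the ssl-cert package default.
    case "$(conf_get "$f" rsa_cert_file)" in
        *snakeoil*) findings="$findings snakeoil-cert" ;;
    esac
    # Passive data ports must lie inside the range the firewall allows.
    pmin=$(conf_get "$f" pasv_min_port); pmax=$(conf_get "$f" pasv_max_port)
    if [ -z "$pmin" ] || [ -z "$pmax" ] || [ "$pmin" -lt 40000 ] || [ "$pmax" -gt 50000 ]; then
        findings="$findings pasv-range-outside-firewall"
    fi
    if [ -z "$findings" ]; then echo ok; else echo "${findings# }"; fi
}

tmp=$(mktemp -d)
# Constructed stand-in for the file as found before editing.
cat > "$tmp/default.conf" <<'EOF'
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
#write_enable=YES
dirmessage_enable=YES
#chroot_local_user=YES
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
EOF

# Apply the guide's edits: uncomment write_enable and chroot_local_user, switch
# ssl_enable to YES, comment out the snakeoil lines, then append the new values.
sed -e 's/^#write_enable=YES/write_enable=YES/' \
    -e 's/^#chroot_local_user=YES/chroot_local_user=YES/' \
    -e 's/^ssl_enable=NO/ssl_enable=YES/' \
    -e 's/^\(rsa_.*snakeoil.*\)$/#\1/' "$tmp/default.conf" > "$tmp/hardened.conf"
cat >> "$tmp/hardened.conf" <<'EOF'
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=40000
pasv_max_port=50000
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
EOF

audit_default()  { audit_conf "$tmp/default.conf"; }
audit_hardened() { audit_conf "$tmp/hardened.conf"; }

audit_default    # lists each missing or weak setting, e.g. ssl_enable=NO snakeoil-cert
audit_hardened   # ok
```

Point audit_conf at /etc/vsftpd.conf to check the real file; an "ok" means every directive from this guide is in place, and anything else names the setting that still differs.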
Let's restart again for the changes to take effect:
sudo systemctl restart vsftpd
Wonderful! Here you have configured the FTP server on your Ubuntu VPS to work with the SSL/TLS protocol.
Today's FTP clients support TLS encryption, so this is a good opportunity to check whether our Ubuntu FTP server is working properly. To test the connection, we will use FileZilla. To get started, launch FileZilla and click the Site Manager icon.
Click the New Site button in the window that appears and start filling in the details of the Ubuntu FTP server.
Fill in the required fields with information about the newly created Ubuntu FTP server. Since we configured it with TLS, set the encryption option to "explicit FTP over TLS". The final settings window looks like this:
Once set, press Connect and a window will appear asking you to enter the FTP user password.
Finally, you will need to validate the SSL certificate on your Ubuntu VPS FTP server.
After confirmation, the root directory with the test file will appear on your screen.
That's it! Now you can transfer files from your computer to the Ubuntu FTP server and back.
In this tutorial, we've gone through a step-by-step process of creating a secure way for a local user to transfer files via FTP with SSL/TLS on an Ubuntu FTP server. We also tested the connections using FileZilla to make sure everything works.