
Installing and configuring an FTP server in Linux

From time to time, every system administrator needs an FTP server. Most often this is to exchange information automatically between applications, for example during auto-exchange of a distributed 1C infobase, or to access files on a web server. Today we will tell you how to create such a server on the Ubuntu platform in less than half an hour.

But first, a little theory. FTP (File Transfer Protocol) is intended, as the name suggests, for transferring files. It appeared in 1971 but, despite its advanced age, continues to be widely used to this day, although its use today is more of a technical nature: end users usually access data with a browser over HTTP. The advantages of FTP include the ability to resume a file transfer after the connection is broken and the ability to read and write files equally easily. There are also disadvantages, the most serious being low security, so this issue should be given the utmost attention.

FTP, like PPTP, uses different connections for transferring commands and transferring data. When initiating a connection, the client sends control commands to port 21 of the server, which in turn establishes an outgoing connection for data transfer from port 20; the port on the client's side is determined by negotiation. However, when the client is behind NAT, the connection cannot be established this way, so an additional passive mode was developed, in which the client, rather than the server, establishes the data connection, but with the parameters specified by the server. Keep these points in mind when forwarding FTP and when configuring a network filter.

For our server, we will use vsftpd, a simple, fast and secure FTP server. Since it will serve both external and internal networks, it makes sense to add this role to ours. Server installation is extremely simple:

apt-get install vsftpd

The server is configured through the configuration file /etc/vsftpd.conf. It has a simple structure, is well commented and lets you configure the server without any instructions and with minimal knowledge. Let's consider its main parameters.

The server can run permanently as a service or be started on demand; the first option suits us better:

listen=YES

This option has a mutually exclusive counterpart, which should be set to:

listen_ipv6=NO

Allow only local users to log in:

anonymous_enable=NO
local_enable=YES

Let us allow users to write files and tell the server to automatically set the necessary rights (755 for folders and 644 for files):

write_enable=YES
local_umask=022

If you need to set a different set of rights: 775 and 664, then the umask must be 002.

By default, the server uses GMT for file times; to use the time of your time zone, set the option:

use_localtime=YES

Let's enable the log of uploaded and downloaded files:

xferlog_enable=YES

Let the server establish data connections on port 20 (active mode):

connect_from_port_20=YES

The following options set the location and format for storing the logs:

xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES

Let's set the session timeouts:

idle_session_timeout=600
data_connection_timeout=120

Also, for security purposes, we isolate the user in his home directory and immediately allow writing to his root:

chroot_local_user=YES
allow_writeable_chroot=YES

For correct work with text data, you can enable ASCII support. When a text file is transferred from a Windows system to UNIX (Linux), this replaces the line break characters CR + LF with LF so that the content displays correctly, and performs the reverse transformation when the file is transferred back.

ascii_upload_enable=YES
ascii_download_enable=YES

You can enable only one option, for upload or download. Please note that transferring a binary file in ASCII mode may corrupt the latter.

Quite an interesting option:

ls_recurse_enable=YES

It allows recursive directory browsing. On the one hand this is convenient; on the other, it can cause a heavy load on the server if, for example, you request a listing of a directory containing a large number of files and directories.

We leave all other options by default, although you can edit the server greeting by writing whatever you like:

ftpd_banner=Welcome to Roga i Kopyta LLC FTP

At the end of the configuration file, we set the passive mode options. It is recommended to set the ports explicitly so that you can specify them when forwarding, if the server is behind NAT, or in the firewall rules:

pasv_enable=YES
pasv_min_port=62000
pasv_max_port=62999
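The active and passive negotiation described in the theory section, checked against the passive range just configured, as an added example (not code from the original article). It decodes the address and port carried by PORT commands and 227/229 replies and reports the combinations that a firewall or NAT set up for this range would break. The control-channel lines, the addresses and the finding names are constructed for illustration.

```python
import ipaddress
import re

# Passive range from the configuration above.
PASV_MIN_PORT, PASV_MAX_PORT = 62000, 62999

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOSTPORT = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),"
                      r"(\d{1,3}),(\d{1,3})(?!\d)")
EPSV_PORT = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def is_rfc1918(host):
    """True for the private ranges that are not routable across the Internet."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in RFC1918)


def decode_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 (PORT argument, 227 reply) into (host, port)."""
    match = HOSTPORT.search(text)
    if not match:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(g) for g in match.groups()]
    if max(nums) > 255:
        raise ValueError("field above 255 in %r" % text)
    # The port is sent as two bytes: high byte first, then low byte.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_endpoint(line):
    """Return (mode, host, port) for a control-channel line, or None if the
    line does not negotiate a data connection. host is None for a 229 (EPSV)
    reply, which carries only a port."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        return ("active",) + decode_hostport(line[5:])
    if line.startswith("227 "):
        return ("passive",) + decode_hostport(line[4:])
    if line.startswith("229 "):
        match = EPSV_PORT.search(line)
        if not match:
            raise ValueError("no (|||port|) field in %r" % line)
        return ("passive", None, int(match.group(1)))
    return None


def check_session(lines, dialled_addr, lo=PASV_MIN_PORT, hi=PASV_MAX_PORT):
    """dialled_addr is the server address the client connected to on port 21."""
    findings = []
    for line in lines:
        endpoint = data_endpoint(line)
        if endpoint is None:
            continue
        mode, host, port = endpoint
        where = "%s:%d" % (host or dialled_addr, port)
        if mode == "active":
            # The server must connect back to this address; a private one
            # means the client is behind NAT and active mode will fail.
            if is_rfc1918(host):
                findings.append(("ACTIVE_PRIVATE_CLIENT", where))
            continue
        if port not in range(lo, hi + 1):
            # Outside pasv_min_port..pasv_max_port: not covered by the
            # forwarding or firewall rule written for that range.
            findings.append(("PASV_PORT_OUTSIDE_RANGE", where))
        if host and is_rfc1918(host) and not is_rfc1918(dialled_addr):
            # Server behind NAT advertising its internal address; vsftpd's
            # pasv_address option sets the address to advertise instead.
            findings.append(("PASV_PRIVATE_ADDRESS", where))
    return findings


# Constructed control-channel lines (documentation and private addresses).
SAMPLE = [
    "230 Login successful.",
    "PORT 192,168,0,15,195,80",
    "227 Entering Passive Mode (203,0,113,10,242,48)",
    "227 Entering Passive Mode (10,0,0,5,242,49)",
    "227 Entering Passive Mode (203,0,113,10,117,48)",
    "229 Entering Extended Passive Mode (|||62010|)",
]

if __name__ == "__main__":
    for code, where in check_session(SAMPLE, "203.0.113.10"):
        print(code, where)
```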

Restart the server (this must be done every time after making changes to the configuration):

service vsftpd restart

and try to connect with any FTP client using the credentials of an existing user. We need to get into his home directory and be isolated in it.

In case of an error related to the incorrect operation of vsftpd and the seccomp security system:

500 OOPS: prctl PR_SET_SECCOMP failed

add the undocumented option to the file:

seccomp_sandbox=NO

However, remember that FTP is an insecure protocol, so letting any local user onto the server, as is done now, is not the best option. To avoid this, vsftpd has a built-in user control mechanism. Let's add an option to the configuration file:

userlist_enable=YES

and create a user list file:

touch /etc/vsftpd.user_list

By default vsftpd denies access to the users listed in this file even before the password is requested, i.e. it implements the principle "everyone who is not prohibited is allowed". It would be much better to implement the opposite approach, "everyone who is not allowed is prohibited", that is, to permit access only to the specified users. To do this, add an option:

userlist_deny=NO

Now only explicitly specified users will have access to the FTP server. They should be listed in vsftpd.user_list one per line, for example:

ivanov
petrov

Unless otherwise specified, after connecting via FTP users land in their home directory. This is not always convenient; often you need to redirect them to a different directory. If this is a common folder for all, say /var/ftp, then you can specify the option:

local_root=/var/ftp

Which will redirect all users to the specified directory and isolate them there.

This is the simplest situation; real tasks are usually more complex. Let's say we need to give the user Ivanov the root directory /var/www/example1.com and Petrov /var/www/example2.com, so that each of them works with his own folder. For these purposes, you can use another feature of vsftpd: per-user settings, which override the settings in the main configuration file.

To do this, add an option:

user_config_dir=/etc/vsftpd_user_conf

Then we will create the directory itself:

mkdir /etc/vsftpd_user_conf

To give a user his own settings, create a file in this directory named after the user and add the necessary options to it. The changes are applied without restarting the FTP server, the next time the client connects.

Let's create a file with settings for Ivanov:

touch /etc/vsftpd_user_conf/ivanov

and add an option to it:

local_root=/var/www/example1.com

The next time you connect, the user's root directory will change to the specified one. Also in this file we can set any personal options, for example, another umask or file permissions. However, we cannot use global settings here: connection, logging and authentication options will simply be ignored.

If you need to hide the real owners of files and folders, then you can use the option:

hide_ids=YES

In this case, ftp:ftp will be shown instead of the real owners and groups. This can be useful for a public server, or if the user list includes outsiders to whom you do not want to disclose the real usernames of your system.

As you can see, we actually set up a working FTP server in less than half an hour.

FTP (File Transfer Protocol) is a standard network protocol used to transfer files to and from a remote network. For safer and faster data transfer, use SCP.

There are many open source FTP servers available for Linux. The most popular and widely used are PureFTPd, ProFTPD and vsftpd. In this tutorial, we will be installing vsftpd. It is a stable, secure and fast FTP server. We'll also show you how to configure vsftpd to restrict user access to their home directory and encrypt all transmission using SSL/TLS.

Although this article was written for Ubuntu 18.04, the same instructions apply to Ubuntu 16.04 and any Debian-based distribution, including Debian, Linux Mint, and Elementary OS.

Prerequisites

Installing vsftpd on Ubuntu 18.04

The vsftpd package is available in the repositories. To install it, just run the following commands:

sudo apt update
sudo apt install vsftpd

The vsftpd service will automatically start after the installation process is complete. Check it by printing the service status:

sudo systemctl status vsftpd

The output will look something like this, showing that the vsftpd service is up and running:

* vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-10-15 03:38:52 PDT; 10min ago
 Main PID: 2616 (vsftpd)
    Tasks: 1 (limit: 2319)
   CGroup: /system.slice/vsftpd.service
           `-2616 /usr/sbin/vsftpd /etc/vsftpd.conf

Configuring vsftpd

The vsftpd server can be configured by editing the /etc/vsftpd.conf file. Most of the settings are documented inside the configuration file. For all the options available, visit the official vsftpd page.

In the following sections, we will go over some of the important settings required to configure a secure installation of vsftpd.

Start by opening your vsftpd config file:

sudo nano /etc/vsftpd.conf

1. FTP access

We only allow local users to access the FTP server. Find the anonymous_enable and local_enable directives and check that your configuration matches the following lines:

/etc/vsftpd.conf

anonymous_enable=NO
local_enable=YES

2. Enabling uploads

Uncomment the write_enable setting to allow changes to the filesystem, such as uploading and deleting files.

/etc/vsftpd.conf

write_enable=YES

3. Chroot

To prevent FTP users from accessing any files outside their home directories, uncomment the chroot setting.

/etc/vsftpd.conf

chroot_local_user=YES

By default, to prevent a security vulnerability when chroot is enabled, vsftpd will refuse to upload files if the directory where users are locked is writable.

  • Method 1. The recommended way to allow uploads is to keep chroot enabled and configure FTP directories. In this tutorial, we will create an ftp directory inside the user's home that will serve as the chroot, and a writable uploads directory inside it for uploading files.

    /etc/vsftpd.conf

    user_sub_token=$USER
    local_root=/home/$USER/ftp

  • Method 2. Another option is to add the following directive to your vsftpd config file. Use this parameter if you must grant write access to your user in your home directory.

    /etc/vsftpd.conf

    allow_writeable_chroot=YES

4. Passive FTP connections

vsftpd can use any port for passive FTP connections. We will specify the minimum and maximum port range and then open the range in our firewall.

Add the following lines to the config file:

/etc/vsftpd.conf

pasv_min_port=30000
pasv_max_port=31000

5. Restricting user login

To allow only certain users to log into the FTP server, add the following lines to the end of the file:

/etc/vsftpd.conf

userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO

When this option is enabled, you need to explicitly specify which users can log in by adding usernames to the /etc/vsftpd.user_list file (one user per line).

6. Securing transmission using SSL/TLS

To encrypt FTP transfers using SSL/TLS, you need to have an SSL certificate and configure your FTP server to use it.

You can use a certificate signed by a trusted certification authority or create a self-signed certificate.

If you have a domain or subdomain pointing to the IP address of the FTP server, you can easily create a free SSL certificate for encryption.

In this article, we will generate a self-signed SSL certificate using the openssl command.

The following command will generate a 2048-bit private key and a self-signed certificate valid for 10 years. Both the private key and the certificate will be saved in the same file:

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Now that the SSL certificate has been created, open the vsftpd config file:

sudo nano /etc/vsftpd.conf

Find the rsa_cert_file and rsa_private_key_file directives, change their values to the pam file path, and set the ssl_enable directive to YES:

/etc/vsftpd.conf

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES

Unless otherwise noted, the FTP server will only use TLS to ensure secure connections.

Restart vsftpd service

After you're done editing, the vsftpd config file (excluding comments) should look something like this:

/etc/vsftpd.conf

listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir = / vard / run / etc private / vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
userlist_enable = etc
userlist_deny=NO

Save the file and restart the vsftpd service for the changes to take effect:

sudo systemctl restart vsftpd
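A way to review a finished vsftpd.conf against the settings discussed in both walkthroughs above, as an added example (not code from the original articles or from the vsftpd project). It parses the file, reports whitespace next to "=" (which vsftpd.conf(5) forbids) and applies the built-in defaults from that manual page to options the file does not set. The finding names and both sample files are constructed for illustration.

```python
# Built-in defaults from vsftpd.conf(5) for the options audited here. An option
# missing from the file takes these values, not those of a distribution's
# sample file. seccomp_sandbox is the option added earlier on this page.
DEFAULTS = {
    "anonymous_enable": "YES", "anon_upload_enable": "NO",
    "chroot_local_user": "NO", "allow_writeable_chroot": "NO",
    "userlist_enable": "NO", "userlist_deny": "YES",
    "ssl_enable": "NO", "seccomp_sandbox": "YES",
    "pasv_min_port": "0", "pasv_max_port": "0",
}


def parse_conf(text):
    """Return (settings, syntax_errors) for the text of a vsftpd.conf."""
    settings, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            errors.append((lineno, "not in option=value form"))
            continue
        # vsftpd.conf(5): no space between the option, "=" and the value.
        if key != key.strip() or value != value.strip():
            errors.append((lineno, "whitespace next to option, '=' or value"))
        # Keep the intended value so the audit below can still run.
        settings[key.strip()] = value.strip()
    return settings, errors


def is_on(settings, option):
    return settings.get(option, DEFAULTS[option]).upper() in ("YES", "TRUE", "1")


def port(settings, option):
    value = settings.get(option, DEFAULTS[option])
    return int(value) if value.isdigit() else 0


def audit(text):
    """Return a list of (code, message) findings, syntax errors first."""
    settings, errors = parse_conf(text)
    findings = [("SYNTAX", "line %d: %s" % err) for err in errors]
    if is_on(settings, "anonymous_enable"):
        how = "set" if "anonymous_enable" in settings else "unset, default YES"
        findings.append(("ANONYMOUS_LOGIN", "anonymous_enable is on (%s)" % how))
    if is_on(settings, "anon_upload_enable"):
        findings.append(("ANONYMOUS_UPLOAD", "anonymous users may upload"))
    if not is_on(settings, "chroot_local_user"):
        findings.append(("NO_CHROOT", "local users are not confined"))
    if is_on(settings, "allow_writeable_chroot"):
        findings.append(("WRITABLE_CHROOT", "writable chroot root is accepted"))
    if not is_on(settings, "seccomp_sandbox"):
        findings.append(("SECCOMP_OFF", "seccomp sandbox is disabled"))
    if not is_on(settings, "userlist_enable"):
        findings.append(("NO_USERLIST", "any local user may log in"))
    elif is_on(settings, "userlist_deny"):
        findings.append(("USERLIST_IS_DENY_LIST",
                         "userlist_deny is YES: the file lists denied users"))
    if not is_on(settings, "ssl_enable"):
        findings.append(("NO_TLS", "credentials and data travel in cleartext"))
    lo, hi = port(settings, "pasv_min_port"), port(settings, "pasv_max_port")
    if lo == 0 or hi == 0 or lo > hi:
        findings.append(("PASV_RANGE_OPEN", "passive ports are not bounded"))
    return findings


# Constructed sample in the style of the first walkthrough, with one spaced line.
WEAK = """\
# constructed sample, not from a real host
listen=YES
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
seccomp_sandbox=NO
userlist_enable=YES
pasv_min_port = 62000
"""

# Constructed sample using the settings of the second walkthrough.
HARDENED = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
ssl_enable=YES
"""

if __name__ == "__main__":
    for code, message in audit(WEAK):
        print(code, "-", message)
```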

Opening firewall

If you are using UFW firewall, you need to allow FTP traffic.

To open port 21 (FTP command port), port 20 (FTP data port) and 30000-31000 (passive port range), run the following commands:

sudo ufw allow 20:21/tcp
sudo ufw allow 30000:31000/tcp

To avoid being locked out, we'll open port 22:

sudo ufw allow OpenSSH

Reload the UFW rules by disabling and re-enabling UFW:

sudo ufw disable
sudo ufw enable

To verify the changes, run:

sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
20:21/tcp                  ALLOW       Anywhere
30000:31000/tcp            ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
20:21/tcp (v6)             ALLOW       Anywhere (v6)
30000:31000/tcp (v6)       ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)

Create FTP user

To test our FTP server, we will create a new user.

  • If you already have a user that you want to grant FTP access to, skip step 1.
  • If you have set allow_writeable_chroot = YES in your config file, skip the 3rd step.
  1. Create a new user named newftpuser:

     sudo adduser newftpuser

  2. Add the user to the FTP Allowed Users list:

     echo "newftpuser" | sudo tee -a /etc/vsftpd.user_list

  3. Create FTP directory tree and set correct permissions:

     sudo mkdir -p /home/newftpuser/ftp/upload
     sudo chmod 550 /home/newftpuser/ftp
     sudo chmod 750 /home/newftpuser/ftp/upload
     sudo chown -R newftpuser: /home/newftpuser/ftp

    As discussed in the previous section, the user will be able to upload their files to the ftp/upload directory.
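A check of the directory layout from step 3, as an added example (not part of the original tutorial). It reads the permission bits of the chroot directory and its upload subdirectory and reports the cases that lead either to a refused login or to nowhere to upload. It assumes that any write bit on the chroot root counts as a problem, which is stricter than strictly necessary; the function and finding names are hypothetical.

```python
import os
import stat

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def apply_method1_modes(chroot_dir, upload_name="upload"):
    """Create the upload directory and set the modes used in step 3
    (550 on the chroot root, 750 on the upload directory)."""
    upload = os.path.join(chroot_dir, upload_name)
    os.makedirs(upload, exist_ok=True)
    os.chmod(chroot_dir, 0o550)
    os.chmod(upload, 0o750)


def check_ftp_tree(chroot_dir, upload_name="upload"):
    """Return a list of finding codes for the layout under chroot_dir."""
    findings = []
    root_mode = stat.S_IMODE(os.stat(chroot_dir).st_mode)
    if root_mode & WRITE_BITS:
        # With chroot_local_user=YES and no allow_writeable_chroot, this is
        # the condition behind "refusing to run with writable root".
        findings.append("ROOT_WRITABLE")
    upload = os.path.join(chroot_dir, upload_name)
    if os.path.islink(upload):
        # A symlink here could point outside the intended tree.
        findings.append("UPLOAD_IS_SYMLINK")
        return findings
    if not os.path.isdir(upload):
        findings.append("UPLOAD_MISSING")
        return findings
    upload_stat = os.stat(upload)
    upload_mode = stat.S_IMODE(upload_stat.st_mode)
    if not upload_mode & stat.S_IWUSR:
        findings.append("UPLOAD_NOT_WRITABLE")
    if upload_mode & stat.S_IWOTH:
        findings.append("UPLOAD_WORLD_WRITABLE")
    if upload_stat.st_uid != os.stat(chroot_dir).st_uid:
        # chown -R in step 3 gives both directories the same owner.
        findings.append("OWNER_MISMATCH")
    return findings


if __name__ == "__main__":
    import sys
    # Path taken from the tutorial; pass another one as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/home/newftpuser/ftp"
    print(check_ftp_tree(target) or "layout matches step 3")
```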

At this point, your FTP server is fully operational and you should be able to connect to your server with any FTP client that can be configured to use TLS encryption, such as FileZilla.

Disable shell access

By default, when creating a user, unless explicitly specified, the user will have access to the SSH server.

To disable shell access, we will create a new shell that will simply print a message telling the user that their account is only limited to FTP access.

Create a shell /bin/ftponly and make it executable:

echo -e '#!/bin/sh\necho "This account is limited to FTP access only."' | sudo tee -a /bin/ftponly
sudo chmod a+x /bin/ftponly

Add the new shell to the list of valid shells in the /etc/shells file:

echo "/bin/ftponly" | sudo tee -a /etc/shells

Change the user's shell to /bin/ftponly:

sudo usermod newftpuser -s /bin/ftponly

Conclusion

In this article, you learned how to install and configure a secure and fast FTP server on your Ubuntu 18.04 system.

File Transfer Protocol (FTP) is a TCP protocol for transferring files between computers. In the past, it was also used to download [files on the Internet], but since this method does not use encryption, user data, like the contents of files, is transmitted in the clear and is easily intercepted. Therefore, if you are looking for a way to transfer and upload files securely, it is best to refer to the OpenSSH article in the Remote Administration section.

FTP works on a client/server basis. The server component is called an FTP service. It constantly listens for FTP requests from remote clients. When a request is received, it handles the login and sets up the connection. During the session, it executes any commands sent by the FTP client.

vsftpd - FTP server setup

vsftpd is an FTP service available in Ubuntu. It's easy to install, configure, and maintain. To install vsftpd, you can run the following command:

sudo apt install vsftpd

To start the service, you need to add it to startup. Since Ubuntu 15.04, Systemd is used, so to add vsftpd to autostart, enter the following commands:

sudo systemctl start vsftpd
sudo systemctl enable vsftpd

The ufw firewall can be used on Ubuntu Server. Then you need to allow ports 20 and 21:

sudo ufw allow 20/tcp
sudo ufw allow 21/tcp

The configuration file contains many customization options. Information for each parameter is available in the same file. Alternatively you can look at the system command manual

man 5 vsftpd.conf

to clarify details for each parameter.

Access to the FTP server can be organized in two ways:

In anonymous mode, a remote client can access the FTP server using the default user account named "anonymous" or "ftp" and passing an email address as the password. In authorized mode, the user must have an account name and password. This latter option is highly insecure and should not be used except in special circumstances. If you want to transfer files securely, see SFTP in the section on OpenSSH Server.

User access to directories and files of the FTP server depends on the access rights of the user specified during login. Typically, the FTP service hides the root directory of the FTP server, replacing it with the FTP home directory. This hides the root of the filesystem from remote sessions.

Configuring Anonymous FTP Access

The default vsftpd configuration does not allow anonymous downloads. If you want to allow anonymous downloads, change the following in /etc/vsftpd.conf:

anonymous_enable=YES

The installation process creates a user ftp with the home directory /srv/ftp. This is the default FTP directory.

If you want to change its location to, for example, /srv/files/ftp, just create a new directory and change the home directory of the ftp user:

sudo mkdir /srv/files/ftp
sudo usermod -d /srv/files/ftp ftp

After the changes, restart vsftpd:

Finally, copy any files and directories that you want to make available for anonymous FTP to /srv/files/ftp (or /srv/ftp if you want to keep the default settings).

By default, an anonymous user does not have the ability to upload files to the FTP server. To change this setting, uncomment the next line and restart vsftpd:

anon_upload_enable=YES

Allowing an anonymous user to upload files can be a serious security risk. It is best not to allow anonymous uploads of files to servers with direct access from the Internet.

Configuring Authorized FTP Access

Before making any changes to the config file, it is recommended to copy the original so that you can roll back the changes without reinstalling the package:

sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.orig

To authenticate local users, you need to uncomment the line

local_enable=YES

By default vsftpd is configured to authenticate system users and let them download files. If you want to allow users to upload files, change in /etc/vsftpd.conf:

write_enable=YES

then restart vsftpd:

sudo service vsftpd restart

Now, when system users log in via FTP, they will be taken to their home directories, where they can download, upload [files], create directories, etc.

FTP security

Limiting users

There are options in /etc/vsftpd.conf that help make vsftpd more secure. For example, this option puts a local user in a chroot() jail, above which (along the directory tree) he will not be able to climb:

chroot_local_user=YES

You can also define a list of users who only have access to the home directory:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

After uncommenting these options, create /etc/vsftpd.chroot_list containing a list of users, one per line. Then restart vsftpd:

sudo service vsftpd restart

If you have removed comments from all three lines, then users from the list will not be limited to their home directories, unlike users who are not included in the list.

Similarly, the /etc/ftpusers file contains a list of users who are denied FTP access. By default, it includes root, daemon, nobody, etc. To deny FTP access for additional users, just add them to this list.

If you see an error when trying to connect:

Answer: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()

it means that the local user has write access to the home directory, which is not allowed. There are several ways to solve this error:

    Deny the local user from writing to the home directory (not for everyone and not always)

sudo chmod a-w /home/user/

allow_writeable_chroot=YES

    Register /home as the directory where local users will go after logging into the FTP server. Then each of them will be able to write only to their home directory

local_root=/home

Encryption

FTP can be encrypted by using FTPS. Unlike SFTP, FTPS is FTP over SSL. SFTP is an FTP-like session over an encrypted SSH connection. The main difference is that SFTP users must have a shell account instead of the nologin shell. Granting shell access to all users may not be the best solution for some systems, such as a shared web server. However, it is possible to restrict such accounts to SFTP only and prevent interaction with the shell. See the section on OpenSSH for more information.

To configure FTPS, add the following to the end of /etc/vsftpd.conf:

ssl_enable=Yes

Also take a look at the certificate and key options:

rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

By default these options are set to the values provided by the ssl-cert package. For a production environment, they should be replaced with a certificate and key generated for the specific computer. See the Certificates section for more information.

Now reload vsftpd and non-anonymous users will use FTPS:

sudo service vsftpd restart

To allow users with the /usr/sbin/nologin shell to access FTP without giving them shell access, edit /etc/shells and add the nologin shell:

# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen
/usr/sbin/nologin

This is necessary because vsftpd uses PAM authorization by default and the configuration file /etc/pam.d/vsftpd contains:

auth required pam_shells.so

The shells PAM module restricts access to shells listed in the /etc/shells file.
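A cross-check of the FTP allow list against login shells, as an added example (not from the original documentation). It ties together the pam_shells rule above and the earlier "Disable shell access" step: for every name in vsftpd.user_list it reports whether FTP login would be rejected because the shell is missing from /etc/shells, and whether the account could also open an interactive shell. The three file contents, the user sidorov and the status names are constructed for illustration.

```python
# Shells that give no interactive session. /bin/ftponly is the wrapper created
# earlier on this page; the other two are the usual system ones.
NON_INTERACTIVE = {"/usr/sbin/nologin", "/bin/false", "/bin/ftponly"}


def parse_shells(text):
    """Return the set of shells listed in /etc/shells (comments skipped)."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def parse_passwd(text):
    """Return {username: login shell} from /etc/passwd content."""
    shells = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            # An empty shell field means /bin/sh.
            shells[fields[0]] = fields[6] or "/bin/sh"
    return shells


def review_ftp_accounts(userlist_text, passwd_text, shells_text):
    """Return {username: status} for every name in the vsftpd user list."""
    valid_shells = parse_shells(shells_text)
    login_shell = parse_passwd(passwd_text)
    report = {}
    for name in (line.strip() for line in userlist_text.splitlines()):
        if not name or name.startswith("#"):
            continue
        shell = login_shell.get(name)
        if shell is None:
            report[name] = "NO_SUCH_ACCOUNT"
        elif shell not in valid_shells:
            # pam_shells.so as "required" in /etc/pam.d/vsftpd denies this user.
            report[name] = "REJECTED_BY_PAM_SHELLS"
        elif shell not in NON_INTERACTIVE:
            # FTP works, and so does a shell login with the same password.
            report[name] = "FTP_AND_SHELL_LOGIN"
        else:
            report[name] = "FTP_ONLY"
    return report


# Constructed file contents for the demonstration.
USERLIST = "ivanov\npetrov\nnewftpuser\nsidorov\n"
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "ivanov:x:1001:1001::/home/ivanov:/bin/bash\n"
    "petrov:x:1002:1002::/home/petrov:/usr/sbin/nologin\n"
    "newftpuser:x:1003:1003::/home/newftpuser:/bin/ftponly\n"
)
SHELLS = "# /etc/shells: valid login shells\n/bin/sh\n/bin/bash\n/bin/ftponly\n"

if __name__ == "__main__":
    for user, status in review_ftp_accounts(USERLIST, PASSWD, SHELLS).items():
        print(user, status)
```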

Most popular FTP clients can be configured to use FTPS. The lftp command line FTP client also has the ability to use FTPS.

It is the ability to transfer files using the file transfer protocol. It is used for easy file sharing over wired and wireless LAN. This local server can be useful both at work and at home. With Ubuntu, the FTP server is even more convenient as it requires a minimum of effort and resources to set up and use.

An ftp server can be installed based on Ubuntu.


Today, the file exchange protocol is especially often used to transfer your own resources to servers on the Internet, as well as between trusted computers. Well-known FTP clients for Windows, such as FileZilla, aim to communicate between two computers in a way that makes communication between them as simple and manageable as possible.

The protocol is built on the basis of client-server logic. This means that there are two technical sides - the client (whose needs are served) and the server (which serves the needs). Connection to the server can be performed using either open authentication (username and password) or anonymously (if supported). Despite this, the FTP protocol is weak in terms of security, especially by today's standards. However, on Ubuntu, an FTP installation may include some additional security standards.

Let's get down to practice. Daemon Proftpd

In order to successfully install the Ubuntu FTP server, we use a so-called "daemon". It is a program that allows you to perform routine tasks while running in the background. The daemon needed for FTP on Ubuntu is Proftpd. Its installation is performed by a simple command in the Terminal:

"sudo apt-get install proftpd".

When the installation is complete, you will need to update the server configuration and change the baseline settings. This will help you configure the server login process. All necessary changes must be made in the file "/etc/proftpd/proftpd.conf". It can be opened directly with the nano editor.

So the Ubuntu FTP server setup started. First of all, let's change the 2 required parameters.

At the very end of the file, add the line:

"AuthUserFile /etc/proftpd/ftpd.passwd"

It is in this document, which we will ask you to add later, that the main login parameters will be stored. Remove the comment symbol "#" from the "DefaultRoot" line. Now let's move on to editing the "/etc/shells" file. You need to add the line "/bin/false" to it. With the following command you can add users to an existing group:

"addgroup username group". If you substitute "username" = "ftp" and "group" = "www-data", it becomes possible to work with files owned by the server.

In addition, the Ubuntu FTP server installation provides the "change owner" command: "chown -R ftp:www-data". It can be used to make the user "ftp" the owner of the files. The "www-data" user group will be given group access to documents. When all the settings are complete, just restart the server:

"sudo /etc/init.d/proftpd restart"

Now you need to set up virtual user accounts. This must be done according to the following scheme:

"ftpasswd --passwd --file=/etc/proftpd/ftpd.passwd --name=(username) --shell=/bin/false --home=/var/www/html --uid=(user ID, can be found with the command "id ftp") --gid=(group ID, for example 33 for the group "www-data")"

"sudo nano /etc/dhcp3/dhcpd.conf"

You need to write the following into it:

# Domain name (internal).
option domain-name "domain_name";
# DNS server on the connected PC.
option domain-name-servers ip_address;
# Remove the "#" comment from this line.
authoritative;
# Desired subnet data for the server.
subnet 192.168.0.0 netmask 255.255.255.0 {
# Range of issuing addresses.
range IP_address IP_address;
# A router with Internet access.
option routers IP_address;
# The file to be loaded at boot time on the network.
filename "tftp/pxelinux.0";
}

Now all that remains is to restart the DHCP server:

"sudo /etc/init.d/dhcp3-server restart".

As you can see, setting up an Ubuntu FTP server doesn't require any special technical skills. In addition, it is quite easy to implement for anyone who has worked on Linux.

In conclusion

In this article, we examined in detail how to install an FTP server on Ubuntu, and also paid attention to setting up a TFTP server. These tools are a perfect example of how flexible and functional Ubuntu is. If you still have questions about its use and configuration, do not hesitate to ask them in the comments to this article. And also read other materials on the pages of our site.

File Transfer Protocol, that is, FTP, is a file transfer protocol and, as the full name implies, is designed to transfer files between remote computers over a network. Although the FTP protocol itself is currently not the most perfect, because the transmitted data is not encrypted, this does not make it obsolete. In addition, it is still possible to apply cryptographic protection based on the SSL protocol to FTP, which makes FTP a worthy tool for transferring files.

Since FTP works according to a client-server interaction scheme, a skillful and reliable implementation of the protocol (and indeed the system in general) is able to provide it with reliable protection, high speed and, as a result, popularity, which can be observed today, because most large projects such as ftp.gnu.org, ftp.suse.com, ftp.redhat.com, ftp.gnome.org, etc., use FTP to distribute software from their servers. It should be noted that such popularity of FTP is due, to a greater extent, to one of its many implementations - vsFTPd. This is an FTP server that supports work with the most modern technologies for data protection - SSL and IPv6, its implementation combines high reliability, stability, speed of operation and data transfer, as well as flexible configuration of the server and wide functionality. VsFTPd is developed by Chris Evans, a professional data protection and information security researcher. vsFTPd is the default FTP server in almost all Linux systems, because, as already mentioned, in addition to reliability and high speed of operation, it has great functionality, the most significant of which are:

  1. Working with virtual users.
  2. Working with virtual IP addresses.
  3. Configuring users.
  4. Support
  5. SSL encryption to protect the transmitted data.
  6. Bandwidth control.

This article discusses the installation and configuration of an FTP server using the example of vsFTPd, which, by the way, is free and open source software. Official project page: https://security.appspot.com/vsftpd.html.

Installing vsFTPd

To install vsftpd on Debian-based Linux distributions, use the command:

$ sudo apt-get install vsftpd

It will also be useful to install a simple FTP client for testing connections and file transfers:

$ apt-get install ftp

For distributions based on RPM packages, CentOS, RedHat:

$ yum install vsftpd
$ yum install ftp

Usually, after installation, the vsFTPd daemon starts automatically, you can verify this using the following commands:

$ systemctl status vsftpd

$ service vsftpd status

Starting, restarting and stopping the server:

$ systemctl start vsftpd
$ systemctl restart vsftpd
$ systemctl stop vsftpd

To enable the vsftpd daemon to start at startup, use the command:

$ systemctl enable vsftpd

Likewise with the service command.

If vsFTPd is used in server distributions that often run a firewall, for example ufw, then you may also need to allow the use of ports 20 and 21:

$ ufw allow 20/tcp
$ ufw allow 21/tcp

Configuring vsFTPd

The configuration file for vsFTPd is vsftpd.conf, which is usually found in the /etc/ directory. You can view its contents with the cat command:

$ cat /etc/vsftpd/vsftpd.conf

Just in case, it is useful to make a backup copy of it before editing the original settings file:

$ sudo cp /etc/vsftpd.conf vsftpd.conf.backup

The vsFTPd FTP server provides two main modes of operation: with anonymous users and with authenticated users. The first option is considered "more secure", but only because practically nothing needs to be configured to ensure reliable protection. With a competent organization of authorized access, in which local users of the system work with FTP, you can ensure security no worse than with anonymous access.

Setting up in anonymous access mode

In this mode, all actions with files on the remote server are performed by a single default user, for example a user named "ftp" or "anonymous". In this case an e-mail address is used as the password.

To enable anonymous FTP access, you need to set the value "YES" for the corresponding directive in the vsftpd.conf file:

anonymous_enable=YES

Now a specific directory (usually /srv/ftp) and a specific user (usually ftp) will be used to manage files.

You can define a different file location for anonymous FTP access, i.e. change the home directory of the ftp user:

$ sudo mkdir -p /srv/share/ftp
$ sudo usermod -d /srv/share/ftp ftp

If you want anonymous users to be able to upload files to the remote server, this is enabled by the directive:

anon_upload_enable=YES

Now you can copy the files necessary for anonymous access to the ftp user's home folder and restart the vsftpd daemon:

$ systemctl restart vsftpd

Usually, this set of settings is sufficient for organizing anonymous FTP access. To test the connection, run the ftp command with the address of the host:

$ ftp 127.0.0.1

$ ftp localhost

which, if successful, will give something like this:

Configuring in Authorized Access Mode

local_enable=YES

write_enable=YES

Now you need to restart vsftpd to activate the changes made:

$ systemctl restart vsftpd

Limiting users to their home directories

To define the users who are allowed access only to their home directory, there are the directives:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

The first enables the use of a list of users; the second specifies the file that lists, one per line, the users who have access only to their home directories. If you also specify the directive:

chroot_local_user=YES

which "locks" local users in a chroot() so that they cannot go above their home directories, then the meaning of the list is inverted: users in the vsftpd.chroot_list file will not be limited to their home directories, unlike those who are not in the list.

When distributing FTP access among users, an error may occur because the local user has write access to the root of the home directory, which is unacceptable for security reasons. The error looks like this:

500 OOPS: vsftpd: refusing to run with writable root inside chroot()

The best way to fix this error is to specify a common root directory that all users land in when connecting, with access only to their home subdirectories, for example:

local_root=/home

You can also disable the check for write access to the home directory to eliminate this error:

allow_writeable_chroot=YES

But still, this should be done only when there is a clear understanding of why it is needed for a particular situation.
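The interaction between chroot_local_user and the user list is easy to get backwards, so the following added example (not code from vsFTPd or from the original article) resolves which users end up confined for a given configuration. The function names conf_get, is_yes and chroot_state and the sample users alice and bob are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not vsftpd code: resolves who ends up chrooted.

# Print the value of directive NAME in FILE, or DEFAULT if it is absent.
# The last occurrence wins; vsftpd allows no spaces around "=".
conf_get() {  # conf_get FILE NAME DEFAULT
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# vsftpd booleans: YES, TRUE or 1, in any letter case.
is_yes() {
    case "$1" in [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|1) return 0 ;; esac
    return 1
}

# Print "jailed" or "free" for USER under the chroot directives in FILE.
chroot_state() {  # chroot_state FILE USER
    all=$(conf_get "$1" chroot_local_user NO)
    use_list=$(conf_get "$1" chroot_list_enable NO)
    list=$(conf_get "$1" chroot_list_file /etc/vsftpd.chroot_list)
    listed=no
    if is_yes "$use_list" && [ -r "$list" ] && grep -qxF -- "$2" "$list"; then
        listed=yes
    fi
    if is_yes "$all"; then
        # Everyone is jailed; the list names the exceptions.
        if [ "$listed" = yes ]; then echo free; else echo jailed; fi
    else
        # Nobody is jailed by default; the list names who is.
        if [ "$listed" = yes ]; then echo jailed; else echo free; fi
    fi
}

# Constructed sample: alice is in the list file, bob is not.
tmp=$(mktemp -d)
printf 'alice\n' > "$tmp/chroot_list"
for mode in NO YES; do
    printf 'chroot_local_user=%s\nchroot_list_enable=YES\nchroot_list_file=%s\n' \
        "$mode" "$tmp/chroot_list" > "$tmp/vsftpd.conf"
    for u in alice bob; do
        echo "chroot_local_user=$mode: $u is $(chroot_state "$tmp/vsftpd.conf" "$u")"
    done
done
rm -rf "$tmp"
```

Running chroot_state against the real configuration after every edit shows at once whether an account that was meant to be confined has become an exception.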

Data protection with SSL

To encrypt the transmitted data, you must configure vsFTPd in FTPS mode. This is the same FTP transfer, but over the SSL protocol, with data encrypted and verified using certificates and keys.

To enable FTPS mode, you need to use the following directive:

ssl_enable=YES

By default, the vsftpd.conf configuration file also contains options that define certificates and keys, for example:

rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

This certificate and key must be replaced. To use FTPS, you need a certificate and key generated (or obtained) for the specific server or computer.
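As an added example (not part of vsFTPd or of the original article), the script below checks a vsftpd.conf for the risky settings discussed in the sections above: anonymous upload, a writable chroot root, local logins without SSL and the placeholder snakeoil certificate. It also reports directive lines with a space around "=", which vsFTPd treats as an error. The function name audit_vsftpd, the finding labels and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of vsftpd): flag risky vsftpd.conf settings.
# Prints one finding per line and nothing for a file that passes.
audit_vsftpd() {  # audit_vsftpd FILE
    awk '
    # vsftpd booleans: YES, TRUE or 1 in any case; unset means NO for
    # every option tested here (their built-in default).
    function on(k) { return toupper(v[k]) ~ /^(YES|TRUE|1)$/ }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    /^[a-z0-9_]+([ \t]+=|=[ \t])/ {        # vsftpd rejects "name = value"
        printf "SYNTAX line %d: space around \"=\"\n", NR
        next
    }
    {   # remember name=value; a later line overrides an earlier one
        i = index($0, "=")
        if (i) v[substr($0, 1, i - 1)] = substr($0, i + 1)
    }
    END {
        if (on("anon_upload_enable"))
            print "ANON-UPLOAD anonymous users may upload files"
        if (on("allow_writeable_chroot"))
            print "CHROOT writable chroot root is allowed"
        if (!on("ssl_enable")) {
            if (on("local_enable"))
                print "CLEARTEXT local logins without ssl_enable=YES"
        } else if (v["rsa_cert_file"] ~ /snakeoil/)
            print "CERT snakeoil placeholder certificate in use"
    }' "$1"
}

# Constructed sample configuration; the certificate path is the one on the page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
local_enable=YES
write_enable = YES
anon_upload_enable=YES
ssl_enable=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
EOF
audit_vsftpd "$sample"
rm -f "$sample"
```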
