Setup FTP server using VsFtp and Configure Secure FTP connections (Using TLS/SSL) on Ubuntu 16.04 Server
VsFTPd Features
Despite being small for purposes of speed and security, many more complicated FTP setups are achievable with vsftpd! By no means an exclusive list, vsftpd will handle:
Virtual IP configurations
Virtual users
Standalone or inetd operation
Powerful per-user configurability
Bandwidth throttling
Per-source-IP configurability
Per-source-IP limits
IPv6
Encryption support through SSL integration
Install VsFTPd server on Ubuntu 16.04 Server
Open the terminal and run the following command
sudo apt-get install vsftpd openssh-server
Configuring Vsftpd server
The default configuration file is located at /etc/vsftpd.conf, so edit this file to configure your vsftpd server:
sudo vi /etc/vsftpd.conf
Disable the ability for users to log in anonymously by changing the following option
anonymous_enable=NO
Next, we need to enable user logins that use the local authentication files, since we disabled anonymous access. Uncomment the following line
local_enable=YES
To enable users to make modifications to the filesystem, we will uncomment the following option
write_enable=YES
Uncomment the chroot_local_user option to restrict users to their own home directories:
chroot_local_user=YES
Save and close the file.
Creating FTP User
Because of the way vsftpd secures its chroot jails, the chroot must not be owned by the user and must not be writable. Because of this, it is best to create a user specifically for use with FTP.
Create the user using the following command
sudo adduser ftpuser1
Assign a password and feel free to press "ENTER" through the other prompts. Now, give root ownership of the ftpuser1's home directory:
sudo chown root:root /home/ftpuser1
We need to create a separate directory within this home directory where files can be uploaded. Then, we need to give this directory over to our FTP user:
sudo mkdir /home/ftpuser1/files
sudo chown ftpuser1:ftpuser1 /home/ftpuser1/files
Now, we should be able to log in (insecurely) as the ftpuser1 and upload files to the files directory.
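The ownership rule above is easy to get wrong, so here is a small check script, added as an example and not part of the original tutorial, that tests a home directory against it: the chroot must not belong to the FTP user (root is expected), must not be group- or world-writable, and the upload subdirectory must belong to the FTP user. It assumes a Linux host with GNU coreutils (stat, cut); the user name and paths are the ones used above, and the optional EXPECTED_OWNER argument is an assumption of this script so the function can be exercised on a system where you cannot chown to root.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: verify that an FTP user's
# home directory meets the vsftpd chroot rules described above. Assumes a Linux
# host with GNU coreutils (stat, cut); the user and directory names are the
# tutorial's (ftpuser1, /home/ftpuser1/files).
#
# check_chroot HOME_DIR FTP_USER [UPLOAD_SUBDIR] [EXPECTED_OWNER]
#   - HOME_DIR must not be owned by FTP_USER and must be owned by
#     EXPECTED_OWNER (default root)
#   - HOME_DIR must not be group- or world-writable
#   - if UPLOAD_SUBDIR is given, HOME_DIR/UPLOAD_SUBDIR must exist and be
#     owned by FTP_USER
# Prints one line per finding and returns 0 only when every rule holds.
check_chroot() {
    home=$1; user=$2; sub=$3; owner_want=${4:-root}
    rc=0
    if [ ! -d "$home" ]; then
        echo "FAIL: $home is not a directory"
        return 1
    fi
    owner=$(stat -c %U "$home")
    mode=$(stat -c %A "$home")                 # e.g. drwxr-xr-x
    gw=$(printf '%s' "$mode" | cut -c6)        # group write bit ('w' or '-')
    ow=$(printf '%s' "$mode" | cut -c9)        # other write bit ('w' or '-')
    if [ "$owner" = "$user" ]; then
        echo "FAIL: $home is owned by the FTP user $user"; rc=1
    elif [ "$owner" != "$owner_want" ]; then
        echo "FAIL: $home is owned by $owner, expected $owner_want"; rc=1
    fi
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "FAIL: $home is group- or world-writable ($mode)"; rc=1
    fi
    if [ -n "$sub" ]; then
        if [ ! -d "$home/$sub" ]; then
            echo "FAIL: upload directory $home/$sub does not exist"; rc=1
        elif [ "$(stat -c %U "$home/$sub")" != "$user" ]; then
            echo "FAIL: $home/$sub is owned by $(stat -c %U "$home/$sub"), expected $user"; rc=1
        fi
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $home is a safe vsftpd chroot for $user"
    fi
    return "$rc"
}

# Usage on the tutorial's layout (run as root so /home/ftpuser1 is readable):
#   check_chroot /home/ftpuser1 ftpuser1 files
```

Run it after the chown commands above; a non-zero exit means a login would either be refused by vsftpd's chroot check or would land in a directory the user could modify.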
Configure SSL with vsftpd
We need to create an SSL certificate to use with vsftpd. Create a self-signed certificate valid for one year using the following command. It will be placed in the /etc/ssl/private/ directory, which we can reference in our configuration file.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
Add the SSL Details to the vsftpd Configuration
Open the vsftpd configuration file using the following command
sudo vi /etc/vsftpd.conf
You should see a line similar to the following, which matches the SSL certificate we just created:
rsa_cert_file=/etc/ssl/private/vsftpd.pem
When we created the certificate, we included both the key file and the certificate in one file, so we can also point our private key line to that:
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
After that, we will add the following lines to force SSL. This will restrict clients that can't deal with TLS, but that is what we want.
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
After this we configure the server to use TLS, which is actually a successor to SSL, and preferred:
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
Finally, we will add a few more options to complete the configuration:
require_ssl_reuse=NO
ssl_ciphers=HIGH
Save and close the file.
Finally, restart the vsftpd service so that all of these changes take effect:
sudo service vsftpd restart
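To apply the options from the steps above repeatably and confirm nothing was left commented out, the following script, added here as an example rather than code from the tutorial or the vsftpd project, rewrites each directive in place (replacing a commented-out line if one exists) and then re-reads the file to verify every expected value. It assumes a POSIX shell with awk and the tutorial's config path; the directive values are exactly the ones set above, reproduced as given.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: apply the vsftpd.conf
# settings from the steps above idempotently and verify the result. Assumes a
# POSIX shell with awk; the directive names and values are the ones the
# tutorial sets, and /etc/vsftpd.conf is the tutorial's config path.

# The directive set the tutorial ends up with, as key=value pairs.
VSFTPD_TLS_DIRECTIVES='
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
'

# set_directive FILE KEY VALUE
# Rewrites the first occurrence of KEY (commented out or not) as KEY=VALUE,
# drops any later duplicates, and appends the line if KEY was absent.
set_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN { re = "^#?[ \t]*" k "="; done = 0 }
        $0 ~ re { if (!done) { print k "=" v; done = 1 }; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode/owner
    rm -f "$tmp"
}

# get_directive FILE KEY
# Prints the effective value of KEY: the last uncommented KEY=VALUE line, or
# nothing when KEY is not set.
get_directive() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# harden_vsftpd FILE
# Applies every directive from VSFTPD_TLS_DIRECTIVES to FILE.
harden_vsftpd() {
    for kv in $VSFTPD_TLS_DIRECTIVES; do
        set_directive "$1" "${kv%%=*}" "${kv#*=}"
    done
}

# verify_vsftpd_tls FILE
# Compares FILE against VSFTPD_TLS_DIRECTIVES; prints each mismatch and
# returns 1 if any directive is missing or carries a different value.
verify_vsftpd_tls() {
    file=$1; bad=0
    for kv in $VSFTPD_TLS_DIRECTIVES; do
        key=${kv%%=*}; want=${kv#*=}
        have=$(get_directive "$file" "$key")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: want '$want', have '${have:-<unset>}'"
            bad=1
        fi
    done
    [ "$bad" -eq 0 ] && echo "OK: all TLS directives present in $file"
    return "$bad"
}

# Usage (as root, then restart the service as the tutorial does):
#   harden_vsftpd /etc/vsftpd.conf && verify_vsftpd_tls /etc/vsftpd.conf
#   service vsftpd restart
```

Running verify_vsftpd_tls after every edit (or from a cron job) catches the common failure where a package upgrade or a hand edit leaves ssl_enable or force_local_logins_ssl commented out and plaintext logins silently come back.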
Now you can use an FTP client such as FileZilla or CoreFTP to connect to the vsftpd server.
Well… What would you teach next? Hieroglyphs? FTP should die ASAP. It is firewall/NAT unfriendly, encrypted version is not widely adopted. Moreover, FTPS makes NAT connection tracking impossible.
For encrypted read-only access you have HTTPS. For encrypted read-write access with users, ACL-s you have SFTP (running on top of SSH). It is preinstalled on most of the Linux machines (“just works”), supports password and passwordless logins and has clients for all the major operating systems – either native or as free applications.