Install FTP
Published on: 22nd Apr 2014
Updated on: 11th Jan 2023
What is FTP
FTP (File Transfer Protocol) lets users upload files to the server and download files from the server.
Why
Usually, we need the FTP service for maintaining a website by uploading the changes. For example, you have edited a web page and added new pictures and you want to upload (i.e., publish) these changes to the server.
Install and configure vsftpd
-
To install vsftpd, run the following command:
sudo apt install vsftpd
-
In /etc/vsftpd.conf, ensure the settings match the following:
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
user_sub_token=$USER
local_root=/home/$USER
pasv_min_port=40000
pasv_max_port=40100
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
allow_writeable_chroot=YES
# Connection limit for each IP:
max_per_ip=2
# Maximum number of clients:
max_clients=10
-
You must create the file /etc/vsftpd.userlist if it does not exist. Each line in it is a user ID (i.e., the OS user ID). This will prevent them from accessing the parent directory and also the root.
-
Just in case all changes have been made in vsftpd.conf but you are still not able to connect to the FTP service, make the following change in /etc/vsftpd.conf:
pam_service_name=vsftpd
Notes: you may refer to the following article for an explanation of why it is set to 'vsftpd', which is a PAM configuration file in the /etc/pam.d directory:
https://askubuntu.com/questions/617370/why-vsftpd-doesnt-work-when-pam-service-name-vsftpd
-
22.Sep.2022: Configure vsftpd with an SSL
Run this command to edit the vsftpd configuration:
sudo nano /etc/vsftpd.conf
Then, look for the 'rsa_cert_file' line and start editing.
rsa_cert_file=/etc/ssl/certs/your-domain-com.pem
rsa_private_key_file=/etc/ssl/private/your-domain-com.key
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
ssl_ciphers=HIGH
NOTES: for rsa_cert_file and rsa_private_key_file, you may point them to the Let's Encrypt SSL certificate for your domain. In the above, they point to the SSL certificate for yourdomain.com.
Once you have enabled SSL support on port 21, users will be able to access the service with 'FTP over TLS/SSL explicit encryption'.
Reference: https://help.ubuntu.com/community/vsftpd#TLS.2FSSL.2FFTPS
Some articles mention the following settings, which are redundant. Turning on these settings will crash vsftpd, so disable them by commenting them out:
#ssl_tlsv1_1=YES
#ssl_tlsv1_2=YES
-
To restart the FTP service,
sudo systemctl restart vsftpd
-
Final step, open port 21:
sudo ufw allow ftp
sudo ufw allow 40000:40100/tcp
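The settings from the steps above can be checked in one pass. The following script is an added example, not part of the original post: it reports any access-control or TLS setting that differs from the values this guide sets, and prints the passive port range in the form ufw expects. The function names and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): compare a vsftpd.conf with the
# access-control and TLS values this guide sets. Function names are illustrative.
EXPECTED='anonymous_enable=NO chroot_local_user=YES userlist_enable=YES
userlist_deny=NO ssl_enable=YES allow_anon_ssl=NO force_local_logins_ssl=YES
force_local_data_ssl=YES ssl_sslv2=NO ssl_sslv3=NO'

# Print the value of key $2 in file $1. The key must start the line, so
# commented-out settings are ignored; the last assignment is the one reported.
conf_get() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# Print one line per deviation from EXPECTED; return 1 if there is any.
audit_vsftpd() {
    rc=0
    for kv in $EXPECTED; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(conf_get "$1" "$key")
        if [ -z "$got" ]; then
            echo "MISSING $key (guide sets $want)"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key=$got (guide sets $want)"; rc=1
        fi
    done
    return $rc
}

# Print the passive port range as a ufw rule argument, e.g. 40000:40100/tcp.
# Fails if either bound is missing or the range is reversed.
pasv_ufw_rule() {
    lo=$(conf_get "$1" pasv_min_port); hi=$(conf_get "$1" pasv_max_port)
    [ -n "$lo" ] && [ -n "$hi" ] && [ "$lo" -le "$hi" ] || return 1
    echo "$lo:$hi/tcp"
}

# Constructed sample: TLS not forced for logins, ssl_sslv3 left commented out.
sample=$(mktemp)
printf '%s\n' anonymous_enable=NO chroot_local_user=YES userlist_enable=YES \
    userlist_deny=NO ssl_enable=YES allow_anon_ssl=NO force_local_logins_ssl=NO \
    force_local_data_ssl=YES ssl_sslv2=NO '#ssl_sslv3=NO' \
    pasv_min_port=40000 pasv_max_port=40100 > "$sample"
audit_vsftpd "$sample" || echo "configuration differs from the guide"
echo "passive range for ufw: $(pasv_ufw_rule "$sample")"
rm -f "$sample"
```

To check the real configuration, call audit_vsftpd /etc/vsftpd.conf after editing and before restarting the service.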
Add FTP user
-
To add an FTP user, use the following command which creates a folder in 'home' and sets the password.
sudo adduser myftpuserid
-
If the user directory already exists and you want to change the ownership,
sudo chown myftpuserid:myftpuserid /home/myftpuserid
-
Make sure that the user directory is r-x (where 'myftpuserid' is the user directory). The command below removes the w (write) permission:
chmod a-w /home/myftpuserid
-
18.Sep.2022: once you have added a new FTP user, the user will have the permission to access FTP service and the shell. To disable the shell access,
First, ensure that the nologin shell has been added to the OS:
sudo nano /etc/shells
Then, append the last line shown below (/usr/sbin/nologin) to the file and save it.
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/rbash
/bin/dash
/usr/bin/tmux
/usr/bin/screen
/usr/sbin/nologin
To disable the shell access for the user, you have to change the shell setting for the user account:
sudo usermod -s /usr/sbin/nologin myftpuserid
Troubleshoot
-
18.Sep.2022: How to find out if the vsftpd is running:
Run this command:
sudo systemctl status vsftpd
And you will see the following result:
tester@ubuntu11:/$ sudo systemctl status vsftpd
● vsftpd.service - vsftpd FTP server
     Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-09-19 03:08:50 UTC; 4min 34s ago
    Process: 751 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
   Main PID: 753 (vsftpd)
      Tasks: 1 (limit: 1066)
     Memory: 956.0K
     CGroup: /system.slice/vsftpd.service
             └─753 /usr/sbin/vsftpd /etc/vsftpd.conf
Sep 19 03:08:50 ubuntu11 systemd[1]: Starting vsftpd FTP server...
Sep 19 03:08:50 ubuntu11 systemd[1]: Started vsftpd FTP server.
From the result, you will see 'active (running)' and 'main PID'. If it is not running, it will show 'unmasked' or 'inactive (dead)'. 'Unmasked' might be because vsftpd has been uninstalled. In this case, you will have to reinstall it.
-
18.Sep.2022: How to find out if the server is listening to port 21.
Run this command:
netstat -peanut
And you will see something like this:
tester@ubuntu11:/$ netstat -peanut
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          24969      -
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      0          28595      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      101        22735      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          24780      -
tcp        0    240 192.168.101.11:22       192.168.101.1:62289     ESTABLISHED 0          27000      -
tcp6       0      0 :::8080                 :::*                    LISTEN      1000       26678      955/node /home/test
tcp6       0      0 :::80                   :::*                    LISTEN      0          24970      -
tcp6       0      0 :::8084                 :::*                    LISTEN      1000       26679      984/node /home/test
tcp6       0      0 :::22                   :::*                    LISTEN      0          24791      -
udp        0      0 127.0.0.53:53           0.0.0.0:*                           101        22647      -
udp        0      0 10.0.2.15:68            0.0.0.0:*                           100        17443      -
From the result, we confirm that the server is listening on port 21.
-
18.Sep.2022: Getting
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
upon accessing through FTP.
Make sure that the user does not have permission to access the shell:
sudo usermod -s /usr/sbin/nologin myftpuserid
Allow the FTP user to edit the directory:
sudo chmod a+w /home/myftpuserid
Finally, make sure the following setting has been enabled.
echo 'allow_writeable_chroot=YES' | sudo tee -a /etc/vsftpd.conf && sudo systemctl restart vsftpd
-
22.Sep.2022: Getting
OOPS: could not read chroot() list file:/etc/vsftpd.chroot_list
The above error means the 'vsftpd.chroot_list' file does not exist. To avoid this error, disable the following setting by commenting it out,
#chroot_list_enable=YES
Or disable it with 'NO',
chroot_list_enable=NO
-
11.Jan.2023: the following error appears for the new FTP user:
Server asks for authentication with a client certificate
To resolve this issue, add the user ID into the following file,
sudo nano /etc/vsftpd.userlist
-
24.Feb.2023 - to set the new file permission in vsftpd.conf:
local_umask=0002
file_open_mode=0777
As a result, the new file permission will be set to '777'.
Reference: https://serverfault.com/questions/201305/default-owner-permissions-of-created-files-via-vsftpd
References
-
More about vsftpd: https://help.ubuntu.com/community/vsftpd
-
How to create a user for ftp server: http://askubuntu.com/questions/184917/how-to-create-a-user-for-ftp-server
Related posts
- If you don't want to use vsftpd, you may consider using sftp, which is described in this article: Install OpenSSH
Author
Lau Hon Wan, software developer.