Install FTP

Published on: 22nd Apr 2014

Updated on: 11th Jan 2023

What is FTP

FTP (File Transfer Protocol) is for users to upload their file to the server and download the file from the server.

Why

Usually, we need the FTP service for maintaining a website by uploading the changes. For example, you have edited a web page and added new pictures and you want to upload (i.e., publish) these changes to the server.

Install and configure vsftpd

• To install vsftpd, run the following command,

  sudo apt install vsftpd
  

• In /etc/vsftpd.conf, ensure the following settings match the following:

  listen=YES
  listen_ipv6=NO
  anonymous_enable=NO
  local_enable=YES
  write_enable=YES
  chroot_local_user=YES
  
  user_sub_token=$USER
  local_root=/home/$USER
  
  pasv_min_port=40000
  pasv_max_port=40100
  
  userlist_enable=YES
  userlist_file=/etc/vsftpd.userlist
  userlist_deny=NO
  
  allow_writeable_chroot=YES
  
  # Connection limit for each IP:
  max_per_ip=2
  
  # Maximum number of clients:
  max_clients=10
  

• You must create (if not exists) this file /etc/vsftpd.userlist and each line is the user ID (ie, the OS user ID). This will prevent them from accessing the parent directory and also the root.

• Just in case all changes have been made in vsftpd.conf but you are still not able to connect to the FTP service, make the following change in /etc/vsftpd.conf.

  pam_service_name=vsftpd
  

  Notes: you may refer to the following article for the explanation on why setting it to 'vsftpd' which is a pam configuration file in /etc/pam.d directory.

  https://askubuntu.com/questions/617370/why-vsftpd-doesnt-work-when-pam-service-name-vsftpd

• 22.Sep.2022: Configure vsftpd with an SSL

  Run this command: sudo nano /etc/vsftpd.conf to edit the vsftpd configuration.

  Then, look for 'rsa_cert_file' line and start editing.

  rsa_cert_file=/etc/ssl/certs/your-domain-com.pem
  rsa_private_key_file=/etc/ssl/private/your-domain-com.key
  ssl_enable=YES
  allow_anon_ssl=NO
  force_local_data_ssl=YES
  force_local_logins_ssl=YES
  ssl_tlsv1=YES
  ssl_sslv2=NO
  ssl_sslv3=NO
  require_ssl_reuse=YES
  ssl_ciphers=HIGH
  

  NOTES: for rsa_cert_file and rsa_private_key_file, you may point it to the Let's encrypt SSL cert for your domain. In the above, it is pointing to the SSL for yourdomain.com.

  Once you have enabled the SSL support on port 21, the user will be able to access service with 'FTP over TLS/SSL explicit ecryption'.

  Reference: https://help.ubuntu.com/community/vsftpd#TLS.2FSSL.2FFTPS

  Some article mention about the following setting and it is redundant. Turn on the following settings will crash the vsftpd. So, disable the setting by commented it.

  #ssl_tlsv1_1=YES
  #ssl_tlsv1_2=YES
  

  Reference: https://forum.vestacp.com/viewtopic.php?t=18559

• To restart the FTP service,

  sudo systemctl restart vsftpd
  

• Final step, open port 21:

  sudo ufw allow ftp
  sudo ufw allow 40000:40100/tcp
  

Add FTP user

• To add an FTP user, use the following command which creates a folder in 'home' and sets the password.

  sudo adduser myftpuserid
  

• If the user directory already exist and you want to change the ownership,

  sudo chmod myftpuserid:myftpuserid /home/myftpuserid
  

• Make sure that the user directory is r-x (where 'myftpuserid' is the user directory) and below command remove w (write) permission,

  chmod a-w /home/myftpuserid
  

• 18.Sep.2022: once you have added a new FTP user, the user will have the permission to access FTP service and the shell. To disable the shell access,

  First, ensure that nologin shell has been added to the OS:

  sudo nano /etc/shells
  

  Then, append the last line to the file and save it.

  # /etc/shells: valid login shells
  /bin/sh
  /bin/bash
  /bin/rbash
  /bin/dash
  /usr/bin/tmux
  /usr/bin/screen
  /usr/sbin/nologin
  

  To disable the shell access for the user, you have to change the shell setting for the user account:

  sudo usermod -s /usr/sbin/nologin myftpuserid
  

Troubleshoot

• 18.Sep.2022: How to find out if the vsftpd is running:

  Run this command: sudo systemctl status vsftpd

  And you will see the following result:

  tester@ubuntu11:/$ sudo systemctl status vsftpd
  ● vsftpd.service - vsftpd FTP server
      Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled)
      Active: active (running) since Mon 2022-09-19 03:08:50 UTC; 4min 34s ago
      Process: 751 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
  Main PID: 753 (vsftpd)
      Tasks: 1 (limit: 1066)
      Memory: 956.0K
      CGroup: /system.slice/vsftpd.service
              └─753 /usr/sbin/vsftpd /etc/vsftpd.conf
  
  Sep 19 03:08:50 ubuntu11 systemd[1]: Starting vsftpd FTP server...
  Sep 19 03:08:50 ubuntu11 systemd[1]: Started vsftpd FTP server.
  

  From the result, you will see 'active (running)' and 'main PID'. If it is not running, it will show 'unmasked' or 'inactive (dead)'. 'Unmasked' might be due to the vsftpd has been uninstalled. In this case, you will have to reinstall it.

• 18.Sep.2022: How to find out if the server is listening to port 21.

  Run this command: netstat -peanut

  And you will see something like this:

  tester@ubuntu11:/$ netstat -peanut
  (Not all processes could be identified, non-owned process info
  will not be shown, you would have to be root to see it all.)
  Active Internet connections (servers and established)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
  tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          24969      -
  tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      0          28595      -
  tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      101        22735      -
  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          24780      -
  tcp        0    240 192.168.101.11:22       192.168.101.1:62289     ESTABLISHED 0          27000      -
  tcp6       0      0 :::8080                 :::*                    LISTEN      1000       26678      955/node /home/test
  tcp6       0      0 :::80                   :::*                    LISTEN      0          24970      -
  tcp6       0      0 :::8084                 :::*                    LISTEN      1000       26679      984/node /home/test
  tcp6       0      0 :::22                   :::*                    LISTEN      0          24791      -
  udp        0      0 127.0.0.53:53           0.0.0.0:*                           101        22647      -
  udp        0      0 10.0.2.15:68            0.0.0.0:*                           100        17443      -
  

  From the result, we confirm that the server is listening on port 21.

• 18.Sep.2022: Getting 500 OOPS: vsftpd: refusing to run with writable root inside chroot() upon accessing through FTP.

  Make sure that the user does not have permission to access shell:

  sudo usermod -s /usr/sbin/nologin myftpuserid
  

  Allows the FTP user to edit the directory:

  sudo chmod a+w /home/myftpuserid
  

  Finally, make sure the following setting has been enabled.

  echo 'allow_writeable_chroot=YES' >> /etc/vsftpd/vsftpd.conf && systemctl restart vsftpd
  

• 22.Sep.2022: Getting OOPS: could not read chroot() list file:/etc/vsftpd.chroot_list

  The above error means 'vsftpd.chroot_list' file does not exist. To avoid this error, disbale the following setting,

  #chroot_list_enable=YES
  

  Or disable it with 'NO',

  chroot_list_enable=NO
  

• 11.Jan.2023: the following error appear for the new FTP user:

  Server asks for authentication with a client certificate
  

  To resolve this issue, add the user ID into the following file,

  sudo nano /etc/vsftpd.userlist
  

• 24.Feb.2023 - to set the new file permission in vsftpd.conf:

  local_umask=0002
  file_open_mode=0777
  

  As a result, the new file permission will be set to '777'.

  Reference: https://serverfault.com/questions/201305/default-owner-permissions-of-created-files-via-vsftpd

References

• More about vsftpd: https://help.ubuntu.com/community/vsftpd

• How to create a user for ftp server: http://askubuntu.com/questions/184917/how-to-create-a-user-for-ftp-server

Related posts

• If you don't want to use vsftpd, you may consider using sftp which describes in this article: Install OpenSSH

Jump to #UBUNTU blog

Author

Lau Hon Wan, software developer.