An FTP server is computer software that allows uploading, downloading, and deleting files, and creating directories, over a File Transfer Protocol (FTP) connection. FTP is a protocol that transfers files between a server (the sender) and a client (the receiver).

An FTP server serves as an intermediary for computers that transfer files on the network. FTP servers allow users to sign in by providing a username and a password to access the files. FTP can also provide access to users without login credentials, but these users generally have limited access.

FTP by itself is not secure. It is often secured with SSL/TLS to make FTPS, or replaced with SFTP (SSH FTP), which offers additional levels of data security like data encryption. This is especially important when transferring data that is sensitive or confidential.

FTP Solutions

  • Filezilla – supports transfer of files larger than 4GB.
  • File.com – includes features like an API for in-house development.
  • Exavault – has a modern web interface with security and FTP.
  • Globalscape – offers Enhanced File Transfer.
  • Smart file – includes granular control features for file permissions and tracking.

vsftpd

vsftpd stands for “very secure FTP daemon”. It is an FTP server for UNIX-like systems including Linux distributions like Ubuntu and CentOS where it is the default FTP server. It is extremely fast, secure, and stable. If you are looking for a high-performance FTP server that is secure over the network, then look no further than vsftpd.

Features

  • SSL integration that provides Data Encryption.
  • Very High security requirements
  • Assign Virtual IP configurations
  • Create Virtual users
  • Can run in three modes: standalone, inetd, or xinetd operation
  • Powerful per-user configurability
  • Bandwidth throttling for more site control
  • Per-source-IP configurability
  • Per-source-IP limits

In this guide, I will show you how to install vsftpd on KDE Neon / Kubuntu.

Install vsftpd on KDE Neon / Kubuntu

Update the system first using the following command

### KDE Neon ###
sudo apt update && sudo pkcon update -y

### Kubuntu ###
sudo apt update && sudo apt upgrade -y

Then install vsftpd using the following command

sudo apt install vsftpd

Copy the configuration file to start with a new configuration while saving the original file.

sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.orig

Open required ports on the firewall

We will configure the firewall to allow FTP access. First, check the status of the firewall using

sudo ufw status

From the results, we can see that it is active.

Status: active

If not active, use

sudo ufw enable

We will configure ports 20 (FTP command port), 21 (FTP data port), and 990/tcp when TLS is enabled.

sudo ufw allow 20,21,990/tcp

Then we will allow a range of 40000-50000 for passive ports that may be needed in the future.

sudo ufw allow 40000:50000/tcp

Then check the status

$ sudo ufw status

The sample output is as shown

Status: active

To                         Action      From
--                         ------      ----
20,21,990/tcp              ALLOW       Anywhere                  
40000:50000/tcp            ALLOW       Anywhere                  
20,21,990/tcp (v6)         ALLOW       Anywhere (v6)             
40000:50000/tcp (v6)       ALLOW       Anywhere (v6)             

Configure vsftpd on KDE Neon / Kubuntu

Open the config file using your preferred text editor.

sudo nano /etc/vsftpd.conf

We will enable local users and disable anonymous users, ensuring the lines are as below.

anonymous_enable=NO
local_enable=YES

Enable file uploads, which is the main thing with FTP. Uncomment the respective line by removing the # in front of it.

write_enable=YES

Scroll down the file to enable chroot, which restricts users from accessing files outside their directory.

chroot_local_user=YES

To allow file uploads when chroot is enabled, we will use a different directory for the FTP uploads.

user_sub_token=$USER
local_root=/home/$USER/ftp

Add the following lines to limit the range of ports for passive FTP

pasv_min_port=40000
pasv_max_port=50000

To allow only certain users to log in to the FTP server, add the following lines.

userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

Save and exit the file.

You specify the allowed users in the /etc/vsftpd.userlist file, one username per line.

Restart the vsftpd to apply the configuration changes

sudo systemctl restart vsftpd

Configure User Directory

Start by adding a test user

sudo adduser sftpuser

Add the fields as you wish or press Enter to use the default.

Adding user `sftpuser' ...
Adding new group `sftpuser' (1002) ...
Adding new user `sftpuser' (1001) with group `sftpuser' ...
Creating home directory `/home/sftpuser' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for sftpuser
Enter the new value, or press ENTER for the default
        Full Name []: 
        Room Number []: 
        Work Phone []: 
        Home Phone []: 
        Other []: 
Is the information correct? [Y/n] y

Add the user to the allowed vsftpd.userlist

echo "sftpuser" | sudo tee -a /etc/vsftpd.userlist

Create FTP and files directory

sudo mkdir /home/sftpuser/ftp

Set its ownership

sudo chown nobody:nogroup /home/sftpuser/ftp

Remove write permissions

sudo chmod a-w /home/sftpuser/ftp

Verify the permissions using the following command

sudo ls -al /home/sftpuser/ftp

Sample Output

total 8
dr-xr-xr-x 2 nobody  nogroup 4096 Mar 21 18:57 .
drwxr-xr-x 3 sftpuser sftpuser 4096 Mar 21 18:57 ..

Create a directory for uploads

sudo mkdir /home/sftpuser/ftp/upload

Assign ownership

sudo chown sftpuser:sftpuser /home/sftpuser/ftp/upload

Verify permissions.

sudo ls -la /home/sftpuser/ftp

Sample Output

total 12
dr-xr-xr-x 3 nobody  nogroup 4096 Mar 21 19:14 .
drwxr-xr-x 3 sftpuser sftpuser 4096 Mar 21 18:57 ..
drwxr-xr-x 2 sftpuser sftpuser 4096 Mar 21 19:14 upload
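
A check for the directory layout built in the steps above, added here as an example and not part of the original guide. By default vsftpd refuses to log a user into a chroot root that is writable, so the root must carry no write bits while upload stays writable by its owner; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify the chroot layout this guide builds for one FTP user.

# mode_of PATH: print the 10-character mode string, e.g. dr-xr-xr-x
mode_of() { ls -ld "$1" | cut -c1-10; }

# owner_of PATH: print the owning user name as ls reports it
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# check_ftp_layout ROOT USER: return 0 if ROOT has no write bit for anyone
# and ROOT/upload is a directory owned by USER, writable by its owner only.
check_ftp_layout() {
    root=$1 user=$2 rc=0
    case $(mode_of "$root") in
        d?-??-??-?) ;;
        *) echo "FINDING: $root must be a directory with no write bits"; rc=1 ;;
    esac
    if [ ! -d "$root/upload" ]; then
        echo "FINDING: $root/upload is missing"; return 1
    fi
    case $(mode_of "$root/upload") in
        d?w??-??-?) ;;
        *) echo "FINDING: $root/upload should be writable by its owner only"; rc=1 ;;
    esac
    if [ "$(owner_of "$root/upload")" != "$user" ]; then
        echo "FINDING: $root/upload is not owned by $user"; rc=1
    fi
    return "$rc"
}

# Constructed demo: build the layout in a temp dir, then break it.
demo=$(mktemp -d) && mkdir -p "$demo/ftp/upload"
chmod 755 "$demo/ftp/upload" && chmod a-w "$demo/ftp"
check_ftp_layout "$demo/ftp" "$(owner_of "$demo")" && echo "layout OK"
chmod u+w "$demo/ftp"        # a writable chroot root
check_ftp_layout "$demo/ftp" "$(owner_of "$demo")" || echo "layout rejected"
rm -rf "$demo"

# On the server from this guide:
#   check_ftp_layout /home/sftpuser/ftp sftpuser
```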

Now let’s add a text file to use for testing

echo "vsftpd test file" | sudo tee /home/sftpuser/ftp/upload/test.txt

Sample Output

vsftpd test file

Test FTP access from client machine

Since we have disabled anonymous users, let us try to log in as an anonymous user to test. Replace with your IP address.

ftp -p 192.168.200.36

Sample Output

Connected to 192.168.200.36.
220 (vsFTPd 3.0.3)
Name (192.168.200.36:ann): anonymous 
530 Permission denied.
Login failed.
ftp> bye
221 Goodbye.

It shows Login failed, hence works as intended.

Trying to connect as a normal user, say sudo-user, will fail as well, because that user is not listed in /etc/vsftpd.userlist.

$ ftp -p 192.168.200.36
Connected to 192.168.200.36.
220 (vsFTPd 3.0.3)
Name (192.168.200.36:ann): sudo-user
530 Permission denied.
Login failed.

ftp> bye
221 Goodbye.

Now let’s try connecting with the user ‘sftpuser’ we created for FTP. It will log in with the password you created.

$ ftp -p 192.168.200.36

Connected to 192.168.200.36.
220 (vsFTPd 3.0.3)
Name (192.168.200.36:ann): sftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

Let us switch to upload directory and use the get command to transfer the test file to our local machine

ftp> cd upload
250 Directory successfully changed.
ftp> get test.txt
local: test.txt remote: test.txt
227 Entering Passive Mode (192,168,200,36,160,164).
150 Opening BINARY mode data connection for test.txt (17 bytes).
226 Transfer complete.
17 bytes received in 0.00 secs (224.3454 kB/s)
ftp> 

Next, let us upload the file with a new name using the put command to test the write permissions.

ftp> put test.txt upload.txt
local: test.txt remote: upload.txt
227 Entering Passive Mode (192,168,200,36,175,195).
150 Ok to send data.
226 Transfer complete.
17 bytes sent in 0.00 secs (691.7318 kB/s)
ftp> 

Secure transmissions using TLS/SSL

Create a new openssl certificate and use the -days flag to make it valid for a year.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

You will be prompted for information on your new certificate. You can fill in or skip the fields.

Generating a RSA private key
...................+++++
.................................................................................................+++++
writing new private key to '/etc/ssl/private/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:KE
State or Province Name (full name) [Some-State]:Nairobi
Locality Name (eg, city) []:Nairobi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Technixleo
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Open the vsftpd configuration file

sudo nano /etc/vsftpd.conf

At the bottom of the file, there are two lines that begin with ‘rsa’. Comment them out by putting # in front of them.

#rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Now add the following lines

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

Change the value of ssl_enable to YES

ssl_enable=YES

Add the following lines to explicitly deny anonymous connections over SSL, force local logins and data transfers over SSL, configure TLS as the preferred SSL successor, and disable the SSL session reuse requirement.

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

Save and exit the file.

Restart the server to apply settings.

sudo systemctl restart vsftpd
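
One way to confirm that the edited file still carries the access and TLS settings from this guide, as an added example that is not part of the original tutorial. The function names are hypothetical, and the script assumes a later assignment in vsftpd.conf overrides an earlier one.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf against the values set in this guide.
# Every key must be set explicitly; values are compared as the guide spells them.
EXPECTED='anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
pasv_min_port=40000
pasv_max_port=50000
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO'

# conf_value FILE KEY: print the value of the last uncommented KEY= line
# (assumption: a later assignment overrides an earlier one), or nothing.
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r'
}

# audit_vsftpd_conf FILE: print one line per deviation from EXPECTED and
# return the number of deviations (0 means the file matches the guide).
audit_vsftpd_conf() {
    findings=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(conf_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FINDING: $key is '${got:-unset}', expected '$want'"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: anonymous login re-enabled further down the file and
# the ssl_enable line still commented out.
sample=$(mktemp)
{ printf '%s\n' "$EXPECTED" | sed 's/^ssl_enable/#&/'; echo 'anonymous_enable=YES'; } > "$sample"
audit_vsftpd_conf "$sample" || echo "$? deviation(s) in sample"
rm -f "$sample"

# On the server from this guide:
#   audit_vsftpd_conf /etc/vsftpd.conf
```

The pasv_min_port and pasv_max_port values are checked against 40000 and 50000 because that is the range opened in ufw earlier; a mismatch leaves passive transfers blocked or the firewall wider than the server needs.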

Testing TLS with Filezilla

Install Filezilla

In this tutorial, we are going to use the Filezilla FTP client program to test FTP access.

To install use the following command

sudo apt install -y filezilla

Then launch the program from the Application Launcher.

It opens as shown. Find the site manager by clicking the icon shown below.

Then a new window opens. Click on New Site

A ‘new site’ icon appears under ‘my sites’. You can rename it.

Fill in the Host field with your IP address. You can leave the port empty, as 21 is the default port. Under the Encryption drop-down menu, select Require explicit FTP over TLS. Fill in your FTP username and password with the ones we created above. Click the Connect button to proceed.

A server certificate is shown as below. Click OK to continue

You can move the file to the local machine to verify that you can download files

Then rename the file on the local machine and move it to the server to verify you can upload files.

Conclusion

In this guide, you have learned how to install and configure vsftpd on KDE Neon / Kubuntu. It is not hard and is a pretty straightforward process. You have also learned how to set up FTP for local users and how to configure the FTP connection to work using SSL/TLS.
