What is vsftpd?
The FTP in the vsftpd is self-explanatory here. It is an FTP server that supports IPv6 as well as SSL.
It is a server for UNIX systems, and that includes Linux as well.
So, basically, we are going to learn how to set up a Linux FTP server, i.e. install vsftpd on Ubuntu Server 16.04.
If you are looking for an Ubuntu FTP server that provides better security, faster performance and stability for your FTP operations, then vsftpd is a good choice.
Here is a list of features that you have to look forward to once you install vsftpd.
Vsftpd will handle and take care of these for you.
Virtual users - Working with virtual users is how we are going to set up vsftpd. We will create users, grant permissions and let them perform FTP operations.
Bandwidth throttling - Throttling the bandwidth might help decrease the congestion in your network.
Standalone or inetd operation - As both standalone and inetd operation are an option, it will work well for both high- and low-traffic sites or web pages.
Powerful per-user configurability - Accessing and performing tasks for a particular user with the help of an established FTP connection makes things easier.
Encryption support through SSL integration - This feature adds more security to your website.
IPv6 - As we have already seen, vsftpd supports IPv6.
Virtual IP configurations, per-source-IP configurability and per-source-IP limits are a few of the other features.
In this tutorial, we are going to set up vsftpd for a user directory, and to achieve that we will create a new user; for example, the user lucifer.
This user will be the one who is able to access the specific directory that we are going to set vsftpd up for.
We will enable FTP on Ubuntu version 16.04.
Prerequisite: Ubuntu Server 16.04 installed. Refer to Ubuntu Server Setup Guide for Beginners (Version 16.04) to set it up.
Setting Up VSFTPD on Ubuntu 16.04.
Step One: To Install Vsftpd.
The command apt-get update is used every time you have to install a new package or update the existing ones.
So, we'll start with the apt-get update command.
sudo apt-get update
This will update the package lists for all the existing packages.
Next, we will install the vsftpd package.
sudo apt-get install vsftpd
When you hit enter you will see the following. Enter 'y' to continue the process.
But before you go any further, let's quickly check the firewall status.
You can do that by running the command shown below.
sudo ufw status
This checks the status of the uncomplicated firewall.
It will get you the list of all the services and ports that are allowed.
If you don't see any of the tcp ports on it, use the following commands to remedy that.
sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow 990/tcp
sudo ufw allow 40000:50000/tcp
Once that is done, you can run the ufw status command again, and you will see the new entries in the table.
sudo ufw status
These are all the ports and services that have been allowed now.
Step Two: To Set Up A User Directory.
As our purpose here is to install vsftpd on Ubuntu for a user directory, we will need a user directory.
A] In order to prepare that user directory for vsftpd, we have to create a new user.
We will create a new user, lucifer.
As you can see in the above screenshot, once you hit enter after the add user command, you will be asked to assign a password to the new user.
It will ask you to enter the password again to verify it.
After that, you will be asked to fill in details about the new user, in our case that would be lucifer.
Enter the respective details and hit enter.
Next, you will be asked to verify the details. Enter 'Y' to continue with the installation steps.
B] Setting ownership and access.
There's a reason that we have to restrict write access for vsftpd: it strengthens the security of vsftpd on Ubuntu.
Security calls for limiting access to a specific directory.
Set the ownership and restrict write access for the user lucifer by using the following commands.
sudo mkdir /home/lucifer/ftp
sudo chown nobody:nogroup /home/lucifer/ftp
sudo chmod a-w /home/lucifer/ftp
These commands ensure that the user lucifer does not have write access to the ftp directory.
To verify the permissions use the following command.
You are going to need a directory to upload files in, so we will now create one.
The following commands are how you do it.
sudo mkdir /home/lucifer/ftp/store
sudo chown lucifer:lucifer /home/lucifer/ftp/store
Run a permission check just like you did before as shown in the screenshot.
When that is done you can add a new text file to this new directory.
We created a directory named store and we will be creating the text file and storing it there.
We have given the new user lucifer access to the newly created store directory and also taken measures to make the ftp directory more secure.
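The permission check described in this step, as an added example that is not part of the original tutorial: a POSIX shell script that confirms the chroot directory carries no write bit and that the upload directory inside it is writable by its owner. The function names and the optional owner arguments are assumptions made for the example.

```shell
#!/bin/sh
# Added example: verify the directory layout from Step Two.

# mode_of PATH -> 10-character mode string from ls -ld (e.g. dr-xr-xr-x)
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }
# owner_of PATH -> owner:group as printed by ls -ld
owner_of() { ls -ld "$1" 2>/dev/null | awk '{print $3 ":" $4}'; }

# has_write_bit MODE -> succeeds if user, group or other holds the w bit
has_write_bit() {
    case "$1" in ??w*|?????w*|????????w*) return 0 ;; esac
    return 1
}

# usage: check_ftp_layout CHROOT_DIR UPLOAD_DIR [CHROOT_OWNER] [UPLOAD_OWNER]
check_ftp_layout() {
    root=${1%/}; up=${2%/}; rc=0
    [ -d "$root" ] || { echo "FAIL: $root is not a directory"; return 1; }
    [ -d "$up" ]   || { echo "FAIL: $up is not a directory"; return 1; }
    # chmod a-w on the chroot root: nobody may hold a write bit on it.
    if has_write_bit "$(mode_of "$root")"; then
        echo "FAIL: $root is writable ($(mode_of "$root"))"; rc=1
    fi
    # The upload directory must sit inside the chroot root ...
    case "$up" in "$root"/*) ;; *) echo "FAIL: $up is outside $root"; rc=1 ;; esac
    # ... and its owner needs the write bit to accept uploads.
    case "$(mode_of "$up")" in
        ??w*) ;;
        *) echo "FAIL: owner cannot write to $up"; rc=1 ;;
    esac
    # Optional ownership check, e.g. nobody:nogroup and lucifer:lucifer.
    [ -z "$3" ] || [ "$(owner_of "$root")" = "$3" ] ||
        { echo "FAIL: $root is owned by $(owner_of "$root")"; rc=1; }
    [ -z "$4" ] || [ "$(owner_of "$up")" = "$4" ] ||
        { echo "FAIL: $up is owned by $(owner_of "$up")"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $root read-only, $up writable by owner"
    return "$rc"
}

# Run when directories are given on the command line.
if [ "$#" -ge 2 ]; then check_ftp_layout "$@"; fi
```

For the layout in this tutorial the arguments would be /home/lucifer/ftp /home/lucifer/ftp/store nobody:nogroup lucifer:lucifer.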
In the next step, we will move to the vsftpd configuration file.
Step Three: Configuration.
The gist here is to install it to a specific directory.
So, we are going to allow this user to have the ftp access rights over that directory and for that we need to make some changes in the vsftpd configuration file.
As you already know, this step solely focuses on the content of the vsftpd config file.
sudo nano /etc/vsftpd.conf
Once you open the file, find the below lines.
Check to see if the below lines are present as shown in the screenshot below. (They should be uncommented)
Move down, you should find
Uncomment it. This will allow lucifer to upload new files.
After that, look for
Do the same and uncomment it.
The purpose of this particular line is to restrict lucifer’s access to just this one particular directory.
He will not be able to access any file outside of this directory.
We are going to add user_sub_token to the local_root directory path.
This is done so that lucifer or any new user added does not have any trouble with the configuration.
pasv_min_port and pasv_max_port are used in order to limit the range of the ports.
These ports can even be used for passive FTP. It ensures that there are enough connections.
FTP access will be given to a user only when that user is added to a user list. Only the users on this list will be able to have FTP access here.
If you look at the changes we have made, userlist_deny is set to NO.
When it is set to NO, only the users on this particular list will be able to have FTP access.
But if it is set to YES, none of the users on the list will get FTP access.
Yes, that was it. Now, you can save the file and exit.
Just two more commands and then you can move on to the next step.
Creating user and adding it to our userlist.
You can do it by using the following command:
echo "lucifer" | sudo tee -a /etc/vsftpd.userlist
As you can see, the user lucifer has been added to the list.
Here’s how you can check again if the user was added or not.
We are almost done. The final step here is to restart the daemon so that we can move on to the next step in the installation process.
sudo systemctl restart vsftpd
Step Three: Test the FTP access.
We are entering the testing phase.
A] The first test is to not let any anonymous users have FTP access:
As you can clearly see in the below screenshot, we have tried to give an anonymous user access to the FTP server, but the login failed and the user was denied permission to log in.
The following command is used to connect to ftp.
ftp -p your_ip
To close the ftp connection enter bye as shown below.
B] Now, we will try to connect with a sudo_user.
We have given access to lucifer who has been added to the userlist. So, users other than lucifer should not be able to connect.
When asked for the name, enter the user's name; here it is sudo_user. As the user is not valid, he will be denied access.
Note that all of this is done before the user is asked for a password.
C] Let’s get back to our user lucifer. He should be able to connect to FTP.
After you enter lucifer, you will be asked for the password. Enter the password you added for lucifer earlier in this tutorial and then hit enter.
The user lucifer will be able to connect with FTP.
Now we will perform some operations to test the FTP connection for lucifer.
This is how vsftpd users work.
i) We are going to change the directory and set it to the store directory that we created earlier.
Use the following command to change the directory.
ii) Transfer the text.txt file we created before to our local directory.
You will be able to transfer the file to the local directory.
You can see it at work in the following screenshot.
iii) Our next operation is to test the write permission.
To test for the write permission we will upload the text.txt file with the name upload.txt.
put text.txt upload.txt
The above screenshot shows the operation in detail.
This concludes the FTP testing part of our tutorial.
Our next step will be to secure the server.
Step Four: Securing the transactions.
i] With a 2048-bit RSA key.
The job of an RSA key is to secure transactions.
Here’s an example to explain the RSA key better.
Suppose lucifer wants to send a message to dean.
Lucifer needs access to dean’s public key; only then will he be able to encrypt the message.
Dean, on the other hand, should have his private decryption key.
Dean will send his public key to lucifer and wait for the message to arrive so that he can decrypt it.
Lucifer will not get the decryption key; dean will be the sole owner of the private decryption key.
Let’s get back to securing the transactions.
First, the openssl command will be used to create a new certificate.
And we can make the certificate last for the duration of a year by using the -days flag in it.
FTP does not encrypt the data being transmitted, and the same goes for user credentials.
That is the reason we are going to enable TLS/SSL. It provides the necessary encryption.
And the RSA key helps with that.
We will specify the 2048-bit RSA key in the openssl command.
There’s a reason -keyout and -out have been assigned the same value.
It ensures that both the private key & the certificate will be in the same file.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
Open the vsftpd.conf file once again.
sudo nano /etc/vsftpd.conf
Look for the following lines in that file and then comment them out.
Just add a # in front of these lines to comment out.
The final result should look like this.
Next, you will have to add the following lines.
These lines point to the private key and the certificate that we just created.
The next step is to enable the ssl. Enabling it will ensure that all the traffic received is encrypted.
Adding the following lines is necessary in order to deny anonymous connections over SSL and to require SSL for both data transfer and logins.
We have to add a few more things to the file. The next set of lines is right below.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
These lines are needed to set up the server for TLS.
Next, we need to add two more lines in the config file. We are going to set require_ssl_reuse to NO, as we are not going to need it.
Then we will set ssl_ciphers to HIGH, as we need high-encryption cipher suites.
After you have made all the above changes, save the file and close it.
Note: You can save the file by hitting ‘Ctrl+o’ and to exit the file hit ‘Ctrl+x’
The changes you have made will only take effect once you restart the server.
sudo systemctl restart vsftpd
iii) If the user lucifer now tries to log in through the insecure command line, he will not be able to get in.
ftp -p 18.104.22.168
Connected to 22.214.171.124.
220 (vsFTPd 3.0.3)
Name (126.96.36.199:root): lucifer
530 Non-anonymous sessions must use encryption.
ftp: Login failed.
421 Service not available, remote server has closed connection
ftp>bye
221 Goodbye.
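To confirm that the finished /etc/vsftpd.conf matches what Steps Three and Four describe, the following added example (not part of the original tutorial) audits the file in POSIX shell. Option names that the page does not show, such as anonymous_enable, write_enable, chroot_local_user, userlist_enable, ssl_enable, allow_anon_ssl and the force_local_* pair, are standard vsftpd options assumed here to be the lines the text refers to; an option that is not set explicitly is reported as a finding.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf against the settings this tutorial describes.

# get_opt FILE KEY -> value of the last uncommented KEY=value line (empty if unset)
get_opt() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# expect_opt FILE KEY VALUE -> prints a finding and fails on a mismatch
expect_opt() {
    got=$(get_opt "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FINDING: $2=${got:-<unset>} (expected $3)"
    return 1
}

# usage: audit_vsftpd_conf FILE [FW_MIN FW_MAX]; defaults match ufw 40000:50000/tcp
audit_vsftpd_conf() {
    conf=$1; lo=${2:-40000}; hi=${3:-50000}; findings=0
    # Option names not printed on the page are standard vsftpd options (assumed).
    for pair in anonymous_enable=NO write_enable=YES chroot_local_user=YES \
        userlist_enable=YES userlist_deny=NO ssl_enable=YES allow_anon_ssl=NO \
        force_local_data_ssl=YES force_local_logins_ssl=YES ssl_tlsv1=YES \
        ssl_sslv2=NO ssl_sslv3=NO require_ssl_reuse=NO ssl_ciphers=HIGH
    do
        expect_opt "$conf" "${pair%%=*}" "${pair#*=}" || findings=$((findings + 1))
    done
    # The passive range must sit inside the port range opened in the firewall.
    pmin=$(get_opt "$conf" pasv_min_port); pmax=$(get_opt "$conf" pasv_max_port)
    case "$pmin" in ''|*[!0-9]*) pmin=0 ;; esac
    case "$pmax" in ''|*[!0-9]*) pmax=0 ;; esac
    if [ "$pmin" -lt "$lo" ] || [ "$pmax" -gt "$hi" ] || [ "$pmin" -gt "$pmax" ]; then
        echo "FINDING: passive ports $pmin-$pmax not inside firewall range $lo-$hi"
        findings=$((findings + 1))
    fi
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

# Run against a file given on the command line, e.g. /etc/vsftpd.conf
if [ "$#" -ge 1 ]; then audit_vsftpd_conf "$@"; fi
```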
Step Five: Testing the TLS with Filezilla
We are going to perform some ftp operations with filezilla, just like the ones we did earlier.
i] Select the Site Manager icon that is present right below the File option on the menu bar.
It will open the Site Manager window. At the bottom corner you will find the New Site button. Click on it.
ii] Fill in the respective details:
Enter your ip in the host field.
Protocol should be: FTP- File Transfer Protocol.
Select ‘Require explicit FTP over TLS’ from the drop down menu for encryption.
Select ‘Ask for password’ from the drop down list for Logon Type.
Enter the user name as ‘lucifer’.
[iii] After you fill in these details, click on Connect.
Enter your password.
Then click the OK button; it will connect to your server with TLS/SSL encryption.
[iv] The next step is to accept the certificate.
Once that is done click on the store folder, select the test.txt file and drag it to the left side.
This will confirm that you can download the file.
[v] Now, rename test.txt to upload.txt and drag it to the right of the screen; this will confirm that you can upload the file.
That’s how you install vsftpd on Ubuntu Server 16.04 for a specific directory.
This covers about everything you need to set up your first vsftpd connection and perform FTP operations as per your requirements.
Testing the established vsftpd connection in two ways helps you set up a connection that will work at all times.
First, we tested it over plain FTP, then we tested it again over TLS.
This gives you secure FTP access to the directory store.