Guide: Installing an FTP server (vsftpd) on Ubuntu 16.04 / 17.10

Last updated on

In this guide we will install and configure vsftpd on Ubuntu 16.04 / 17.10.

Before you begin…

It’s surprising how many web developers are still unaware of SFTP and the advantages over FTP/FTPS. I admit myself that until recently I would religiously set up a vsftpd server with every new Linux install, but it’s really not necessary. If your FTP client supports SFTP, you should use it!

1. Install vsftpd

Let’s begin by updating the list of available packages and installing vsftpd.

sudo apt-get update
sudo apt-get install vsftpd

To check the status of vsftpd, run

sudo service vsftpd status
 vsftpd.service - vsftpd FTP server
   Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: e
   Active: active (running) since Sat 2018-02-03 23:59:12 UTC; 16s ago
 Main PID: 31602 (vsftpd)
   CGroup: /system.slice/vsftpd.service
           └─31602 /usr/sbin/vsftpd /etc/vsftpd.conf

Feb 03 23:59:12 myserver systemd[1]: Starting vsftpd FTP server...
Feb 03 23:59:12 myserver systemd[1]: Started vsftpd FTP server.

Above we can see our FTP server is now up and running.

2. Configure Firewall

If you haven’t already done so, it is recommended that you enable the ufw firewall. Before enabling ufw firewall, make sure you add a rule for SSH, otherwise you may get locked out of your server. If you don’t want to set up a firewall, skip to Step 3.

sudo ufw allow OpenSSH

Let’s open ports 20 and 21 for FTP, and ports 40000-50000 for passive FTP. We’ll also open port 990 for TLS, which we will set up later.

sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow 40000:50000/tcp
sudo ufw allow 990/tcp

Now, enable the firewall if it isn’t already

sudo ufw enable

To check the status of the firewall, run:

sudo ufw status

3. Create an FTP User

In this example, we will create a new user called ftpuser.

sudo adduser ftpuser

Generate a strong password and keep it safe.

You may also be asked to enter some contact information. You can just press ENTER to each of these.

If you only want ftpuser to log in using FTP, you can disable their SSH/SFTP access by adding their username to the SSH config file. Otherwise, skip to Step 4.

Open the SSH config in nano.

sudo nano /etc/ssh/sshd_config

Add the following to the bottom of the file replacing ftpuser with the user you want to deny SSH and SFTP access. You can add multiple users here separated by a single space. (To paste in nano, press the right mouse button).

/etc/ssh/sshd_config
DenyUsers ftpuser

To save file and exit, press CTRL + X, press Y and then press ENTER.

Restart the SSH service.

sudo service sshd restart

4. Directory Permissions

You now need to decide where this FTP user is allowed to view and upload files.

If you followed our other guide for setting up multiple domains, your document root may be located in /var/www/test1.com/public_html – in that case, you would need to set the home folder for ftpuser to the folder above the document root: /var/www/test1.com, substituting test1.com for your own domain.

In this guide we will assume you are using the default document root in Ubuntu. We are going to give the user ftpuser FTP access to the document root /var/www/html, which is the default document root for both Apache and Nginx.

You will need to set the folder above the document root as the home directory for ftpuser.

sudo usermod -d /var/www ftpuser

Now set ownership of the document root directory to ftpuser. (The default is /var/www/html, though it may be /var/www/test1.com/public_html on your server.)

This will allow our FTP user to write and alter files in the document root directory.

sudo chown ftpuser:ftpuser /var/www/html

5. Configure vsftpd

There are a few changes we have to make to the vsftpd configuration file. If you just want a working config file to paste in yourself, we have created one here for your convenience.

Before editing the config file, create a backup.

sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.bak

Now, open the config file.

sudo nano /etc/vsftpd.conf

This is quite a large file but it’s mostly filled with comments to help you along.

You need to go down the file and make sure that the settings match those below. Note: you can search in nano using CTRL + W

Look for #write_enable=YES and uncomment it by removing the # sign. This will allow FTP users to write files to the server.

etc/vsftpd.conf
write_enable=YES

Look for #chroot_local_user=YES and uncomment it by removing the # sign. This will prevent FTP users from browsing outside their own directory.

etc/vsftpd.conf
chroot_local_user=YES

Look for #local_umask=022 and uncomment it by removing the # sign. This will give uploaded files and folders the correct permissions.

etc/vsftpd.conf
local_umask=022

We now need to add some directives that don’t exist in the file.

Since Linux doesn’t show files beginning with a dot, files like .htaccess will not be visible in FTP. This may be a problem if you intend to use Apache and want to work with .htaccess.

To force vsftpd to show file names that begin with a dot, paste the following to the bottom of the file. (To paste in nano, press the right mouse button)

etc/vsftpd.conf
force_dot_files=YES

Lastly, let’s add some port ranges for passive FTP to make sure enough connections are available. Paste the following to the bottom of the file. (To paste in nano, press the right mouse button)

etc/vsftpd.conf
pasv_min_port=40000
pasv_max_port=50000

We are done with vsftpd.conf for the moment but will return in later steps to set up security and SSL.

To save file and exit, press CTRL + X, press Y and then press ENTER.

Restart vsftpd.

sudo systemctl restart vsftpd

6. Test FTP

We can now test vsftpd to see if we can log in as the user we created earlier. We recommend FileZilla, which works on Windows, Mac and Linux.

Enter your server’s IP, your FTP username and password you created earlier, and click Quickconnect.

Above we can see we have connected successfully and the web root directory html is displayed, though this may be different on your server.

Try uploading, creating and editing folders and files within the web root directory to ensure permissions are working correctly.

You will notice we have a warning in FileZilla “Status: Insecure server, it does not support FTP over TLS.” It is highly recommended that you now configure TLS so that login credentials and traffic are encrypted over the FTP connection.

If you are having problems logging in to the FTP server, try checking the vsftpd log. To view the last 200 entries using tail:

sudo tail /var/log/vsftpd.log -n 200

7. Secure FTP with TLS (optional)

It’s important to keep a few things in mind when using FTP – it is not encrypted by default meaning your credentials and content that you send are sent in the clear so are vulnerable to interception. To address this you should connect to vsftpd using FTPS (FTP over SSL/TLS).

We are going to use openssl to create a new certificate.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

You will be asked to enter some details like country, etc. You can just press ENTER for all of these.

Now that you private key has been created, there are a few changes we have to make to the vsftpd configuration file. If you just want a working config file to paste in yourself, we have created one here for your convenience.

Open the config file in nano editor.

sudo nano /etc/vsftpd.conf

Find the following directive: (Note: you can search in nano using CTRL + W)

etc/vsftpd.conf
ssl_enable=NO

Change it to:

etc/vsftpd.conf
ssl_enable=YES

Paste in the following to end of the config file.

etc/vsftpd.conf
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_min_port=40000
pasv_max_port=50000

Save file and exit (press CTRL + X, press Y and then press ENTER).

Restart vsftpd.

sudo systemctl restart vsftpd

8. Testing TLS with FileZilla

We can now test TLS. We recommend FileZilla, which works on Windows, Mac and Linux.

Enter your server’s IP, your FTP username and password you created earlier, and click Quickconnect.

You may be presented with an Unknown Certificate warning. Click Always trust this certificate in future sessions and click OK.

If you are connected over TLS, it will tell you in the connection log. You will also see a padlock in the bottom right corner.

You’re all done!

Let me know in the comments if this helped. Follow me @DevAnswers or read more.

1 Star2 Stars3 Stars4 Stars5 Stars 4.60 (10 votes)

Feedback

Your email address will not be published. Required fields are marked *

We use Markdown to style comments, like on Github and Reddit.
To do a line break, type two spaces after the sentence.
You can add inline code by wrapping it in backticks: `code here`

    To do an entire block of code  
    type four spaces before the line
    and it will appear in a block like this.
    <-- four empty spaces

7 replies

Hi, Followed the same however after implementing SSL ftp session is not established. Can you pls help me with this.

FIleZilla status
Retrieving directory listing…..

and exits with error.. any clue why?

experiencing same issue

and in log its showing:

Sun Sep 9 10:41:51 2018 [pid 1411] CONNECT: Client “::ffff:...

Sun Sep 9 10:41:54 2018 [pid 1410] [ftpuser] OK LOGIN: Client “::ffff:...

When I try log in with TLS I get “GnuTLS error -15: An unexpected TLS packet was received.”

This can happen if the user’s root directory is writable, which isn’t allowed when using chroot restrictions. To test, add allow_writeable_chroot=YES to /etc/vsftpd.conf and restart vsftpd sudo systemctl restart vsftpd