(ve):Vsftpd on Ubuntu
- This page was last modified on April 13, 2012, at 15:43.
From (mt) Community Wiki
Preface
These instructions have been tested on Ubuntu 9.10.
[ Need brief explanation why to install vsftpd, since "sftp" already works on fresh (ve) install. ]
Install
- Log in to your (ve) by typing the following in a Terminal. Windows users should use a client like PuTTY, which asks for the user and password, so they won't need this command.
ssh root@example.com
- Make sure your server is up to date:
# apt-get update
# apt-get upgrade
- Install vsftpd:
# apt-get install vsftpd
- That's it. vsftpd is installed. Now let's configure the server.
Configuration
- Open the vsftpd configuration file, /etc/vsftpd.conf:
# nano /etc/vsftpd.conf
- There are three types of configuration settings:
  - Boolean: YES or NO.
  - String: usually paths or user/group names.
  - Numeric: 0-9 values.
- By default vsftpd is configured to only allow anonymous download. During installation an ftp user is created with a home directory of /home/ftp. This is the default FTP directory.
If you wish to change this location, to /srv/ftp for example, simply create a directory in the new location and change the ftp user's home directory:
sudo mkdir /srv/ftp
sudo usermod -d /srv/ftp ftp
Note: These settings should work fine for almost every server out there, but there are many more options you can set. Check out the vsftpd man page linked in the More info section.
| Setting | Value type | Description |
| local_root | string | Directory local users are placed in when they log in (and the root of their chroot when chroot_local_user is enabled). You'll probably want to set this to /var/www or wherever your server root is. |
| local_enable | boolean | Allow local users to log in. |
| write_enable | boolean | Allow any FTP command that writes to the filesystem. |
| local_umask | numeric | Default is 077. Most FTPd's use 022. |
| anon_upload_enable | boolean | Allows anonymous users to upload files. |
| anon_mkdir_write_enable | boolean | Allows anonymous users to create new directories. |
| connect_from_port_20 | boolean | Default YES. Ensures all data connections originate from port 20. |
| chown_uploads | boolean | Do you want anonymous users to chown their files? |
| chown_username | string | When chown_uploads is set to NO, all uploaded files will belong to this user. |
- Once you are done, restart the server and there you go!
# /etc/init.d/vsftpd restart
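The edits above are done by hand in nano. As an added example (not code from the (mt) wiki), the shell function below makes the same edits repeatably: the shipped vsftpd.conf has most options commented out (for instance #write_enable=YES), so a plain "echo >>" leaves the commented line in place and a second run adds a duplicate. The sample file it edits is constructed here and is not the real /etc/vsftpd.conf; to use it on a server, pass /etc/vsftpd.conf as the file argument.

```shell
#!/bin/sh
# Added example (not from the (mt) wiki): set options in a vsftpd.conf-style file
# idempotently. An active "KEY=" line is replaced, a commented "#KEY=" line is
# uncommented with the new value, and a key that is absent is appended.

# vsftpd_set FILE KEY VALUE
vsftpd_set() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    if grep -q "^[[:space:]]*${key}=" "$file"; then
        # active line present: replace its value
        sed "s|^[[:space:]]*${key}=.*|${key}=${value}|" "$file" > "$tmp"
    elif grep -q "^[[:space:]]*#[[:space:]]*${key}=" "$file"; then
        # only a commented-out line: uncomment it with the new value
        sed "s|^[[:space:]]*#[[:space:]]*${key}=.*|${key}=${value}|" "$file" > "$tmp"
    else
        # not mentioned at all: append
        { cat "$file"; printf '%s=%s\n' "$key" "$value"; } > "$tmp"
    fi
    # write back through cat so the file's owner and mode are preserved
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# vsftpd_get FILE KEY -> prints the active value of KEY (empty if unset or commented)
vsftpd_get() {
    sed -n "s|^[[:space:]]*${2}=||p" "$1" | tail -n 1
}

# Constructed sample resembling the shipped file (not the real /etc/vsftpd.conf)
demo() {
    conf=$(mktemp)
    cat > "$conf" <<'EOF'
# Example config file /etc/vsftpd.conf
listen=YES
anonymous_enable=YES
#local_enable=YES
#write_enable=YES
#local_umask=022
EOF
    vsftpd_set "$conf" anonymous_enable NO   # active line: value replaced
    vsftpd_set "$conf" local_enable YES      # commented line: uncommented
    vsftpd_set "$conf" write_enable YES
    vsftpd_set "$conf" local_umask 022
    vsftpd_set "$conf" local_root /var/www   # absent: appended
    vsftpd_set "$conf" local_root /var/www   # second run changes nothing
    printf '%s\n' "$conf"                    # path of the edited copy
}
demo
```

Running the script prints the path of an edited temporary copy; cat it to see that anonymous_enable was flipped to NO, the three commented options became active, and local_root appears exactly once even though it was set twice.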
Securing your FTP
- You can limit local users to their home directories by uncommenting:
chroot_local_user=YES
- You can instead limit a specific list of users to just their home directories:
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
After uncommenting the above options, create /etc/vsftpd.chroot_list containing the users to confine, one per line. Note that with chroot_local_user=YES the same list has the opposite meaning: it then names the users who are not chrooted.
- If you've prevented the local users from having shell access, you'll need to edit the list of valid login shells (which is used by vsftpd). Open /etc/shells and add
/bin/false
- Also, the /etc/ftpusers file is a list of users that are disallowed FTP access. The default list includes root, daemon, nobody, etc. To disable FTP access for additional users simply add them to the list.
- Finally, FTP can also be encrypted using FTPS. Unlike SFTP (which runs over SSH), FTPS is FTP over Secure Sockets Layer (SSL).
In your vsftpd config file, at the bottom add:
ssl_enable=YES
- Don't forget to restart the FTP server to apply the changes!
# /etc/init.d/vsftpd restart
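The four points in this section (anonymous access, write access, chroot of local users, FTPS, plus the /etc/ftpusers deny list) are easy to lose track of across edits. The audit below is an added example, not part of the (mt) wiki; it reads a vsftpd.conf and an ftpusers file and prints one finding per setting that is still open. The defaults it assumes when a key is absent (anonymous_enable=YES, local_enable=NO, write_enable=NO, anon_upload_enable=NO, chroot_local_user=NO, ssl_enable=NO) are vsftpd's own defaults from the vsftpd.conf man page; the two sample configs are constructed and are not the real Ubuntu file.

```shell
#!/bin/sh
# Added example (not from the (mt) wiki): read-only audit of a vsftpd.conf against
# the hardening points above. Paths are passed in so it can run against copies.

# value FILE KEY [DEFAULT] -> active value of KEY, or DEFAULT if KEY is unset/commented
value() {
    v=$(sed -n "s|^[[:space:]]*${2}=||p" "$1" | tail -n 1)
    printf '%s' "${v:-$3}"
}

# audit_vsftpd CONF FTPUSERS -> prints one finding per line; exit 0 only if clean
audit_vsftpd() {
    conf=$1; ftpusers=$2; n=0
    if [ "$(value "$conf" anonymous_enable YES)" = "YES" ]; then
        echo "anonymous_enable is YES (vsftpd default): anonymous logins are allowed"; n=$((n+1))
    fi
    if [ "$(value "$conf" write_enable NO)" = "YES" ] && \
       [ "$(value "$conf" anon_upload_enable NO)" = "YES" ]; then
        echo "anonymous uploads are enabled (write_enable=YES and anon_upload_enable=YES)"; n=$((n+1))
    fi
    if [ "$(value "$conf" local_enable NO)" = "YES" ] && \
       [ "$(value "$conf" chroot_local_user NO)" != "YES" ]; then
        echo "local users are not chrooted: they can browse outside their home directories"; n=$((n+1))
    fi
    if [ "$(value "$conf" ssl_enable NO)" != "YES" ]; then
        echo "ssl_enable is not YES: passwords and data cross the network in clear text"; n=$((n+1))
    fi
    if ! grep -qx root "$ftpusers" 2>/dev/null; then
        echo "root is missing from $ftpusers: root is not denied FTP access"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed "before hardening" sample (not the real /etc/vsftpd.conf)
write_sample_conf() {
    cat > "$1" <<'EOF'
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
#chroot_local_user=YES
EOF
}

# Constructed sample after applying the settings from this section
write_hardened_conf() {
    cat > "$1" <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
ssl_enable=YES
EOF
}

demo() {
    d=$(mktemp -d)
    write_sample_conf "$d/before.conf"
    write_hardened_conf "$d/after.conf"
    printf 'root\ndaemon\n' > "$d/ftpusers"      # constructed deny list
    echo "== before hardening"; audit_vsftpd "$d/before.conf" "$d/ftpusers" || true
    echo "== after hardening";  audit_vsftpd "$d/after.conf"  "$d/ftpusers" && echo "no findings"
    rm -r "$d"
}
demo
```

On a server, run audit_vsftpd /etc/vsftpd.conf /etc/ftpusers after each change; the exit status makes it usable from a cron job or a deployment check.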
Configuring iptables firewall
If you've set up iptables as in the getting started guide, you'll need to add some rules to let FTP traffic through.
-A INPUT -p tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp --sport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000:10024 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 10000:10024 -m state --state RELATED,ESTABLISHED -j ACCEPT
The last two rules allow passive FTP connections on ports 10000-10024 (so feel free to remove them if you only want to support active FTP for some reason, though don't forget to configure vsftpd by setting pasv_enable=NO).
You'll also need to tell vsftpd to use ports in this range. Add this to the bottom of /etc/vsftpd.conf:
# Passive FTP
pasv_min_port=10000
pasv_max_port=10024
Restart vsftpd and restore (and save) the firewall rules and you should be good to go.
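The firewall range and the pasv_min_port/pasv_max_port lines have to agree, and a mismatch shows up only as passive transfers hanging after the directory listing is requested. The script below is an added example (not from the (mt) wiki): it reads the passive range from a vsftpd.conf, refuses a missing, non-numeric or inverted range, and prints the four rules above in iptables-restore syntax with that range filled in; it applies nothing. It reproduces the rules as the page gives them, so whether the first packet of a passive data connection matches the ESTABLISHED rule still depends on the rest of your chain (for example a general RELATED,ESTABLISHED accept and the ftp conntrack helper); test a passive transfer from a client after loading the rules. The sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the (mt) wiki): derive FTP firewall rules from the passive
# port range actually configured in a vsftpd.conf, so the two cannot drift apart.

# conf_value FILE KEY -> active (uncommented) value of KEY, or empty
conf_value() {
    sed -n "s|^[[:space:]]*${2}=||p" "$1" | tail -n 1
}

# ftp_rules FILE -> prints the rules; exit 1 with a message on stderr if the passive
# range is unusable. pasv_enable defaults to YES in vsftpd; with NO only the control
# port and active-mode data rules are printed.
ftp_rules() {
    conf=$1
    passive=1
    if [ "$(conf_value "$conf" pasv_enable)" = "NO" ]; then
        passive=0
    fi
    if [ "$passive" -eq 1 ]; then
        min=$(conf_value "$conf" pasv_min_port)
        max=$(conf_value "$conf" pasv_max_port)
        for v in "$min" "$max"; do
            case "$v" in
                ''|*[!0-9]*)
                    echo "pasv_min_port and pasv_max_port must both be set to numbers in $conf" >&2
                    return 1 ;;
            esac
        done
        if [ "$min" -gt "$max" ]; then
            echo "pasv_min_port ($min) is greater than pasv_max_port ($max)" >&2
            return 1
        fi
    fi
    # control connection on 21 and active-mode data connections from port 20
    printf '%s\n' '-A INPUT -p tcp --dport 21 -j ACCEPT' \
                  '-A OUTPUT -p tcp --sport 20 -j ACCEPT'
    if [ "$passive" -eq 1 ]; then
        printf '%s\n' \
          "-A INPUT -p tcp -m tcp --dport ${min}:${max} -m state --state ESTABLISHED -j ACCEPT" \
          "-A OUTPUT -p tcp -m tcp --sport ${min}:${max} -m state --state RELATED,ESTABLISHED -j ACCEPT"
    fi
}

# Constructed sample matching the lines added to /etc/vsftpd.conf above
demo() {
    conf=$(mktemp)
    printf '%s\n' 'listen=YES' '# Passive FTP' 'pasv_min_port=10000' 'pasv_max_port=10024' > "$conf"
    ftp_rules "$conf"
    rm -f "$conf"
}
demo
```

Pipe the output into your existing rules file before running iptables-restore, or compare it with iptables-save to spot a range that was changed in one place only.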
More info
- vsftpd website
- vsftpd man page, with detailed /etc/vsftpd.conf options.