In this tutorial we’ll set up a secure FTP server using the vsftpd software. We’ll allow multiple users to connect over FTP and disable the anonymous user. Many large corporate environments allow only the FTP protocol, and this setup suits that use case.
There’s some confusion about SFTP: people think it is part of FTP, but it has nothing to do with FTP. SFTP is the SSH File Transfer Protocol, aka Secure File Transfer Protocol.
Install FTP Server
The FTP server software that we’ll install is vsftpd
sudo apt install vsftpd -y
The installation is straightforward; by default Debian starts the service after the initial install.
vsftpd Configuration
The vsftpd configuration is at /etc/vsftpd.conf. Let’s update the minimum configuration: we’ll allow any local user to connect to the FTP server with their own directory and their own credentials. Change the values from
#write_enable=YES
to
write_enable=YES
seccomp_sandbox=NO
isolate_network=NO
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
To change the FTP port from the default (port 21) to a different port number, add
listen_port=3030
In the example above we set the port to 3030.
Then restart the vsftpd service
sudo systemctl restart vsftpd
# check the vsftpd status
sudo systemctl status vsftpd
Check the open ports using ss
$ sudo ss -tunlp
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=352,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=464,fd=3))
tcp   LISTEN 0      32     *:3030             *:*               users:(("vsftpd",pid=972,fd=3))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=464,fd=4))
Create FTP User
For each client, we can add a local Linux user. Let’s create an imaginary user, bank_abcde
adduser USERNAME
# output
Adding user `bank_abcde' ...
Adding new group `bank_abcde' (1002) ...
Adding new user `bank_abcde' (1002) with group `bank_abcde (1002)' ...
Creating home directory `/home/bank_abcde' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for bank_abcde
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
Adding new user `bank_abcde' to supplemental / extra groups `users' ...
Adding user `bank_abcde' to group `users' ...
Firewall UFW – Optional
This step is optional; use it if you want to whitelist client public IP addresses.
Install ufw
sudo apt install ufw -y
Let’s say we want to whitelist client IPs 1.2.3.4 and 4.3.2.1. In this case we’re running FTP on port 3030. Run the commands
# open the SSH port
# for a client/user-facing FTP server, only whitelist your own network
sudo ufw allow 22/tcp
# open the FTP port
sudo ufw allow from 1.2.3.4 to any port 3030 proto tcp
sudo ufw allow from 4.3.2.1 to any port 3030 proto tcp
# allow the passive ports for everyone; whitelisting only the FTP port is enough
sudo ufw allow 40000:50000/tcp
Make sure you open the correct port for SSH, otherwise it will kill the session and we’ll lose access to the server. To get the correct SSHD port, run ss -tunlp and grep -i Port /etc/ssh/sshd_config
Enable the ufw firewall
sudo ufw enable
Check the ufw status
sudo ufw status
# output
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
3030/tcp                   ALLOW       1.2.3.4
3030/tcp                   ALLOW       4.3.2.1
40000:50000/tcp            ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
40000:50000/tcp (v6)       ALLOW       Anywhere (v6)
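One way to check that the vsftpd configuration and the firewall rules above agree with each other, as an added example that is not part of the original tutorial or of vsftpd itself. The function names, finding labels and sample file are constructed for illustration; the fallback values are vsftpd's built-in defaults, and the script assumes a later line in the file overrides an earlier one.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit a vsftpd.conf against
# the settings this tutorial relies on.

# Effective value of an option. Assumption: the last uncommented KEY=VALUE
# line wins; $3 is the value used when the file does not set the option.
vsftpd_get() {  # usage: vsftpd_get FILE KEY DEFAULT
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# Print one finding per line. PORT is the FTP port opened in ufw,
# FW_MIN/FW_MAX the passive range opened in ufw.
audit_vsftpd() {  # usage: audit_vsftpd FILE PORT FW_MIN FW_MAX
    f=$1
    [ "$(vsftpd_get "$f" anonymous_enable YES)" = NO ] ||
        echo "FAIL anonymous_enable: anonymous login is not disabled"
    [ "$(vsftpd_get "$f" local_enable NO)" = YES ] ||
        echo "FAIL local_enable: local users cannot log in"
    [ "$(vsftpd_get "$f" listen_port 21)" = "$2" ] ||
        echo "FAIL listen_port: differs from the firewalled port $2"
    min=$(vsftpd_get "$f" pasv_min_port 0)
    max=$(vsftpd_get "$f" pasv_max_port 0)
    { [ "$min" -ge "$3" ] && [ "$max" -le "$4" ] && [ "$min" -le "$max" ]; } ||
        echo "FAIL pasv range: $min-$max is not inside firewall range $3-$4"
    [ "$(vsftpd_get "$f" seccomp_sandbox YES)" = YES ] ||
        echo "WARN seccomp_sandbox: the seccomp sandbox is turned off"
    [ "$(vsftpd_get "$f" isolate_network YES)" = YES ] ||
        echo "WARN isolate_network: network isolation is turned off"
    return 0
}

# Constructed sample that mirrors the settings used in this tutorial.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=NO
local_enable=YES
#write_enable=YES
write_enable=YES
seccomp_sandbox=NO
isolate_network=NO
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
listen_port=3030
EOF
audit_vsftpd "$sample" 3030 40000 50000
```

On a real server, point it at the live file with `audit_vsftpd /etc/vsftpd.conf 3030 40000 50000`; a file that never sets anonymous_enable is reported as a failure because the built-in default is YES.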
Connect To FTP Server
Use the user that we created before as the user name, along with its password. For example, the client configuration for WinSCP
To verify, create a dummy file and copy it to the FTP server