How to set up an FTP server on Ubuntu 14.04

How to set up an FTP server on Ubuntu 14.04

Setting up a fully-functional and highly secure FTP server on Ubuntu is made very easy with a handful of key components and a couple minutes of your time. From anonymous FTP access, root directory restrictions, or even fully encrypted transfers using SSL, this tutorial provides all the basics you'll need to quickly get your FTP server up and running.

DIFFICULTY	Basic - 1 | Medium - 2 | Advanced - 3
TIME REQUIRED	20 min
RELATED PRODUCTS	Ubuntu-based VPS or dedicated servers

Installing vsftpd

While there are a variety of FTP server tools available for Linux, one of the most popular and mature options is vsftpd.

Begin by SSHing into your server as root and use the apt-get command to install vsftpd:

apt-get update

apt-get install vsftpd
Reading package lists... Done
Building dependency tree
Reading state information... Done
[...]
The following NEW packages will be installed:
  vsftpd
0 upgraded, 1 newly installed, 0 to remove and 18 not upgraded.
Need to get 111 kB of archives.
After this operation, 361 kB of additional disk space will be used.
Get:1 http://mirrors.digitalocean.com/ubuntu/ trusty-updates/main vsftpd amd64 3.0.2-1ubuntu2.14.04.1 [111 kB]
Fetched 111 kB in 0s (231 kB/s)
Preconfiguring packages ...
Selecting previously unselected package vsftpd.
(Reading database ... 175600 files and directories currently installed.)
Preparing to unpack .../vsftpd_3.0.2-1ubuntu2.14.04.1_amd64.deb ...
Unpacking vsftpd (3.0.2-1ubuntu2.14.04.1) ...
Processing triggers for man-db (2.6.7.1-1) ...
Processing triggers for ureadahead (0.100.0-16) ...
Setting up vsftpd (3.0.2-1ubuntu2.14.04.1) ...
vsftpd start/running, process 18690
Processing triggers for ureadahead (0.100.0-16) ...

Configuration

The next step is to change any configuration settings for vsftpd. Open the /etc/vsftpd.conf file in your preferred text editor:

nano /etc/vsftpd.conf

Edit the file so it resembles the following:

# Example config file /etc/vsftpd.conf
# ...
# Run standalone?  vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
# Allow anonymous FTP? (Disabled by default)
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
#write_enable=YES
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
#chroot_local_user=YES

The critical settings seen above are outlined below:

• listen=YES tells vsftpd to run as a standalone daemon (the simplest method for getting up and running). anonymous_enable=NO disallows anonymous FTP users, which is generally preferred for security reasons but can be enabled for testing purposes.
• local_enable=YES allows any user account defined in the /etc/passwd file access to the FTP server and is generally how most FTP users will connect.
• write_enable=YES is commented out by default, but removing the hash (#) allows files to be uploaded to the FTP server. chroot_local_user=YES restricts users to their home directory and is also commented out by default.

To begin your testing and make sure everything is working, start with the following settings for the above parameters:

listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=YES

Save the vsftpd.conf file then restart the vsftpd service for the changes to take effect:

sudo service vsftpd restart
vsftpd stop/waiting
vsftpd start/running, process 18954

Testing Your FTP Server

To quickly determine if your server was installed properly and is up and running, try to connect to the FTP server from your active shell, using the name anonymous and a blank password:

ftp localhost
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

With both anonymous_enable and local_enable set to "YES" in the configuration, you should be able to successfully login to your local FTP server as seen above!

With that out of the way, simply enter quit at the ftp> prompt to cancel out:

quit
221 Goodbye.

With the test complete, you may wish to disable anonymous access once again by setting anonymous_enable=NO in the /etc/vsftpd.conf file and restarting the service:

nano /etc/vsftpd.conf

Edit the file to resemble this:

# Set to NO to disable anonymous access
anonymous_enable=NO
sudo service vsftpd restart
vsftpd stop/waiting
vsftpd start/running, process 18996

Adding an FTP User

If this is a new server it may be advisable to add a specific user for FTP access. Doing so is a fairly simple process but begin by creating a new user:

sudo adduser foobar
Adding user `foobar' ...
Adding new group `foobar' (1000) ...
Adding new user `foobar' (1000) with group `foobar' ...
Creating home directory `/home/foobar' ...
Copying files from `/etc/skel' ...

Enter new UNIX password:

Retype new UNIX password:
passwd: password updated successfully
Changing the user information for foobar

Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n]

Y

With a new user added you can now connect to your server remotely with an FTP client such as FileZilla, but you will immediately run into an error:

Status:    Connecting to 104.131.170.253:21...
Status:    Connection established, waiting for welcome message...
Response:    220 (vsFTPd 3.0.2)
Command:    USER foobar
Response:    331 Please specify the password.
Command:    PASS ****************
Response:    500 OOPS: vsftpd: refusing to run with writable root inside chroot()

The "500 OOPS" error vsftpd returns is a security measure designed to prevent writable root access for FTP users by default. To resolve this issue there are two main options available.

Allowing Writable User-root Access

The simplest method is to alter the /etc/vsftpd.conf file once again and enable one particular setting:

nano /etc/vsftpd.conf

Edit the file so it resembles the following:

# Allow users to write to their root directory
allow_writeable_chroot=YES

With allow_writeable_chroot enabled following a service vsftpd restart, you can now successfully FTP into your server remotely as your newly created user:

Status:    Connecting to 104.131.170.253:21...
Status:    Connection established, waiting for welcome message...
Response:    220 (vsFTPd 3.0.2)
Command:    USER foobar
Response:    331 Please specify the password.
Command:    PASS ****************
Response:    230 Login successful.

Using Writeable Subdirectories

The other option to maintain slightly stronger security is not to enable allow_writeable_chroot as outlined above, but instead to create a new subdirectory in the user's root directory with write access:

sudo chown root:root /home/foobar

sudo mkdir /home/foobar/uploads

sudo chown foobar:foobar /home/foobar/uploads

sudo service vsftpd restart

Now when you connect remotely to your FTP server as the new user, that user will not have write access to the root directory, but will instead have full write access to upload files into the newly created uploads directory instead.

Securing Your FTP With SSL

While standard unencrypted FTP access as outlined so far is sufficient in many cases, when transferring sensitive information over FTP it is useful to utilize a more secure connection using SSL.

To begin you'll likely need to generate a new SSL certificate with the following command, following the prompts as appropriate to complete the process:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Now you must ensure that vsftpd is aware of the SSL certificate. Open the /etc/vsftpd.conf file once again:

sudo nano /etc/vsftpd.conf

Look near the bottom of the file for two rsa_ settings like this, indicating the location of the SSL certificate that was just created:

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

If those lines don't exist or match the appropriate path to the SSL certificate created, update them accordingly.

Additionally, there are a number of configuration settings to handle SSL connections, particularly forcing use of the TLS protocol which is ideal:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

Some of the settings are self-explanatory, but the key components are the overall enabling of SSL, the restriction to use only TLS, and disallowing anonymous access.

With the settings added and the file saved, once again restart the vsftpd service:

sudo service vsftpd restart

Now your FTP server is ready to accept secure connections using "FTP over TLS" encryption. Using a client such as FileZilla, you will be presented with a certificate popup asking to verify the newly created SSL certification.

Upon accepting you will now be securely connected and transfers will be encrypted via SSL:

Status:    Connecting to 104.131.170.253:21...
Status:    Connection established, waiting for welcome message...
Response:    220 (vsFTPd 3.0.2)
Command:    AUTH TLS
Response:    234 Proceed with negotiation.
Status:    Initializing TLS...
Status:    Verifying certificate...
Command:    USER foobar
Status:    TLS/SSL connection established.
Response:    331 Please specify the password.
Command:    PASS ****************
Response:    230 Login successful.

Ubuntu 用vsftpd 配置FTP服务器

 

网上的文章好难懂啊。。只想要简单粗暴，弄好能用就行啊，复杂的以后研究不行吗。。。折腾好久，其实弄出来能用不就这么点内容吗。。。

本文在Ubuntu Server 14.04 amd64系统测试。

Made By：CSGrandeur

安装ftp

sudo apt-get install vsftpd

配置vsftpd.conf

sudo nano /etc/vsftpd.conf

#禁止匿名访问
anonymous_enable=NO
#接受本地用户
local_enable=YES
#允许上传
write_enable=YES
#用户只能访问限制的目录
chroot_local_user=YES
#设置固定目录，在结尾添加。如果不添加这一行，各用户对应自己的目录，当然这个文件夹自己建
local_root=/home/ftp

看网上说加一行“pam_service_name=vsftpd”，我看我这个配置文件本来就有，就不管了。

添加ftp用户

sudo useradd -d /home/ftp -M ftpuser
sudo passwd ftpuser

调整文件夹权限

这个是避免“500 OOPS: vsftpd: refusing to run with writable root inside chroot()”

sudo chmod a-w /home/ftp
sudo mkdir /home/ftp/data

这样登录之后会看到data文件夹，虽然稍麻烦，原因不表了。。查资料这么辛酸已经不易。。

改pam.d/vsftpd

这时候直接用useradd的帐号登录ftp会530 login incorrect

sudo nano /etc/pam.d/vsftpd

注释掉

#auth    required pam_shells.so

重启vsftpd

sudo service vsftpd restart

这时就可以用刚才建的ftpuser这个用户登录ftp了，看到的是local_root设置的/home/ftp，并且限制在该目录。

可以在浏览器用ftp://xxx.xxx.xxx.xxx访问，也可以用ftp软件比如flashFXP，密码就是ftpuser的密码。

关于用户访问文件夹限制

由chroot_local_user、chroot_list_enable、chroot_list_file这三个文件控制，转别人的一段话：

首先，chroot_list_enable好理解，就是：是否启用chroot_list_file配置的文件，如果为YES表示chroot_list_file配置的文件生效，否则不生效；
第二，chroot_list_file也简单，配置了一个文件路径，默认是/etc/vsftpd.chroot_list，该文件中会填入一些账户名称。但是这些账户的意义不是固定的，是跟配置项chroot_local_user有关的。后一条中说明；
第
三，chroot_local_user为YES表示所有用户都*不能*切换到主目录之外其他目录，但是！除了chroot_list_file配置的文
件列出的用户。chroot_local_user为NO表示所有用户都*能*切换到主目录之外其他目录，但是！除了chroot_list_file配
置的文件列出的用户。也可以理解为，chroot_list_file列出的“例外情况”的用户。

 如果客户端登录时候提示“以pasv模式连接失败”

编辑/etc/vsftpd.conf

最后添加

pasv_promiscuous=YES

然后再重启vsftpd服务。

http://askubuntu.com/questions/545600/ftp-refuses-any-and-all-connections-vsftpd

FTP refuses any and all connections (vsftpd)

up vote1down votefavorite

 

Even on localhost using the ftp command, through the web server on WordPress, on my personal computer through FileZilla, in short, I need my FTP server but it refuses to let anyone connect.
Using SSH FTP (or whatever it's called) works perfectly, but even when I enable SSL on vsftpd which I think is the same thing, it still doesn't work.
I've followed many tutorials on how to set it up, tried wiping my server multiple times, nothing works.

Using netstat -tlpn returns this result, it seems the process is running but is not listening, even though in the config file listen is set to YES.


Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 9563/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 972/sshd
tcp6 0 0 :::58623 :::* LISTEN 25429/java
tcp6 0 0 :::49505 :::* LISTEN 25429/java
tcp6 0 0 :::80 :::* LISTEN 22955/apache2
tcp6 0 0 :::8080 :::* LISTEN 25429/java
tcp6 0 0 :::22 :::* LISTEN 972/sshd


ftp

shareimprove this question

edited Nov 4 '14 at 18:25

asked Nov 4 '14 at 14:45 Wargog 962311

Could you paste the exact error message that is being shown while trying to connect to the server for ftp? Are all sources getting the same message? – heemayl Nov 4 '14 at 16:33 

All attempted connections are getting the error message: connect: connection refused – Wargog Nov 4 '14 at 16:59

Have you checked that your ftp server is actually listening on port 21 or any other configured port by netstat orss or lsof or any other method? – heemayl Nov 4 '14 at 17:33 

No, thats not the command you should be using. Use netstat -tlpn or ss -antu or sudo lsof -i:21 and post the output of any one of them preferably netstat -tlpn and remove your last edit. – heemayl Nov 4 '14 at 18:16 

Updated, sorry, I added my thoughts as well. – Wargog Nov 4 '14 at 18:25

show 4 more comments

2 Answers

activeoldestvotes

up vote2down vote

The vsftpd service is not running and hence is not listening on port 21 or any preconfigured port. As a result you are getting the connect: connection refused error message every time while using a ftp client to connect to the the server. I think you should check the setup procedure and configuration files for sorting out the issues. This and this might be a very good place to start.

shareimprove this answer

answered Nov 4 '14 at 18:45 heemayl 50.9k797160

add a comment

up vote1down voteaccepted

This actually turned out to be that SSH SFTP was somehow running on 21 instead of 22. So, if anyone is having the same issue, trying connecting through an SFTP client instead of plain old FTP, still using port 21

shareimprove this answer

answered Aug 31 '15 at 3:45 Wargog 962311

Vsftpd supports FTP over SSH (aka FTPS) over standard FTP port numbers by default. It does not support SFTP, which is a different protocol. – Michael Steele May 23 '16 at 21:28

@MichaelSteele FTPS is not FTP over SSH, it is FTP over SSL/TLS. – heemayl Jan 20 at 14:30