FTP

With VSFTPD

  • Very Secure File Transfer Protocol Daemon (vsftpd)

  • Written by a security researcher (Chris Evans)

  • Ubiquitous across the web

Install it:

sudo apt install vsftpd

Start it and enable it:

sudo systemctl enable --now vsftpd

Allow it through the firewall:

sudo ufw allow ftp

This opens port 21 but not port 20, because passive mode will be used instead.

With passive mode, also open the passive port range:

sudo ufw allow 10000:20000/tcp

Or, if you want to use active mode, then you should allow port 20:

sudo ufw allow 20/tcp

The default config works, but it is not very secure, and I need to tell it the passive port range:

sudo vim /etc/vsftpd.conf

VSFTPD Configuration

Restrict listening addresses

Allow anonymous FTP users if you are planning for a public FTP server

listen_address=192.168.1.5
anonymous_enable=YES

By default vsftpd is read-only, so users can download but not upload (and upload is only for users, of course):

# Uncomment this to enable any form of FTP write command.
write_enable=YES

Enable passive mode:

pasv_enable=YES
pasv_min_port=10000
pasv_max_port=20000

Now, restart the service:

sudo systemctl restart vsftpd

Now local users (Linux accounts) can see their own data, such as their home directory.

An anonymous user, however, will see the contents of /srv/ftp.

And sure enough, now I can see my files:

Logging is enabled by default:

# Activate logging of uploads/downloads.
xferlog_enable=YES

sudo tail /var/log/vsftpd.log

Sun Sep  3 12:46:11 2023 [pid 33142] CONNECT: Client "::ffff:192.168.1.100"
Sun Sep  3 12:46:11 2023 [pid 33141] [ftp] OK LOGIN: Client "::ffff:192.168.1.100", anon password "anonymous@example.com"
Sun Sep  3 12:47:28 2023 [pid 33596] CONNECT: Client "::ffff:192.168.1.100"
Sun Sep  3 12:47:28 2023 [pid 33595] [ftp] OK LOGIN: Client "::ffff:192.168.1.100", anon password "anonymous@example.com"
Sun Sep  3 12:47:28 2023 [pid 33597] [ftp] OK DOWNLOAD: Client "::ffff:192.168.1.100", "/anon_content", 0.00Kbyte/sec

Authenticated users

Authenticated users default to their home folder. To confine them to it:

chroot_local_user=YES

Let’s understand one thing before we jump to something else:

FTPS is FTP on top of SSL/TLS

SFTP is on top of SSH

ENABLE TLS

I have my own certs from Let’s Encrypt, so I will use them.

This is the default configuration; change ssl_enable from NO to YES and point the two file options at your own certificate and key:

rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
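
A quick way to check a finished /etc/vsftpd.conf against the settings covered above (TLS, the snakeoil certificate, the passive range versus the firewall rule, chroot, anonymous uploads). This is an added example, not part of the original notes or of vsftpd itself; the function names and finding codes are made up for illustration, the sample config is constructed, and only explicit key=value lines are inspected.

```shell
#!/bin/sh
# Added example: audit explicit key=value lines of a vsftpd.conf.

# conf_get KEY FILE: value of the last uncommented "KEY=value" line, or empty.
conf_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# audit_vsftpd_conf FILE FW_MIN FW_MAX: print one finding code per line.
# FW_MIN/FW_MAX: passive ports opened in the firewall (assumed inputs).
audit_vsftpd_conf() {
    f=$1; fw_min=$2; fw_max=$3
    # FTPS stays off unless ssl_enable=YES: logins and data are cleartext.
    [ "$(conf_get ssl_enable "$f")" = "YES" ] || echo "TLS_OFF"
    # The self-signed snakeoil certificate cannot be validated by clients.
    case "$(conf_get rsa_cert_file "$f")" in
        *snakeoil*) echo "SNAKEOIL_CERT" ;;
    esac
    # The passive range must match the firewall rule, or data connections are blocked.
    if [ "$(conf_get pasv_min_port "$f")" != "$fw_min" ] ||
       [ "$(conf_get pasv_max_port "$f")" != "$fw_max" ]; then
        echo "PASV_RANGE_MISMATCH"
    fi
    # Without chroot_local_user=YES, local users can browse outside their home.
    [ "$(conf_get chroot_local_user "$f")" = "YES" ] || echo "NO_CHROOT"
    # Anonymous uploads need all three switches on; flag that combination.
    if [ "$(conf_get anonymous_enable "$f")" = "YES" ] &&
       [ "$(conf_get write_enable "$f")" = "YES" ] &&
       [ "$(conf_get anon_upload_enable "$f")" = "YES" ]; then
        echo "ANON_UPLOAD"
    fi
    return 0
}

# Constructed sample mirroring the settings shown on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=YES
write_enable=YES
pasv_min_port=10000
pasv_max_port=20000
chroot_local_user=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_enable=NO
EOF
audit_vsftpd_conf "$sample" 10000 20000
rm -f "$sample"
```

Against the real file, run `audit_vsftpd_conf /etc/vsftpd.conf 10000 20000`; no output means none of these checks fired.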
