- Advertisement -

FTP (File Transfer Protocol) is a relatively old and most used standard network protocol used for uploading/downloading files between two computers over a network. However, FTP by its original insecure, because it transmits data together with user credentials (username and password) without encryption.

Warning: If you planning to use FTP, consider configuring FTP connection with SSL/TLS (will cover in next article). Otherwise, it’s always better to use secure FTP such as SFTP.

In this tutorial, we will show how to install, configure and secure a FTP server (VSFTPD in full “Very Secure FTP Daemon“) in Ubuntu to have a powerful security against FTP vulnerabilities.

Step 1: Installing VsFTP Server in Ubuntu

1. First, we need to update the system package sources list and then install VSFTPD binary package as follows:

2. Once the installation completes, the service will be disabled initially, therefore, we need to start it manually for the mean time and also enable it to start automatically from the next system boot:

- Advertisement -

3. Next, if you have UFW firewall enabled ( its not enabled by default) on the server, you have to open ports 21 and 20 where the FTP daemons are listening, in order to allow access to FTP services from remote machines, then add the new firewall rules as follows:

Step 2: Configuring and Securing VsFTP Server in Ubuntu

4. Let’s now perform a few configurations to setup and secure our FTP server, first we will create a backup of the original config file /etc/vsftpd/vsftpd.conf like so:

Next, let’s open the vsftpd config file.

Add/modify the following options with these values:

5. Now, configure VSFTPD to allow/deny FTP access to users based on the user list file /etc/vsftpd.userlist.

Note that by default, users listed in userlist_file=/etc/vsftpd.userlist are denied login access with userlist_deny=YES option if userlist_enable=YES.

But, the option userlist_deny=NO twists the meaning of the default setting, so only users whose username is explicitly listed in userlist_file=/etc/vsftpd.userlist will be allowed to login to the FTP server.

Important: When users login to the FTP server, they are placed in a chrooted jail, this is the local root directory which will act as their home directory for the FTP session only.

Next, we will look at two possible scenarios of how to set the chrooted jail (local root) directory, as explained below.

6. At this point, let’s add/modify/uncomment these two following options to restrict FTP users to their Home directories.

The option chroot_local_user=YES importantly means local users will be placed in a chroot jail, their home directory by default after login.

And we must as well understand that VSFTPD does not permit the chroot jail directory to be writable, by default for security reasons, however, we can use the option allow_writeable_chroot=YES to disable this setting.

Save the file and close it. Then we have to restart VSFTPD services for the changes above to take effect:

Step 3: Testing VsFTP Server in Ubuntu

7. Now we will test FTP server by creating a FTP user with useradd command as follows:

Then, we have to explicitly list the user aaronkilik in the file /etc/vsftpd.userlist with the echo command and tee command as below:

8. Now it’s about time to test our above configurations are functioning as required. We will begin by testing anonymous logins; we can clearly see from the output below that anonymous logins are not permitted on the FTP server:

9. Next, let’s test if a user not listed in the file /etc/vsftpd.userlist will be granted permission to login, which is not true from the output that follows:

10. Now we will carry out a final test to determine whether a user listed in the file /etc/vsftpd.userlist, is actually placed in his/her home directory after login. And this is true from the output below:

Warning: Setting the option allow_writeable_chroot=YES can be so dangerous, it has possible security implications, especially if the users have upload permission, or more so, shell access. Only use it if you exactly know what you are doing.

We should note that these security implications are not specific to VSFTPD, they can also affect all other FTP daemons which offer to put local users in chroot jails.

Because of this reason, in the section below, we will explain a more secure method of setting a different non-writable local root directory for a user.

Step 4: Configure FTP User Home Directories in Ubuntu

11. Now, open the VSFTPD configuration file once more time.

and comment out the unsecure option using the # character as shown below:

Next, create the alternative local root directory for the user (aaronkilik, yours is possibly not the same) and set the required permissions by disabling write permissions to all other users to this directory:

12. Then, create a directory under the local root with the appropriate permissions where the user will store his files:

Afterwards, add/modify the options below in the VSFTPD config file with their corresponding values:

Save the file and close it. And restart the VSFTPD services with the recent settings:

13. Now, let’s perform a final check and make sure that the user’s local root directory is the FTP directory we created in his Home directory.


- Advertisement -

There are no comments yet

  • Hello, guest