Installing and configuring vsftpd

vsftpd (Very Secure FTP Daemon) is a very fast and easily configurable FTP server. You can install it on Ubuntu-based machines directly from the Ubuntu repositories. Below are the steps and tips for configuration on a desktop machine.

Open a terminal and execute the following:

sudo apt-get install vsftpd

Make a copy of the original configuration file. It is very well commented. Keep a copy to have the original settings and comments, just in case.

sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.original

To disable anonymous login, enable local user logins and give local users write permissions:

# No anonymous login
anonymous_enable=NO
# Let local users login
# If you connect from the internet with local users, you should enable TLS/SSL/FTPS
local_enable=YES
 
# Write permissions
write_enable=YES

NOTE: It is not advisable to use FTP without TLS/SSL/FTPS over the internet because the FTP protocol does not encrypt passwords. If you do need to transfer files over FTP, consider the use of virtual users (same system users but with non-system passwords) or TLS/SSL/FTPS (see below).

To jail/chroot users (not the vsftpd service), there are three choices. Search for “chroot_local_user” in the file and consider one of the following:

# 1. All users are jailed by default:
chroot_local_user=YES
chroot_list_enable=NO
 
# 2. Just some users are jailed:
chroot_local_user=NO
chroot_list_enable=YES
# Create the file /etc/vsftpd.chroot_list with a list of the jailed users.
 
# 3. Just some users are "free":
chroot_local_user=YES
chroot_list_enable=YES
# Create the file /etc/vsftpd.chroot_list with a list of the "free" users.

To deny login to some users, add the following options at the end of the file:

# userlist_deny is only examined when userlist_enable is YES
userlist_enable=YES
userlist_deny=YES
userlist_file=/etc/vsftpd.denied_users

In the file /etc/vsftpd.denied_users add the usernames of the users that can't log in. One username per line.

To allow just some users to login:

userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.allowed_users

In the file /etc/vsftpd.allowed_users add the usernames of the users that can log in.

Users who are not allowed will get an error saying they can't log in before they type their password.

NOTE: you definitely have to use this if you connect from the Internet.

To use vsftpd with encryption (it's safer), change or add the following options (some options aren't on the original config file, so add them):

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
# SSLv2 and SSLv3 are obsolete and insecure; keep them disabled.
ssl_sslv2=NO
ssl_sslv3=NO
# Filezilla uses port 21 if you don't set any port
# in Servertype "FTPES - FTP over explicit TLS/SSL"
# Port 990 is the default used for FTPS protocol.
# Uncomment it if you want/have to use port 990.
#listen_port=990

No need to create a certificate. vsftpd uses the certificate Ubuntu creates upon its installation, the “snake-oil” certificate (openssl package, installed by default). Please don't be afraid of its name! The certificate is self-signed, so the FTP client will ask you to accept it the first time you connect.

Install Filezilla (available in the repositories), and use the Servertype “FTPES - FTP over explicit TLS/SSL” option to connect to the server with TLS/SSL/FTPS.

Here are some other available options. The values are examples:

# Show hidden files and the "." and ".." folders.
# Useful to not write over hidden files:
force_dot_files=YES
 
# Hide the info about the owner (user and group) of the files.
hide_ids=YES
 
# Connection limit for each IP:
max_per_ip=2
 
# Maximum number of clients:
max_clients=20

Don't forget that to apply new configurations, you must restart the vsftpd service.

sudo /etc/init.d/vsftpd restart

If you find problems, set pasv_min_port and pasv_max_port in /etc/vsftpd.conf and allow outbound connections on the ports you set in your firewall.

pasv_min_port=12000
pasv_max_port=12100
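
Before restarting the service, the settings above can be checked mechanically. The script below is an added example, not part of the original guide: it audits a vsftpd.conf for the login, TLS and user-list options covered on this page. The function names and the sample configuration are made up for illustration, and the built-in defaults are those documented in the vsftpd.conf(5) man page.

```bash
#!/usr/bin/env bash
# Added example: audit a vsftpd.conf for the options covered on this page.
# Built-in defaults are taken from the vsftpd.conf(5) man page.

# conf_get FILE OPTION DEFAULT: print the effective value of OPTION.
# Assumption: when an option is repeated, the last assignment wins.
conf_get() {
    awk -F= -v key="$2" -v val="$3" '
        /^[[:space:]]*#/ { next }            # skip comment lines
        $1 == key { val = $2 }
        END { print val }' "$1"
}

# expect FILE OPTION WANT DEFAULT REASON: print a finding on mismatch.
expect() {
    local got; got="$(conf_get "$1" "$2" "$4")"
    [ "$got" = "$3" ] && return 0
    echo "FINDING: $2=$got (want $3): $5"
    return 1
}

# audit_vsftpd FILE: print one line per finding; non-zero status if any.
audit_vsftpd() {
    local f="$1" bad=0
    expect "$f" anonymous_enable NO YES "anonymous login is on" || bad=1
    expect "$f" ssl_enable YES NO "passwords cross the network unencrypted" || bad=1
    expect "$f" force_local_logins_ssl YES YES "logins may skip TLS" || bad=1
    expect "$f" force_local_data_ssl YES YES "file transfers may skip TLS" || bad=1
    expect "$f" ssl_sslv2 NO NO "SSLv2 is obsolete and insecure" || bad=1
    expect "$f" ssl_sslv3 NO NO "SSLv3 is obsolete and insecure" || bad=1
    # userlist_deny and userlist_file only take effect with userlist_enable=YES.
    if grep -Eq '^userlist_(deny|file)=' "$f"; then
        expect "$f" userlist_enable YES NO "the user list is ignored" || bad=1
    fi
    return "$bad"
}

# Constructed sample configuration (not taken from a real server).
sample_conf() {
    printf '%s\n' '# constructed sample' anonymous_enable=NO local_enable=YES \
        ssl_enable=YES force_local_logins_ssl=YES ssl_tlsv1=YES \
        ssl_sslv2=YES ssl_sslv3=YES \
        userlist_deny=YES userlist_file=/etc/vsftpd.denied_users
}

# Stand-alone use: ./audit.sh /etc/vsftpd.conf
if [ "$#" -gt 0 ]; then audit_vsftpd "$1"; fi
```

On the constructed sample the script reports three findings: SSLv2 enabled, SSLv3 enabled, and a user list that is configured but never consulted.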

Source: http://ubuntuforums.org/showthread.php?t=518293

  • Last modified: 2017/12/13 17:34