How To Set Up an FTP Account on Ubuntu

In today's article, we will learn how to set up an FTP account on Ubuntu.

What is FTP?

FTP stands for File Transfer Protocol, a network protocol used for moving files between a client and a server.

In this article, you’ll configure vsftpd to allow a user to upload files to his or her home directory using FTP with login credentials secured by SSL/TLS.

Steps to Install FTP

Step 1: Install the vsftpd daemon

sudo apt-get update

sudo apt-get install vsftpd

When the installation is complete, create a backup of the configuration file so we can restore the original configuration in the future if anything goes wrong.

sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.bak

Step 2: Allow Ports in Firewall

We need to allow the FTP ports in the firewall. Here we will allow ports 20 and 21 for FTP, port 990 for when TLS is enabled, and ports 40000-50000 for the passive port range that we will set in the configuration file.

sudo ufw allow 20/tcp

sudo ufw allow 21/tcp

sudo ufw allow 990/tcp

sudo ufw allow 40000:50000/tcp

sudo ufw status

After installing the vsftpd daemon and allowing the ports in the firewall, we will now create an FTP user and directory.

Step 3: Create User and Prepare Directory

To create a new user, use this command:

sudo adduser raiseup

Assign the password to the user when prompted and press Enter.

Let's create the FTP directory and set its ownership using the following commands.

sudo mkdir /home/raiseup/web

sudo chown nobody:nogroup /home/raiseup/web

sudo chmod a-w /home/raiseup/web

Create the upload folder and assign ownership to the user with the following commands.

sudo mkdir /home/raiseup/web/raiseup.co.in

sudo chown raiseup:raiseup /home/raiseup/web/raiseup.co.in

Now we have secured the FTP directory and allowed the user access to the raiseup.co.in directory. The next step is the configuration of FTP Access.
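The layout from Step 3 can be checked with a small script, because vsftpd refuses logins when the chroot root is writable. This is an added example, not part of the original article; dir_mode, dir_owner and check_chroot_layout are hypothetical helper names.

```shell
#!/bin/sh
# Added example: check the chroot directory layout built in Step 3.
# dir_mode, dir_owner and check_chroot_layout are hypothetical helper names.

# Permission string of a directory as printed by ls, e.g. dr-xr-xr-x
dir_mode() { ls -ld "$1" | cut -c1-10; }
# Owner name (or numeric uid) of a directory
dir_owner() { ls -ld "$1" | awk '{print $3}'; }

# Usage: check_chroot_layout CHROOT_ROOT UPLOAD_DIR FTP_USER
# Prints one FAIL line per problem; returns 0 only when there are none.
check_chroot_layout() {
    root=$1 upload=$2 user=$3
    rc=0
    # The chroot root must not be writable by owner, group or others (chmod a-w).
    case $(dir_mode "$root") in
        d?w*|d????w*|d???????w*)
            echo "FAIL: $root is writable ($(dir_mode "$root"))"; rc=1 ;;
    esac
    # Uploads go to a subdirectory inside the chroot root ...
    case $upload in
        "$root"/*) ;;
        *) echo "FAIL: $upload is not inside $root"; rc=1 ;;
    esac
    # ... that the FTP user owns ...
    if [ "$(dir_owner "$upload")" != "$user" ]; then
        echo "FAIL: $upload is not owned by $user"; rc=1
    fi
    # ... and can write to.
    case $(dir_mode "$upload") in
        d?w*) ;;
        *) echo "FAIL: $upload is not owner-writable"; rc=1 ;;
    esac
    return $rc
}
```

For the directories in this article, call it as: check_chroot_layout /home/raiseup/web /home/raiseup/web/raiseup.co.in raiseup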

Steps to Configure Access

Step 4: Configuring FTP Access

We are going to allow a single user with a local shell account to connect over FTP. Two settings for this are available in the vsftpd.conf file. Open the file and check that they match the following.

sudo nano /etc/vsftpd.conf

. . .
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
. . .

Next, we will change some values in this file. To allow users to upload files, remove the comment character (#) from the write_enable line.

write_enable=YES 

We’ll also uncomment chroot_local_user to prevent the FTP-connected user from accessing any files or commands outside the directory tree.

chroot_local_user=YES

We will add a user_sub_token & local_root directory that will work for the current user and future users that might be added.

user_sub_token=$USER
local_root=/home/$USER/web

Now we will limit the ports that can be used for the FTP to make sure enough connections are available.

pasv_min_port=40000
pasv_max_port=50000

We’ll set up the configuration so that access is given to a user only when they are added in the list.

userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

Save and exit the vsftpd.conf file.

After configuring the settings, we will append the user to the list using the -a flag.

echo "raiseup" | sudo tee -a /etc/vsftpd.userlist

Restart the daemon to load the configuration changes:

sudo systemctl restart vsftpd

Step 5: Securing the transactions

FTP does not encrypt any data in transit, including user credentials. To provide encryption, we’ll enable TLS/SSL. The first step is to create the SSL certificate for use with vsftpd.

We’ll use openssl to create a new certificate and use the -days flag to make it valid for one year. To create the SSL certificate, run the following command.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

After executing this command, you need to provide the address information for the certificate.

Generating a 2048 bit RSA private key
............................................................................+++
...........+++
writing new private key to '/etc/ssl/private/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:DL
Locality Name (eg, city) []:New Delhi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Raiseup
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: your_IP_address
Email Address []:

Once you provide all the information, the SSL certificate is issued. Now open the vsftpd.conf file again to set the path of the SSL certificate that FTP will use for encryption.

In the vsftpd configuration file, comment out the following two lines:

# rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Now add the following lines which will point to the certificate and private key file.

rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

After that, change the ssl_enable value to YES to ensure all traffic is encrypted.

ssl_enable=YES

After that, add the following lines at the bottom to deny anonymous connections and require the server to use TLS.

allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

require_ssl_reuse=NO
ssl_ciphers=HIGH

After adding these lines save and close the file. Now we need to restart the FTP server to apply the changes.

sudo systemctl restart vsftpd
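To confirm that the settings from Steps 4 and 5 are actually in effect, the following added example (not part of the original article) audits a vsftpd.conf against them. conf_get and audit_vsftpd_conf are hypothetical helper names, and the script assumes a later assignment of the same key overrides an earlier one.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf against the settings from Steps 4 and 5.
# conf_get and audit_vsftpd_conf are hypothetical helper names.

# Print the value of KEY in FILE, skipping commented lines.
# Assumption: when a key appears twice, the later assignment is the effective one.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d ' \r'
}

# Print one MISMATCH line per deviation; return 0 only when there are none.
audit_vsftpd_conf() {
    conf=$1
    failures=0
    while read -r key want; do
        got=$(conf_get "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: expected $want, found ${got:-<unset>}"
            failures=$((failures + 1))
        fi
    done <<EOF
anonymous_enable NO
local_enable YES
chroot_local_user YES
userlist_enable YES
userlist_deny NO
ssl_enable YES
allow_anon_ssl NO
force_local_data_ssl YES
force_local_logins_ssl YES
ssl_sslv2 NO
ssl_sslv3 NO
EOF
    # Passive data ports must stay inside the range opened in the firewall (Step 2).
    min=$(conf_get "$conf" pasv_min_port)
    max=$(conf_get "$conf" pasv_max_port)
    if [ "${min:-0}" -lt 40000 ] || [ "${max:-0}" -gt 50000 ] ||
       [ "${max:-0}" -lt "${min:-0}" ]; then
        echo "MISMATCH passive ports: ${min:-<unset>}-${max:-<unset>} not within 40000-50000"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ]
}
```

Run it as audit_vsftpd_conf /etc/vsftpd.conf; a commented-out ssl_enable line is reported as unset, which is the case where logins would still travel in clear text.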

In the last step, we will disable shell access for the FTP user, so the user will only be authorized for FTP access and not for SSH/SFTP.

Step 6: Disable Shell access

To disable the shell access, open the ftponly file in the bin directory.

sudo nano /bin/ftponly

We’ll add a message telling the user why they are unable to log in by adding these lines.

#!/bin/sh
echo "This account is authorized to access the FTP only."

Change the file permission to be executable.

sudo chmod a+x /bin/ftponly

Open the list of valid shells and add the following line at the bottom.

sudo nano /etc/shells

. . .
/bin/ftponly

Update the user shell by executing this command:

sudo usermod raiseup -s /bin/ftponly

Now we have successfully completed all the steps to set up the FTP account on the server. You can start uploading files using the FTP client software FileZilla.

Note: To make all files uploaded by the FTP user executable, change the value of local_umask to 0022.