How To Set Up an FTP Account on Ubuntu
In today's article, we will learn how to set up an FTP account on Ubuntu.
What is FTP?
FTP stands for File Transfer Protocol, a network protocol used for moving files between a client and a server.
In this article, you’ll configure vsftpd to allow a user to upload files to his or her home directory using FTP with login credentials secured by SSL/TLS.
Steps to Install FTP
Step 1: Install vsftpd daemon
sudo apt-get update
sudo apt-get install vsftpd
When the installation is complete, create a backup of the configuration file so we can restore the original configuration in the future if anything goes wrong.
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.bak
Step 2: Allow Ports in Firewall
We need to allow the FTP ports in the firewall. Here we will allow ports 20 and 21 for FTP, 990 for TLS when it is enabled, and ports 40000-50000 for the passive ports, which we will set in the configuration file.
sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow 990/tcp
sudo ufw allow 40000:50000/tcp
sudo ufw status
After installing the vsftpd daemon and allowing the ports in the firewall, we will now create an FTP user and directory.
Step 3: Create User and Prepare Directory
To create a new user, use this command:
sudo adduser raiseup
Assign the password to the user when prompted and press Enter.
Let's create the FTP directory and set its ownership using the following commands.
sudo mkdir /home/raiseup/web
sudo chown nobody:nogroup /home/raiseup/web
sudo chmod a-w /home/raiseup/web
Create the upload folder and assign its ownership to the user with the following commands.
sudo mkdir /home/raiseup/web/raiseup.co.in
sudo chown raiseup:raiseup /home/raiseup/web/raiseup.co.in
Now we have secured the FTP directory and allowed the user access to the raiseup.co.in directory. The next step is the configuration of FTP Access.
Steps to Configure Access
Step 4: Configuring FTP Access
We are going to allow a single user with a local shell account to connect with FTP. For this, two settings are available in the vsftpd.conf file. Open the file and make sure these settings match:
sudo nano /etc/vsftpd.conf
. . .
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
. . .
Next, we will change some values in this file. To allow users to upload files, remove the comment (#) for the
We’ll also uncomment the chroot to prevent the FTP-connected user from accessing any files or commands outside the directory tree.
We will add a user_sub_token & local_root directory that will work for the current user and future users that might be added.
Now we will limit the ports that can be used for the FTP to make sure enough connections are available.
We’ll set up the configuration so that access is given to a user only when they have been added to the list.
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
Save and exit the
After configuring the settings, we will append the user to the list using the -a flag.
echo "raiseup" | sudo tee -a /etc/vsftpd.userlist
Restart the daemon to load the configuration changes:
sudo systemctl restart vsftpd
Step 5: Securing the transactions
FTP does not encrypt any data in transit, including user credentials. To add encryption, we’ll enable TLS/SSL. The first step is to create the SSL certificate for use with vsftpd.
Use openssl to create a new certificate, with the -days flag to make it valid for one year. To create the SSL certificate, run the following command.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
After executing this command, you need to provide the address information for the certificate.
Generating a 2048 bit RSA private key
............................................................................+++
...........+++
writing new private key to '/etc/ssl/private/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:DL
Locality Name (eg, city) :New Delhi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Raiseup
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) : your_IP_address
Email Address :
Once you provide all the information, the SSL certificate is issued. Now open the vsftpd.conf file again to set the path of the SSL certificate that FTP will use for encryption.
In the vsftpd configuration file, comment out the following two lines:
# rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
Now add the following lines which will point to the certificate and private key file.
After that, change the ssl_enable value to YES to ensure all traffic is encrypted.
After that, add the following lines at the bottom to deny anonymous connections and force the server to use TLS.
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
After adding these lines, save and close the file. Now we need to restart the FTP server to apply the changes.
sudo systemctl restart vsftpd
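The settings from Steps 4 and 5 can be checked mechanically after editing. The script below is an added example, not part of the original guide; it assumes the standard vsftpd option names write_enable, chroot_local_user, pasv_min_port and pasv_max_port for the settings the guide describes without naming, and takes the certificate path from the openssl command above.

```shell
#!/bin/sh
# Added example (not from the guide): audit vsftpd.conf for Steps 4 and 5.
# Option names the guide leaves unnamed are standard vsftpd names (assumed).
EXPECTED='anonymous_enable=NO local_enable=YES write_enable=YES
chroot_local_user=YES pasv_min_port=40000 pasv_max_port=50000
userlist_enable=YES userlist_file=/etc/vsftpd.userlist userlist_deny=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES
force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO'

# Value of option $2 in file $1. "#" lines never match the anchored pattern;
# if an option is repeated, the last uncommented occurrence is reported.
conf_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Print one line per option that is unset or wrong; return 1 if any was.
audit_vsftpd_conf() {
    rc=0
    for want in $EXPECTED; do
        key=${want%%=*} val=${want#*=}
        got=$(conf_get "$1" "$key")
        [ "$got" = "$val" ] && continue
        echo "$key: expected $val, found ${got:-<unset>}"
        rc=1
    done
    return $rc
}

# Constructed sample (not from a real server): Step 4 done, Step 5 unfinished.
sample_conf() {
    cat <<'EOF'
anonymous_enable=NO
local_enable=YES
#write_enable=YES
chroot_local_user=YES
pasv_min_port=40000
pasv_max_port=50000
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
ssl_enable=YES
EOF
}

target=${1:-$(mktemp)}; [ -n "${1:-}" ] || sample_conf > "$target"
audit_vsftpd_conf "$target" || echo "fix the options listed above"
```

Passing a path as the first argument audits that file instead of the constructed sample. An option that is left unset is reported even where the daemon's built-in default would match, so every setting the guide relies on is stated explicitly in the file.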
In the last step, we will disable shell access for the FTP user, so the user will only be authorized for FTP access, not for SSH/SFTP.
Step 6: Disable Shell access
To disable the shell access, open the ftponly file in the bin directory.
sudo nano /bin/ftponly
We’ll add a message telling the user why they are unable to log in by adding these lines.
#!/bin/sh
echo "This account is authorized to access the FTP only."
Change the file permission to be executable.
sudo chmod a+x /bin/ftponly
Open the list of valid shells and add this line at the bottom.
sudo nano /etc/shells
. . .
/bin/ftponly
Update the user's shell by executing this command:
sudo usermod raiseup -s /bin/ftponly
Now we have successfully completed all steps to set up the FTP account on the server. You can start uploading files using the FTP client software FileZilla.
Note: To make all files uploaded by the FTP user executable, change the value of local_umask to 0022.