Anthony Heddings
FTP, or File Transfer Protocol, is a standard protocol for sending and receiving files from remote servers. It’s easier to use than command line alternatives like scp, especially with GUI interfaces like FileZilla.
What Is FTP?
In the olden days of the internet, public FTP servers were a very common way of making files available to a large number of people. Today, FTP is still around, and widely used for administrative tasks.
While some form of FTP CLI is shipped with most major operating systems, GUI clients like FileZilla make the process of moving files between servers as simple as dragging and dropping from local storage onto remote storage, or vice versa. All the underlying traffic is handled using FTP.
Setting this up requires you to install and configure an FTP server, like vsftpd, on the remote machine you want to access.
It should be noted that users logged in via FTP will have access to your system, just like you do. There are steps you can take to mitigate these risks, such as whitelisting access and locking users to their home directories.
Installing vsftpd
To get started, install vsftpd from your distro’s package manager. For Debian-based systems like Ubuntu, that would be from apt:
sudo apt-get install vsftpd
Next, you’ll have to start the service and set it to run at boot time:
systemctl start vsftpd
systemctl enable vsftpd
FTP has two primary methods of authentication:
- Anonymous FTP, where anyone can log in with no password. This is used for public file sharing, and is disabled by default.
- Local User Login, which allows any user in
/etc/passwdto access FTP using a username and password.
You’ll probably want to enable local user login, and keep anonymous access disabled. Signing into FTP using your user account will give you access to anything your account can access.
Open up /etc/vsftpd.conf in your favorite text editor, and change the following line to YES:
local_enable=YES
If you want to be able to upload files, change write_enable to YES as well:
write_enable=YES
With a restart of vsftpd (systemctl restart vsftpd), you should now be able to login to FTP using a client like FileZilla, or the CLI on your personal machine.
If you only want to enable FTP for specific users, you can whitelist access. Open up /etc/vsftpd.userlist, and add the names of each account you want to enable on seperate lines.
nano /etc/vsftpd.userlist
Then, add the following lines to /etc/vsftpd.conf:
userlist_enable=YES userlist_file=/etc/vsftpd.userlist userlist_deny=NO
This will restrict access to only the users defined in the userlist file, and deny all others.
If you don’t want users accessing files outside of their home directory, you can place them in a chroot jail, which will prevent them from interacting with any upper-level directories. You can enable this by uncommenting the following line in /etc/vsftpd.conf:
chroot_local_user=YES
Restart vsftpd with systemctl restart vsftpd to apply the changes.
Setting Up FTPS
Standard FTP traffic is sent unencrypted like HTTP. This obviously isn’t great, so you should configure vsftpd to encrypt traffic with TLS.
To do so, generate a new key and sign a request with openssl:
openssl genrsa -des3 -out FTP.key
openssl req -new -key FTP.key -out certificate.csr
vsftpd needs the password removed from this key, so copy the key and pass it back to openssl:
cp FTP.key FTP.key.orig openssl rsa -in FTP.key.orig -out ftp.key
Finally, generate a TLS certificate using this key:
openssl x509 -req -days 365 -in certificate.csr -signkey ftp.key -out mycertificate.crt
Copy the key and cert over to /etc/pki/tls/certs/:
cp ftp.key /etc/pki/tls/certs/ cp mycertificate.crt /etc/pki/tls/certs
Now that all the certs are set up, you can once again open up /etc/vsftpd.conf, and add the following lines:
ssl_enable=YES allow_anon_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO rsa_cert_file=/etc/pki/tls/certs/mycertificate.crt rsa_private_key_file=/etc/pki/tls/certs/ftp.key ssl_ciphers=HIGH require_ssl_reuse=NO
Restart vsftpd with systemctl restart vsftpd to apply the changes.
