
FTP, or File Transfer Protocol, is a standard protocol for sending and receiving files from remote servers. It's easier to use than command line alternatives like scp, especially with GUI interfaces like FileZilla.

What Is FTP?

In the olden days of the internet, public FTP servers were a very common way of making files available to a large number of people. Today, FTP is still around, and widely used for administrative tasks.

While some form of FTP CLI is shipped with most major operating systems, GUI clients like FileZilla make the process of moving files between servers as simple as dragging and dropping from local storage onto remote storage, or vice versa. All the underlying traffic is handled using FTP.

Setting this up requires you to install and configure an FTP server, like vsftpd, on the remote machine you want to access.

It should be noted that users logged in via FTP will have access to your system, just like you do. There are steps you can take to mitigate these risks, such as whitelisting access and locking users to their home directories.

Installing vsftpd

To get started, install vsftpd from your distro's package manager. For Debian-based systems like Ubuntu, that would be from apt:

sudo apt-get install vsftpd

Next, you'll have to start the service and set it to run at boot time:

systemctl start vsftpd

systemctl enable vsftpd

FTP has two primary methods of authentication:

  • Anonymous FTP, where anyone can log in with no password. This is used for public file sharing, and is disabled by default.
  • Local User Login, which allows any user in /etc/passwd to access FTP using a username and password.

You'll probably want to enable local user login, and keep anonymous access disabled. Signing into FTP using your user account will give you access to anything your account can access.

Open up /etc/vsftpd.conf in your favorite text editor, and change the following line to YES:

local_enable=YES

If you want to be able to upload files, change write_enable to YES as well:

write_enable=YES

After restarting vsftpd (systemctl restart vsftpd), you should be able to log in to FTP using a client like FileZilla, or the CLI on your personal machine.

If you only want to enable FTP for specific users, you can whitelist access. Open up /etc/vsftpd.userlist, and add the name of each account you want to enable on a separate line.

nano /etc/vsftpd.userlist

Then, add the following lines to /etc/vsftpd.conf:

userlist_enable=YES

userlist_file=/etc/vsftpd.userlist

userlist_deny=NO

This will restrict access to only the users defined in the userlist file, and deny all others.

If you don't want users accessing files outside of their home directory, you can place them in a chroot jail, which will prevent them from interacting with any upper-level directories. You can enable this by uncommenting the following line in /etc/vsftpd.conf:

chroot_local_user=YES

Restart vsftpd with systemctl restart vsftpd to apply the changes.

Setting Up FTPS

Standard FTP traffic is sent unencrypted, like HTTP. This obviously isn't great, so you should configure vsftpd to encrypt traffic with TLS.

To do so, generate a new key and create a certificate signing request with openssl:

openssl genrsa -des3 -out FTP.key

openssl req -new -key FTP.key -out certificate.csr

vsftpd needs the passphrase removed from this key, so copy the key and pass it back to openssl:

cp FTP.key FTP.key.orig

openssl rsa -in FTP.key.orig -out ftp.key

Finally, generate a self-signed TLS certificate using this key:

openssl x509 -req -days 365 -in certificate.csr -signkey ftp.key -out mycertificate.crt

Copy the key and cert over to /etc/pki/tls/certs/:

cp ftp.key /etc/pki/tls/certs/

cp mycertificate.crt /etc/pki/tls/certs

Now that all the certs are set up, you can once again open up /etc/vsftpd.conf, and add the following lines:

ssl_enable=YES

allow_anon_ssl=YES

ssl_tlsv1=YES

ssl_sslv2=NO

ssl_sslv3=NO

rsa_cert_file=/etc/pki/tls/certs/mycertificate.crt

rsa_private_key_file=/etc/pki/tls/certs/ftp.key

ssl_ciphers=HIGH

require_ssl_reuse=NO

Restart vsftpd with systemctl restart vsftpd to apply the changes.
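
As an added example (not part of the original guide), the script below checks a vsftpd.conf for the access-control and TLS settings described above and verifies that the private key file is not readable by group or others. The function names and the sample config are constructed for illustration; a key that is absent from the file is reported rather than assumed to have a safe default.

```sh
#!/bin/sh
# Added example: audit a vsftpd.conf against the settings this guide uses.

# Print the value of KEY in FILE; if KEY repeats, the last occurrence is used.
conf_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Report each setting that differs from the guide. Sets $findings to the number
# of problems and returns non-zero if there are any.
audit_vsftpd_conf() {
    conf=$1; findings=0
    for want in anonymous_enable=NO userlist_enable=YES userlist_deny=NO \
                chroot_local_user=YES ssl_enable=YES ssl_sslv2=NO ssl_sslv3=NO; do
        key=${want%%=*}; expected=${want#*=}
        actual=$(conf_get "$key" "$conf")
        if [ "$actual" != "$expected" ]; then
            echo "FAIL $key=${actual:-unset} (guide uses $expected)"
            findings=$((findings + 1))
        fi
    done
    # The TLS private key must exist and must not be readable by group or others.
    keyfile=$(conf_get rsa_private_key_file "$conf")
    if [ -z "$keyfile" ] || [ ! -f "$keyfile" ]; then
        echo "FAIL rsa_private_key_file missing: ${keyfile:-unset}"
        findings=$((findings + 1))
    elif [ -n "$(find -H "$keyfile" \( -perm -040 -o -perm -004 \))" ]; then
        echo "FAIL $keyfile is group- or world-readable; chmod 600 it"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: a config with the whitelist and chroot lines forgotten,
# plus a throwaway stand-in for the key file, left world-readable.
demo_dir=$(mktemp -d)
printf 'not a real key\n' > "$demo_dir/ftp.key"
chmod 644 "$demo_dir/ftp.key"
cat > "$demo_dir/vsftpd.conf" <<EOF
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_private_key_file=$demo_dir/ftp.key
EOF
audit_vsftpd_conf "$demo_dir/vsftpd.conf" || echo "$findings finding(s)"
rm -rf "$demo_dir"
```

To check a live server, call audit_vsftpd_conf /etc/vsftpd.conf as root after each round of edits and before restarting vsftpd.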