Tutorial
How To Set Up vsftpd for a User's Directory on Ubuntu 18.04
Not using Ubuntu 18.04?Choose a different version or distribution.
Introduction
FTP, short for File Transfer Protocol, is a network protocol that was once widely used for moving files between a client and server. It has since been replaced by faster, more secure, and more convenient ways of delivering files. Many casual Internet users expect to download directly from their web browser with https, and command-line users are more likely to use secure protocols such as the scp or SFTP.
FTP is still used to support legacy applications and workflows with very specific needs. If you have a choice of what protocol to use, consider exploring the more modern options. When you do need FTP, however, vsftpd is an excellent choice. Optimized for security, performance, and stability, vsftpd offers strong protection against many security problems found in other FTP servers and is the default for many Linux distributions.
In this tutorial, you’ll configure vsftpd to allow a user to upload files to his or her home directory using FTP with login credentials secured by SSL/TLS.
Prerequisites
To follow along with this tutorial you will need:
- An Ubuntu 18.04 server, and a non-root user with sudo privileges: You can learn more about how to set up a user with these privileges in our Initial Server Setup with Ubuntu 18.04 guide.
Step 1 — Installing vsftpd
Let’s start by updating our package list and installing the vsftpd daemon:
When the installation is complete, let’s copy the configuration file so we can start with a blank configuration, saving the original as a backup:
With a backup of the configuration in place, we’re ready to configure the firewall.
Step 2 — Opening the Firewall
Let’s check the firewall status to see if it’s enabled. If it is, we’ll ensure that FTP traffic is permitted so firewall rules don’t block our tests.
Check the firewall status:
In this case, only SSH is allowed through:
OutputStatus: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
You may have other rules in place or no firewall rules at all. Since only SSH traffic is permitted in this case, we’ll need to add rules for FTP traffic.
Let’s open ports 20 and 21 for FTP, port 990 for when we enable TLS, and ports 40000-50000 for the range of passive ports we plan to set in the configuration file:
Our firewall rules should now look like this:
OutputStatus: active
To Action From
-- ------ ----
OpenSSH ALLOW Anywhere
990/tcp ALLOW Anywhere
20/tcp ALLOW Anywhere
21/tcp ALLOW Anywhere
40000:50000/tcp ALLOW Anywhere
OpenSSH (v6) ALLOW Anywhere (v6)
20/tcp (v6) ALLOW Anywhere (v6)
21/tcp (v6) ALLOW Anywhere (v6)
990/tcp (v6) ALLOW Anywhere (v6)
40000:50000/tcp (v6) ALLOW Anywhere (v6)
With vsftpd installed and the necessary ports open, let’s move on to creating a dedicated FTP user.
Step 3 — Preparing the User Directory
We will create a dedicated FTP user, but you may already have a user in need of FTP access. We’ll take care to preserve an existing user’s access to their data in the instructions that follow. Even so, we recommend that you start with a new user until you’ve configured and tested your setup.
First, add a test user:
Assign a password when prompted. Feel free to press ENTER through the other prompts.
FTP is generally more secure when users are restricted to a specific directory. vsftpd accomplishes this with chroot jails. When chroot is enabled for local users, they are restricted to their home directory by default. However, because of the way vsftpd secures the directory, it must not be writable by the user. This is fine for a new user who should only connect via FTP, but an existing user may need to write to their home folder if they also have shell access.
In this example, rather than removing write privileges from the home directory, let’s create an ftp directory to serve as the chroot and a writable files directory to hold the actual files.
Create the ftp folder:
Set its ownership:
Remove write permissions:
Verify the permissions:
Outputtotal 8
4 dr-xr-xr-x 2 nobody nogroup 4096 Aug 24 21:29 .
4 drwxr-xr-x 3 sammy sammy 4096 Aug 24 21:29 ..
Next, let’s create the directory for file uploads and assign ownership to the user:
A permissions check on the ftp directory should return the following:
Outputtotal 12
dr-xr-xr-x 3 nobody nogroup 4096 Aug 26 14:01 .
drwxr-xr-x 3 sammy sammy 4096 Aug 26 13:59 ..
drwxr-xr-x 2 sammy sammy 4096 Aug 26 14:01 files
Finally, let’s add a test.txt file to use when we test:
Now that we’ve secured the ftp directory and allowed the user access to the files directory, let’s modify our configuration.
Step 4 — Configuring FTP Access
We’re planning to allow a single user with a local shell account to connect with FTP. The two key settings for this are already set in vsftpd.conf. Start by opening the config file to verify that the settings in your configuration match those below:
. . .
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
. . .
Next, let’s enable the user to upload files by uncommenting the write_enable setting:
. . .
write_enable=YES
. . .
We’ll also uncomment the chroot to prevent the FTP-connected user from accessing any files or commands outside the directory tree:
. . .
chroot_local_user=YES
. . .
Let’s also add a user_sub_token to insert the username in our local_root directory path so our configuration will work for this user and any additional future users. Add these settings anywhere in the file:
. . .
user_sub_token=$USER
local_root=/home/$USER/ftp
Let’s also limit the range of ports that can be used for passive FTP to make sure enough connections are available:
. . .
pasv_min_port=40000
pasv_max_port=50000
Note: In step 2, we opened the ports that we set here for the passive port range. If you change the values, be sure to update your firewall settings.
To allow FTP access on a case-by-case basis, let’s set the configuration so that users have access only when they are explicitly added to a list, rather than by default:
. . .
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
userlist_deny toggles the logic: When it is set to YES, users on the list are denied FTP access. When it is set to NO, only users on the list are allowed access.
When you’re done making the changes, save the file and exit the editor.
Finally, let’s add our user to /etc/vsftpd.userlist. Use the -a flag to append to the file:
Check that it was added as you expected:
Outputsammy
Restart the daemon to load the configuration changes:
With the configuration in place, let’s move on to testing FTP access.
Step 5 — Testing FTP Access
We’ve configured the server to allow only the user sammy to connect via FTP. Let’s make sure that this works as expected.
Anonymous users should fail to connect: We’ve disabled anonymous access. Let’s test that by trying to connect anonymously. If our configuration is set up properly, anonymous users should be denied permission. Open another terminal window and run the following command. Be sure to replace 203.0.113.0 with your server’s public IP address:
OutputConnected to 203.0.113.0.
220 (vsFTPd 3.0.3)
Name (203.0.113.0:default): anonymous
530 Permission denied.
ftp: Login failed.
ftp>
Close the connection:
Users other than sammy should fail to connect: Next, let’s try connecting as our sudo user. They should also be denied access, and it should happen before they’re allowed to enter their password:
OutputConnected to 203.0.113.0.
220 (vsFTPd 3.0.3)
Name (203.0.113.0:default): sudo_user
530 Permission denied.
ftp: Login failed.
ftp>
Close the connection:
The user sammy should be able to connect, read, and write files: Let’s make sure that our designated user can connect:
OutputConnected to 203.0.113.0.
220 (vsFTPd 3.0.3)
Name (203.0.113.0:default): sammy
331 Please specify the password.
Password: your_user's_password
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Let’s change into the files directory and use the get command to transfer the test file we created earlier to our local machine:
Output227 Entering Passive Mode (203,0,113,0,169,12).
150 Opening BINARY mode data connection for test.txt (16 bytes).
226 Transfer complete.
16 bytes received in 0.0101 seconds (1588 bytes/s)
ftp>
Next, let’s upload the file with a new name to test write permissions:
Output227 Entering Passive Mode (203,0,113,0,164,71).
150 Ok to send data.
226 Transfer complete.
16 bytes sent in 0.000894 seconds (17897 bytes/s)
Close the connection:
Now that we’ve tested our configuration, let’s take steps to further secure our server.
Step 6 — Securing Transactions
Since FTP does not encrypt any data in transit, including user credentials, we’ll enable TLS/SSL to provide that encryption. The first step is to create the SSL certificates for use with vsftpd.
Let’s use openssl to create a new certificate and use the -days flag to make it valid for one year. In the same command, we’ll add a private 2048-bit RSA key. By setting both the -keyout and -out flags to the same value, the private key and the certificate will be located in the same file:
You’ll be prompted to provide address information for your certificate. Substitute your own information for the highlighted values below:
OutputGenerating a 2048 bit RSA private key
............................................................................+++
...........+++
writing new private key to '/etc/ssl/private/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NY
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DigitalOcean
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: your_server_ip
Email Address []:
For more detailed information about the certificate flags, see OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs
Once you’ve created the certificates, open the vsftpd configuration file again:
Toward the bottom of the file, you will see two lines that begin with rsa_. Comment them out so they look like this:
. . .
# rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
. . .
Below them, add the following lines that point to the certificate and private key we just created:
. . .
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
. . .
After that, we will force the use of SSL, which will prevent clients that can’t deal with TLS from connecting. This is necessary to ensure that all traffic is encrypted, but it may force your FTP user to change clients. Change ssl_enable to YES:
. . .
ssl_enable=YES
. . .
After that, add the following lines to explicitly deny anonymous connections over SSL and to require SSL for both data transfer and logins:
. . .
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
. . .
After this, configure the server to use TLS, the preferred successor to SSL, by adding the following lines:
. . .
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
. . .
Finally, we will add two more options. First, we will not require SSL reuse because it can break many FTP clients. We will require “high” encryption cipher suites, which currently means key lengths equal to or greater than 128 bits:
. . .
require_ssl_reuse=NO
ssl_ciphers=HIGH
. . .
The finished file section should look like this:
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
#rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
When you’re done, save and close the file.
Restart the server for the changes to take effect:
At this point, we will no longer be able to connect with an insecure command-line client. If we tried, we’d see something like:
Outputftp -p 203.0.113.0
Connected to 203.0.113.0.
220 (vsFTPd 3.0.3)
Name (203.0.113.0:default): sammy
530 Non-anonymous sessions must use encryption.
ftp: Login failed.
421 Service not available, remote server has closed connection
ftp>
Next, let’s verify that we can connect using a client that supports TLS.
Step 7 — Testing TLS with FileZilla
Most modern FTP clients can be configured to use TLS encryption. We will demonstrate how to connect with FileZilla because of its cross-platform support. Consult the documentation for other clients.
When you first open FileZilla, find the Site Manager icon just above the word Host, the left-most icon on the top row. Click it:
A new window will open. Click the New Site button in the bottom right corner:
Under My Sites a new icon with the words New site will appear. You can name it now or return later and use the Rename button.
Fill out the Host field with the name or IP address. Under the Encryption drop down menu, select Require explicit FTP over TLS.
For Logon Type, select Ask for password. Fill in your FTP user in the User field:
Click Connect at the bottom of the interface. You will be asked for the user’s password:
Click OK to connect. You should now be connected with your server with TLS/SSL encryption.
Upon success, you will be presented with a server certificate that looks like this:
When you’ve accepted the certificate, double-click the files folder and drag upload.txt to the left to confirm that you’re able to download files:
When you’ve done that, right-click on the local copy, rename it to upload-tls.txt and drag it back to the server to confirm that you can upload files:
You’ve now confirmed that you can securely and successfully transfer files with SSL/TLS enabled.
Step 8 — Disabling Shell Access (Optional)
If you’re unable to use TLS because of client requirements, you can gain some security by disabling the FTP user’s ability to log in any other way. One relatively straightforward way to prevent it is by creating a custom shell. This will not provide any encryption, but it will limit the access of a compromised account to files accessible by FTP.
First, open a file called ftponly in the bin directory:
Add a message telling the user why they are unable to log in:
#!/bin/sh
echo "This account is limited to FTP access only."
Save the file and exit your editor.
Change the permissions to make the file executable:
Open the list of valid shells:
At the bottom add:
. . .
/bin/ftponly
Update the user’s shell with the following command:
Now try logging into your server as sammy:
You should see something like:
OutputThis account is limited to FTP access only.
Connection to 203.0.113.0 closed.
This confirms that the user can no longer ssh to the server and is limited to FTP access only.
Conclusion
In this tutorial we covered setting up FTP for users with a local account. If you need to use an external authentication source, you might want to look into vsftpd’s support of virtual users. This offers a rich set of options through the use of PAM, the Pluggable Authentication Modules, and is a good choice if you manage users in another system such as LDAP or Kerberos.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
About the author(s)
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
Get our newsletter
Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.
New accounts only. By submitting your email you agree to our Privacy Policy
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.
Great Article, but I want to know how can I change the user FTP directory to /var/www/html/sammy/ftp instead of the /home/sammy/ftp ?
I’m thinking we simply change local_root to the path we want to give them access to
Also, I think we can add the user to a group (find another tut) Then
chown -R :group /var/www/example.comSo more than 1 user can ftp in to CRUD ;-)
Can we get confirmation or more info? TIA
this can get complex, I managed to get this working, however I did this:
BUT I found the ftp connection didn’t work because the directory didn’t map, so I needed to do this:
as, somewhere in the system, it was still though of that that user’s home directory was in fact in
/homeTo change the FTP user’s directory to
/var/www/html/sammy/ftpinstead of/home/sammy/ftp, you’ll need to update the user’s home directory and make a few configuration adjustments for permissions and security invsftpd. Here’s how to do it:Steps to Change the FTP Directory
/var/www/html/sammy/ftpexists:sammy) to the new directory:vsftpdConfiguration: In/etc/vsftpd.conf, make sure the following options are set to restrict the user to their home directory:vsftpdservice to apply the changes:After these steps,
sammyshould have access to/var/www/html/sammy/ftpas their FTP root directory. This setup will restrict the user to this directory and ensurevsftpdserves it as the user’s home for FTP operations.I simply couldn’t get this to work. It is such a well written article, but no matter how hard I tried, I always got a “connection refused” message. As soon as I changed from ftp to sftp, everything started to work.
I could not get it to work.
try this: [https://www.howtoforge.com/tutorial/ubuntu-vsftpd/]
Great Articel! What if we try to ftp with the root user? Can we make a difference if the user is root then we can see the all folder in the /home directory or something?
Allowing the root user to log in via FTP is generally not recommended for security reasons. However, if you want to enable root access for FTP and allow it to view all directories, here’s how you can configure it carefully with
vsftpd.Important Considerations
sudoprivileges or limiting FTP root access to specific trusted IP addresses.Steps to Enable Root FTP Access
vsftpdconfiguration file:Add or update these settings:
userlist_deny=NOallows only users listed invsftpd.userlistto access FTP. -userlist_enable=YESactivates this list./etc/vsftpd.userlist, add therootuser:/bin/bashor/bin/sh) is in/etc/shells, whichvsftpdchecks to allow FTP access:Ensure
/bin/bashor the shell assigned to root is listed here.Enable chroot for Root: If you want root to see the entire filesystem (
/), do not applychroot_local_user=YESinvsftpd.conffor root. However, if you want to restrict root to a particular directory, enablechroot_local_userand set the home directory accordingly.Restart vsftpd: Apply the changes by restarting the
vsftpdservice.Alternative: Create a Special FTP User with Root Privileges
A safer approach might be to create a dedicated user with the necessary permissions to view the
/homedirectory but limited access to critical system directories. This could be done by adding the user to specific groups and setting appropriate permissions, thus avoiding exposing the root account itself.everything ok except now i cant login with root ssh :/ i have only access with ftp
When I log in via SFTP remotely, I get this error and am logged out immediately:
The error
Received message too long 1416128883usually indicates that when you connect via SFTP, the server is sending unexpected output before starting the SFTP protocol. This can happen if there’s extra text or messages in the shell configuration files (like.bashrc,.bash_profile, or/etc/motd) that produce output even for non-interactive sessions.Here’s how to fix it:
1. Check for Extraneous Output in Shell Configuration Files
Open the shell initialization files, such as
.bashrcor.bash_profile, for the SFTP user and remove any output-producing commands (likeecho,print, or any commands that output text).For example, check:
Look for and remove any lines that produce output, like:
Additionally, wrap any necessary output commands within an
ifstatement that only executes in interactive shells:2. Check
/etc/motdand/etc/issueFilesThe
/etc/motd(Message of the Day) or/etc/issuefiles might also be configured to print messages upon login. These files should not affect SFTP, but it’s worth checking if any output-producing commands are present.If you see any text, try removing it temporarily to see if the SFTP connection issue resolves.
3. Confirm SFTP-only Shell Configuration (if applicable)
If you’re using an SFTP-only setup, make sure that the user’s shell is set to
/usr/sbin/nologinor/bin/falseto prevent shell access but still allow SFTP connections. Update the shell with:4. Test the SFTP Connection
After making these changes, try reconnecting with SFTP. If any commands are producing output in a non-interactive session, this should now be suppressed, and SFTP should work without the “Received message too long” error.
How to create symlink from /home/user/ftp/files to /var/www so files go to /var/www? or change the config of vsftpd.conf to /var/www ?
You have two options for making
/var/wwwaccessible via FTP:/var/wwwin the user’s FTP directory./var/wwwin thevsftpd.conf.Option 1: Create a Symlink from
/home/user/ftp/filesto/var/www/var/www. You can either adjust the directory permissions or add the user to the group that owns/var/www:vsftpdchroot restriction, you may need to allow symlink following invsftpd.conf:vsftpd:Option 2: Change FTP Directory Directly to
/var/wwwIf you’d rather make
/var/wwwthe FTP root directory, here’s how:/var/wwwas the home directory for the FTP user:chroot_local_user=YESinvsftpd.confto prevent directory traversal outside the home:/var/www:vsftpd:You have two options for making
/var/wwwaccessible via FTP:/var/wwwin the user’s FTP directory./var/wwwin thevsftpd.conf.Let’s go through both methods:
Option 1: Create a Symlink from
/home/user/ftp/filesto/var/wwwCreate the Symlink:
bash Copy code
ln -s /var/www /home/user/ftp/filesAdjust Permissions: Ensure the FTP user has the correct permissions to access
/var/www. You can either adjust the directory permissions or add the user to the group that owns/var/www:bash Copy code
sudo chown -R ftpuser:ftpuser /var/www # OR add ftpuser to the group sudo usermod -aG www-data ftpuserUpdate vsftpd Configuration (if necessary): If the symlink isn’t accessible due to the
vsftpdchroot restriction, you may need to allow symlink following invsftpd.conf:plaintext Copy code
allow_writeable_chroot=YESThen restart
vsftpd:bash Copy code
sudo systemctl restart vsftpdOption 2: Change FTP Directory Directly to
/var/wwwIf you’d rather make
/var/wwwthe FTP root directory, here’s how:Edit the FTP User’s Home Directory: Set
/var/wwwas the home directory for the FTP user:bash Copy code
sudo usermod -d /var/www ftpuserUpdate vsftpd Configuration: Ensure the FTP user has access to the new directory by setting
chroot_local_user=YESinvsftpd.confto prevent directory traversal outside the home:plaintext Copy code
chroot_local_user=YESSet Permissions: As with the symlink method, verify the FTP user has necessary permissions to
/var/www:bash Copy code
sudo chown -R ftpuser:ftpuser /var/wwwRestart vsftpd: Restart the service to apply changes:
bash Copy code
sudo systemctl restart vsftpdNote: Using a symlink can be simpler if you need to keep the original FTP directory structure. However, setting the FTP root to
/var/wwwdirectly can offer a more straightforward experience for the FTP user. Either approach should work, so choose the one that best fits your needs!You have two options for making
/var/wwwaccessible via FTP:/var/wwwin the user’s FTP directory./var/wwwin thevsftpd.conf.Option 1: Create a Symlink from
/home/user/ftp/filesto/var/www/var/www. You can either adjust the directory permissions or add the user to the group that owns/var/www:vsftpdchroot restriction, you may need to allow symlink following invsftpd.conf:vsftpd:Option 2: Change FTP Directory Directly to
/var/wwwIf you’d rather make
/var/wwwthe FTP root directory, here’s how:/var/wwwas the home directory for the FTP user:chroot_local_user=YESinvsftpd.confto prevent directory traversal outside the home:/var/www:vsftpd:You have two options for making
/var/wwwaccessible via FTP:/var/wwwin the user’s FTP directory./var/wwwin thevsftpd.conf.Let’s go through both methods:
Option 1: Create a Symlink from
/home/user/ftp/filesto/var/wwwCreate the Symlink:
bash Copy code
ln -s /var/www /home/user/ftp/filesAdjust Permissions: Ensure the FTP user has the correct permissions to access
/var/www. You can either adjust the directory permissions or add the user to the group that owns/var/www:bash Copy code
sudo chown -R ftpuser:ftpuser /var/www # OR add ftpuser to the group sudo usermod -aG www-data ftpuserUpdate vsftpd Configuration (if necessary): If the symlink isn’t accessible due to the
vsftpdchroot restriction, you may need to allow symlink following invsftpd.conf:plaintext Copy code
allow_writeable_chroot=YESThen restart
vsftpd:bash Copy code
sudo systemctl restart vsftpdOption 2: Change FTP Directory Directly to
/var/wwwIf you’d rather make
/var/wwwthe FTP root directory, here’s how:Edit the FTP User’s Home Directory: Set
/var/wwwas the home directory for the FTP user:bash Copy code
sudo usermod -d /var/www ftpuserUpdate vsftpd Configuration: Ensure the FTP user has access to the new directory by setting
chroot_local_user=YESinvsftpd.confto prevent directory traversal outside the home:plaintext Copy code
chroot_local_user=YESSet Permissions: As with the symlink method, verify the FTP user has necessary permissions to
/var/www:bash Copy code
sudo chown -R ftpuser:ftpuser /var/wwwRestart vsftpd: Restart the service to apply changes:
bash Copy code
sudo systemctl restart vsftpdNote: Using a symlink can be simpler if you need to keep the original FTP directory structure. However, setting the FTP root to
/var/wwwdirectly can offer a more straightforward experience for the FTP user. Either approach should work, so choose the one that best fits your needs!Should port
990be in vsftpd config? Why should we open it in firewall? Where is it used?Maybe we should open it only in implicit ssl mode:
Explicit TLS works OK over ports
20/21+ passive range without990in firewall.You’re absolutely correct about port 990. Port 990 is specifically used for Implicit FTPS, where the SSL/TLS connection is established as soon as the client connects to the server. In contrast, Explicit FTPS uses ports 20 and 21, with TLS/SSL negotiation happening only after the connection is initiated, which allows for greater flexibility and backward compatibility.
Here’s a breakdown of when and why port 990 is needed:
1. Implicit FTPS Mode
implicit_ssl=YESinvsftpd.confand specify thatvsftpdshould listen on port 990:2. Explicit FTPS Mode (Default)
vsftpd.conf.Example Configuration for Both Modes
After setting up, remember to adjust your firewall:
Since Explicit FTPS is often sufficient for secure file transfers, you usually only need ports 20, 21, and the passive range, without opening port 990.
Great guide, thank you!
For others following along, there were a couple of stumbling blocks for me.
The first was that inetd/xinetd were not installed by default for me, so I had to run vsftpd standalone by setting
listen=YESin /etc/vsftpd.conf, and then enabling viasystem vsftpd start.The second issue for me was that in the generation of the TLS key, the example has the same value for
-keyoutand-out, which causes OpenSSL to throw an error. We need something likesudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem(Note the different paths). I generally prefer to use the suffix
.keyfor my key files, but this is arbitrary.Awesome Article 👏
I was reading the documentation of using FTP Service on Ubuntu… https://ubuntu.com/server/docs/service-ftp
Found that we can restrict shell access simply by doing this 👇
To allow users with a shell of /usr/sbin/nologin access to FTP, but have no shell access, edit /etc/shells adding the nologin shell:
Is this the right way to do it ?
Yes, adding
/usr/sbin/nologinto/etc/shellsis the correct and commonly used way to allow FTP access for users while preventing them from gaining shell access. Here’s how it works and why it’s effective:Purpose of
/usr/sbin/nologin: Setting a user’s shell to/usr/sbin/nologinprevents them from logging into the shell directly. When they try to access the shell, it displays a “This account is currently not available” message and terminates the session, providing a simple way to disable shell access.Adding to
/etc/shells: The FTP server (likevsftpd) often checks/etc/shellsto verify allowed shells before granting FTP access. By adding/usr/sbin/nologinto/etc/shells, you’re explicitly permitting FTP access for users with that shell set, without granting them interactive shell access.Steps to Configure:
/etc/shellsfile to include/usr/sbin/nologinas a valid shell:After this setup, users assigned
/usr/sbin/nologinwill have access to FTP but will be unable to access the shell, effectively restricting their permissions as intended.I followed the article and seems my FTP server accepts connections and am able to establish TLS connections with my username but at the end I get the following errors from my Filezilla client.
Error: GnuTLS error -15 in gnutls_record_recv: An unexpected TLS packet was received. Error: Could not read from socket: ECONNABORTED - Connection aborted Error: Disconnected from server Error: Failed to retrieve directory listing
I also tried using LFTP but when I try to see the directory using LS command or use GET command I get “ls: Login failed: 530 Permission denied.” error message. Any idea what could cause this?
Thanks, Ramin
Hey man, you probably already have fixed it but for those who don’t know why that happens…
So, I had to roll back the server to unsafe non-encryption FTP mode to figure this out. When I did so, it said you can’t login to writable chroot, so that’s the reason.
If you’re completely sure you need to have write access to files (e.g. you’ve configured your account to have access to /var/www/somesite/ to edit some of your website files) you have to allow access to writable chroot.
Beware that this is considered non-safe practice and creates many security holes that you can read about yourself, especially when you allow this in normal user home directory (/home/{{user}}/) and not in /var/www/somesite/ directory.
The best way would be to change files and folders permissions to non-writable and then everything will start working normal again.
To allow access to writable chroot do this and make sure you know about all of the possible security holes this thing opens:
Add this line to the file and save it:
Then restart vsftpd:
This worked for me. Had tried enabling passive mode on both FTP Client and vsftpd.