This article describes how to install and configure an FTP server on Ubuntu 20.04 that you can use to share files between your devices.
FTP (File Transfer Protocol) is a standard network protocol used to transfer files to and from a remote network. There are several open-source FTP servers available for Linux. The best known and most widely used are PureFTPd, ProFTPD, and VSFTPD. We will install VSFTPD (Very Secure FTP Daemon), a stable, secure and fast FTP server. We will also show you how to configure the server to restrict users to their home directories and encrypt the entire transfer using SSL/TLS.
Although FTP is a very popular protocol, for more secure and faster data transfer, you should use SCP or SFTP.
Installing VSFTPD on Ubuntu 20.04
The VSFTPD package is available in the Ubuntu repository. To install it, execute the following command.
Once the installation process is complete, the FTP service will start automatically. To verify it, print the service status.
The output should show that the VSFTPD service is active and running.
VSFTPD server configuration is stored in the
Most server settings are in the file. For all available options, please visit the VSFTPD documentation page.
In the following sections, we will describe some important settings needed to configure a secure VSFTPD installation.
First open the VSFTPD configuration file.
We only allow access to the FTP server for local users. Search for the
local_enable directives and verify that your configuration matches the following lines.
Locate and uncomment the write_enable directive to allow file system changes, such as uploading and deleting files.
To prevent local FTP users from accessing files outside their home directory, uncomment from
By default, for security reasons, when chroot is enabled, VSFTPD will refuse to upload files if the user’s locked directory is writable.
Use one of the following solutions to allow uploading when chroot is enabled.
Option 1. The recommended option is to keep chroot enabled and configure the FTP directories. In this example, we will create an ftp directory inside the user's home directory that will serve as the chroot, and a writable uploads directory for uploading files:
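One way to build and verify that layout, as an added example that is not part of the original article. A temporary directory stands in for the user's home, the modes 550 and 750 are assumptions, and the check is conservative: it flags any write bit on the chroot directory.

```bash
#!/usr/bin/env bash
# Added example: build and check the chroot layout from Option 1.
# Permission string as ls prints it, e.g. "dr-xr-x---".
mode_of() { ls -ld "$1" | cut -c1-10; }

# Create $1/ftp (the chroot, no write bits) and $1/ftp/uploads (owner-writable).
# The modes 550 and 750 are assumptions; on a real host also chown to the user.
make_ftp_tree() {
    mkdir -p "$1/ftp/uploads" &&
    chmod 750 "$1/ftp/uploads" &&
    chmod 550 "$1/ftp"
}

# Echo "ok" or the first problem found under home directory $1.
check_ftp_tree() {
    [ -d "$1/ftp" ] && [ -d "$1/ftp/uploads" ] || { echo "missing directory"; return 0; }
    case "$(mode_of "$1/ftp")" in
        d?-??-??-?) ;;
        *) echo "chroot root is writable"; return 0 ;;
    esac
    case "$(mode_of "$1/ftp/uploads")" in
        d?w*) ;;
        *) echo "uploads is not writable by its owner"; return 0 ;;
    esac
    case "$(mode_of "$1/ftp/uploads")" in
        d???????w?) echo "uploads is world-writable"; return 0 ;;
    esac
    echo "ok"
}

home=$(mktemp -d)            # stands in for the user's home directory
make_ftp_tree "$home"
check_ftp_tree "$home"       # prints: ok
chmod 775 "$home/ftp"        # the writable chroot that blocks uploads
check_ftp_tree "$home"       # prints: chroot root is writable
chmod -R u+w "$home" && rm -rf "$home"
```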
Option 2. Another option is to enable the allow_writeable_chroot directive. Use this option only if you must grant your user writable access to its home directory.
Passive FTP connection
By default, VSFTPD uses active mode. To use passive mode, set the minimum and maximum range of ports:
You can use any port for passive FTP connections. When passive mode is enabled, the FTP client opens a connection to the server on a random port in the selected range.
Restrict user logins
You can configure VSFTPD to allow only certain users to log in. To do this, add the following line to the end of the file.
When this option is enabled, you need to explicitly specify which users can log in by adding their user names to the /etc/vsftpd.user_list file (one user per line).
Use SSL/TLS encrypted transfers
To encrypt FTP transfers via SSL/TLS, you need to have an SSL certificate and configure your FTP server to use it.
You can use an existing SSL certificate signed by a trusted certificate authority or create a self-signed certificate.
If you have a domain or subdomain that points to the IP address of your FTP server, you can quickly generate a free Let’s Encrypt SSL certificate.
We will generate a 2048-bit private key and self-signed SSL certificate, which is valid for ten years.
Both the private key and the certificate will be saved in the same folder.
Once the SSL certificate is created, open the VSFTPD configuration file.
rsa_private_key_file directives, change their values to the
pam file path, and set the
ssl_enable directive to
Restart VSFTPD service
After completing the edits, the VSFTPD configuration file (excluding comments) should look as follows.
Save the file and restart the VSFTPD service for the changes to take effect.
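The settings discussed in the sections above can be checked mechanically before the service is restarted. The script below is an added example, not part of the original article: it assumes the standard vsftpd directive names anonymous_enable, chroot_local_user, userlist_enable, userlist_deny, pasv_min_port and pasv_max_port alongside those named in the text, and its sample config is constructed.

```bash
#!/usr/bin/env bash
# Added example: audit a vsftpd-style config for the settings this guide relies on.
# Effective value of directive $2 in file $1. vsftpd expects key=value with no
# spaces; assumption here: a later assignment overrides an earlier one.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# Print one FAIL/WARN line per finding; print nothing for a compliant file.
audit_vsftpd_conf() {
    local f=$1 key want got min max
    while read -r key want; do
        got=$(conf_get "$f" "$key")
        [ "$got" = "$want" ] || echo "FAIL $key=${got:-unset}, expected $want"
    done <<'EOF'
anonymous_enable NO
local_enable YES
chroot_local_user YES
userlist_enable YES
userlist_deny NO
ssl_enable YES
EOF
    min=$(conf_get "$f" pasv_min_port); max=$(conf_get "$f" pasv_max_port)
    case "${min:-x}${max:-x}" in
        *[!0-9]*) echo "FAIL passive port range is not set to numbers" ;;
        *) { [ "$min" -gt 0 ] && [ "$min" -le "$max" ]; } ||
               echo "FAIL passive port range $min-$max is invalid" ;;
    esac
    if [ "$(conf_get "$f" allow_writeable_chroot)" = YES ]; then
        echo "WARN allow_writeable_chroot=YES: chroot directory may be writable"
    fi
    return 0
}

# Constructed sample: TLS left off and the allow-list directive commented out.
SAMPLE='anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
#userlist_deny=NO
ssl_enable=NO'

tmp=$(mktemp) && printf '%s\n' "$SAMPLE" > "$tmp"
audit_vsftpd_conf "$tmp"
rm -f "$tmp"
```

An unset directive is reported as a failure, so a file that relies on compiled-in defaults is flagged rather than silently accepted.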
If you are running the UFW firewall, you need to allow FTP traffic.
To open port 21 (FTP command port), port 20 (FTP data port) and ports 30000-31000 (passive port range), run the following commands.
To avoid being locked out, make sure port 22 is open.
Reload UFW rules by disabling and re-enabling UFW.
Create FTP user
To test the FTP server, we will create a new user.
- If the user to be granted FTP access already exists, skip step 1.
- If allow_writeable_chroot=YES is set in the configuration file, skip step 3.
Create a new user named
Add the user to the list of allowed FTP users.
Create the FTP directory tree and set the correct permissions.
As described in the previous section, users will be able to upload their files to the
At this point, your FTP server is fully functional. You should be able to connect to the server using any FTP client that can be configured to use TLS encryption, such as FileZilla.
Disable shell access
By default, unless explicitly specified otherwise, a newly created user has SSH access to the server. To disable shell access, create a new shell that prints a message telling the user that their account is restricted to FTP access.
Run the following command to create the /bin/ftponly file and make it executable.
Append the new shell to the list of valid shells in the
Change the user shell to /bin/ftponly.
You can use the same command to change the shell for all users to whom you want to give FTP access only.