Well, I have found many articles on the web which claim to explain the installation of an FTP server running specifically on Ubuntu 20.04 LTS, but none of them seem to actually deliver a clear, working and feasible solution, and that means one thing: welcome to my Homelab.
In this article, I am going through all the steps necessary for anyone to install an FTP service using VSFTPD on an instance with TLS/SSL and properly integrate it with the main web server directory for either Apache or Nginx, the way it should be done.
The end result is going to be one system user that you can use to authenticate an FTP client like FileZilla to any website root directory you have under /var/www, which is the path used for web services specifically on Ubuntu itself.
Getting Started on Linux Ubuntu
Get remote access to your instance with the superuser credentials provided to you. Now, let's prepare this operating system environment with the software required for an FTP server running VSFTPD.
Install Software Package
sudo apt update
sudo apt install vsftpd
sudo service vsftpd status
You should now see that the VSFTPD service is active and running without any issues.
Setting Permissions
sudo chgrp -R www-data /var/www/*
sudo find /var/www -type f -exec chmod 664 {} \;
sudo find /var/www -type d -exec chmod 775 {} \;
sudo find /var/www -type d -exec chmod g+s {} \;
sudo chown root:root /var/www
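That's like the magic touch for this particular tutorial, which is setting proper directory permissions for our websites' document root. Files become group-writable (664), directories get 775 plus the setgid bit so new files inherit the www-data group, and /var/www itself is owned by root.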
Configure UFW Firewall
sudo ufw allow 20,21,22,990,40000:50000/tcp
sudo ufw enable
Then, you can confirm the firewall status to check that the firewall is enabled and the ports are allowed.
sudo ufw status
You will only need this if you are going to use the firewall on your Ubuntu instance, otherwise you can completely skip this step.
Create FTP System User
sudo useradd sftp -d /var/www
sudo passwd sftp
sudo adduser sftp www-data
echo "DenyUsers sftp" | sudo tee -a /etc/ssh/sshd_config
sudo systemctl reload sshd
Here we're creating the system user to authenticate an FTP client while restricting SSH access, which means it's only going to be valid for use through the FTP protocol. Just make sure to specify a password that you can remember.
Configure VSFTPD to Enable FTP Server
In order for VSFTPD to work on your Linux Ubuntu environment, it needs to be configured accordingly with special settings.
VSFTPD Configuration
sudo mv /etc/vsftpd.conf /etc/vsftpd.conf.bak
sudo nano /etc/vsftpd.conf
This will create a backup of the original configuration file while defining new settings. So, insert the following inside the new config file:
# FTP
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
force_dot_files=YES
pasv_min_port=40000
pasv_max_port=50000
allow_writeable_chroot=YES
# SSL
ssl_enable=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
That's like everything typically needed for a perfect implementation of VSFTPD alongside a web server like Apache or Nginx running on Linux Ubuntu.
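An added example, not part of the original article: a small shell check that reads a vsftpd.conf and reports any of the security-relevant settings above that differ from the values used here. The function names vsftpd_get and audit_vsftpd are hypothetical, and the check assumes that a key left unset should be flagged rather than trusted to its default.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf against the settings used in this article.
# Usage after sourcing this file: audit_vsftpd /etc/vsftpd.conf

# Print the value of an uncommented "key=value" line.
# Assumption: when a key appears more than once, the last line is the one in effect.
vsftpd_get() {
    # $1 = config file, $2 = key
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Compare the file against the expected values from the article's config.
# Prints one line per mismatch; returns 0 only when every key matches.
audit_vsftpd() {
    conf=$1
    failures=0
    for want in \
        anonymous_enable=NO \
        chroot_local_user=YES \
        ssl_enable=YES \
        allow_anon_ssl=NO \
        force_local_logins_ssl=YES \
        force_local_data_ssl=YES \
        ssl_sslv2=NO \
        ssl_sslv3=NO \
        pasv_min_port=40000 \
        pasv_max_port=50000
    do
        key=${want%%=*}
        expected=${want#*=}
        actual=$(vsftpd_get "$conf" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $key: expected $expected, found ${actual:-<unset>}"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}
```

The passive port values checked here are the same 40000 to 50000 range opened in the UFW step, so a mismatch on either pasv_ key means the firewall rule and the server no longer agree.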
Enable SSL over TLS for VSFTPD
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
Finally, we will create an SSL certificate for FTP over TLS.
Verify FTP Server Implementation
You must restart the VSFTPD service for all changes to take effect.
sudo systemctl restart vsftpd
There you go, navigate to your favourite FTP client, which happens to be FileZilla for my own preference. In particular, you will need to specify your host address, username, password and port settings.
As a result, you will use sftp for username and 21 for port. When successful, you will be presented with a welcome dialog showing SSL over TLS certificate information; just confirm to complete authorization.