
VSFTPD CONFIGURATION IN LINUX UBUNTU -16.04.3-server

  • Writer: Sankalpa H.T.S
  • Jul 5, 2018
  • 4 min read

In this document I’ll show how to configure vsftpd on the server (192.168.200.200) so that a specific user can log in over FTP with their account credentials from a client machine (192.168.200.4).


Client machine’s host name – san (192.168.200.4)

Vsftpd Server’s host name – smallco (192.168.200.200)


Vsftpd server:

Installation


I’ll start by updating the package list and installing the vsftpd daemon:

Search for vsftpd package:

install vsftpd:

Check installed package:

When the installation is complete, we’ll copy the configuration file so we can start with a blank configuration, saving the original as a backup:

Check that the backup file was copied:


Setup the IPtable Rules


I’ll check the existing rules with iptables -L to see whether any are already present, and make sure FTP traffic is permitted so that firewall rules don’t block the connection when it comes time to test.

We’ll need to open ports 20 and 21 for FTP, and ports 40000-50000 for the passive port range we plan to set in the configuration file. Run the commands below:

Now our iptables rules look like this:

If we are adding iptables rules, we have to make sure ufw is not active. Check the ufw status:

With vsftpd installed and the necessary ports open, we are ready to proceed to the next step.
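As an added example (not from the page), the firewall step above written as a repeatable script: it refuses to run while ufw is active, opens ports 21, 20 and the 40000-50000 passive range from the page, and uses iptables -C before -A so running it twice does not duplicate rules. The IPTABLES override variable and the apply argument are conventions of this script, not something the page describes.

```shell
#!/bin/sh
# Added example (not from the page): open the FTP ports in iptables idempotently and
# refuse to proceed while ufw is active, since the page notes ufw must not be active
# when iptables rules are added directly. Ports follow the page: 21, 20 and 40000-50000.
# IPTABLES can be pointed at another command (e.g. iptables-legacy, or a wrapper for a
# dry run); that override is an assumption of this script, not from the page.
IPTABLES="${IPTABLES:-iptables}"
PASV_MIN="${PASV_MIN:-40000}"
PASV_MAX="${PASV_MAX:-50000}"

# rule_once RULE...: append RULE only if an identical rule is not already present
# (iptables -C checks for an existing rule), so re-running the script does not
# leave duplicate rules in the INPUT chain.
rule_once() {
    "$IPTABLES" -C "$@" 2>/dev/null || "$IPTABLES" -A "$@"
}

# open_ftp_ports: control channel (21), port 20 as the page opens it, and the passive
# data range; replies to connections the server itself opened are matched by conntrack.
open_ftp_ports() {
    rule_once INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule_once INPUT -p tcp --dport 21 -j ACCEPT
    rule_once INPUT -p tcp --dport 20 -j ACCEPT
    rule_once INPUT -p tcp --dport "$PASV_MIN:$PASV_MAX" -j ACCEPT
}

# ufw_is_active: returns 0 when ufw is installed and reports "Status: active"
ufw_is_active() {
    command -v ufw >/dev/null 2>&1 || return 1
    ufw status 2>/dev/null | grep -q '^Status: active'
}

# Entry point: "sudo sh ftp_firewall.sh apply"; without arguments only the functions are defined.
case "${1:-}" in
    apply)
        if ufw_is_active; then
            echo "ufw is active: disable it (ufw disable) or add the rules with ufw instead" >&2
            exit 1
        fi
        open_ftp_ports
        "$IPTABLES" -L INPUT -n --line-numbers
        ;;
esac
```

The ESTABLISHED,RELATED rule is what lets active-mode data connections (opened by the server from port 20) and their replies pass; the explicit dport 20 rule only mirrors what the page opens.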


Preparing the User Directory


For this document I have already created a user named amaa with the password disabled and a home directory under /home, and I have already created the directory structure shown below. I’m going to configure FTP access to the web directory:

In that public_html folder I have some sparse files and a .html file.

Set ownership of the web directory as follows:

Verify the permissions:

Remove write permissions with the following:

Verify it:

Assign ownership of the public_html folder to the user recursively:

Verify the changes:

Now that I’ve secured the web directory and allowed user access to the public_html directory, let’s move on to the configuration.


Configuring FTP access


We're planning to allow a single user with a local shell account to connect with FTP. The two key settings for this are already set in vsftpd.conf. Start by opening the config file to verify that the settings in your configuration match those below:


Open the config file:

It will look like this:

Make the changes as indicated. If those lines are already in the file but commented out, just uncomment them:

In order to allow the user to upload files, we’ll uncomment the write_enable setting so that we have:

We’ll also uncomment the chroot setting to prevent the FTP-connected user from accessing any files or commands outside the directory tree.

We’ll add a user_sub_token in order to insert the username in our local_root directory path so our configuration will work for this user and any future users that might be added.


We'll limit the range of ports that can be used for passive FTP to make sure enough connections are available:


Since we’re only planning to allow FTP access on a case-by-case basis, we’ll set up the configuration so that access is given to a user only when they are explicitly added to a list rather than by default:


userlist_deny toggles the logic. When it is set to "YES", users on the list are denied FTP access. When it is set to "NO", only users on the list are allowed access. When you're done making the change, save and exit the file.

Finally, we’ll create the user list file and add our user to it.

Add the user:

Save and exit:


Restart the Vsftpd Service

Check the syslog for errors:

Confirm the service restarted successfully:
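The directory preparation, the vsftpd.conf changes, the user list and the restart above, combined into one added script that is not from the page. It assumes the layout the page describes (/home/amaa/web owned by root and not writable, with public_html inside it owned by the user) and the default paths /etc/vsftpd.conf and /etc/vsftpd.userlist; conf_get, conf_set and chroot_root_ok are helpers written for this example, and the directory names can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the page): prepare the user's directory layout, apply the
# vsftpd.conf settings the page lists, add the user to the allow list and restart.
# Assumed layout, from the page's description:
#   /home/<user>/web              chroot root: owned by root, no write bits
#   /home/<user>/web/public_html  owned by the user, where files are served from
FTP_DIR="${FTP_DIR:-web}"
FTP_SUBDIR="${FTP_SUBDIR:-public_html}"
CONF="${CONF:-/etc/vsftpd.conf}"
USERLIST="${USERLIST:-/etc/vsftpd.userlist}"

# conf_get FILE KEY: print the last active (uncommented) value of KEY, or nothing if unset.
# Taking the last one catches a duplicate assignment left further down the file.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# conf_set FILE KEY VALUE: comment out every existing active assignment of KEY and
# append KEY=VALUE, so the old value stays visible and only one assignment is active.
conf_set() {
    tmp=$(mktemp)
    sed "s/^[[:space:]]*\($2=.*\)$/#\1/" "$1" > "$tmp"
    printf '%s=%s\n' "$2" "$3" >> "$tmp"
    mv "$tmp" "$1"
}

# apply_ftp_settings FILE: the settings from the page's configuration section
apply_ftp_settings() {
    conf_set "$1" anonymous_enable NO        # no anonymous logins
    conf_set "$1" local_enable YES           # local shell accounts may log in
    conf_set "$1" write_enable YES           # allow uploads (directory permissions still apply)
    conf_set "$1" chroot_local_user YES      # confine each user to local_root
    conf_set "$1" user_sub_token '$USER'     # expands to the login name inside local_root
    conf_set "$1" local_root "/home/\$USER/$FTP_DIR"
    conf_set "$1" pasv_min_port 40000        # passive data-port range matching the firewall rules
    conf_set "$1" pasv_max_port 50000
    conf_set "$1" userlist_enable YES
    conf_set "$1" userlist_file "$USERLIST"
    conf_set "$1" userlist_deny NO           # NO: the list is an allow list
}

# userlist_add FILE USER: append USER to the allow list once
userlist_add() {
    grep -qxF "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# chroot_root_ok DIR USER: vsftpd (without allow_writeable_chroot=YES) refuses to log a
# user into a chroot whose root directory is writable, so this check requires that DIR
# is not owned by USER and has no group/other write bits. Uses GNU stat (Ubuntu).
chroot_root_ok() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %U "$1")" != "$2" ] || return 1
    case "$(stat -c %a "$1")" in
        *[2367]?|*[2367]) return 1 ;;   # write bit set for group or other
    esac
    return 0
}

# setup_user_dirs USER: create the layout and set ownership/permissions (needs root)
setup_user_dirs() {
    home="/home/$1"
    mkdir -p "$home/$FTP_DIR/$FTP_SUBDIR"
    chown root:root "$home/$FTP_DIR"
    chmod a-w "$home/$FTP_DIR"
    chown -R "$1:$1" "$home/$FTP_DIR/$FTP_SUBDIR"
}

# Entry point: "sudo sh vsftpd_setup.sh apply amaa" performs the whole procedure;
# without arguments the script only defines the functions above.
case "${1:-}" in
    apply)
        user=${2:?usage: $0 apply USERNAME}
        setup_user_dirs "$user"
        chroot_root_ok "/home/$user/$FTP_DIR" "$user" || { echo "chroot root is writable" >&2; exit 1; }
        [ -e "$CONF.orig" ] || cp "$CONF" "$CONF.orig"   # keep a backup, as the page does
        apply_ftp_settings "$CONF"
        userlist_add "$USERLIST" "$user"
        systemctl restart vsftpd
        systemctl --no-pager status vsftpd
        ;;
esac
```

conf_set comments out the old line instead of editing it in place so that a later diff against the .orig backup shows exactly which values changed; conf_get can be used afterwards to confirm that userlist_deny really resolves to NO and not to a leftover YES further down the file.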


Testing FTP Access


Anonymous users should fail to connect: we disabled anonymous access, so here we'll test that by trying to connect anonymously. If we've done it properly, anonymous users should be denied permission:

Close the connection:

Users other than amaa should fail to connect: next, we'll try connecting as our sudo user. They, too, should be denied access, and it should happen before they're asked for a password.

amaa should be able to connect and read and execute files, but not write files, because of the permissions. Here we'll make sure that our designated user can connect:

But when I try to connect, I am asked to enter a password to establish the connection. At the beginning I mentioned that I am using a user whose password is disabled, so in order to connect over FTP I have to set a password for the user amaa:

Enter the New password:

Re-enter the password:

Now try to connect:

Enter the password which we added:

We can see our login to the FTP server is successful.


We'll change into the public_html directory, then use the get command to transfer the amaa1.jpg file I created earlier to our current working directory:

Run the get command:

Close the connection:

Check that the file was transferred successfully to the current directory:


Transfer via FTP works.


Testing FTP Access via Client Machine


Client machine:

Try to connect to the FTP server:

Enter user credentials:

List the directories/files in the web folder:

Go to the public_html folder:

We change into the public_html directory, then use the get command to transfer the amaa3.jpg file we created earlier to the client machine:

Close the connection and check whether the file was transferred to the client machine’s present working directory:
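The checks from both testing sections above (anonymous refused, a user outside the list refused, amaa able to log in and download, and no write into the read-only web directory), as an added verification script that is not from the page. It uses curl in place of the interactive ftp client so the checks can be repeated from the client machine after any configuration change. Assumptions: curl is installed; amaa's password is supplied in FTP_PASS; OTHER_USER names the sudo user the page tries (placeholder default); amaa1.jpg exists in public_html as the page describes; the outcome mapping relies on curl's documented exit codes 67 (login denied), 25 (upload failed) and 7 (could not connect).

```shell
#!/bin/sh
# Added verification script (not from the page). Runs the page's FTP checks with curl
# so they can be repeated after any change. Assumptions: curl is installed on the client;
# FTP_PASS holds amaa's password; OTHER_USER is the sudo user the page tries (placeholder
# default); public_html/amaa1.jpg exists as the page describes.
FTP_HOST="${FTP_HOST:-192.168.200.200}"
FTP_USER="${FTP_USER:-amaa}"
FTP_PASS="${FTP_PASS:-}"
OTHER_USER="${OTHER_USER:-sudo-user-name}"
TEST_FILE="${TEST_FILE:-public_html/amaa1.jpg}"

# outcome CODE: translate a curl exit status into the FTP outcome being checked
outcome() {
    case "$1" in
        0)  echo accepted ;;
        67) echo login-denied ;;      # CURLE_LOGIN_DENIED: the server answered 530
        25) echo upload-refused ;;    # CURLE_UPLOAD_FAILED: STOR was rejected (e.g. 553)
        7)  echo unreachable ;;       # CURLE_COULDNT_CONNECT: firewall or service down
        *)  echo "other($1)" ;;
    esac
}

FAILED=0
# check NAME EXPECTED CMD...: run CMD, compare its outcome with EXPECTED, count mismatches
check() {
    name=$1 expected=$2
    shift 2
    "$@" >/dev/null 2>&1 && rc=0 || rc=$?
    got=$(outcome "$rc")
    if [ "$got" = "$expected" ]; then
        echo "PASS  $name ($got)"
    else
        echo "FAIL  $name: expected $expected, got $got"
        FAILED=$((FAILED + 1))
    fi
}

# ftp_get USER PASS PATH: passive-mode download of PATH (empty PATH lists the login root)
ftp_get() {
    curl -s --ftp-pasv -u "$1:$2" -o /dev/null "ftp://$FTP_HOST/$3"
}

# ftp_put USER PASS PATH: passive-mode upload of a small local file to PATH
ftp_put() {
    curl -s --ftp-pasv -u "$1:$2" -T /etc/hostname "ftp://$FTP_HOST/$3"
}

run_all() {
    # anonymous_enable=NO: refused at the USER command
    check "anonymous login refused" login-denied ftp_get anonymous test@example.com ""
    # userlist_deny=NO: a local user not in vsftpd.userlist is refused before any password,
    # so the password given here does not matter
    check "unlisted local user refused" login-denied ftp_get "$OTHER_USER" x ""
    check "listed user can log in and list" accepted ftp_get "$FTP_USER" "$FTP_PASS" ""
    check "listed user can download" accepted ftp_get "$FTP_USER" "$FTP_PASS" "$TEST_FILE"
    # the chroot root (web) is root-owned and not writable, so a STOR there must fail
    check "upload into read-only chroot root refused" upload-refused ftp_put "$FTP_USER" "$FTP_PASS" upload-test.txt
    echo "$FAILED check(s) failed"
    [ "$FAILED" -eq 0 ]
}

# Entry point: FTP_PASS=... sh ftp_checks.sh run ; without arguments only the functions are defined.
case "${1:-}" in
    run)
        [ -n "$FTP_PASS" ] || { echo "set FTP_PASS to amaa's password" >&2; exit 2; }
        run_all
        ;;
esac
```

A non-zero exit from run_all means at least one expectation did not hold; an "unreachable" outcome on every check points back at the firewall section rather than at vsftpd.conf.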

In this document we covered setting up FTP for users with a local account. If you need to use an external authentication source, you might want to look into vsftpd's support of virtual users.


References

https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-16-04
