VSFTPD CONFIGURATION IN LINUX UBUNTU 16.04.3 SERVER

  • Writer: Sankalpa H.T.S
  • Jul 5, 2018

In this document I’ll show how to configure vsftpd (192.168.200.200) to allow a specific user to use FTP with user login credentials using a client machine (192.168.200.4).


Client machine’s host name – san (192.168.200.4)

Vsftpd Server’s host name – smallco (192.168.200.200)


Vsftpd server:

Installation


I’ll start by updating our package list and installing the vsftpd daemon:

Search for vsftpd package:

Install vsftpd:

Check installed package:

When the installation is complete, we’ll copy the configuration file so we can start with a blank configuration, saving the original as a backup.

Check that the backup file was copied.

Set Up the iptables Rules


I’ll check the iptables -L rule list to see whether it already has rules, and ensure that FTP traffic is permitted so you won’t run into firewall rules blocking you when it comes time to test.

We’ll need to open ports 20 and 21 for FTP, and ports 40000-50000 for the range of passive ports we plan to set in the configuration file. Run the commands below:

Now our iptables rules look like this:

If we are adding iptables rules, we have to make sure ufw is not active. Check the ufw status:

With vsftpd installed and the necessary ports open, we are ready to proceed to the next step.


Preparing the User Directory


In this document I have already created a password-disabled user named amaa, which has a user directory in the home folder. I have also already created the directory structure shown below. I’m going to configure FTP access to the web directory:

In that public_html folder I have sparse files and a .html file.

Set ownership to the web directory as follows:

Verify the permissions:

Remove write permissions with the following:

Verify it:

Assign ownership to the user for the public_html folder recursively.

Verify the changes:

Now that I’ve secured the web directory and allowed user access to the public_html directory, let’s move to the configuration.


Configuring FTP access


We're planning to allow a single user with a local shell account to connect with FTP. The two key settings for this are already set in vsftpd.conf. Start by opening the config file to verify that the settings in your configuration match those below:


Open the config file:

It will look like this:

Make the changes as indicated. If those lines are already in the file but commented out, just uncomment them:

In order to allow the user to upload files, we’ll uncomment the write_enable setting so that we have:

We’ll also uncomment the chroot to prevent the FTP-connected user from accessing any files or commands outside the directory tree.

We’ll add a user_sub_token in order to insert the username in our local_root directory path so our configuration will work for this user and any future users that might be added.


We'll limit the range of ports that can be used for passive FTP to make sure enough connections are available:


Since we’re only planning to allow FTP access on a case-by-case basis, we’ll set up the configuration so that access is given to a user only when they are explicitly added to a list rather than by default:


userlist_deny toggles the logic. When it is set to "YES", users on the list are denied FTP access. When it is set to "NO", only users on the list are allowed access. When you're done making the change, save and exit the file.

Finally, we’ll create and add our user to the file.

Add the user:

Save and exit.
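
The settings described in this section can be checked mechanically. The script below is an added example, not part of the original post: it audits a vsftpd.conf against the values the text describes and models the userlist_deny logic. The option names anonymous_enable, local_enable, userlist_enable, pasv_min_port and pasv_max_port, the file paths and the sample data are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): audit vsftpd.conf against the
# settings this guide describes. Paths and sample data below are constructed.

# Print the last uncommented value of KEY in FILE (vsftpd wants KEY=VALUE, no spaces).
get_opt() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Print one FAIL line per setting that differs; return the number of failures.
audit_vsftpd() {
    fails=0
    while read -r key want; do
        got=$(get_opt "$1" "$key")
        [ "$got" = "$want" ] && continue
        echo "FAIL $key: want $want, found ${got:-unset}"
        fails=$((fails + 1))
    done <<EOF
anonymous_enable NO
local_enable YES
write_enable YES
chroot_local_user YES
userlist_enable YES
userlist_deny NO
pasv_min_port 40000
pasv_max_port 50000
EOF
    return "$fails"
}

# Model the userlist logic: succeed if USER passes the list check in CONF/LIST.
userlist_permits() {   # args: CONF LIST USER
    [ "$(get_opt "$1" userlist_enable)" = "YES" ] || return 0   # list not consulted
    if grep -qxF "$3" "$2" 2>/dev/null; then listed=1; else listed=0; fi
    if [ "$(get_opt "$1" userlist_deny)" = "NO" ]; then
        [ "$listed" -eq 1 ]      # allow-list: only listed users get in
    else
        [ "$listed" -eq 0 ]      # default YES: listed users are denied
    fi
}

# Constructed demo: a config with the allow-list settings and a one-user list.
demo_dir=$(mktemp -d)
printf '%s\n' anonymous_enable=NO local_enable=YES write_enable=YES \
    chroot_local_user=YES userlist_enable=YES userlist_deny=NO \
    pasv_min_port=40000 pasv_max_port=50000 > "$demo_dir/vsftpd.conf"
echo amaa > "$demo_dir/userlist"
audit_vsftpd "$demo_dir/vsftpd.conf" && echo "config matches"
userlist_permits "$demo_dir/vsftpd.conf" "$demo_dir/userlist" amaa && echo "amaa permitted"
userlist_permits "$demo_dir/vsftpd.conf" "$demo_dir/userlist" root || echo "root refused"
rm -rf "$demo_dir"
```

Run against the real files, the audit treats a commented-out or missing option as unset, which for every key in the table means vsftpd falls back to a default that differs from the value this guide sets.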


Restart the Vsftpd Service

See the syslog for errors:

Confirm the service restarted successfully:

Testing FTP Access


Anonymous users should fail to connect: We disabled anonymous access. Here we'll test that by trying to connect anonymously. If we've done it properly, anonymous users should be denied permission:

Close the connection:

Users other than amaa should fail to connect: Next, we'll try connecting as our sudo user. They, too, should be denied access, and it should happen before they're allowed to enter their password.

amaa should be able to connect, as well as read and execute files, but can’t write files because of the permissions. Here, we'll make sure that our designated user can connect:

But when I try to connect, I am asked to enter a password to establish the connection. At the beginning I mentioned that I am using a password-disabled user, so in order to connect to FTP I must set a password for my user amaa:

Enter the new password:

Re-enter the password:

Now try to connect:

Enter the password which we added:

We can see our login to the FTP server is successful.


We'll change into the public_html directory, then use the get command to transfer the amaa1.jpg file I created earlier to our current working directory:

Get command:

Close the connection:

Check that the file was transferred successfully to the current directory:

Transfer via FTP works.


Testing FTP Access via Client Machine


Client machine:

Try to connect to the FTP server:

Enter user credentials:

List the directories/files in the web folder:

Go to the public_html folder:

We changed into the public_html directory; now we use the get command to transfer the amaa3.jpg file we created earlier to our client machine:

Close the connection and check whether that file was transferred to the client machine’s present working directory:

In this document we covered setting up FTP for users with a local account. If you need to use an external authentication source, you might want to look into vsftpd's support of virtual users.


References

https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-16-04




 
 
 
