How to Setup FTP to Specific Ubuntu Server Directory

First, I want to give full credits to this blog because this is the brains behind this tutorial. However, because I’m not as smart as the author, I got stuck a few times so this blog is a ‘dumbed down’ version of the same tutorial but with my notes added for the ‘less smart’ 🙂

Please note that if you have further issues connecting and get this error, you’ll probably want to do the last section where we set up a secure FTP connection using SSL/TLS which seems to be required these days…

You should also have the IP address of your server near you if you don’t already.

1. Create FTP User

ADD USER

sudo useradd -d <ftp_path> -s /usr/sbin/nologin <ftp_login>
sudo passwd <ftp_login>

  • ftp_path = the path to the directory you want to give someone access to
  • ftp_password = the password you will give the person who wants to log into this directory; type it when passwd prompts for it (useradd’s -p option expects an already-encrypted password, not plain text, so the password is set with passwd instead)
  • ftp_login = the ftp username you will give to the person who wants to log into this directory
  • note: I added ‘sudo’ to his command – add this if you get stuck with commands

CONFIRM USER EXISTS

Check if the user has been created (see blog above for more)

cat /etc/passwd | grep <ftp_login>

You should see something like this:

your_user_name:x:1000:1000::/path/to/shared/folder:/usr/sbin/nologin

  • your_user_name = the ftp_login thing (ftp username you created in step 1)

2. Set Up vsftpd (Very Secure FTP Daemon)

INSTALL VSFTP SOFTWARE

sudo apt install -y vsftpd

  • This just works (with sudo)

CONFIRM VSFTP

Check if it’s running:

service --status-all | grep vsftpd

If it is you should see something like this:

[ + ] vsftpd

CONFIRM PORT 21 IS OPEN

FTP runs on port 21. I used a new terminal window on my local machine because I figured it’s probably better to test it from a remote machine since we’re dealing with FTP but the tutorial suggests it doesn’t matter. Grab the server IP address and put it in place of my demo IP address here, keeping the 21 at the end so telnet connects to the FTP port rather than its default port 23:

telnet 123.123.123.123 21

The tutorial is a little unclear here so I’ll give a few more details. After you enter the command, it should ‘hang’ with this message:

Trying 123.123.123.123...

And then nothing more… until a long time later you should get this if you wait long enough:

telnet: Unable to connect to remote host: Connection timed out

But the tutorial says you can just exit while it is ‘hanging’. Note he said ‘control enter’ but that didn’t work for me but ‘control+C’ like any other terminal command did work for me to exit.

OPEN PORT 21 IF IT IS CLOSED

Mine was closed and didn’t connect so that means I need to open my port 21. He linked to a blog but even easier is to just run this command blindly from my random blog, lol:

sudo ufw allow 21/tcp

You should see this:

Rule added
Rule added (v6)

And then when you run your ufw status command it should show port 21 as ‘open’. The command is:

sudo ufw status

Confirm your port 21 is open (see instructions above) again from another terminal window. If it’s open like mine is now, you should see this:

Connected to 178.128.238.225.
Escape character is '^]'.
220 (vsFTPd 3.0.3)

Of course not mentioned anywhere is how to get out of this session so I tried the ] key which brought me back to the telnet session root, when I finally searched online you just need to type ‘quit’ in the telnet session to close it…

3. Configure vsftpd

UPDATE THE VSFTP CONFIGURATION FILE

We need to open the configuration file with nano in the terminal and add the recommended settings from the blog. To do that, copy the settings to your clipboard and then:

sudo nano /etc/vsftpd.conf

This part was unclear in the blog. I first pasted his entire block of settings to the file at the bottom, however, many of these settings were already in the config file and just needed commenting or uncommenting as follows:

#listen=YES
#listen_ipv6=NO
#anonymous_enable=NO
#local_enable=YES
#write_enable=YES
#chroot_local_user=YES

So go from the top of the config file down and adjust and uncomment as needed.

Then, at the bottom of the file for those that aren’t there, paste them as follows:

allow_writeable_chroot=YES
force_dot_files=YES
pam_service_name=ftp

userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist

local_umask=0000
file_open_mode=0777

Then, control+x
Then, ‘y’ to say yes
Then, press enter to save/write the changes to the file.

Now your settings are saved in the configuration file.

Note: likely you will be coming back into this file to add in the SSL/TLS settings at some point.

ADD FTP USER TO THE LOGIN LIST

For security this newly created FTP user has to be on the userlist thingy. However, for whatever reason, I could not get the section of his blog to work with this command:

echo <ftp_login> >> /etc/vsftpd.userlist

Instead, I had to first create the userlist file and simply add the username in it as one line by itself and save, like this:

sudo nano /etc/vsftpd.userlist

This opens up a blank file to enter data in. Then I just typed in my ftp_login (FTP username I created in step 1) into the file. Then I just did the usual control x, y, and enter to save changes.

Confirm the file is there by ls -al /etc/ and you should see the new vsftpd.userlist file there.

4. Restart the vsftpd service

As per his blog:

sudo service vsftpd restart

  • Note, it will ask for your sudo user password for this command

5. Set Directory Permissions

For this part, it was tricky as always. I had this permissions converter open and pasted in each of the permissions for each directory in the path working backwards from the final directory. So mine was /var/www/html/shop/directory2/directory1 so I ran a check on:

ls -al /var/www/html/shop/directory2/directory1 and then pasted in the drwxr-xr-x from the terminal into the calculator because I’m not smart enough to know if that is 755 (which it was…)

Then I did:

ls -al /var/www/html/shop/directory2/ etc

I found that everything in the path was 755 but the connection still did not work.

This was because something went wrong with my password during the initial user setup. Perhaps it was some special characters? Perhaps the password was too long? Not sure, but I just ran a password reset for my FTP user with the help of this nice blog and now everything is working fine.

Many thanks to the original author of the blog above and I hope this version helps others.

Bonus section: Setting Up a Secure FTP Server using SSL/TLS on Ubuntu

As always, thanks to other brains out there, in this case it’s this blog.

I heard that someone trying to connect to my specific folder (which I spent much time above trying to set up) experienced these errors in FileZilla:

Status: Insecure server, it does not support FTP over TLS.
Status: Server does not support non-ASCII characters.

Sure enough I confirmed it too.

Here are my notes to go with this SSL/TLS setup in the blog above.

  • Step 1: my server already had the /etc/ssl/private directory so I skipped step 1
  • Step 2: filling in these fields was a first for me and another blog pointed me to this list to confirm my two digit country code. For the rest, I just filled out the other fields to the best of my ability using my company’s info. After filling out the last field it got me back to the terminal prompt.
  • Step 3 – straightforward. Just followed and it worked. Note: the last command sudo ufw status is just to see the list to make sure the first two commands worked and ended up in the ufw list.
  • Step 4 –

Note 1:
I don’t use VIM or whatever that horribly difficult editor is called, haha. So I used sudo nano.
Note 2:
I’m not sure why his path had an actual vsftp directory in it, but based on the first part of my tutorial above, the .conf file was located directly in the /etc directory so I used this command in full to edit the file: sudo nano /etc/vsftpd.conf.

Note 3:
I found this already in my config file after scrolling a bit, so although it is not clearly mentioned in the blog, do your setting changes in the section that looks like this:

# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO

When you are done following the steps of the blog, your section should now look like this:

# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
#rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_min_port=40000
pasv_max_port=50000

Step 9 – didn’t bother with debug…

After restarting the service with the sudo systemctl restart vsftpd.service I was able to successfully use FTP.
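
An added example, not part of the original tutorial or the blogs it follows: a shell audit of the vsftpd.conf options set in section 3 and in the SSL/TLS section, using the defaults documented in the vsftpd.conf man page. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the vsftpd.conf options this tutorial sets.

# conf_get FILE KEY DEFAULT -> effective value. vsftpd allows no spaces around
# '=', skips '#' lines, and a later assignment overrides an earlier one.
conf_get() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-$3}"
}

# audit_vsftpd_conf FILE -> one "WARN key: reason" line per risky setting.
audit_vsftpd_conf() {
    f=$1
    [ "$(conf_get "$f" anonymous_enable YES)" = NO ] ||
        echo "WARN anonymous_enable: anonymous logins are allowed"
    if [ "$(conf_get "$f" ssl_enable NO)" != YES ]; then
        echo "WARN ssl_enable: passwords and files cross the network in cleartext"
    else
        for k in force_local_logins_ssl force_local_data_ssl; do
            [ "$(conf_get "$f" "$k" YES)" = YES ] ||
                echo "WARN $k: TLS is optional, so cleartext is still accepted"
        done
    fi
    for k in ssl_sslv2 ssl_sslv3; do
        [ "$(conf_get "$f" "$k" NO)" = NO ] || echo "WARN $k: obsolete protocol enabled"
    done
    # Uploaded files are created with file_open_mode minus the local_umask bits.
    fmode=$(conf_get "$f" file_open_mode 0666)
    mask=$(conf_get "$f" local_umask 077)
    mode=$(( 0$fmode & ~0$mask ))
    [ $(( $mode & 2 )) -eq 0 ] ||
        printf 'WARN local_umask: uploads are world-writable (mode %04o)\n' "$mode"
    [ "$(conf_get "$f" chroot_local_user NO)" = YES ] &&
        [ "$(conf_get "$f" allow_writeable_chroot NO)" = YES ] &&
        echo "WARN allow_writeable_chroot: user can write to the root of its chroot"
    [ "$(conf_get "$f" userlist_enable NO)" = YES ] &&
        [ "$(conf_get "$f" userlist_deny YES)" = NO ] ||
        echo "WARN userlist: logins are not limited to an allow list"
    return 0
}

# Constructed sample: the section 3 settings, before the SSL/TLS bonus section.
sample_conf() {
    printf '%s\n' anonymous_enable=NO local_enable=YES write_enable=YES \
        chroot_local_user=YES allow_writeable_chroot=YES userlist_deny=NO \
        userlist_enable=YES local_umask=0000 file_open_mode=0777
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_vsftpd_conf "$tmp"; rm -f "$tmp"
```

Run `audit_vsftpd_conf /etc/vsftpd.conf` after editing the file. On the section 3 settings it flags the missing TLS, the 0000 umask combined with the 0777 file mode, and the writable chroot; the SSL/TLS section clears only the first of those.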
