First, I want to give full credit to this blog because this is the brains behind this tutorial. However, because I’m not as smart as the author, I got stuck a few times so this blog is a ‘dumbed down’ version of the same tutorial but with my notes added for the ‘less smart’ 🙂
Please note that if you have further issues connecting and get this error, you’ll probably want to do the last section where we set up a secure FTP connection using SSL/TLS which seems to be required these days…
You should also have the IP address of your server near you if you don’t already.
1. Create FTP User
ADD USER
# -p takes an already-hashed password (see useradd(8)), so hash it first
sudo useradd -d <ftp_path> -p "$(openssl passwd -6 '<ftp_password>')" -s /usr/sbin/nologin <ftp_login>
- ftp_path = the path to the directory you want to give someone access to
- ftp_password = the password you will give the person who wants to log into this directory
- ftp_login = the ftp username you will give to the person who wants to log into this directory
- note: I added ‘sudo’ to his command – add this if you get stuck with commands
CONFIRM USER EXISTS
Check if the user has been created (see blog above for more)
cat /etc/passwd | grep <ftp_login>
You should see something like this:
your_user_name:x:1000:1000::/path/to/shared/folder:/usr/sbin/nologin
- your_user_name = the ftp_login thing (ftp username you created in step 1)
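An added check, not part of the original tutorial: useradd(8) documents -p as taking an already-encrypted password as returned by crypt(3), so a plaintext value passed there is stored as-is and can never match at login. The script below classifies the password field of shadow-format lines; the function names and the sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): find accounts whose shadow
# password field is not a crypt(3) hash. All sample data below is constructed.

# classify FIELD -> hashed | locked | empty | not-a-hash
# Heuristic: accepts modular "$id$..." hashes; legacy 13-character DES hashes
# are reported as not-a-hash.
classify() {
    case "$1" in
        '')         echo empty ;;
        '!'*|'*'*)  echo locked ;;
        *)  if printf '%s\n' "$1" | grep -Eq '^\$[0-9a-z]{1,2}\$[./A-Za-z0-9$=,]+$'
            then echo hashed
            else echo not-a-hash
            fi ;;
    esac
}

# audit_shadow: read shadow-format lines on stdin and print "user: verdict"
# for every account whose password field is empty or not a hash.
audit_shadow() {
    while IFS=: read -r user field _rest; do
        [ -n "$user" ] || continue
        verdict=$(classify "$field")
        case "$verdict" in
            empty|not-a-hash) echo "$user: $verdict" ;;
        esac
    done
    return 0
}

# Constructed sample: "ftpuser" is what `useradd -p 'Sup3r-Secret!'` leaves behind.
sample_shadow() {
    cat <<'EOF'
alice:$6$c0nstructedsalt$Zm9vYmFyYmF6cXV4Lm5vdC5hLnJlYWwuaGFzaA/x1y2z3:19700:0:99999:7:::
ftpuser:Sup3r-Secret!:19700:0:99999:7:::
backup:!:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::
EOF
}

# Demo on the sample; on a server use: sudo getent shadow <ftp_login> | audit_shadow
sample_shadow | audit_shadow
```

If the FTP account shows up as not-a-hash, resetting its password with passwd replaces the field with a proper hash.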
2. Set Up vsftpd (Very Secure FTP Daemon)
INSTALL VSFTP SOFTWARE
sudo apt install -y vsftpd
- This just works (with sudo)
CONFIRM VSFTP
Check if it’s running:
service --status-all | grep vsftpd
If it is you should see something like this:
[ + ] vsftpd
CONFIRM PORT 21 IS OPEN
FTP runs on port 21. I used a new terminal window on my local machine because I figured it’s probably better to test it from a remote machine since we’re dealing with FTP but the tutorial suggests it doesn’t matter. Grab the server IP address and swap it in for my demo IP address here (the trailing 21 is the port; without it telnet tries port 23):
telnet 123.123.123.123 21
The tutorial is a little unclear here so I’ll give a few more details. After you enter the command, it should ‘hang’ with this message:
Trying 123.123.123.123...
And then nothing more… until a long time later you should get this if you wait long enough:
telnet: Unable to connect to remote host: Connection timed out
But the tutorial says you can just exit while it is ‘hanging’. Note he said ‘control enter’, but that didn’t work for me; ‘control+C’, like for any other terminal command, did work for me to exit.
OPEN PORT 21 IF IT IS CLOSED
Mine was closed and didn’t connect so that means I need to open my port 21. He linked to a blog but even easier is to just run this command blindly from my random blog, lol:
sudo ufw allow 21/tcp
You should see this:
Rule added
Rule added (v6)
And then when you run your ufw status command it should show port 21 as ‘open’. The command is:
sudo ufw status
Confirm your port 21 is open (see instructions above) again from another terminal window. If it’s open like mine is now, you should see this:
Connected to 178.128.238.225.
Escape character is '^]'.
220 (vsFTPd 3.0.3)
Of course, not mentioned anywhere is how to get out of this session, so I tried the ] key, which brought me back to the telnet session root. When I finally searched online, it turned out you just need to type ‘quit’ in the telnet session to close it…
3. Configure vsftp
UPDATE THE VSFTP CONFIGURATION FILE
We need to open the configuration file with nano in the terminal and add the recommended settings from the blog. How you do that is copy the settings to your clipboard and then:
sudo nano /etc/vsftpd.conf
This part was unclear in the blog. I first pasted his entire block of settings to the file at the bottom, however, many of these settings were already in the config file and just needed commenting or uncommenting as follows:
#listen=YES
#listen_ipv6=NO
#anonymous_enable=NO
#local_enable=YES
#write_enable=YES
#chroot_local_user=YES
So go from the top of the config file down and adjust and uncomment as needed.
Then, at the bottom of the file for those that aren’t there, paste them as follows:
allow_writeable_chroot=YES
force_dot_files=YES
pam_service_name=ftp
userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
local_umask=0000
file_open_mode=0777
Then, control+x
Then, ‘y’ to say yes
Then, press enter to save/write the changes to the file.
Now your settings are saved in the configuration file.
Note: likely you will be coming back into this file to add in the SSL/TLS settings at some point.
ADD FTP USER TO THE LOGIN LIST
For security this newly created FTP user has to be on the userlist thingy. However, for whatever reason, I could not get the section of his blog to work with this command:
echo <ftp_login> >> /etc/vsftpd.userlist
Instead, I had to first create the userlist file and simply add the username in it as one line by itself and save, like this:
sudo nano /etc/vsftpd.userlist
This opens up a blank file to enter data in. Then I just typed in my ftp_login (FTP username I created in step 1) into the file. Then I just did the usual control x, y, and enter to save changes.
Confirm the file is there with:
ls -al /etc/
and you should see the new vsftpd.userlist file there.
4. Restart the Vsftp service
As per his blog:
sudo service vsftpd restart
- Note, it will ask for your sudo user password for this command
5. Set Directory Permissions
For this part, it was tricky as always. I had this permissions converter open and pasted in each of the permissions for each directory in the path working backwards from the final directory. So mine was /var/www/html/shop/directory2/directory1 so I ran a check on:
ls -al /var/www/html/shop/directory2/directory1
and then pasted in the drwxr-xr-x from the terminal into the calculator because I’m not smart enough to know if that is 755 (which it was…)
Then I did:
ls -al /var/www/html/shop/directory2/
etc
I found that everything in the path was 755 but the connection still did not work.
This was because something went wrong with my password during the initial user setup. Perhaps it was some special characters? Perhaps the password was too long? Not sure, but I just ran a password reset for my FTP user with the help of this nice blog and now everything is working fine.
Many thanks to the original author of the blog above and I hope this version helps others.
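The walk up the path described in step 5, as an added example that is not part of the original tutorial: it prints the octal mode of each directory so no converter is needed, and flags components that users outside the owner and group cannot enter or that anyone can write to. It assumes GNU stat; the function name and the demo tree are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): show the octal mode of every
# directory from / down to an FTP root.
# Assumes GNU coreutils stat (the -c option), as shipped with Ubuntu.

# walk_modes ABSOLUTE_PATH -> one line per component, root first:
#   "<octal mode> <path>[ <flag>...]"
walk_modes() {
    p=$1
    out=
    case "$p" in
        /*) ;;
        *)  echo "walk_modes: need an absolute path" >&2; return 2 ;;
    esac
    while :; do
        mode=$(stat -c '%a' "$p") || return 1
        other=$(( mode % 10 ))      # last octal digit = permission bits for "other"
        flags=
        if [ $(( other & 1 )) -eq 0 ]; then flags="$flags no-traverse-for-other"; fi
        if [ $(( other & 2 )) -ne 0 ]; then flags="$flags world-writable"; fi
        # Prepend, so the finished listing reads from / downwards.
        out="$mode $p$flags
$out"
        if [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    printf '%s' "$out"
}

# Demo on a constructed tree; on a server pass the ftp_path from step 1 instead.
demo=$(mktemp -d)
mkdir -p "$demo/shop/directory2/directory1"
chmod 755 "$demo" "$demo/shop" "$demo/shop/directory2/directory1"
chmod 750 "$demo/shop/directory2"
walk_modes "$demo/shop/directory2/directory1"
rm -rf "$demo"
```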
Bonus section: Setting Up a Secure FTP Server using SSL/TLS on Ubuntu
As always, thanks to other brains out there, in this case it’s this blog.
I heard that someone trying to connect to my specific folder (which I spent much time above trying to set up) experienced these errors in FileZilla:
Status: Insecure server, it does not support FTP over TLS.
Status: Server does not support non-ASCII characters.
Sure enough I confirmed it too.
Here are my notes to go with this SSL/TLS setup in the blog above.
- Step 1: my server already had the /etc/ssl/private directory so I skipped step 1
- Step 2: filling in these fields was a first for me, and another blog pointed me to this list to confirm my two-digit country code. For the rest, I just filled out the other fields to the best of my ability using my company’s info. After filling out the last field, it got me back to the terminal prompt.
- Step 3 – straightforward. Just followed and it worked. Note: the last command
sudo ufw status
is just to see the list to make sure the first two commands worked and ended up in the ufw list.
- Step 4 –
Note 1: I don’t use VIM or whatever that horribly difficult editor is called, haha. So I used sudo nano.
Note 2: I’m not sure why his path had an actual vsftp directory in it, but based on the first part of my tutorial above, the .conf file was located directly in the /etc directory so I used this command in full to edit the file: sudo nano /etc/vsftpd.conf
Note 3: I found this already in my config file after scrolling a bit so although not clearly mentioned in blog, do your setting changes in this section that looks like this:
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
When you are done following the steps of the blog, your section should now look like this:
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
#rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_min_port=40000
pasv_max_port=50000
Step 9 – didn’t bother with debug…
After restarting the service with the sudo systemctl restart vsftpd.service
I was able to successfully use FTP.
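An added example, not from the original tutorial or the vsftpd project: a small audit of the settings from section 3 and from the SSL/TLS block above. It reports a setup that still allows cleartext logins, uploads created world-writable (file_open_mode with local_umask applied), and keys assigned twice after pasting; the function names and the sample file are constructed, and treating the last assignment as the effective one is an assumption of this example.

```shell
# Added example (not from the original tutorial): audit a vsftpd.conf-style file.
# Assumption: the last uncommented assignment of a key is the effective one.

# effective KEY FILE -> value of the last uncommented KEY=value line (or empty)
effective() {
    awk -F= -v k="$1" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$2"
}

# duplicates FILE -> keys assigned more than once, e.g. after pasting a settings block
duplicates() {
    awk -F= '/^[a-z_0-9]+=/ { n[$1]++ } END { for (k in n) if (n[k] > 1) print k }' "$1" | sort
}

# audit FILE -> one finding per line, nothing when every check passes
audit() {
    f=$1
    [ "$(effective ssl_enable "$f")" = YES ] ||
        echo "tls: ssl_enable is not YES, logins and data are sent in cleartext"
    for k in force_local_logins_ssl force_local_data_ssl; do
        [ "$(effective "$k" "$f")" != NO ] || echo "tls: $k=NO lets local users skip TLS"
    done
    [ "$(effective anonymous_enable "$f")" = NO ] ||
        echo "anon: anonymous_enable is not explicitly NO (built-in default is YES)"
    mode=$(effective file_open_mode "$f"); mask=$(effective local_umask "$f")
    mode=${mode:-0666}; mask=${mask:-077}      # vsftpd's documented defaults
    case "$mode$mask" in
        *[!0-7]*) echo "perm: file_open_mode/local_umask is not octal" ;;
        *)  [ $(( $mode & ~$mask & 2 )) -eq 0 ] ||
                printf 'perm: uploads are created world-writable (mode %o)\n' $(( $mode & ~$mask )) ;;
    esac
    for k in $(duplicates "$f"); do echo "dup: $k is assigned more than once"; done
    return 0
}

# Constructed sample: the section 3 settings pasted under an existing local_umask.
sample_conf() {
    cat <<'EOF'
anonymous_enable=NO
#ssl_enable=YES
ssl_enable=NO
local_umask=022
local_umask=0000
file_open_mode=0777
EOF
}

# Demo on the sample; on a server run: audit /etc/vsftpd.conf
tmp=$(mktemp); sample_conf > "$tmp"; audit "$tmp"; rm -f "$tmp"
```

With local_umask=022 and file_open_mode=0666 the permission finding disappears, since uploads are then created as 0644.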