Install and configure VSFTPD on Ubuntu

As the name suggests, the ‘Very Secure File Transfer Protocol Daemon’ (VSFTPD) is one of the most secure FTP daemons available. vsftpd is used as the default FTP server in the Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL Linux distros, and it is licensed under the GNU General Public License. It is secure, very quick and stable. VSFTPD is a mature and trusted solution that supports virtual users through PAM (Pluggable Authentication Modules). In this tutorial, we will see how to install VSFTPD and how to set it up for different uses on Ubuntu.

Installation

For the installation, you need to enter the following command:

sudo apt-get install vsftpd

After a successful installation, we move on to the configuration, which covers some security settings and user management.

Configuration

To begin with the configuration, open the vsftpd.conf file by typing:

sudo nano /etc/vsftpd.conf

Disable anonymous login and allow local users to write

The very first change we will be making in the config file is:

anonymous_enable=NO

This prevents anonymous logins from unidentified users, which avoids many security issues. Then find the following lines and uncomment them:

local_enable=YES
write_enable=YES

The change above allows local users to log in and to write to the directory.

Chroot users

There are multiple options available for chrooting users. Search for “chroot_local_user” and select one of these as per your needs:

chroot_local_user=YES
chroot_list_enable=NO

The above will chroot all the users.

chroot_local_user=NO
chroot_list_enable=YES

This will allow you to chroot some particular users. You will have to create a file /etc/vsftpd.chroot_list with a list of usernames that you want to chroot.

chroot_local_user=YES
chroot_list_enable=YES

All the users will be free of chroot except some. Create a file /etc/vsftpd.chroot_list with a list of usernames that you want under chroot.

Allowing and denying users from logging in

To deny login to some particular users, add these lines to the file:

# userlist_deny only takes effect when userlist_enable=YES
userlist_enable=YES
userlist_deny=YES
userlist_file=/etc/vsftpd.denied_users

Then create the file /etc/vsftpd.denied_users and add the denied users to it, one user per line. This denies login to those particular users. You can instead allow a particular list of users by adding the following to the config file:

userlist_deny=NO
userlist_enable=YES
userlist_file=/etc/vsftpd.allowed_users

Then create a file vsftpd.allowed_users and add all the usernames, one per line, that you want to allow.

Configuring TLS/SSL/FTPS

If you connect to your system remotely, go through these settings thoroughly, or else your passwords will be sent in plain text. Make sure these options are in your config file; some of them are already present, so check those and change their values where needed.

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Filezilla uses port 21 if you don't set any port
# in Servertype "FTPES - FTP over explicit TLS/SSL"
# Port 990 is the default used for FTPS protocol.
# Uncomment it if you want/have to use port 990.
# listen_port=990

That completes the basic configuration.
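A quick way to confirm that the options above are really active (uncommented and spelled as shown) before restarting. This is an added example, not part of the original tutorial; the function names conf_bool and audit_vsftpd and the sample file are made up for illustration, and an option that is missing from the file is reported as a failure even if the server's built-in default would match.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit a vsftpd.conf for the
# options this page sets. A missing option counts as a failure on purpose.

# Print the value of boolean option $1 in file $2, upper-cased, or nothing.
# Assumes the later of two uncommented "key=value" lines takes effect.
conf_bool() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | tr -d '\r' | tr 'a-z' 'A-Z'
}

# Print one line per check; the exit status is the number of failed checks.
audit_vsftpd() {
    conf=$1 fails=0
    for want in anonymous_enable=NO ssl_enable=YES allow_anon_ssl=NO \
                force_local_data_ssl=YES force_local_logins_ssl=YES \
                ssl_sslv2=NO ssl_sslv3=NO; do
        key=${want%%=*} expected=${want#*=}
        actual=$(conf_bool "$key" "$conf")
        if [ "$actual" = "$expected" ]; then
            echo "ok    $key=$actual"
        else
            echo "FAIL  $key=${actual:-<not set>} (expected $expected)"
            fails=$((fails + 1))
        fi
    done
    # userlist_deny is only examined when userlist_enable=YES.
    if [ -n "$(conf_bool userlist_deny "$conf")" ] &&
       [ "$(conf_bool userlist_enable "$conf")" != YES ]; then
        echo "FAIL  userlist_deny is set but userlist_enable is not YES"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample: TLS left commented out, deny list without userlist_enable.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=NO
local_enable=YES
#ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
userlist_deny=YES
userlist_file=/etc/vsftpd.denied_users
EOF
audit_vsftpd "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

To check the real file, call audit_vsftpd /etc/vsftpd.conf in place of the sample.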

To apply the above settings just close your config file and type:

sudo /etc/init.d/vsftpd restart

Restarting the service will use the new settings and you are done 🙂
