Installing VSFTPD

Yes, yes I know people should be using SFTP over regular FTP and blah, blah, blah. I might set that up for my own uses, but for systems where I’m going to have to deal with regular people I keep normal FTP running but have it running over TLS. I’m not here to try to change the world.

Anyway, to install the VSFTPD service (Very Secure FTP Daemon) on Debian/Ubuntu, it's really easy:

sudo apt-get install vsftpd

However, since plain FTP isn't all that secure and most FTP clients support FTP over TLS these days (FTP running over an encrypted connection), we can enable it by doing the following.

Generate the certificate and key (TLS uses an X.509 certificate; the command below writes a self-signed certificate and its private key into one PEM file):

sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

This will generate a certificate that’s good for a year. You’ll have to generate another one a year later to keep it valid.

Edit your vsftpd.conf (on Debian it's located at /etc/vsftpd.conf).

Add the following lines in the conf file:

rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

Note: force_local_data_ssl and force_local_logins_ssl can be set to NO if you want to give your users the choice between a secured FTP connection over TLS and a plain FTP connection.

If you want to restrict your users to their home directories (which is most likely), uncomment the line that says:

chroot_local_user=YES

I also added the following lines beneath it:

user_sub_token=$USER
local_root=/home/$USER

UPDATE 30NOV16:

I just had to set up everything on a fresh Debian 8 install and noticed that the server didn't want to start due to a configuration error. This new version of VSFTPD by default had rsa_cert_file and rsa_private_key_file as separate files; just point them both to the same file.

(The following section is no longer required on Debian 8 Jessie, left here in case someone is still using Debian 7 Wheezy)
————————————————————

If you are on Debian Wheezy you’ll also need this workaround as the package that comes with the distro is a tad outdated.

Copy the following (run as root) to get an updated package:

echo "deb http://ftp.cyconet.org/debian wheezy-updates main non-free contrib" >> \
/etc/apt/sources.list.d/wheezy-updates.cyconet.list; \
aptitude update; aptitude install -t wheezy-updates debian-cyconet-archive-keyring vsftpd && \
echo "allow_writeable_chroot=YES" >> /etc/vsftpd.conf && /etc/init.d/vsftpd restart

What the command string will do is add a repository, install the keyring, add the line allow_writeable_chroot=YES to your vsftpd config file and then restart the service. Pretty awesome! (note: I claim absolutely no credit for that, I found that on the interwebs and just have it in my notes. Props to whoever did it).

————————————————————

ENABLE PASV CONNECTIONS

Now that we have FTP over TLS running, we'll most likely need to get our server to accept PASV connections. To do that, edit your vsftpd.conf again.

Add the following lines (vsftpd option names are lowercase and matched exactly):

pasv_min_port=30000
pasv_max_port=30999

Save & close

Then add this rule to UFW so it'll allow two-way data transfers on TCP ports 30000-30999 (those were just the arbitrary high-numbered ports I picked).

ufw allow proto tcp from any to any port 30000:30999
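As an added example that is not part of this post: a small Python linter for the vsftpd.conf built above. It parses the one-option-per-line format, checks the TLS and chroot options set earlier, the cert/key pairing from the Debian 8 update note, and the PASV range against the UFW rule, and flags option names vsftpd would reject (names are matched verbatim, so Pasv_min_port is not pasv_min_port). SAMPLE_CONF is a constructed file, not one from the post.

```python
# Constructed sample (not a file from the post): the conf as this post builds it,
# with one deliberate slip, a capitalised PASV option name.
SAMPLE_CONF = """\
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
chroot_local_user=YES
Pasv_min_port=30000
pasv_max_port=30999
"""

# The option=value pairs this post relies on for a TLS-only, chrooted setup.
REQUIRED = {"ssl_enable": "YES", "force_local_data_ssl": "YES",
            "force_local_logins_ssl": "YES", "allow_anon_ssl": "NO",
            "ssl_sslv2": "NO", "ssl_sslv3": "NO", "chroot_local_user": "YES"}

def parse_vsftpd_conf(text):
    """vsftpd.conf is one 'option=value' per line; '#' lines are comments.
    Names are kept exactly as written because vsftpd matches them verbatim."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key] = value
    return settings

def lint_vsftpd_conf(text):
    """Return findings as strings; an empty list means the conf matches the post."""
    s = parse_vsftpd_conf(text)
    findings = [f"{k} should be {v} (found {s.get(k, 'unset')})"
                for k, v in REQUIRED.items() if s.get(k) != v]
    # Debian 8's default conf splits cert and key into two files; the post's
    # openssl command writes both into one PEM, so both options must agree.
    if s.get("rsa_cert_file") != s.get("rsa_private_key_file"):
        findings.append("rsa_cert_file and rsa_private_key_file must name the same PEM")
    # Uppercase letters or stray spaces make vsftpd reject the option as unrecognised.
    findings += [f"malformed option name: {k!r}" for k in s if k != k.strip().lower()]
    # The PASV range must be set, ascending, and match the ufw rule (30000:30999).
    lo, hi = s.get("pasv_min_port", ""), s.get("pasv_max_port", "")
    if not (lo.isdigit() and hi.isdigit() and int(lo) <= int(hi)):
        findings.append("pasv_min_port/pasv_max_port missing or not an ascending range")
    return findings
```

Run it against your real /etc/vsftpd.conf by passing the file's contents to lint_vsftpd_conf before restarting the service.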
