Yes, yes I know people should be using SFTP over regular FTP and blah, blah, blah. I might set that up for my own uses, but for systems where I’m going to have to deal with regular people I keep normal FTP running but have it running over TLS. I’m not here to try to change the world.
Anyways, to install the VSFTPD service (Very Secure FTP Daemon) on Debian/Ubuntu, it's really easy:
sudo apt-get install vsftpd
However, plain FTP isn't all that secure, and most FTP clients these days support FTP over TLS (the same FTP session, just run over an encrypted connection). We can enable it by doing the following:
Generate the certificate (TLS uses an SSL/X.509 certificate and key):
sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
This generates a self-signed certificate that's good for a year. You'll have to generate another one a year later to keep it valid.
Edit your vsftpd.conf (on Debian it's located at /etc/vsftpd.conf).
Add the following lines in the conf file:
Note: force_local_data_ssl and force_local_logins_ssl can be set to NO if you want to give your users the choice between a secured FTP connection over TLS and a plain FTP connection.
If you want to restrict your users to their home directories (which is most likely):
Uncomment the line that says
I also added the following lines under
I just had to set everything up on a fresh Debian 8 install and noticed that the server didn't want to start due to a configuration error. This newer version of VSFTPD by default has rsa_cert_file and rsa_private_key_file pointing at separate files; since the openssl command above writes the key and certificate into one file, just point both options at that same file.
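As an added example (my script, not code from the original post), the following appends the TLS, certificate and chroot directives described above to a vsftpd.conf and then audits that each one is present with the expected value. The option names are real vsftpd options; the CERT_FILE default is the path used in the openssl step above, and a config path is the only input. One caveat on that openssl step: rsa:1024 is below today's usual 2048-bit minimum, so consider regenerating the certificate with rsa:2048.

```shell
#!/bin/sh
# Added example, not code from the original post. Appends the TLS and chroot
# directives to a vsftpd.conf and audits the result. Assumptions: option
# names are the real vsftpd ones; CERT_FILE matches the openssl step above.

CERT_FILE="${CERT_FILE:-/etc/ssl/private/vsftpd.pem}"

# The directives this post adds. Both rsa_* options point at the single
# key+certificate file the openssl command produced (the Debian 8 fix).
# If users' home directories are writable, newer vsftpd also needs
# allow_writeable_chroot=YES (see the Wheezy note in this post).
vsftpd_tls_directives() {
    cat <<EOF
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=$CERT_FILE
rsa_private_key_file=$CERT_FILE
chroot_local_user=YES
EOF
}

# Last uncommented value of option $2 in config $1 (a later line overrides
# an earlier one in vsftpd, so only the last assignment matters).
conf_get() {
    grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-
}

# Append each directive whose option is not yet set at all. An option that
# is already set to a different value is left alone so the audit can flag it;
# safe to run repeatedly.
vsftpd_apply_tls() {
    conf="$1"
    vsftpd_tls_directives | while IFS='=' read -r key val; do
        if [ -z "$(conf_get "$conf" "$key")" ]; then
            printf '%s=%s\n' "$key" "$val" >> "$conf"
        fi
    done
}

# Return 1 and name every directive that is missing or set to another
# value; return 0 when the config matches what this post requires.
vsftpd_audit_tls() {
    conf="$1"; rc=0
    for pair in $(vsftpd_tls_directives); do
        key=${pair%%=*}; want=${pair#*=}
        have=$(conf_get "$conf" "$key")
        if [ "$have" != "$want" ]; then
            echo "$conf: want $key=$want, found '$have'" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (as root): sh vsftpd-tls.sh /etc/vsftpd.conf && service vsftpd restart
if [ -n "${1:-}" ]; then
    vsftpd_apply_tls "$1" && vsftpd_audit_tls "$1" && echo "TLS directives OK in $1"
fi
```

The audit is worth keeping around on its own: run it after any package upgrade, since a new default config (as happened on Debian 8) can silently change which file the rsa_* options point at.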
(The following section is no longer required on Debian 8 Jessie, left here in case someone is still using Debian 7 Wheezy)
If you are on Debian Wheezy you’ll also need this workaround as the package that comes with the distro is a tad outdated.
Copy the following to get an updated package:
echo "deb http://ftp.cyconet.org/debian wheezy-updates main non-free contrib" >> \
aptitude update; aptitude install -t wheezy-updates debian-cyconet-archive-keyring vsftpd && \
echo "allow_writeable_chroot=YES" >> /etc/vsftpd.conf && /etc/init.d/vsftpd restart
What this command string does is add a repository, install the keyring and the newer vsftpd package, append the line allow_writeable_chroot=YES to your vsftpd config file and then restart the service. Pretty awesome! (Note: I claim absolutely no credit for that; I found it on the interwebs and just have it in my notes. Props to whoever did it.)
ENABLE PASV CONNECTIONS
Now that we have FTP over TLS running, we'll most likely need our server to accept PASV (passive-mode) connections. To do that, edit your vsftpd.conf again.
Add the following lines
Save & close
Then add this rule to UFW so it'll allow two-way data transfers on TCP ports 30000-30999 (those are just the arbitrary high-numbered ports I picked):
ufw allow proto tcp from any to any port 30000:30999
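With the control channel encrypted, a stateful firewall's FTP helper can no longer read the PASV reply to open the data port on the fly, so the port range in vsftpd.conf and the UFW rule have to agree by hand. The script below is an added example (mine, not from the original post): it reads pasv_min_port and pasv_max_port from a config file, sanity-checks the range, and prints the matching UFW rule in the form used above. The config path and the option names are the only assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Derives the UFW rule from
# the PASV range in vsftpd.conf so the firewall and the config cannot drift.
# Assumption: the config uses pasv_enable/pasv_min_port/pasv_max_port.

# Last uncommented value of option $2 in config $1.
conf_get() {
    grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-
}

# Sanity-check the PASV range. Returns 1 (reason on stderr) when:
#  - pasv_enable is not YES
#  - either bound is missing or not a plain number
#  - min is above max, or the range leaves 1024-65535
vsftpd_pasv_check() {
    conf="$1"
    if [ "$(conf_get "$conf" pasv_enable)" != "YES" ]; then
        echo "$conf: pasv_enable is not YES" >&2; return 1
    fi
    min=$(conf_get "$conf" pasv_min_port)
    max=$(conf_get "$conf" pasv_max_port)
    for n in "$min" "$max"; do
        case "$n" in
            ''|*[!0-9]*)
                echo "$conf: pasv_min_port/pasv_max_port must be set and numeric" >&2
                return 1 ;;
        esac
    done
    if [ "$min" -gt "$max" ]; then
        echo "$conf: pasv_min_port ($min) is above pasv_max_port ($max)" >&2; return 1
    fi
    if [ "$min" -lt 1024 ] || [ "$max" -gt 65535 ]; then
        echo "$conf: PASV range $min-$max must lie within 1024-65535" >&2; return 1
    fi
    return 0
}

# Print the UFW command that matches the configured range (same form as the
# rule in this post). Fails without printing anything if the check fails.
ufw_rule_for_pasv() {
    vsftpd_pasv_check "$1" || return 1
    printf 'ufw allow proto tcp from any to any port %s:%s\n' \
        "$(conf_get "$1" pasv_min_port)" "$(conf_get "$1" pasv_max_port)"
}

# Usage (as root): sh pasv-rule.sh /etc/vsftpd.conf | sh
if [ -n "${1:-}" ]; then
    ufw_rule_for_pasv "$1"
fi
```

Printing the rule rather than applying it keeps the script harmless to run during an audit; pipe it into sh only once the output looks right.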