I like vsftpd. It's very very simple to configure.
Now let's get to the point.
This installs ssl-cert, openssl and vsftpd, only with anonymous login and just for downloads from a jailed /home/ftp/.
sudo apt-get install vsftpd
Make a copy of the original configuration file. It is very well commented. Keep a copy to have the original settings and comments, just in case.
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.original
Now edit the file /etc/vsftpd.conf and change its settings as follows.
To disable anonymous login and to enable local users login and give them write permissions:
NOTE: It is not advisable to use FTP without TLS/SSL/FTPS over the internet because the FTP protocol does not encrypt passwords. If you do need to transfer files over FTP, consider the use of virtual users (same system users but with non system passwords) or TLS/SSL/FTPS (see below).
# No anonymous login
# Let local users login
# If you connect from the internet with local users, you should enable TLS/SSL/FTPS
# Write permissions
To chroot users
To jail/chroot users (not the vsftpd service), there are three choices. Search for "chroot_local_user" in the file and consider one of the following:
# 1. All users are jailed by default:
# 2. Just some users are jailed:
# Create the file /etc/vsftpd.chroot_list with a list of the jailed users.
# 3. Just some users are "free":
# Create the file /etc/vsftpd.chroot_list with a list of the "free" users.
To deny (or allow) just some users to login
To deny some users to login, add the following options at the end of the file:
In the file /etc/vsftpd.denied_users add the usernames of the users that can't login. One username per line.
To allow just some users to login:
In the file /etc/vsftpd.allowed_users add the usernames of the users that can login.
Users who are not allowed will get an error saying that they can't login before they type their password.
NOTE: you definitely have to use this if you connect from the Internet.
To use vsftpd with encryption (it's safer), change or add the following options (some options aren't on the original config file, so add them):
No need to create a certificate. vsftpd uses the certificate Ubuntu creates upon its installation, the "snake-oil" certificate (openssl package, installed by default). Please don't be afraid of its name!
# Filezilla uses port 21 if you don't set any port
# in Servertype "FTPES - FTP over explicit TLS/SSL"
# Port 990 is the default used for FTPS protocol.
# Uncomment it if you want/have to use port 990.
Install Filezilla (in the repositories), and use the Servertype "FTPES - FTP over explicit TLS/SSL" option to connect to the server with TLS/SSL/FTPS.
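A quick check for the risk the notes above warn about (local logins without TLS), as an added example that is not part of the original post. The function names and the sample file are constructed; the values assumed for absent options are the defaults documented in the vsftpd.conf man page.

```shell
#!/bin/sh
# Added example, not from the original post: flag vsftpd.conf settings that
# let local users' passwords or files travel unencrypted.

# conf_bool FILE OPTION DEFAULT -> YES or NO. vsftpd reads "option=value" lines
# (no spaces around "="), skips "#" comments, and a later line overrides an
# earlier one. DEFAULT is the value vsftpd uses when the option is absent.
conf_bool() {
    cb_val=$(grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]' | tr 'a-z' 'A-Z')
    case "$cb_val" in
        YES|TRUE|1) echo YES ;;
        NO|FALSE|0) echo NO ;;
        *) echo "$3" ;;
    esac
}

# audit_vsftpd_tls FILE -> one finding per line, nothing when the file is clean.
audit_vsftpd_tls() {
    [ "$(conf_bool "$1" local_enable NO)" = YES ] || return 0   # no password logins
    if [ "$(conf_bool "$1" ssl_enable NO)" != YES ]; then
        echo "CLEARTEXT_LOGIN ssl_enable is not YES while local_enable=YES"
        return 0
    fi
    [ "$(conf_bool "$1" force_local_logins_ssl YES)" = YES ] ||
        echo "CLEARTEXT_LOGIN force_local_logins_ssl=NO lets a client skip TLS"
    [ "$(conf_bool "$1" force_local_data_ssl YES)" = YES ] ||
        echo "CLEARTEXT_DATA force_local_data_ssl=NO leaves transfers unencrypted"
    [ "$(conf_bool "$1" ssl_sslv2 NO)" = NO ] || echo "WEAK_PROTOCOL ssl_sslv2=YES"
    [ "$(conf_bool "$1" ssl_sslv3 NO)" = NO ] || echo "WEAK_PROTOCOL ssl_sslv3=YES"
    return 0
}

# Constructed sample: local logins and TLS are on, but logins are not forced onto TLS.
sample_conf() {
    cat <<'EOF'
# constructed sample, not the post's configuration
anonymous_enable=NO
local_enable=YES
write_enable=YES
ssl_enable=YES
force_local_logins_ssl=NO
force_local_data_ssl=YES
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_vsftpd_tls "$tmp"; rm -f "$tmp"
```

Run `audit_vsftpd_tls /etc/vsftpd.conf` after editing and before restarting the service; no output means none of these conditions were found.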
Here are some other available options. The values are examples:
# Show hidden files and the "." and ".." folders.
# Useful to not write over hidden files:
# Hide the info about the owner (user and group) of the files.
# Connection limit for each IP:
# Maximum number of clients:
Apply new configuration settings
Don't forget that to apply new configurations, you must restart the vsftpd service.
sudo /etc/init.d/vsftpd restart
For those who use Webmin, there is a module for VSFTPD here http://www.webmin.com/third.html.
If you find problems when connecting, set pasv_min_port and pasv_max_port in /etc/vsftpd.conf and allow outbound connections in the ports you set in your firewall.
Virtual users with TLS/SSL/FTPS and a common upload directory - Complicated vsftpd
Virtual users are users that do not exist on the system: they are not in /etc/passwd, do not have a home directory on the system and cannot login anywhere but in vsftpd. If they do exist on the system, they can login in vsftpd with a non-system password, for security.
You can set different definitions for each virtual user, granting each of these users different permissions. If TLS/SSL/FTPS and virtual users are enabled, the level of security of your vsftpd server is increased: encrypted passwords, passwords that are not used on the system, and users that can't directly access their home directory (if you want).
The following example is based on and adapted from the example for virtual users on the vsftpd site, the documentation and the very good examples in this forum that can be found here and here.
From the FAQ in vsftpd site:
Note - currently there is a restriction that with guest_enable enabled, local
users also get mapped to guest_username.
This is a polite way to say that if the default vsftpd PAM file is used, the system users will be guests too. To avoid confusion, change the PAM file used by vsftpd to authenticate only virtual users, make all vsftpd users virtual users and set their passwords, home and permissions based on this example.
This is an example for a work directory where various virtual users can save (upload) their work - in this case it will be /home/work, that must be owned by the guest_username (workers).
Create the system user (workers) and the work directory (/home/work) to be used by the virtual users in vsftpd, where they will upload their work:
# Don't use -m (--create-home) option. This avoids creating a home
# directory based on /etc/skel (.bash* and .profile files).
sudo useradd -d /home/work workers
sudo mkdir /home/work
sudo chown workers /home/work
Create directories to save the virtual users definitions.
sudo mkdir /etc/vsftpd
sudo mkdir /etc/vsftpd/vusers
Change the PAM authentication in vsftpd.conf and create a new PAM file that uses the pam_userdb module to provide authentication for the virtual users.
If you haven't done it yet, make a backup copy of your vsftpd.conf or make a backup copy of the default one (it is a very good starting point and it is very well commented, as I previously wrote).
Edit the default /etc/vsftpd.conf:
sudo nano /etc/vsftpd.conf
Change the line anonymous_enable=YES, uncomment local_enable=YES and change pam_service_name=vsftpd:
Then add the TLS/SSL/FTPS definitions (from above) at the end of the file and after them also add:
# Disable anonymous_enable is optional.
# Enable (only) guests.
# This is not needed, it's the default. Just here for clarity.
# Where the guests (virtual) usernames are set.
The default settings in vsftpd.conf only allow the anonymous user, who can download from /home/ftp, is chrooted there and can't upload or create directories. Virtual users are treated as anonymous users by vsftpd. We have disabled anonymous logins, enabled local_users (virtual users in this case, authenticated by the PAM file we will create) and enabled guests (local users - guests - will be virtual users).
The rest of the options are the default ones, so nobody can upload, and because we set guest_enable=YES, if a username exists and has an empty username file, it will be treated as an anonymous user ("ftp" user). We added the TLS/SSL/FTPS so no cleartext passwords are used in the connections.
Now you will override the vsftpd.conf settings for each username individually with files in the directory /etc/vsftpd/vusers, which was set in the "user_config_dir=" option. Let's continue.
Create the new file /etc/pam.d/ftp for the new authentication system:
sudo nano /etc/pam.d/ftp
And add the following content:
auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login
Create a file with the virtual usernames and passwords that can login (one line for username, one line for password and so on for all the users) and call it "logins.txt":
Install libdb3-util, create the login database with the file logins.txt and restrict permissions to the database:
sudo apt-get install libdb3-util
sudo db3_load -T -t hash -f logins.txt /etc/vsftpd/vsftpd_login.db
sudo chmod 600 /etc/vsftpd/vsftpd_login.db
# This is not safe, you should delete this file.
sudo chmod 600 logins.txt
Create a file for the workers settings (mike and sarah on logins.txt):
sudo nano /etc/vsftpd/workers
Add the new definitions for these users (remember that virtual users are treated as anonymous users by default on vsftpd, default anonymous settings are set on /etc/vsftpd.conf):
Link this file to the workers usernames in /etc/vsftpd/vusers/, so that any change made at /etc/vsftpd/workers is applied to all workers (after you restart vsftpd).
sudo ln -s /etc/vsftpd/workers /etc/vsftpd/vusers/mike
sudo ln -s /etc/vsftpd/workers /etc/vsftpd/vusers/sarah
If this was supposed to be for web development, you would add this directory in apache, make it an available site and enable it as an enabled website.
System users as a virtual user with non-system password
The next example is a file for one user, like a system user. Add his username and a password - not the system one please, just to be a little bit safer - in logins.txt and repeat the db3_load command. Create a file named after his username inside /etc/vsftpd/vusers/:
sudo nano /etc/vsftpd/vusers/user
And save the following in it:
# change /home/user to the actual user home directory.
As you can see, guest_username is important because it will be the user that owns the uploaded files in the directories owned by the guest_username, and only files owned by this guest_username can be deleted by him (if you allow it). If you don't set a guest_username, then the "ftp" user will be used (default in /etc/vsftpd.conf). If you create an empty file for a username present in /etc/vsftpd/vsftpd_login.db (logins.txt), this user will only have the permissions set for anonymous users in /etc/vsftpd.conf, his default home directory will be /home/ftp/ and the owner of the files he uploads (if you allow him and the directory is owned by ftp) will be "ftp".
Only usernames that are both in /etc/vsftpd/vsftpd_login.db (logins.txt) AND have a file in /etc/vsftpd/vusers/ can login. So, the username can't login if:
- A file exists in /etc/vsftpd/vusers/ but the username is not in /etc/vsftpd/vsftpd_login.db (logins.txt) - you can add filenames that aren't in the database, no harm done. Restart vsftpd.
- The username is in /etc/vsftpd/vsftpd_login.db (logins.txt) but does not exist in /etc/vsftpd/vusers/ - you can disable logins, just (re)move/rename the file(s) and/or link(s).
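To find the two mismatch cases listed above, and the empty-file case described earlier, before deleting logins.txt, here is an added example that is not part of the original post. The function names, the status labels and the sample data (guest1, olduser, the write_enable=YES line) are constructed; the file format assumed is the one the post describes, username and password on alternating lines.

```shell
#!/bin/sh
# Added example, not from the original post: compare the usernames in a
# logins.txt-format file with the per-user files in the user_config_dir.

# login_names FILE -> the usernames, i.e. the odd-numbered lines (1st, 3rd, ...).
login_names() {
    awk 'NR % 2 == 1 && NF { print $1 }' "$1"
}

# vuser_audit LOGINS_FILE VUSERS_DIR -> "<status> <username>" per line:
#   OK          in both, and the per-user file has settings
#   EMPTY       in both, but the per-user file is empty
#   NO_CONFIG   password entry without a readable file (or a dangling link)
#   NO_PASSWORD per-user file without a password entry
vuser_audit() {
    va_names=$(login_names "$1")
    for va_u in $va_names; do
        if [ ! -r "$2/$va_u" ]; then echo "NO_CONFIG $va_u"
        elif [ ! -s "$2/$va_u" ]; then echo "EMPTY $va_u"
        else echo "OK $va_u"
        fi
    done
    for va_f in "$2"/*; do
        [ -e "$va_f" ] || [ -L "$va_f" ] || continue   # skip unmatched glob
        va_u=${va_f##*/}
        printf '%s\n' "$va_names" | grep -qxF -- "$va_u" || echo "NO_PASSWORD $va_u"
    done
    return 0
}

# Constructed sample in a scratch directory: mike and sarah are the post's
# usernames, guest1 and olduser are made up for the example.
demo() {
    d=$(mktemp -d)
    mkdir "$d/vusers"
    printf 'mike\npw1\nsarah\npw2\nguest1\npw3\n' > "$d/logins.txt"
    echo 'write_enable=YES' > "$d/workers"
    ln -s "$d/workers" "$d/vusers/mike"             # shared settings via symlink
    : > "$d/vusers/guest1"                          # empty per-user file
    echo 'write_enable=YES' > "$d/vusers/olduser"   # no password entry
    vuser_audit "$d/logins.txt" "$d/vusers"
    rm -rf "$d"
}
demo
```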
EDIT1: removed SFTP reference in TLS/SSL/FTPS section
EDIT2: added virtual users configuration.
EDIT3: added allow/deny userlist.