
Debian FTP Server Permission Setup Guide

小樊
2025-09-24 21:24:20
Category: Cloud Computing

Debian FTP Server (vsftpd) Permission Setup Guide

This guide provides a step-by-step approach to configuring permissions for vsftpd (Very Secure FTP Daemon) on Debian, covering user management, directory permissions, and security hardening.

1. Install vsftpd

First, update your package list and install vsftpd:

sudo apt update && sudo apt install vsftpd

2. Configure vsftpd

Edit the main configuration file (/etc/vsftpd.conf) to set core permissions:

sudo nano /etc/vsftpd.conf

Key settings to enable (modify as needed):

  • Allow local users: local_enable=YES
  • Enable file uploads: write_enable=YES
  • Restrict users to home directories (security best practice): chroot_local_user=YES
  • Allow writes in chroot (required if users need to upload): allow_writeable_chroot=YES
  • Use TCP wrappers for access control: tcp_wrappers=YES

Disable anonymous access for security:

anonymous_enable=NO

Save changes and exit the editor.

3. Create FTP Users

Create a dedicated FTP user (e.g., ftpuser) and set a strong password:

sudo adduser ftpuser

Optionally, modify the user’s home directory (if not using the default /home/ftpuser):

sudo usermod -d /path/to/custom/directory ftpuser

Prevent shell login for the FTP user (enhances security):

sudo usermod -s /sbin/nologin ftpuser

4. Set Directory Permissions

Ensure the FTP user’s home directory has correct ownership and permissions:

sudo chown ftpuser:ftpuser /home/ftpuser  # Set owner/group to the FTP user
sudo chmod 755 /home/ftpuser            # Allow read/execute for others (required for FTP access)

For subdirectories where users need to upload files, retain 755 permissions (or use 775 for group write access if collaborating):

sudo chmod -R 755 /home/ftpuser/subdir  # Replace with your subdirectory path

5. Control User Access (Optional but Recommended)

Use a User List for Fine-Grained Access

  1. Add allowed users to /etc/vsftpd.user_list (one per line):
    echo "ftpuser" | sudo tee -a /etc/vsftpd.user_list
    
  2. Enable the user list in vsftpd.conf:
    userlist_enable=YES
    userlist_file=/etc/vsftpd.user_list
    # Only users in the list can log in
    userlist_deny=NO
    

Deny Specific Users

To deny specific users, set userlist_deny=YES and add their usernames to /etc/vsftpd.user_list.

6. Configure Firewall

Allow FTP traffic (port 21) and passive mode ports (default range: 40000–50000) using UFW:

sudo ufw allow 21/tcp
sudo ufw allow 40000:50000/tcp
sudo ufw reload

7. Restart vsftpd

Apply all changes by restarting the service:

sudo systemctl restart vsftpd

Enable automatic startup on boot:

sudo systemctl enable vsftpd

8. Test the Configuration

Use an FTP client (e.g., FileZilla) to connect to your server:

  • Host: Your server’s IP address
  • Username/Password: The FTP user credentials
  • Port: 21 (or the custom port you configured)

Verify that you can:

  • Log in successfully.
  • Upload/download files to/from the home directory.
  • Access only the allowed directories (if using user lists).

Troubleshooting Tips

  • Check logs: If issues occur, review /var/log/vsftpd.log for errors.
  • Permission issues: Ensure the home directory is owned by the FTP user and has 755 permissions.
  • Firewall blocks: Confirm UFW allows FTP ports and passive mode ranges.
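
A pre-restart check for the settings from steps 2, 5 and 6, as an added example that is not part of the original guide: it flags lines vsftpd cannot parse (padding or a trailing comment after the value), options left at their built-in defaults, and a passive port range that differs from the one opened in UFW. The function names, the sample config and the use of pasv_min_port/pasv_max_port to pin the 40000-50000 range are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide): lint a vsftpd.conf.
# Usage: audit_vsftpd_conf FILE [PASV_MIN PASV_MAX]
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_vsftpd_conf() {
    awk -v want_min="${2:-40000}" -v want_max="${3:-50000}" '
    function finding(msg) { print msg; n++ }
    function get(k, dflt) { return (k in opt) ? opt[k] : dflt }
    function yes(k, dflt,    v) {           # vsftpd accepts YES/TRUE/1, any case
        v = toupper(get(k, dflt)); return (v == "YES" || v == "TRUE" || v == "1")
    }
    /^#/ || /^$/ { next }                   # a comment must start its own line
    {
        eq = index($0, "=")
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        # The value is read literally: padding or a trailing "# ..." breaks it.
        if (eq == 0 || key ~ /[ \t]/ || val ~ /^[ \t]/ || val ~ /[ \t]$/ || val ~ /[ \t]#/) {
            finding("SYNTAX line " NR ": " $0); next
        }
        opt[key] = val
    }
    END {
        # Absent options fall back to the built-in defaults passed to get()/yes().
        if (yes("anonymous_enable", "YES")) finding("anonymous_enable is not NO")
        if (!yes("local_enable", "NO")) finding("local_enable is not YES")
        if (!yes("chroot_local_user", "NO")) finding("chroot_local_user is not YES")
        if (yes("userlist_enable", "NO") && yes("userlist_deny", "YES"))
            finding("userlist_deny is not NO: user_list acts as a deny list")
        lo = get("pasv_min_port", 0) + 0; hi = get("pasv_max_port", 0) + 0
        if (lo != want_min || hi != want_max)
            finding("passive ports " lo "-" hi " differ from firewall range " want_min "-" want_max)
        exit (n > 0)
    }' "$1"
}

# Constructed sample: settings from steps 2 and 5 with a trailing inline
# comment on userlist_deny and no pasv_* range set.
sample_conf() {
    printf '%s\n' 'anonymous_enable=NO' 'local_enable=YES' 'write_enable=YES' \
        'chroot_local_user=YES' 'allow_writeable_chroot=YES' 'userlist_enable=YES' \
        'userlist_file=/etc/vsftpd.user_list' \
        'userlist_deny=NO  # Only users in the list can log in'
}

# Demo on the constructed sample ("-" makes awk read standard input).
sample_conf | audit_vsftpd_conf - || true
```

Run it against the real file with audit_vsftpd_conf /etc/vsftpd.conf before restarting the service; a line reported as SYNTAX is not counted as set, so the option it names may be reported a second time.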

By following these steps, you’ll have a secure and functional vsftpd setup with proper permission controls for your Debian server.
