Ubuntu FTP Server Configuration Guide

This guide provides a step-by-step approach to setting up a secure FTP server on Ubuntu using vsftpd (Very Secure FTP Daemon)—the most widely used FTP server software for Linux due to its balance of security, performance, and ease of configuration.

1. Prerequisites

Before starting, ensure your Ubuntu system is up-to-date and has basic tools installed:

sudo apt update && sudo apt upgrade -y

2. Install vsftpd

Install vsftpd using the package manager:

sudo apt install vsftpd -y

The installation includes default configuration files and starts the service automatically.

3. Configure vsftpd

The main configuration file is located at /etc/vsftpd.conf. Back up the original file before making changes:

sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.bak

Edit the file using a text editor (e.g., nano):

sudo nano /etc/vsftpd.conf

Modify the following key parameters to enable secure local user access and restrict privileges:

• Disable Anonymous Access: Prevent unauthorized users from logging in.

  anonymous_enable=NO
  

• Allow Local Users: Enable login for system users (e.g., the FTP user you’ll create).

  local_enable=YES
  

• Enable File Uploads: Allow users to upload files to their directories.

  write_enable=YES
  

• Restrict Users to Home Directories: Enhance security by confining users to their home folders.

  chroot_local_user=YES
  

• Allow Writable Chroot: If users need to write to their home directories (e.g., upload files), enable this option.

  allow_writeable_chroot=YES
  

• Optional: Disable ASCII Mangling: Preserve file permissions during transfers (recommended for compatibility).

  ascii_upload_enable=YES
  ascii_download_enable=YES
  

Save changes (Ctrl+O, Enter, Ctrl+X) and exit the editor.

4. Restart vsftpd

Apply configuration changes by restarting the service:

sudo systemctl restart vsftpd

To ensure the service starts automatically on boot:

sudo systemctl enable vsftpd

5. Create a Dedicated FTP User

For security, avoid using the root account for FTP. Create a dedicated user (e.g., ftpuser) and set a strong password:

sudo adduser ftpuser

Follow the prompts to set a password and optional user details.

Set the User’s Home Directory as the FTP Root:
By default, the user’s home directory (e.g., /home/ftpuser) is their FTP root. Verify the directory exists:

ls -ld /home/ftpuser

If it doesn’t exist, create it and assign ownership to the user:

sudo mkdir -p /home/ftpuser
sudo chown ftpuser:ftpuser /home/ftpuser

6. Configure the Firewall

If you’re using UFW (Uncomplicated Firewall), allow FTP traffic (ports 20/21 for active mode and a range for passive mode):

sudo ufw allow 20/tcp    # Active mode data connection
sudo ufw allow 21/tcp    # FTP control connection
sudo ufw allow 40000:50000/tcp  # Passive mode port range (adjust as needed)
sudo ufw enable          # Enable the firewall

Check the firewall status to confirm rules are applied:

sudo ufw status

7. (Optional) Enable SSL/TLS Encryption

To encrypt FTP traffic and protect credentials, configure SSL/TLS:

Generate a Self-Signed Certificate

Create a certificate and private key for vsftpd:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /etc/ssl/private/vsftpd.key \
    -out /etc/ssl/private/vsftpd.crt

Update vsftpd.conf for SSL

Add the following lines to /etc/vsftpd.conf:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/private/vsftpd.crt
rsa_private_key_file=/etc/ssl/private/vsftpd.key

Restart vsftpd to apply SSL settings:

sudo systemctl restart vsftpd

8. Test the FTP Server

Use an FTP client (e.g., FileZilla) to verify connectivity:

• Host: Your server’s public IP address.
• Username: The FTP user you created (e.g., ftpuser).
• Password: The password for the FTP user.
• Port: 21 (default) or the custom port you configured.
• Encryption: Select “FTP - File Transfer Protocol” (or “FTPES” if SSL is enabled).

Alternative Command-Line Test: Use the ftp command from a terminal:

ftp your_server_ip

Enter the username and password when prompted.

9. Troubleshooting Common Issues

• 500 OOPS: vsftpd: refusing to run with writable root inside chroot():
  This error occurs when the user’s home directory is writable and chroot_local_user=YES is enabled. Fix it by either:
  • Removing write permissions from the home directory:

    sudo chmod a-w /home/ftpuser
    

  • Enabling allow_writeable_chroot=YES in /etc/vsftpd.conf (recommended for user convenience).
• Passive Mode Connection Failures:
  Ensure the passive mode port range (e.g., 40000:50000) is open in your firewall and correctly configured in /etc/vsftpd.conf:

  pasv_enable=YES
  pasv_min_port=40000
  pasv_max_port=50000
  

• Cannot Connect to Port 21:
  Verify that vsftpd is running (sudo systemctl status vsftpd) and that UFW/iptables allows traffic on port 21.

10. Optional Advanced Configurations

• Virtual Users: Create user-specific configurations (e.g., different home directories or permissions) by editing /etc/vsftpd.user_conf and referencing it in /etc/vsftpd.conf with user_config_dir=/etc/vsftpd.user_conf.
• Bandwidth Limiting: Restrict upload/download speeds for users by adding local_max_rate=102400 (100 KB/s) to /etc/vsftpd.conf.
• Idle Timeout: Disconnect inactive users after a set time (e.g., 300 seconds) with idle_session_timeout=300.

By following these steps, you’ll have a secure, functional FTP server on Ubuntu that meets most basic needs. Adjust configurations (e.g., SSL, passive mode ports) based on your specific requirements.