Introduction
Sometimes you want to allow a third party access to your server to upload files, such as a website, but you do not want to provide them with SSH access, which would allow them to run commands as a user on the box. However, plain old FTP transfers, although easy to set up, send both credentials and file contents unencrypted, which may be a worry for you. Here is how to set your Ubuntu 12.04 LTS server up to work with FTP over SSL, using Filezilla as the example client.
Steps
- Filezilla requires ssl_ciphers=HIGH in vsftpd.conf
- Setting both the minimum and the maximum passive port to the same number is mandatory for those of us who have a firewall set up. This ensures that all passive FTP data connections use that single port, instead of a range of ports that would leave a huge gap in your firewall. Setting just one or the other will not work.
Add a user to your Ubuntu system with a corresponding home directory. We will grant them access to their home directory over FTP. (If you need to allow them to get to /var/www/YOUR-SITE, just place a symlink to it in their home directory.)
sudo useradd -d /home/$USERNAME -m $USERNAME
sudo passwd $USERNAME
Install vsftpd:
sudo apt-get update && sudo apt-get install vsftpd -y
Copy the following into your vsftpd config file at /etc/vsftpd.conf. Note that chroot_local_user=YES is commented out below, so the user is not confined to their home directory and can browse the rest of the filesystem with their ordinary Unix permissions; uncomment it if you want them locked to their home directory.
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
#chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd

# If you want ftp over ssl (recommended) you will need the following lines.
# You will probably want to use this location (vsftpd needs to be able to read it)
rsa_cert_file=/etc/ssl/private/vsftpd.pem

# This is required for filezilla to work
ssl_ciphers=HIGH
ssl_tlsv1=YES
#ssl_sslv2=YES
#ssl_sslv3=YES

# This is required for filezilla to work
require_ssl_reuse=NO
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES

# Make sure to run ufw allow 60000/tcp to open this port, everything will go over that
pasv_min_port=60000
pasv_max_port=60000
Now generate a self-signed certificate and RSA key in a single file, at the path that rsa_cert_file in vsftpd.conf points to:
/usr/bin/openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
Note that you can change the 2048 to 4096 for a stronger key, although 2048 should be fine for quite a while. You can also add -days $YOUR-NUM-DAYS-HERE to have the certificate expire in that number of days; without it, openssl req -x509 issues a certificate that is only valid for 30 days.
Restart your vsftpd service:
sudo service vsftpd restart
Set up your firewall, allowing the following ports (I use ufw):
21/tcp
60000/tcp (or whatever port you specified in your min/max of your vsftpd.conf file)
Make sure not to allow your SSH port, so that the same FTP username and password cannot be used to log in over SSH. If you still need SSH access yourself, you can allow your own IP address instead (which will grant that address access to everything).
Try to connect to your server in Filezilla. Make sure you use the same username and password you created above, and set the encryption option to explicit FTP over TLS.
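The mistakes this post warns about (passive ports not set to the same value, TLS not forced, SSLv2/SSLv3 left enabled, wrong cipher list) are easy to spot before restarting the service. The following checker is an added example and not part of the original post; check_vsftpd_conf and conf_get are hypothetical helper names, and it only reads the config file you pass it.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a vsftpd.conf
# for the settings this post depends on. check_vsftpd_conf and conf_get are
# hypothetical helper names. Usage: check_vsftpd_conf /etc/vsftpd.conf

# conf_get FILE KEY: value of the last uncommented KEY=... line, or empty.
conf_get() {
    sed -n "s/^[[:space:]]*$2=\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Prints each problem found; returns 0 only when every check passes.
check_vsftpd_conf() {
    conf=$1
    rc=0
    fail() { echo "FAIL: $*"; rc=1; }
    # TLS must be enabled and forced for both logins and data, otherwise the
    # password or the file contents can still travel in the clear.
    for key in ssl_enable force_local_logins_ssl force_local_data_ssl; do
        case "$(conf_get "$conf" "$key" | tr '[:lower:]' '[:upper:]')" in
            YES|TRUE|1) ;;
            *) fail "$key must be YES" ;;
        esac
    done
    # SSLv2 and SSLv3 are broken protocols; they must stay disabled.
    for key in ssl_sslv2 ssl_sslv3; do
        case "$(conf_get "$conf" "$key" | tr '[:lower:]' '[:upper:]')" in
            YES|TRUE|1) fail "$key must not be enabled" ;;
        esac
    done
    # Filezilla needs the HIGH cipher list, as the post notes.
    [ "$(conf_get "$conf" ssl_ciphers)" = "HIGH" ] || fail "ssl_ciphers must be HIGH"
    # Passive range: both bounds set and equal, so the firewall opens one port.
    min=$(conf_get "$conf" pasv_min_port)
    max=$(conf_get "$conf" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ]; then
        fail "pasv_min_port and pasv_max_port must both be set"
    elif [ "$min" != "$max" ]; then
        fail "pasv_min_port ($min) and pasv_max_port ($max) must be equal"
    fi
    # Anonymous logins have no place on a per-user upload server.
    case "$(conf_get "$conf" anonymous_enable | tr '[:lower:]' '[:upper:]')" in
        NO|FALSE|0) ;;
        *) fail "anonymous_enable must be NO" ;;
    esac
    return $rc
}
```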
Finally figured out I was missing the pasv port stuff... now my ftp is finally working with ufw. Thanks lots
Glad I could be of some help :)
By the way, if you are interested in more tutorials like this, be sure to keep an eye on http://blog.programster.org, where all future updates are posted.