Easy FTP with vsftpd I like vsftpd. It's very very simple to configure.

Now let's get to the point.

Installation
Code: sudo apt-get install vsftpd This installs ssl-cert, openssl and vsftpd, only with anonymous login and just for downloads from a jailed /home/ftp/.

Configuration
Make a copy of the original configuration file. It is very well commented. Keep a copy to have the original settings and comments, just in case. Code: sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.original Now edit the file /etc/vsftpd.conf and change it's settings as follows.

Basic Setup
To disable anonymous login and to enable local users login and give them write permissions: Code: # No anonymous login anonymous_enable=NO # Let local users login # If you connect from the internet with local users, you should enable TLS/SSL/FTPS local_enable=YES # Write permissions write_enable=YES NOTE: It is not advisable to use FTP without TLS/SSL/FTPS over the internet because the FTP protocol does not encrypt passwords. If you do need to transfer files over FTP, consider the use of virtual users (same system users but with non system passwords) or TLS/SSL/FTPS (see below).

To chroot users
To jail/chroot users (not the vsftpd service), there are three choices. Search for "chroot_local_users" on the file and consider one of the following: Code: # 1. All users are jailed by default: chroot_local_user=YES chroot_list_enable=NO

# 2. Just some users are jailed: chroot_local_user=NO chroot_list_enable=YES # Create the file /etc/vsftpd.chroot_list with a list of the jailed users. # 3. Just some users are "free": chroot_local_user=YES chroot_list_enable=YES # Create the file /etc/vsftpd.chroot_list with a list of the "free" users.

To deny (or allow) just some users to login

To deny some users to login, add the following options in the end of the file: Code: userlist_deny=YES userlist_file=/etc/vsftpd.denied_users In the file /etc/vsftpd.denied_users add the username of the users that can't login. One username per line. To allow just some users to login: Code: userlist_deny=NO userlist_enable=YES userlist_file=/etc/vsftpd.allowed_users In the file /etc/vsftpd.allowed_users add the username of the users that can login. The not allowed users will get an error that they can't login before they type their password.

TLS/SSL/FTPS
NOTE: you definitely have to use this if you connect from the Internet. To use vsftpd with encryption (it's safer), change or add the following options (some options aren't on the original config file, so add them): Code: ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=YES ssl_sslv3=YES # Filezilla uses port 21 if you don't set any port # in Servertype "FTPES - FTP over explicit TLS/SSL" # Port 990 is the default used for FTPS protocol. # Uncomment it if you want/have to use port 990.

#listen_port=990 No need to create a certificate. vstfpd uses the certificate Ubuntu creates upon it's installation, the "snake-oil" certificate (openssl package, installed by default). Please don't be afraid of it's name! Install Filezilla (on the repositories), and use the Servertype "FTPES - FTP over explicit TLS/SSL" option to connect to the server with TLS/SSL/FTPS.

Additional Options
Here are some other available options. The values are examples: Code: # Show hidden files and the "." and ".." folders. # Useful to not write over hidden files: force_dot_files=YES # Hide the info about the owner (user and group) of the files. hide_ids=YES # Connection limit for each IP: max_per_ip=2 # Maximum number of clients: max_clients=20

Apply new configuration settings

Don't forget that to apply new configurations, you must restart the vsftpd service. Code: sudo /etc/init.d/vsftpd restart

Webmin Module
For those who use webadmin, there is a module for VSFTPD here http://www.webmin.com/third.html.

Firewall Problems
If you find problems when connecting, set pasv_min_port and pasv_max_port in /etc/vsftpd.conf and allow outbound connections in the ports you set in your firewall. Code: pasv_min_port=12000 pasv_max_port=12100

Virtual users with TLS/SSL/FTPS and a common upload directory Complicated vsftpd

Virtual users are users that do not exist on the system - they are not in /etc/passwd, do not have a home directory on the system, can not login but in vsftpd - or if they do exist, they can login in vsftpd with a non system password - security. You can set different definitions to each virtual user, granting to each of these users different permissions. If TLS/SSL/FTPS and virtual users are enabled, the level of security of your vsftpd server is increased: encrypted passwords, with passwords that are not used on the system, and users that can't access directly to their home directory (if you want). The following example is based and adapted on the example for virtual users in vsftpd site, on documentation and the very good examples in this forum that can be found here andhere. From the FAQ in vsftpd site: Quote:

Note - currently there is a restriction that with guest_enable enabled, local users also get mapped to guest_username.
This is a polite way to say that if the default vsftpd PAM file is used, the system users will be guests too. To avoid confusions change the PAM file used by vsftpd to authenticate only virtual users, make all vsftpd users as virtual users and set their passwords, home and permissions based on this example.

The workshop
This is an example for a work directory where various virtual users can save (upload) their work - in this case it will be /home/work, that must be owned by the guest_username (workers). Create the system user (workers) and the work directory (/home/work) to be used by the virtual users in vsftpd where they will upload their work in it: Code: # Don't use -m (--create-home) option. This avoids creating a home # directory based on /etc/skel (.bash* and .profile files). sudo useradd -d /home/work workers sudo mkdir /home/work sudo chown workers /home/work Create directories to save the virtual users definitions. Code: sudo mkdir /etc/vsftpd sudo mkdir /etc/vsftpd/vusers Change the PAM authentication in vsftpd.conf and create a new PAM file that uses the pam_userdb module to provide authentication for the virtual users. If you still didn't do it, make a backup copy of your vsftpd.conf or make a backup copy of the default one (it is a very good starting point and it is very well commented, as I previously wrote). Edit the default /etc/vsftpd.conf: Code:

sudo nano /etc/vsftpd.conf Change the line anonymous=YES, uncomment local_enable=YES and change pam_service_name=vsftpd: Code: # Disable anonymous_enable is optional. anonymous_enable=NO ... local_enable=YES ... pam_service_name=ftp Then add the TLS/SSL/FTPS definitions (from above) in the end of the file and after it also add: Code: # Enable (only) guests. guest_enable=YES # This is not needed, it's the default. Just here for clarity. guest_username=ftp # Where the guests (virtual) usernames are set. user_config_dir=/etc/vsftpd/vusers The default settings in vsftpd.conf are restricted just for anonymous user that can download from /home/ftp, are chrooted there and can't upload nor create directories. Virtual users are treated as anonymous users by vsftpd. We have disabled anonymous logins, enabled local_users (virtual users in this case, authenticated by the PAM file we will create) and enabled guests (local users - guests will be virtual users). The rest of the options are the default ones, so nobody can upload and because we set guest_enable=YES, if a username exists and have an empty username file, it will be treated as an anonymous user ("ftp" user). We added the TLS/SSL/FTPS so no cleartext passwords are used in the connections. Now you will override the vsftpd.conf settings for each username individually with files in the directory /etc/vsftpd/vusers wich was set in "user_config_dir=" option. Lets continue. Create the new file /etc/pam.d/ftp for the new authentication system: Code: sudo nano /etc/pam.d/ftp And add the following content: Code: auth required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login account required /lib/security/pam_userdb.so db=/etc/vsftpd/vsftpd_login Create a file with the virtual usernames and passwords that can login (one line for username, one line for password and so on for all the users) and call it "logins.txt": Code: mike password1 sarah

password2 Install libdb3-util, create the login database with the file logins.txt and restrict permissions to the database: Code: sudo apt-get install libdb3-util sudo db3_load -T -t hash -f logins.txt /etc/vsftpd/vsftpd_login.db sudo chmod 600 /etc/vsftpd/vsftpd_login.db # This is not safe, you should delete this file. sudo chmod 600 logins.txt Create a file for the workers settings (mike and sarah on logins.txt): Code: sudo nano /etc/vsftpd/workers Add the new definitions for this users (remember that virtual users are treated as anonymous users by default on vsftpd, default anonymous settings are set on /etc/vsftpd.conf): Code: write_enable=YES anon_mkdir_write_enable=YES anon_other_write_enable=YES anon_upload_enable=YES local_root=/home/work chroot_local_user=YES dirlist_enable=YES download_enable=YES guest_username=workers Link this file to the workers usernames in /etc/vsftpd/vusers/, so that any change made at /etc/vsftpd/workers is applied to all workers (after you restart vsftpd). Code: sudo ln -s /etc/vsftpd/workers /etc/vsftpd/vusers/mike sudo ln -s /etc/vsftpd/workers /etc/vsftpd/vusers/sarah If this was suppose to be for web development, you would add this directory in apache, make it an available site and enable it as an enabled website. Restart vsftpd.

System users as a virtual user with non-system password

The next example file for one user, like a system user. Add his username and a password - not the system one please, just to be a little bit safer - in logins.txt and repeat the db3_load command. Create a file named after his username inside /etc/vsftpd/vusers/: Code: sudo nano /etc/vsftpd/vusers/user And save the following in it: Code:

write_enable=YES anon_mkdir_write_enable=YES anon_other_write_enable=YES anon_upload_enable=YES chroot_local_user=YES # change /home/user to the actual user home directory. local_root=/home/user dirlist_enable=YES download_enable=YES guest_username=user As you can see, guest_username is important because it will be the user that owns the uploaded files on the directories owned by the guest_username and only files owned by this guest_username can be deleted by him (if you allow it). If you don't set a guest_username, then the "ftp" user will be the used (default in /etc/vsftpd.conf). If you create an empty file of a username present in /etc/vsftpd/vsftpd_login.db (logins.txt), this user will only have the permissions set to anonymous users in /etc/vsftpd.conf, his default home directory will be /home/ftp/ and the owner of the files he uploads (if you allow him and the directory is owned by ftp) will be "ftp". Only usernames in both /etc/vsftpd/vsftpd_login.db (logins.txt) AND with a file in /etc/vsftpd/vusers/ can login. So, the username can't login if: - If a file exist in /etc/vsftpd/vusers/ but the username is not in /etc/vsftpd/vsftpd_login.db (logins.txt) - you can add filenames that aren't on the database, no harm done. - If the username is in /etc/vsftpd/vsftpd_login.db (logins.txt) but do not exist in /etc/vsftpd/vusers/ - you can disable logins, just (re)move/rename the file(s) and/or link(s). Restart vsftpd. EDIT1: removed SFTP reference in TLS/SSL/FTPS section EDIT2: added virtual users configuration. EDIT3: added allow/deny userlist.

I'd like to share these folders: /media/hda1/HL /media/sda1/#MP3 How can I do this?
Hi ungluun, I suppose you want a "mp3" user for this. If it is, the simplest way to do it is to create a user which its home folder in /media/sda1/MP3: Code: sudo groupadd mp3 sudo useradd -c "FTP mp3" -d /media/sda1/MP3 -g mp3 mp3 Set his password:

Code: sudo passwd mp3 And restart vsftpd: Code: sudo /etc/init.d/vsftpd restart If you have all users chrooted, it will work with no more changes. That should be simple to do. You should enable write permissions to users (all) with: Code: write_enable=YES but disable write permission to anonymous with: Code: anon_upload_enable=NO NOTE: if you DO enable anonymous to write/upload files, you should change the default owner of those files (for security reasons) with: Code: chown_upload=YES chown_username=some_username_with_write_permission_on_the_directory Another note: If you want to add certain setting to individual users, create a directory that will have the settings of those users: Code: sudo mkdir /etc/vsftpd_user_conf Edit vsftp configuration file to read that directory: Code: sudo nano /etc/vsftpd.conf and set the user_config_dir variable (non-existent in the default configuration file) to read that directory: Code: user_config_dir=/etc/vsftpd_user_conf

Inside the /etc/vsftpd_user_conf directory, create a file named with the username of the "exception" user and set the variables/options that you want him/them to have as exceptions to the default configuration. For various users, various files, each one with different settings if you want. Don't forget to restart vsftp each time you change its configuration Code: sudo /etc/init.d/vsftpd restart Hello, I have followed this tutorial and managed to get vsftpd up and running using FTP over explicit TLS/SSL, however, the third party connecting to it have demanded we use implicit! I cannot find any howtos on the Internet. Could someone please advise? Thank you did you try Code: listen_port=990 Allowing FTP Access to Files Outside the Home Directory Chroot JUL 27TH, 2006 | COMMENTS When we setup an FTP server software (regardless if this is proftpd, vsftpd, etc.) we might face a dilemma: we want to restrict the access that ftp users will have (limited access to files normally in their own home directory) but also we want to allow them access to another folder that is normally in a different location (like development files for whatever work they are doing). The problem is that if we configure the chroot restriction for the ftp users we will notice that as expected they will be locked in the chrooted folder (lets say their home directory). If we try to create a symlink to the other folder they need access, this will just not allow them to change into that folder (break out the chroot) and this is very normal. To exemplify this lets consider that I am using vsftpd and one user ftp_user. Chroot restriction is enabled on ftp accounts and his home is in /home/ftp_user. But I need to provide him access for another folder /var/www/dev/. Even though I am using here vsftpd the same concept applies to any other ftp server software. The configurations for vsftpd are basic ones (but I will include them at the end of the post for reference). The important one here is: chroot_local_user=YES Of course that one solution to overcome this limitation is to disable chroot and allow the ftp users full access to all the system files. This is not at all recommended and this little tip will show you how you can achieve this with chroot enabled. The solution to this little problem is to mount the needed directory using the bind parameter from the man page of mount: bind Remount a subtree somewhere else (so that its contents are available in both places) . So we might do something like: mkdir /home/ftp_user/www_dev mount --bind /var/www/dev/ /home/ftp_user/www_dev After this the ftp user will be able to see the needed files in his home directory and use them in his ftp client as if they were local files. If you need to make this configuration permanent you can either add the mount command in some startup script or you can just include a line in /etc/fstab: /var/www/dev /home/ftp_user/www_dev none bind 0 0 I hope that you have found this tip useful in case you have a similar issue Just for the reference here is the vsftpd configuration used (the important parameter is only the one noted abovechroot_local_users): /etc/vsftpd.conf

listen=YES anonymous_enable=NO local_enable=YES write_enable=YES dirmessage_enable=YES xferlog_enable=YES connect_from_port_20=YES chroot_local_user=YES secure_chroot_dir=/var/run/vsftpd pam_service_name=vsftpd rsa_cert_file=/etc/ssl/certs/vsftpd.pem