VSFTP

Very Secure FTP - FTP Server software

What is vsFTP

vsFTPd, which stands for “Very Secure FTP daemon,” is an open-source FTP server software designed with a strong emphasis on security, stability, and performance. Developed for Unix-like operating systems, vsFTPd is renowned for its lightweight nature and efficient use of system resources, making it a popular choice for hosting FTP services on servers ranging from personal systems to large-scale enterprise environments. One of its primary goals is to provide a secure environment for FTP file transfers, achieved through a combination of robust security features and adherence to best practices.

One of the key features of vsFTPd is its focus on security. It offers a range of security options, including support for both IPv4 and IPv6, encryption via SSL/TLS for secure connections, and extensive configuration options to enforce access restrictions and user permissions. By default, vsFTPd is configured to limit user access rights to their respective home directories, reducing the risk of unauthorized access to sensitive system files or directories. Additionally, vsFTPd has a reputation for its proactive approach to security, with frequent updates and a responsive development team dedicated to addressing any reported vulnerabilities promptly.

In addition to its robust security features, vsFTPd is known for its high performance and scalability. It is optimized for efficiency, with minimal overhead and low memory usage, ensuring smooth operation even under heavy load. vsFTPd’s scalability makes it suitable for deployment in a variety of environments, from small personal servers to large enterprise networks serving thousands of concurrent users. Its performance benefits are further enhanced by support for features such as asynchronous I/O, which maximizes throughput and minimizes latency during file transfers. Overall, vsFTPd’s combination of security, performance, and scalability makes it a top choice for organizations seeking a reliable and secure FTP server solution.

How to Install vsftpd

(You actually need more than just vsftpd package in order to install vsftpd properly)

a) Make sure before installing that your system is up to date with packages
sudo apt update && apt upgrade -y
b) And reboot the server
sudo systemctl reboot

These are the recommended packages
vsftpd: is the ftp server
ftp: is the protocol
ufw: is the firewall

c) Install the package
sudo apt install vsftpd ftp ufw
d 1) Verify vsftpd is is installed
vsftpd -v
or
d 2) man vsftpd

e) Start the vsftpd service
sudo systemctl start vsftpd

CONFIGURE – The ufw firewall

Make sure to configure firewall correct. These port depends depends on using active/passive mode. This tutorial is using a failsafe setting

a) Port 20 – The data port
sudo ufw allow 20/tcp

b) Port 21 – The control port
sudo ufw allow 21/tcp

c) Port 990 – FTPS (FTP Secure)(NOT officially reserved by IANA)
sudo ufw allow 990/tcp

d) Port 40000-50000 Range of port when ftp server is configured in passive mode
sudo ufw allow 40000:50000/tcp

e) Make theese rules apply by
sudo ufw disable && sudo ufw enable

f) Check the status on ufw
systemctl status ufw

f 1) If not running start it
systemctl start ufw

CONFIGURE – Set up a ftp user

Note: vsftp actually uses the same user account as the Linux, e.i the one that a user can log in

User needs to set up so they can connect to a ftp server. We will create a user named daniel
a) Create a user (the -m parameter creates a home directory for that user)
sudo useradd -m daniel

b) Set the password for user daniel
sudo passwd daniel

c) Create a ftp folder for that user
sudo mkdir /home/daniel/ftp

d) Change ownership of folder /home/daniel/ftp
sudo chown nobody:nogroup /home/daniel/ftp

e) Change permission of folder /home/daniel/ftp. Remove write permissions for all users
sudo chmod a-w /home/daniel/ftp

f) Create a folder for file uploads
sudo mkdir /home/daniel/ftp/files

g) Change ownership of folder /home/daniel/ftp/files
sudo chown daniel:daniel /home/daniel/ftp/files

h)Create a test file to verify it there when we connect
echo "Hello World. This is a dummy text for testing purposes only" | sudo tee /home/daniel/ftp/files/testfoo.txt

CONFIGURE – vsftp server

We need to configure this up. Many variation here but is one for passive mode
Note: Make a bakup of the vsftpd.conf is note a bad idea
a) Open the main configuration file – /etc/vsftpd.conf
sudo nano /etc/vsftpd.conf

b) Make sure these setting are setup. You will need to comment/uncomment or even add settings

# Permitting anonymous ftp logins
anonymous_enable=NO 

# Allowing local system users to log in, IMPORTANT
local_enable=YES 

# Allowing write permissions (usually need to uncomment this line)
write_enable=YES 

# Restrict users to their home directories (usually need to uncomment this line, )
chroot_local_user=YES 

#Following lines add to the bottom of the file
# Dynamically setting the user's home directory
user_sub_token=$USER 

# Set the FTP root directory for each user (usually need to uncomment this line, .)
local_root=/home/$USER/ftp 

# Minimum port for passive mode (Should match the range set up in ufw)
pasv_min_port=40000 

# Maximum port for passive mode( Should match the range set up in ufw)
pasv_max_port=50000 

# Enable the userlist feature
userlist_enable=YES 

# Define the file that contains the list of allowed/denied users
userlist_file=/etc/vsftpd.userlist 

# Control whether users in the userlist are allowed or denied access
userlist_deny=NO

c) Create the user list file if not present (as specified in the vsftpd.conf file) add adds user daniel to that file
echo "daniel" | sudo tee -a /etc/vsftpd.userlist

d) Restart the vsftpd server
sudo systemctl restart vsftpd

Note 1: You could check the currently logged in user with command whoami
Note 2: ALL user on the system could be viewed in file /etc/passwd first column

Termomonlogy and Concept

Basic Terminology

  1. FTP (File Transfer Protocol): A standard network protocol used to transfer files from one host to another over a TCP-based network, such as the Internet.
  2. vsftpd (Very Secure FTP Daemon): An FTP server for Unix-like systems, known for its security, performance, and configurability.
  3. Control Connection: The connection established between the client and the server on port 21 used for sending commands and responses.
  4. Data Connection: The connection used for transferring actual data (files) between the client and the server, which can be established on various ports depending on the mode (Active or Passive).

Modes of Operation

  1. Active Mode: An FTP mode where the server initiates the data connection back to the client from its port 20 to the client’s specified port.
  2. Passive Mode: An FTP mode where the client initiates both the control and data connections. The server opens a random port (from a configured range) for the data connection.

Configuration Concepts

  1. Configuration File (vsftpd.conf): The main configuration file for vsftpd, typically located at /etc/vsftpd/vsftpd.conf, where various settings and parameters are defined.
  2. Anonymous FTP: A configuration allowing users to log in to the FTP server without a user account, often used for public file distribution.
  3. Chroot Jail: A security feature that confines users to a specific directory, preventing them from accessing the rest of the filesystem.
  4. Local User: An FTP user that has a corresponding account on the server system, with credentials stored in /etc/passwd.

Security Features

  1. TLS/SSL Encryption: Security protocols (Transport Layer Security / Secure Sockets Layer) used to encrypt data transferred over FTP, often implemented in FTP over SSL/TLS (FTPS).
  2. Firewall Configuration: The process of configuring the server and network firewalls to allow FTP traffic, including opening the appropriate control and data ports.
  3. User Authentication: The process of verifying user credentials before allowing access to the FTP server.
  4. Access Controls: Rules and settings in vsftpd.conf that define which users or groups can access the server and what permissions they have.

Performance and Optimization

  1. Concurrent Connections: The number of simultaneous connections the FTP server can handle. Configurable to optimize server performance.
  2. Transfer Rates: Settings to limit or control the data transfer speeds for uploads and downloads.

Commands and Utilities

  1. FTP Commands: Standard commands used in FTP interactions, such as USER, PASS, STOR, RETR, LIST, and QUIT.
  2. vsftpd Utilities: Tools and scripts that come with vsftpd for managing and monitoring the FTP server, such as ftpusers and ftpaccess.

Log Files and Monitoring

  1. Log Files: Files where vsftpd logs its activity, typically found in /var/log/vsftpd.log. Used for monitoring and troubleshooting.
  2. System Logging: Integration with system logging services (e.g., syslog) to record FTP server events.

Advanced Features

  1. Virtual Users: Users that are not defined in the system’s /etc/passwd file but in a separate database, allowing for more flexible and secure user management.
  2. User Isolation: Ensuring each user can only access their own directories and files, often implemented through chroot jails.
  3. Bandwidth Throttling: Limiting the data transfer rates for users to ensure fair usage and server performance.
  4. IP-Based Restrictions: Configurations to allow or deny access based on client IP addresses.
  5. Banner Messages: Custom messages displayed to users upon connection or login, defined in vsftpd.conf.

Passive vs Active Port

Active Mode FTP

In Active Mode FTP, the client opens a random, unprivileged port (N > 1023) and sends the FTP command PORT N to the server. This command tells the server which client-side port it should connect to for data transfer. Here’s how it works:

  1. Control Connection: The client connects to the server’s command port (21) from a random port on the client (N1).
  2. Data Connection: When data transfer is required, the client opens a random port (N2) and sends the PORT N2 command to the server. The server then initiates the data connection from its data port (20) to the client’s specified port (N2).

Example of Active Mode:

  • Client: Initiates connection from port 1025 to server’s port 21.
  • Client: Sends PORT 1026 command to server.
  • Server: Establishes a data connection from port 20 to client’s port 1026.

Passive Mode FTP

In Passive Mode FTP, the roles for initiating the data connection are reversed. The client initiates both the control and data connections. This mode is often used to overcome issues with client-side firewalls that block incoming connections. Here’s the process:

  1. Control Connection: The client connects to the server’s command port (21) from a random port on the client (N1).
  2. PASV Command: The client sends a PASV command to the server, which causes the server to open a random, unprivileged port (P > 1023) and send the 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) response. This response contains the server’s IP address and the port number (P) it has opened for data transfer.
  3. Data Connection: The client then connects from another random port (N2) to the server’s specified port (P) for data transfer.

Example of Passive Mode:

  • Client: Initiates connection from port 1025 to server’s port 21.
  • Client: Sends PASV command.
  • Server: Opens port 2024 and responds with 227 Entering Passive Mode (192,168,1,2,7,228) (port 2024 is represented by the values 7 and 228).
  • Client: Connects from port 1026 to server’s port 2024.

Differences and Application:

  • Active Mode:
    • Server initiates the data connection to the client.
    • Requires the client to accept connections from the server, which can be problematic with firewalls and NAT.
    • Uses server port 20 for data transfer.
  • Passive Mode:
    • Client initiates both the control and data connections.
    • Works better with client-side firewalls and NAT since it doesn’t require the client to accept incoming connections.
    • Uses a random port on the server for data transfer.

Choosing the Mode:

  • Active Mode is suitable when the client has a public IP address and there are no firewall restrictions on incoming connections.
  • Passive Mode is more suitable for clients behind firewalls or NAT, as it minimizes connection issues by ensuring the client initiates all connections.

Firewall Configuration for FTP:

  • For Active Mode:
    • Open port 21 on the server for control connections.
    • Open port 20 on the server for data connections (if the server initiates them).
    • Ensure the client’s firewall allows incoming connections to the specified data port (N).
  • For Passive Mode:
    • Open port 21 on the server for control connections.
    • Open a range of ports on the server for passive data connections.
    • Ensure the client’s firewall allows outgoing connections to the server’s data port range.

By understanding these modes and their implications, you can better configure your FTP server and client to work efficiently within your network setup.

Folder/files structure and configuration

folder-structure

To set up vsftpd (Very Secure FTP daemon), you primarily need the main configuration file vsftpd.conf. However, depending on your specific requirements and configuration, you might also need additional files or directories. Here’s a list of the main configuration files and directories typically used when setting up vsftpd:

  1. Main Configuration File:
    • /etc/vsftpd.conf or /etc/vsftpd/vsftpd.conf: This file contains the main configuration options for vsftpd. It controls various aspects of the FTP server’s behavior, including security settings, user access, logging, and more.
  2. User Configuration File:
    • /etc/vsftpd/user_list: This optional file lists users that are allowed or denied access to the FTP server. Users listed in this file can be allowed (allow) or denied (deny) access based on the server’s configuration.
  3. Virtual Users Configuration Directory:
    • /etc/vsftpd/virtual_users/: This directory is used when configuring virtual users for vsftpd. Virtual users are users that do not have an entry in the system’s /etc/passwd file and are managed separately. Configuration files for virtual users are typically stored within this directory.
  4. SSL/TLS Certificate and Key Files:
    • /etc/ssl/private/vsftpd.pem: If you’re using SSL/TLS encryption for secure FTP connections, you’ll need SSL certificate and key files. These files contain the server’s SSL certificate and private key used for encrypting communication between the FTP client and server.
  5. Chroot Directory (Optional):
    • /srv/ftp/ or /home/ftp/: This directory is often used as the root directory for FTP users, especially if you want to restrict users to their home directories (chroot jail). You might need to create this directory if it doesn’t already exist.

These are the main configuration files and directories commonly used when setting up vsftpd. Depending on your specific setup and requirements, you may not need all of them, but they cover the essential components for configuring and managing vsftpd.

FAQ

vsftpd vs vsftp

The main difference between vsftpd and vsftpd (with the extra ‘d’) lies in the terminology:

  1. vsftpd: This stands for Very Secure File Transfer Protocol Daemon. It is the actual FTP server software used to transfer files over a network. The “d” at the end of vsftpd stands for “daemon,” which is a type of program that runs in the background and waits for requests from clients. So, vsftpd is the software package name that you install to set up an FTP server.
  2. vsftp: This term without the “d” isn’t typically used in practice and may be a typo. The correct and official name for the software is vsftpd. If you’re seeing vsftp in documentation or a command, it may just be a shorthand or an accidental omission of the “d” from vsftpd.
Links and documentation