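#!/usr/bin/env bash
# Install and harden vsftpd (Very Secure FTP Daemon) on a Debian/Ubuntu host:
# one chrooted local user, an explicit allow-list of users, a passive-port
# range that matches the firewall rules, and explicit FTP over TLS.
#
# Usage:    ./vsftpd-setup.sh        (prompts for sudo, the user's password,
#                                     and the certificate subject)
# Requires: apt, ufw, systemctl, openssl, sudo.
#
# The original walkthrough edited /etc/vsftpd.conf by hand in nano and ran an
# interactive plaintext `ftp` session. This version appends the same settings
# non-interactively, guards each step so the script can be re-run, and adds
# the pasv_* tunables that the firewall range was opened for but which the
# walkthrough never set (without them passive transfers hang on random ports).
set -euo pipefail

readonly FTP_USER=ftpusr1
readonly FTP_ROOT="/home/${FTP_USER}/ftp"
readonly VSFTPD_CONF=/etc/vsftpd.conf
readonly USERLIST=/etc/vsftpd.userlist
readonly CERT_FILE=/etc/ssl/private/vsftpd.pem
# Passive data-connection range: used for both the ufw rule and the
# pasv_min_port/pasv_max_port tunables so the two cannot drift apart.
readonly PASV_MIN=40000
readonly PASV_MAX=50000

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Install vsftpd, start it, enable it at boot, and keep a pristine copy of
# the shipped config for later diffing.
# Globals: VSFTPD_CONF (read)
#######################################
install_vsftpd() {
  sudo apt install -y vsftpd
  sudo systemctl start vsftpd
  sudo systemctl enable vsftpd
  sudo systemctl status --no-pager vsftpd
  # Only back up once; a second run must not overwrite the original copy.
  if [[ ! -e "${VSFTPD_CONF}.orig" ]]; then
    sudo cp -- "${VSFTPD_CONF}" "${VSFTPD_CONF}.orig"
  fi
}

#######################################
# Open the FTP control port (21), active-mode data port (20), implicit FTPS
# port (990) and the passive range in ufw.
# Globals: PASV_MIN, PASV_MAX (read)
#######################################
open_firewall() {
  sudo ufw allow 20/tcp
  sudo ufw allow 21/tcp
  sudo ufw allow 990/tcp
  sudo ufw allow "${PASV_MIN}:${PASV_MAX}/tcp"
  sudo ufw status
}

#######################################
# Create the FTP user and the chroot layout. The chroot root itself is owned
# by nobody and not writable by anyone (vsftpd refuses to chroot into a
# writable directory); uploads go into a user-owned "files" subdirectory.
# Globals: FTP_USER, FTP_ROOT (read)
#######################################
create_ftp_user() {
  if ! id -u "${FTP_USER}" >/dev/null 2>&1; then
    sudo adduser "${FTP_USER}"   # interactive: asks for the password
  fi
  sudo mkdir -p -- "${FTP_ROOT}/files"
  sudo chown nobody:nogroup -- "${FTP_ROOT}"
  sudo chmod a-w -- "${FTP_ROOT}"
  sudo chown "${FTP_USER}:${FTP_USER}" -- "${FTP_ROOT}/files"
  sudo ls -la -- "${FTP_ROOT}"
  # A known file so the first login has something to list and download.
  printf '%s\n' "vsftpd test file text contents" \
    | sudo tee -- "${FTP_ROOT}/files/test.txt" >/dev/null
}

#######################################
# Append the access-control settings to vsftpd.conf (later lines override the
# defaults shipped above them). Skipped if the marker comment is already
# present so re-running does not duplicate the block.
# Globals: VSFTPD_CONF, USERLIST, PASV_MIN, PASV_MAX, FTP_USER (read)
#######################################
configure_access() {
  if ! sudo grep -qF -- '# --- vsftpd-setup: access ---' "${VSFTPD_CONF}"; then
    # The heredoc is unquoted so ${USERLIST} and the pasv ports expand, but
    # $USER is escaped: vsftpd substitutes it per login via user_sub_token,
    # and the shell must not replace it with the invoking user's name.
    sudo tee -a -- "${VSFTPD_CONF}" >/dev/null <<EOF
# --- vsftpd-setup: access ---
anonymous_enable=NO
local_enable=YES
write_enable=YES
# Confine each local user to its own tree; they cannot see files outside it.
chroot_local_user=YES
user_sub_token=\$USER
local_root=/home/\$USER/ftp
# Only users explicitly named in the list may log in.
userlist_enable=YES
userlist_file=${USERLIST}
userlist_deny=NO
# Advertise the same passive range the firewall opens.
pasv_enable=YES
pasv_min_port=${PASV_MIN}
pasv_max_port=${PASV_MAX}
EOF
  fi
  # Allow-list the user exactly once (-x: whole-line match).
  if ! sudo grep -qxF -- "${FTP_USER}" "${USERLIST}" 2>/dev/null; then
    printf '%s\n' "${FTP_USER}" | sudo tee -a -- "${USERLIST}" >/dev/null
  fi
  sudo cat -- "${USERLIST}"
  sudo systemctl restart vsftpd
}

#######################################
# Generate a self-signed certificate and key in one PEM (prompts for the
# subject fields unless it already exists), then require TLS for local
# logins and data transfers.
# Globals: CERT_FILE, VSFTPD_CONF (read)
#######################################
configure_tls() {
  if [[ ! -e "${CERT_FILE}" ]]; then
    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout "${CERT_FILE}" -out "${CERT_FILE}"
    # The PEM holds the private key: root-only.
    sudo chmod 600 -- "${CERT_FILE}"
  fi
  if ! sudo grep -qF -- '# --- vsftpd-setup: tls ---' "${VSFTPD_CONF}"; then
    sudo tee -a -- "${VSFTPD_CONF}" >/dev/null <<EOF
# --- vsftpd-setup: tls ---
rsa_cert_file=${CERT_FILE}
rsa_private_key_file=${CERT_FILE}
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
# ssl_tlsv1=YES still admits TLS 1.0 (SSLv2/v3 are refused below). Check
# 'man vsftpd.conf' for the per-version ssl_tlsv1_* tunables your build
# offers and prefer TLS 1.2 or newer.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
EOF
  fi
  sudo systemctl restart vsftpd
}

#######################################
# Entry point: run every step in order after checking the required tools.
#######################################
main() {
  local tool
  for tool in apt ufw systemctl openssl; do
    command -v "${tool}" >/dev/null || die "required tool not found: ${tool}"
  done
  install_vsftpd
  open_firewall
  create_ftp_user
  configure_access
  # A plaintext check (ftp -p <server-ip>, then "bye") only works before this
  # step; once force_local_logins_ssl=YES is active, non-TLS clients are
  # refused and a TLS-capable client is required.
  configure_tls
  printf '%s\n' \
    "Done. Connect with a client in explicit FTP over TLS mode" \
    "(FileZilla: encryption 'Require explicit FTP over TLS')."
}

main "$@"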