This is a quick post describing some issues that you may face while installing and running vsftpd on an Ubuntu host. I will quickly walk through the steps, beginning with installation and then configuration for general-purpose FTP access.
1. Install and run vsftpd without login shell
The most obvious thing when running an FTP server is to give its users a non-login shell. This is quite easy on Red Hat based distros, but on Ubuntu you need to do something extra before users with a non-login shell can access FTP.
Install vsftpd server and start it:
$ apt-get install vsftpd
$ /etc/init.d/vsftpd start
Add the user who needs FTP access without shell access:
$ useradd -s /usr/sbin/nologin ftpuser
Make sure that /usr/sbin/nologin is listed in the /etc/shells file; otherwise, when you try to access FTP, you may encounter the following issue:
$ ftp ftpuser@serverip
Connected to serverip.
220 (vsFTPd 2.2.2)
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
Do not misinterpret this message as meaning that the password is wrong; it is actually due to the shell.
Add /usr/sbin/nologin to the /etc/shells file:
$ vim /etc/shells
/usr/sbin/nologin
Now try to access ftp server again and you should be able to do it smoothly.
2. Allow user to upload/overwrite files using ftp
The next thing to remember is that the default behavior of vsftpd on Ubuntu is to deny write operations. If you try to upload or overwrite files, you may encounter the following error:
Requested action not taken (e.g., file or directory not found, no access).
You need to specify explicitly that local users should be able to use FTP and upload/overwrite files by updating the configuration:
$ vim /etc/vsftpd.conf
## uncomment local_umask option, it should look like below
local_umask=022
## uncomment write_enable option, it should look like below
write_enable=YES
Save and close the config file and restart the vsftpd service to apply the changes.
$ /etc/init.d/vsftpd restart
vsftpd start/running, process 13340
You should be able to use ftp service smoothly now.
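A pre-flight check for the two problems above (the 530 caused by a shell missing from /etc/shells, and refused uploads when write_enable is not set), as an added example that is not part of the original post. The function names are hypothetical, and file paths are passed as arguments so it can be run against copies of the files.

```shell
#!/bin/sh
# Added example: pre-flight checks for the two vsftpd problems described above.
# Function names are hypothetical; all file paths are arguments.

# Print the login shell (7th passwd field) of USER; fail if the user is absent.
user_shell() {  # user_shell USER PASSWD_FILE
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }' "$2"
}

# 0 = shell is listed in SHELLS_FILE, 1 = not listed, 2 = user not found.
shell_allowed() {  # shell_allowed USER PASSWD_FILE SHELLS_FILE
    sh_path=$(user_shell "$1" "$2") || return 2
    # -x: whole-line match, -F: literal string, so comment lines never match
    grep -qxF -- "$sh_path" "$3" || return 1
}

# Print the value of KEY from a vsftpd.conf-style file (last uncommented
# "key=value" line); prints an empty line if KEY is commented out or missing.
conf_value() {  # conf_value KEY CONF_FILE
    awk -F= -v k="$1" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$2"
}

# Run both checks; return 0 only if the login and the upload should work.
preflight() {  # preflight USER PASSWD_FILE SHELLS_FILE CONF_FILE
    rc=0
    status=0
    shell_allowed "$1" "$2" "$3" || status=$?
    case $status in
        0) echo "OK    shell for $1 is listed in $3" ;;
        1) echo "FAIL  shell for $1 is not listed in $3 (expect 530 Login incorrect)"
           rc=1 ;;
        *) echo "FAIL  user $1 not found in $2"
           rc=1 ;;
    esac
    if [ "$(conf_value write_enable "$4")" = "YES" ]; then
        echo "OK    write_enable=YES"
    else
        echo "FAIL  write_enable is not YES (uploads will be refused)"
        rc=1
    fi
    echo "INFO  local_umask=$(conf_value local_umask "$4")"
    return $rc
}

# Usage on the server itself:
#   preflight ftpuser /etc/passwd /etc/shells /etc/vsftpd.conf
```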
3. Allow only secure access to ftp or allow only sftp
FTP is inherently insecure because it transfers data in plain text. To make sure that a user can only access the FTP service through a secure channel, change the user's shell in /etc/passwd to /usr/lib/openssh/sftp-server.
Let's say you want to make sure that the user 'ftpuser' can only access FTP through a secure channel; then update its entry in the /etc/passwd file to look like this:
$ grep ftpuser /etc/passwd
ftpuser:x:1000:1000::/var/path/to/work:/usr/lib/openssh/sftp-server
Do you have any good tips/tricks for ftp users? Please share in comments.