Install and Configure FTP Server in Amazon EC2 instance

by jagbir on June 26, 2008

For many users, running FTP Sever in Amazon EC2 instance is headache at the first time. You need to experiment before being able to transfer data. The main problems are Ingress firewall in Amazon environment and NAT traversal.

Here I’m using vsftp (vsfptd) Server, which is one of the most popular and easy to configure. The instance is running from base Fedora 4 AMI but the setup should be identical to other Red Hat based distros.

Install vsftpd FTP server, if not installed earlier:

$ yum install vsftpd

Its upto you which FTP method i.e. Active or Passive you want to use. The problem with active mode is that your computer is sending a request out of port 21 when all of a sudden, the server attempts to initiate a request with your computer on port 20. Since communication on port 21 does not imply communication on port 20, it appears as if some unauthorized host has attempted to initiate a new connection with your computer. Kind of sounds like a hack right? Your firewall may think so too (or your NAT router may have no idea to which computer to route the request). Active mode is not used as default method of ftp transfer in many clients these days.

On the other hand, as the Ingress firewall is running in AWS, from the firewall’s standpoint, to support passive mode FTP the following communication channels need to be opened:

FTP server’s port 21 from anywhere (Client initiates connection).
FTP server’s port 21 to ports > 1023 (Server responds to client’s control port).
FTP server’s ports > 1023 from anywhere (Client initiates data connection to random port specified by server).
FTP server’s ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client’s data port).

That second part is the problem: FTP server listens on a random port and hands that back to the client, so the client initiates a connection to a random server port, which you must allow.

Opening up all ports > 1023 isn’t so good for security. But what you can do is allow the ports through the distributed firewall and then setup your own filtering inside your instance. Instead, you would better open a fixed number of ports (such as 1024 to 1048) and configure your FTP Server to only use that ports.

Check whether required ports are open or not in your EC2 security group. (if you are unaware about security group, it should be ‘defaul’ unless you created a new one).

$ ec2-describe-group

This command will print all ports which are currently open. If you dont find port 20,21,1024-1048 then you need to open these ports but if you dont find the command itself i.e.

$ ec2-describe-group
-bash: ec2-describe-group: command not found

You need to install ec2 command line tools. You can find them here and the instructions to setup/configure can be found here.

Open the ports now:

$ ec2-authorize default -p 20-21
$ ec2-authorize default -p 1024-1048

Here, ‘default’ is the name of security group. You can also open ports for specific IPs. For ease of use, you better install ElasticFox, a firefox extension to manage EC2 stuff. you can find more about it here.

At this moment, you can start your FTP server and if you try to connect it, the process will get failed. By checking logs, you should find something like:

Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE A
Response: 200 Type set to A
Command: PASV
Response: 227 Entering Passive Mode (216,182,238,73,129,75).
Command: LIST
Error: Transfer channel can't be opened. Reason: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Error: Could not retrieve directory listing

Time to configure vsftpd.conf file:

$ vi /etc/vsftpd/vsftpd.conf
#<em>---Add following lines at the end of file---</em>
	pasv_enable=YES
	pasv_min_port=1024
	pasv_max_port=1048
	pasv_address=<Public IP of your instance>

Put public IP of your EC2 instance and then Save the file. Now restart the server:

$ /etc/init.d/vsftpd restart

One another thing I noticed recently in some instances is that even after configured properly, ftp client is not able to connect. You can find the description and solution of that problem in this post on this blog.

You may also like to read:
* 5 steps to secure your Linux Server
* How to setup multiple mysql servers in a single Linux machine.
* Setup Mysql Cluster in Amazon EC2.
* Download, install and configure perlbal loadbalancer.
* How to find out clients of your Mysql server.
* Fix and optimize Mysql server running slow without any load.
* Script to sync files between web servers.
* Install and configure HAProxy loadbalancer.
* Quick web based php script to check replication status of multiple MySQL Servers

  • sushilver

    useful information… i like it

  • =Bill.Barnhill

    Very useful article, one typo though: it’s ec2-describe-group not ec2-describe-groups

  • http://www.jagbir.info jagbir

    @Bill,

    thanks buddy for pointing out typo, I’ve fixed it.

  • George

    Thanks for this. Was having a bugger of a time finding the right combo to make passive mode work properly with the security groups.

  • Jimmy

    Hey! Thanks for posting this! It was a great helping in getting my ftp server setup! Keep up the good work!

  • mukul

    great help!! thanks a lot, keep up the good stuff.

  • http://rich-niche.info/cookie/img/smilies/happy.gif http://rich-niche.info/cookie/img/smilies/happy.gif

    nice!

  • http://cceshop.com Weber

    This is very useful. I’m trying find a way to autmate this piece. Is there a way to use a perl script to configure the web server.

  • jason

    Thanks! this worked great!

  • devon

    small typo,

    # yum install vsfptd

    should be

    # yum install vsftpd

    correct?

    • http://www.jagbir.info jagbir

      correct :) thanks for pointing out. fixed.

  • http://www.santabanta.com Amarjit

    I have some problem regarding on the fetching data from the amazon server. “Login” pages do not load on http://www.tenlegs.com when running under SSL. The brief root cause of this is as follows:
    (1) http://www.general.com is configured with an SSL certificate issued for this domain name
    (2) Our static content (images, css) are stored on Amazon S3. When any of our website’s web pages make reference to these images under ssl (eg: https://www.general.com/index.php generates html that refers to https://sample.general.com/images/logo.jpg), the web browser finds that sample.general.com is actually s3.amazonaws.com, and the certificate for s3.amazonaws.com does not match the sample.general.com domain name. The net effect is that the static content is blocked from displaying in the browser, leading to a messy looking page.

  • Mike

    Hi, I install and config like this, but my FTP client returns:
    “Response: 200 Switching to Binary mode.
    Command: PASV
    Response: 500 OOPS: child died
    Command: PORT 222,212,103,247,18,106
    Error: Connection closed by server
    Error: Failed to retrieve directory listing”
    Do you have any suggestion? Thanks.

    • http://www.jagbir.info jagbir

      Hi Mike, are you sure all mentioned ports are open? did you tried restarting ftp server?

  • Mike

    @jagbir
    Hi, Jagbir:
    I use 10000/10024 port, and use Amazon AWS Management Console to config Security Groups as:
    ———————-
    Connection Method
    -
    Protocol
    tcp
    From Port
    10000
    To Port
    10024
    Source (IP or group)
    0.0.0.0/0
    —————-
    And you can see my problem post at Amazon forum here:
    https://developer.amazonwebservices.com/connect/thread.jspa?threadID=41962&tstart=0.
    But still no answer….

  • http://www.blog.hostedftp.com Rich

    You may want to take a look at our blog regarding FTP and Amazon AWS EC2.
    Thanks

  • http://astore.amazon.com/cheap.petzl.myo.tools-20 Dick Delarme

    Nice website. Thank you.,

  • Pingback: Quora

  • Ad34

    Hello,

    what is the “CERT”

    I get this error

    Required option ‘-C, –cert CERT’ missing (-h for usage)

    The only thing i generated with my instance is a xxx.pem file…

  • http://shakas.com joe

    Hello,

    I am using EC2 and want to send text files to the FTP using a machine that has the option of sending manually or through a scheduler. The manual push works to a charm, but the scheduled push bounces and I am unable to receive the files.

    What do I need to do to receive scheduled push?

  • http://www.moneytized.com Angel

    Thank you for the article. Saved us quite some time!
    Angel

    • http://linuxadminzone.com jagbir

      Thanks Angel for comment, glad to know that you find it helpful.

  • Pingback: Cloud Computing with Amazon ams – Free :) « Technube

  • http://celebmoviebuzz.blogspot.com Celebrities

    hot can i install it to my Celebrities blog

  • Mkn

    Thanks, this was very helpful :)

  • http://www.linkdir.eu Renea Jimenez

    Good write-up, I am regular visitor of one’s website, maintain up the excellent operate, and It is going to be a regular visitor for a lengthy time.

    • http://linuxadminzone.com jagbir

      Thank you Renea for your comment.

  • preyo999

    Thanks! Saved our time :)

  • Wayne

    Thanks – the VSFTPD setup was exactly what I needed, I really appreciate your taking time to write it up so clearly! FWIW, I stumbled a bit until I realized I needed to ‘associate’ the elastic IP with the instance (and that doing that would disconnect my existing SSH setup).

  • Pingback: NodeJS, Websockets and EC2 | Mike Newell

  • Pingback: κυτταρίτιδα

  • http://notup Dunks

    tried this and didn’t work, I can get as far as listing anonymous FTP, but can’t get user accounts working properly. FTP client returns
    530: Permission Denied error

  • Pingback: get firefox

  • Pingback: AWS:EC2:: Could not connect FTP client?

  • Teodor B

    Thanks a lot for this article. Only after I’ve added
    pasv_enable=YES
    pasv_address=
    to vsftpd.conf I was able to connect in passive mode.

  • http://unitedstatescollection.blogspot.com/ United States

    It may seem like a silly question, but how does Amazon stock a gazillion items? It’s unlikely that they would have an enormous warehouse containing everything. In thinking that they have partnerships with many retailers, how is that when it is shipped to me that the box is an Amazon box?

    THanks!

  • Pingback: code de la route gratuit

  • ken

    Thanks I was about to rage quit until I read this post. Had it working in minutes.

  • Emmanuel

    I am new to EC2 and i have followed your instruction to setup an ftp server. But i have no clue what the username and password to user to login into my account

  • Pingback: Amazon Web Services

  • Pingback: Amazon to non-Amazon Data transfer - Just just easy answers

Previous post:

Next post: