1. Install and run vsftpd without login shell

Most obvious thing while running a ftp server is to run it under non login shell. This is quite easy in Redhat based distro but here in Ubuntu, you need to do something extra also to enable users accessing ftp running under non login shell.

Install vsftpd server and start it:

$ apt-get install vsftpd
$ /etc/init.d/vsftpd start

Add user who needs ftp access without shell access:

$ useradd -s /usr/sbin/nologin ftpuser

Make sure that /usr/sbin/nologin is listed in /etc/shells file otherwise while trying to access ftp, you may encounter following issue:

$ ftp ftpuser@serverip
Connected to serverip.
220 (vsFTPd 2.2.2)
331 Please specify the password.
Password: 
530 Login incorrect.
ftp: Login failed

Do not misinterpret the message here that the password is wrong or something, its actually due to shell.

Add /usr/sbin/nologin into /etc/shells file:

$ vim /etc/shells
/usr/sbin/nologin

Now try to access ftp server again and you should be able to do it smoothly.

2. Allow user to upload/overwrite files using ftp

Next thing to remember is that the default behavior of vsftpd under Ubuntu is to deny write operation. If you try to upload/overwrite files, you may encounter follow error:

Requested action not taken (e.g., file or directory not found, no access).

You need to specify explicitly that local users should be able to use ftp and upload/overwrite files by updating configuration:

$ vim /etc/vsftpd.conf
## uncomment local_umask option, it should look like below
local_umask=022
 
## uncomment write_enable option, it should look like below
write_enable=YES

Save and close the config file and restart vsftpd service to apply changes.

$ /etc/init.d/vsftpd restart
vsftpd start/running, process 13340

You should be able to use ftp service smoothly now.

3. Allow only secure access to ftp or allow only sftp

FTP is inheriently insecure as it transfer data using plain text. To make sure that user can only access ftp service through a secure channel, replace shell in /etc/passwd to /usr/lib/openssh/sftp-server for the user.

let’s say you want to make sure that the user ‘ftpuser’ can only access ftp through secure channel, then update its entry in /etc/passwd file to look like below:

$ grep ftpuser /etc/passwd
ftpuser:x:1000:1000::/var/path/to/work:/usr/lib/openssh/sftp-server

Do you have any good tips/tricks for ftp users? Please share in comments.

Other related and helpful article you may like to read:
* 5 Steps to secure your Linux Server
* 5 highly recommended books for aspiring Linux Admins
* FTP error – could not write to socket broken pipe
* FTP error – 500 oops vsf_sysutil_recv_peek while connecting to vsftpd
* How to install and configure ftp server in Amazon EC2 instance

Error: Could not write to socket: Broken pipe
Unable to download file xxxx

In first, I checked the config of vsftpd, and restarted it. It’s working fine. Then got the clue from “unable to download file” messages which indicates that ftp server is not able to write/download file. When I checked the space:

[root@domU-x-x-x-00-x-E2:/etc/vsftpd] df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             9.9G  9.4G     0 100% /
/dev/sda2             147G  188M  140G   1% /mnt

You can see, 100% space full in / partition. Problem disappeared after cleaning up the space. This server was one of few servers, which were not covered by our nagios implementation then, though this incident accelerated the process.

You may also like to read:
* 5 steps to secure your Linux Server
* Ensuring secure access to production Linux Servers
* Bash script to backup essential log files in Linux
* Quickly change your ssh port from defualt 22 to something higher
* SSH port forwarding from remote to local machine
* Save root or user history to check later
* Install and configure denyhost to prevent brute force attacks

Here I’m using vsftp (vsfptd) Server, which is one of the most popular and easy to configure. The instance is running from base Fedora 4 AMI but the setup should be identical to other Red Hat based distros.

Install vsftpd FTP server, if not installed earlier:

$ yum install vsftpd

Its upto you which FTP method i.e. Active or Passive you want to use. The problem with active mode is that your computer is sending a request out of port 21 when all of a sudden, the server attempts to initiate a request with your computer on port 20. Since communication on port 21 does not imply communication on port 20, it appears as if some unauthorized host has attempted to initiate a new connection with your computer. Kind of sounds like a hack right? Your firewall may think so too (or your NAT router may have no idea to which computer to route the request). Active mode is not used as default method of ftp transfer in many clients these days.

On the other hand, as the Ingress firewall is running in AWS, from the firewall’s standpoint, to support passive mode FTP the following communication channels need to be opened:

FTP server’s port 21 from anywhere (Client initiates connection).
FTP server’s port 21 to ports > 1023 (Server responds to client’s control port).
FTP server’s ports > 1023 from anywhere (Client initiates data connection to random port specified by server).
FTP server’s ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client’s data port).

That second part is the problem: FTP server listens on a random port and hands that back to the client, so the client initiates a connection to a random server port, which you must allow.

Opening up all ports > 1023 isn’t so good for security. But what you can do is allow the ports through the distributed firewall and then setup your own filtering inside your instance. Instead, you would better open a fixed number of ports (such as 1024 to 1048) and configure your FTP Server to only use that ports.

Check whether required ports are open or not in your EC2 security group. (if you are unaware about security group, it should be ‘defaul’ unless you created a new one).

$ ec2-describe-group

This command will print all ports which are currently open. If you dont find port 20,21,1024-1048 then you need to open these ports but if you dont find the command itself i.e.

$ ec2-describe-group
-bash: ec2-describe-group: command not found

You need to install ec2 command line tools. You can find them here and the instructions to setup/configure can be found here.

Open the ports now:

$ ec2-authorize default -p 20-21
$ ec2-authorize default -p 1024-1048

Here, ‘default’ is the name of security group. You can also open ports for specific IPs. For ease of use, you better install ElasticFox, a firefox extension to manage EC2 stuff. you can find more about it here.

At this moment, you can start your FTP server and if you try to connect it, the process will get failed. By checking logs, you should find something like:

Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE A
Response: 200 Type set to A
Command: PASV
Response: 227 Entering Passive Mode (216,182,238,73,129,75).
Command: LIST
Error: Transfer channel can't be opened. Reason: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Error: Could not retrieve directory listing

Time to configure vsftpd.conf file:

$ vi /etc/vsftpd/vsftpd.conf
#<em>---Add following lines at the end of file---</em>
	pasv_enable=YES
	pasv_min_port=1024
	pasv_max_port=1048
	pasv_address=<Public IP of your instance>

Put public IP of your EC2 instance and then Save the file. Now restart the server:

$ /etc/init.d/vsftpd restart

One another thing I noticed recently in some instances is that even after configured properly, ftp client is not able to connect. You can find the description and solution of that problem in this post on this blog.

You may also like to read:
* 5 steps to secure your Linux Server
* How to setup multiple mysql servers in a single Linux machine.
* Setup Mysql Cluster in Amazon EC2.
* Download, install and configure perlbal loadbalancer.
* How to find out clients of your Mysql server.
* Fix and optimize Mysql server running slow without any load.
* Script to sync files between web servers.
* Install and configure HAProxy loadbalancer.
* Quick web based php script to check replication status of multiple MySQL Servers