Cybersecurity Updates & Tools

Set Up an FTP Server on Ubuntu 18.04 with vsftpd and SSL

FTP (File Transfer Protocol) is a standard network protocol for transferring files between a local client and a remote server. It is simple and widely supported by GUI clients like FileZilla, but by default it sends data without encryption.

vsftpd (Very Secure FTP Daemon) is a fast, stable, and actively maintained FTP server available in Ubuntu’s default repositories. This guide shows you how to set up an FTP server on Ubuntu 18.04 with vsftpd, configure a chroot jail to lock users to their home directories, encrypt transfers with SSL/TLS, and restrict which accounts can log in via FTP.

<strong>Note:</strong>&nbsp;For most use cases, SFTP or SCP are more secure alternatives to FTP since they run over SSH and encrypt transfers without extra configuration.
<strong>Prerequisite:</strong>&nbsp;You need sudo access.

Install and Configure vsftpd FTP Server on Ubuntu

Update the package list and install vsftpd:

bashsudo apt updatesudo apt install vsftpd

The service starts automatically. Confirm it is running:

bashsudo systemctl status vsftpd

Look for Active: active (running) in the output.

Open the vsftpd configuration file:

bashsudo nano /etc/vsftpd.conf

Apply the following configuration changes:

Disable anonymous access and allow local users to log in:

anonymous_enable=NOlocal_enable=YESwrite_enable=YES

Enable chroot jail to prevent users from browsing outside their home directory:

chroot_local_user=YES

With chroot enabled, vsftpd blocks uploads to writable chroot directories by default. Create a dedicated upload folder inside the chroot to work around this:

user_sub_token=$USERlocal_root=/home/$USER/ftp

Set the passive port range for firewall control:

pasv_min_port=30000pasv_max_port=31000

Allow only specific users to log in:

userlist_enable=YESuserlist_file=/etc/vsftpd.user_listuserlist_deny=NO

When userlist_deny=NO is set, only usernames listed in /etc/vsftpd.user_list can connect. Everyone else is denied at login.

Secure the FTP Server with SSL/TLS and Open Firewall Ports

Generate a self-signed SSL certificate to encrypt FTP transfers:

bashsudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \  -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Add the SSL directives to /etc/vsftpd.conf:

rsa_cert_file=/etc/ssl/private/vsftpd.pemrsa_private_key_file=/etc/ssl/private/vsftpd.pemssl_enable=YES

Save the file and restart vsftpd:

bashsudo systemctl restart vsftpd

Open the required ports with UFW:

bashsudo ufw allow 20:21/tcpsudo ufw allow 30000:31000/tcpsudo ufw allow OpenSSHsudo ufw disable &amp;&amp; sudo ufw enable

Port 21 is the FTP command port. Port 20 is the data port. Ports 30000-31000 are the passive range you set in the config. Always allow OpenSSH before reloading UFW to avoid locking yourself out of the server.

Create an FTP User and Restrict Shell Access

Create a new user for FTP access:

bashsudo adduser newftpuser

Add the user to the allowed FTP login list:

bashecho "newftpuser" | sudo tee -a /etc/vsftpd.user_list

Create the FTP directory structure with the correct permissions:

bashsudo mkdir -p /home/newftpuser/ftp/uploadsudo chmod 550 /home/newftpuser/ftpsudo chmod 750 /home/newftpuser/ftp/uploadsudo chown -R newftpuser: /home/newftpuser/ftp

The ftp directory is read-only (a chroot requirement). The upload directory inside it is where the user can write files.

By default, new Linux users have SSH access to the server. To limit this FTP user to FTP only, create a restricted shell:

bashecho -e '#!/bin/sh\necho "This account is limited to FTP access only."' | sudo tee -a /bin/ftponlysudo chmod a+x /bin/ftponlyecho "/bin/ftponly" | sudo tee -a /etc/shellssudo usermod newftpuser -s /bin/ftponly

The user can now connect via FTP but cannot open an SSH session. Use any FTP client that supports TLS encryption, such as FileZilla, to connect.

The FTP server is now set up and secured on your Ubuntu 18.04 system. Visit the vsftpd documentation to explore additional configuration options. Leave a comment below if you run into any issues.