Pentarock Technologies

SHARING KNOWLEDGE

How To Install and Configure FTP Server with VSFTPD on Debian 11 Bullseye

How To Install and Configure FTP Server with VSFTPD on Debian 11 Bullseye

 In this tutorial we will see how to install and configure ftp server with vsftpd  on Debian 11 Bullseye. “vsftpd” is an open source and free FTP Server for Linux Operating Systems. It is one of the most robust, secure and popular FTP Server tool. The vsftpd FTP Server is one of the most trusted applications among the Linux professionals. The official website of vsftpd FTP Server claims that the security, stability and performance is the key points due to which it has gained much popularity among the Linux users.

As claimed by the community of developers of vsftpd ftp server, some of the features of vsftpd Server include.

  1. bandwidth throttling
  2. per user configuration
  3. virtual users
  4. Standalone or inetd operation,   

FTP is a short form for file transfer protocol. In the past normally insecure files transfers using FTP were used for transfer of files and documents between servers and clients. But in the modern days the old FTP is changed to more secure, stable and faster FTP applications like vsftpd, scp etc. In my opinion vsftpd is the best choice for transferring important files and data between clients and server systems. Currently there are number of Linux distribution that includes vsftpd as the default FTP Server in their Linux distribution.

Prerequisites for installation of vsftpd on Debian 11 Bullseye

Following are the prerequisites for installing vsftpd on Debian 11 Bullseye operating system.

  1. First, we will require a Desktop or a laptop computer with pre-installed Debian 11 Bullseye operating system. If you need to install Debian 11 Bullseye on your system then you can follow our guide to installing Debian 11 Bullseye. The link to the tutorial is given below.
How to Install Debian 11 Bullseye Step by Step With Screenshots
  1. We will also require a non root user with sudo privileges with passwords for the installation of the application.
  2. Additionally, we will need a stable and fast internet connection for downloading and installing the vsftpd ftp application on our computer.

Installation of vsftpd FTP Server on Debian 11 Bullseye

First update your system before the start of the installation. To update your system open the terminal window and issue the following command as given below.

sudo apt-get update
sudo apt-get upgrade

The vsftpd FTP Server package is already available in the default package repository of the Debian 11 Bullseye operating system. Therefore use the apt command of the Debian 11 Bullseye to install the vsftpd FTP Server. To install the application issue the following command in the terminal window.

sudo apt-get install vsftpd

The above command will prompt to start the installation of the application. On the affirmative response the installation will start and will complete in very short time. During the installation the vsftpd Server creates a initial configuration file. The location of this configuration file “vsftpd.conf” is the /etc folder.

Before making any changes, the backup of the original configuration file of vsftpd should be taken. To do this copy the original configuration file with a new name. To do this issue the following command in the terminal window.

sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.backup

Configure the Firewall on Debian 11 Bullseye for vsftpd FTP Server

Now we have to configure the firewall so that the FTP traffic can pass through the firewall. First check whether ufw firewall is installed and started on your system. Issue the following command in the terminal windows.

sudo ufw status

If the output of the above command shows that ufw firewall is installed but is currently disabled as shown below.

sudo ufw status

The output of the above command will be similar to the given below figure.

Status: inactive

Then issue the following command in the terminal window.

sudo ufw enable
sudo service ufw restart

To allow OpenSSH and FTP traffic through the firewall issue the following command in the terminal window in the given order.

sudo ufw allow OpenSSH
sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow 990/tcp
sudo ufw allow 10000:20000/tcp

Now again issue the ufw status command in the terminal window as shown below.

sudo ufw status

The output of the above command will be similar as given below.

sudo ufw status
Status: active

To                         Action      From

—                         ——      —-

OpenSSH                    ALLOW       Anywhere                

20/tcp                     ALLOW       Anywhere                

21/tcp                     ALLOW       Anywhere                

990/tcp                    ALLOW       Anywhere                

10000:20000/tcp            ALLOW       Anywhere                

OpenSSH (v6)               ALLOW       Anywhere (v6)           

20/tcp (v6)                ALLOW       Anywhere (v6)           

21/tcp (v6)                ALLOW       Anywhere (v6)           

990/tcp (v6)               ALLOW       Anywhere (v6)           

10000:20000/tcp (v6)       ALLOW       Anywhere (v6)  

Configuring FTP Directory and FTP User in vsftpd Server

If you have your website hosted on your web server and you want to upload and download files from the website folder. Then you have to configure this directory in vsftpd server. In addition to this you should also create a separate ftp user for file transfer job. Now we will see how to create out FTP directory and FTP user.

First we will create our FTP User with the name ftpuser and give FTP access to it. To create a new FTP user issue the following command in the terminal windows as shown below.

sudo adduser ftpuser

The output of the above command will be similar to the figure given below.

sudo adduser ftpuser
Adding user `ftpuser’ …

Adding new group `ftpuser’ (1001) …

Adding new user `ftpuser’ (1001) with group `ftpuser’ …

Creating home directory `/home/ftpuser’ …

Copying files from `/etc/skel’ …

New password:

Retype new password:

passwd: password updated successfully

Changing the user information for ftpuser

Enter the new value, or press ENTER for the default

Full Name []: FTP User

Room Number []:

Work Phone []:

Home Phone []:

Other []:

Is the information correct? [Y/n] Y

As shown in the above figure enter and confirm the password and necessary information as you like and create the new ftpuser.

Now we will setup a directory structure on the server for transferring files and provide the ftpuser access to the directory. Let us create this folder with the name of ftp inside the /home/ftpuser folder. We will also give ownership to ftpuser on this directory.  To create a new FTP directory and provide the ownership to the ftpuser issue the following command in the terminal window in the given sequence.

sudo mkdir /home/ftpuser/ftp
sudo chown nobody:nogroup /home/ftpuser/ftp
sudo chmod a-w /home/ftpuser/ftp

Now we will create a folder where the files can be uploaded and we will also provide ownership to our ftpuser on this folder. To do this issue the following command in the terminal windows as shown below in the given sequence.

sudo mkdir /home/ftpuser/ftp/ftpdocs
sudo chown ftpuser:ftpuser /home/ftpuser/ftp/ftpdocs

Now we have successfully created the FTP directory structure and our ftp user. Also we have given the necessary permissions to our ftp user for transfer of files in this directory.

Configure vsftpd Server

Now we will make the necessary changes in the configuration file vsftpd.conf to configure our vsftpd FTP server. To do this open the vsftpd.conf file in your favorite text editor. We are using nano editor. Issue the following command in the terminal window.

sudo nano /etc/vsftpd.conf

Make the following changes as given below in the vsftpd.conf file.

listen=NO
listen_ipv6=YES

anonymous_enable=NO

local_enable=YES

write_enable=YES

local_umask=022

dirmessage_enable=YES

use_localtime=YES

xferlog_enable=YES

connect_from_port_20=YES

chroot_local_user=YES

secure_chroot_dir=/var/run/vsftpd/empty

pam_service_name=vsftpd

pasv_enable=Yes

pasv_min_port=10000

pasv_max_port=11000

user_sub_token=$USER

local_root=/home/$USER/ftp/ftpdocs

userlist_enable=YES

userlist_file=/etc/ vsftpd.userlist

userlist_deny=NO

allow_writeable_chroot=YES

Make the changes in the configuration file as shown in the figure above and save and exit the text editor.

Now create a userlist file as mentioned in the configuration file above and add our ftp user in the userlist file. When the userlist_deny is set to NO in the configuration file then the users in the list are allowed and when it is set to YES then the users in the userlist are denied FTP permission. Now to create userlist file and add out ftpuser in the userlist file, issue the following command in the terminal window.

sudo echo "ftpuser" | sudo tee -a /etc/vsftpd.userlist

To verify that the file is created and user is added in the userlist file issue the following command in the terminal window.

sudo cat /etc/vsftpd.userlist

The output of the above command will be similar to the given below.

root@pentarock:~# sudo cat /etc/vsftpd.userlist

ftpuser

Now restart the vsftpd FTP Server so that the configuration changes may take effect. To restart the vsftpd service issue the following command in the terminal window.

sudo systemctl restart vsftpd

Now we have successfully installed and configured vsftpd server. Now we can test our vsftpd server by connecting to it from out ftpuser.

Verify the FTP Connection

To test our vsftpd FTP Server we have created a test file “ftptest.txt” in the ftpdocs folder. Now we will transfer the same file to a Windows 10 computer using the ftp command in the command window of Windows 10 Operating System. Issued the ftp command and the output of the command are shown below.

C:\Users\Pentarock>ftp 192.168.1.25
Connected to 192.168.1.25.

220 (vsFTPd 3.0.3)

200 Always in UTF8 mode.

User (192.168.1.25:(none)): ftpuser

331 Please specify the password.

Password:

230 Login successful.

ftp> cd ftpdocs

250 Directory successfully changed.

ftp> dir

200 PORT command successful. Consider using PASV.

150 Here comes the directory listing.

-rw-r–r–    1 0        0              74 Sep 05 11:00 ftptest.txt

226 Directory send OK.

ftp: 72 bytes received in 0.00Seconds 36.00Kbytes/sec.

ftp> get ftptest.txt

200 PORT command successful. Consider using PASV.

150 Opening BINARY mode data connection for ftptest.txt (74 bytes).

226 Transfer complete.

ftp: 74 bytes received in 0.00Seconds 74000.00Kbytes/sec.

ftp>

The above output shows that our vsftpd server is installed correctly and we are now able to transfer files from our server.

The above file transfers are insecure. In the insecure FTP Servers decrypted data is transferred. Therefore now we will secure our vsftpd server. To provide the encryption we will enable TLS/SSL on our vsftpd FTP Server. However, we will use openssl to create SSL certificate. Additionally we will create a certificate with the validity of 90 days. We will also add a private 2048 bit RSA key. To create the SSL certificate issue the following command in the terminal window.

sudo openssl req -x509 -nodes -days 90 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

The output of the above command will be similar to the shown below.

sudo openssl req -x509 -nodes -days 90 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
Generating a RSA private key

………………………………..+++++

………………………..+++++

writing new private key to ‘/etc/ssl/private/vsftpd.pem’

—–

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [AU]:IN

State or Province Name (full name) [Some-State]:UP

Locality Name (eg, city) []:GZB

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Pentarock

Organizational Unit Name (eg, section) []:Blog

Common Name (e.g. server FQDN or YOUR name) []:

Email Address []:contact@pentarock.in

There are many fields to enter during the creation of the certificate but you can leave some of them blank if you wish so.

Now open the vsftpd configuration file again in your favorite text editor. Issue the following command to open the file in the nano text editor.

sudo nano /etc/vsftpd.conf

Scroll down to the end of the configuration file. There you will see the following lines.

rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Comment out these lines and add two new lines below these lines as shown in the figure below.

# rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem

# rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

rsa_cert_file=/etc/ssl/private/vsftpd.pem

rsa_private_key_file=/etc/ssl/private/vsftpd.pem

Now add the following lines in the vsftpd FTP Server configuration file as given below.

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

Now restart the vsftpd Server by issuing the following command in the terminal window.

sudo systemctl restart vsftpd

Furthermore, if we will try to connect to our server in insecure mode the output of the command will be similar to the shown below.

C:\Users\Pentarock>ftp 192.168.1.25
Connected to 192.168.1.25.
220 (vsFTPd 3.0.3)

200 Always in UTF8 mode.

User (192.168.1.25:(none)): ftpuser

530 Non-anonymous sessions must use encryption.

Connection closed by remote host.

Test TLS Connection using Filezilla client Installed on a Windows 10 Computer

Now we will test our vsftp server using Filezilla client which supports and uses TLS encryption. You can do so with any other ftp client application that supports TLS/SSL encryption. There are many FTP client applications are available that support TLS/SSL encryption.

Now open FileZilla Client and Create a new connection to the server as shown in the image below.

How To Install and Configure FTP Server with VSFTPD on Debian 11 Bullseye

Now create a new connection as shown below. We have created new connection “New Site” with the option “Require Explicit FTP Over TLS” selected.

How To Install and Configure FTP Server with VSFTPD on Debian 11 Bullseye

Now connect to the server as shown in the figure below.

How To Install and Configure FTP Server with VSFTPD on Debian 11 Bullseye

Now as shown in the above figure that we have successfully installed and configured the vsftpd FTP Server on Debian 11 Bullseye operating system. Enjoy!

Leave a Reply

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.