The most used FTP servers within Linux are PureFTPd, ProFTPD and vsftpd. An overview of the differences can be found on this website. ProFTPD is less well maintained, so we recommend PureFTPd or vsftpd.
Using an FTP server is a relatively easy method to upload files to your VPS. This is useful, for example, with a web server for posting updates to websites on your VPS, or with a Plex server for uploading media to your VPS.
Do you prefer SFTP? Consult this manual.
Installing and configuring the FTP server
Install vsftpd with the command:
yum -y install vsftpd
Before you start your FTP server, make some adjustments to the vsftpd configuration, with the aim of adjusting access to your FTP server more specifically.
Open the configuration file:
Adjust / add the following settings if they do not yet exist. The operation of these options is further explained in the explanatory notes to the options.
anonymous_enable=NO chroot_local_user=YES allow_writeable_chroot=YES userlist_enable=YES userlist_file=/etc/vsftpd.userlist userlist_deny=NO
- Explanation code
- anonymous_enable=NO: Prevents unidentified users from logging in to your FTP server.
- chroot_local_user=YES: Places FTP users in their own home directory (i.e. a chroot jail) after logging in to your FTP server.
- allow_writeable_chroot=YES: Allows FTP users to make changes to the chroot directory (i.e. their own home directory).
- userlist_enable=YES: Enables the vsftpd user list, with which you can give users permission or prohibit access to your FTP server.
- userlist_file=/etc/vsftpd.userlist: The location of the user list described above.
- userlist_deny=NO: Only the user accounts in the user list file may log in to your FTP server. If you set the option to 'YES', the user list does not give permission, but it prohibits access to your FTP server.
Save the changes and close the file using the key combination ctrl + x > y > enter.
Out-of-the-box, Debian 9 comes with Firewalld, in which all ports are closed by default. Open port 21 with the commands:
firewall-cmd --zone=public --permanent --add-port=21/tcp firewall-cmd --reload
vsftpd does not automatically start after the installation and after a reboot. You start vsftpd and enable automatic starting with:
systemctl start vsftpd systemctl enable vsftpd
Creating users and giving access to your FTP server
In the previous steps, you have enabled the vsftpd user list option, together with the additional option that only user accounts in the user list file have access to your FTP server. In this part, you (optionally) create a new user and add the user to the user list.
FTP users are created in the same way as normal users on your VPS. Do you want to use an existing user account? Then continue with step 2.
Do you use FTP to upload websites? Then we recommend using the name of your domain as the username, for example, the username example.com, for the domain example.com.
useradd -m -c "transip ftp demo" username passwd username
- Code explanation
- -m: creates a home directory for the user. This is optional and only required if you actually want to give the user a home directory on your VPS in /home/username. Are you giving the user a home directory that is not in /home in the 'Customizing user home directories' section? Then you can omit -m.
- -c: is also optional and adds a comment to the user. This is especially useful for creating a note for yourself explaining what an account serves for.
- username: the actual username
- passwd username: gives the user a password
Open the user list file with:
Add the user's name to the file. Each username is added on a new line, for example:
transip admin username
Tip: Alternatively, you can also add the username to the file with one command:
Save the changes and close nano with ctrl + c > y > enter.
Customizing users' home directories
Thanks to the earlier configuration, FTP users are directed to their home directory by default. In this section, we show you how to set up specific directories. This is useful, for example, if you want to direct users to a specific directory in which their website is located (for web servers), or, for example, a specific folder (e.g. Big Storage) on a Plex server.
Do you want to use an existing folder? Then continue with step 3. Does the folder not yet exist? First, create it and remove all write permissions for all users (replace user name with the user’s name).
/ftp chown nobody:nobody /home/gebruikersnaam
/ftp chmod a-w /home/gebruikersnaam
Create the directory in which the user may place files and only give that user full rights to the directory (replace username with the user's name):
/ftp/fileschmod 0700 /home/gebruikersnaam/ftp/files
The reason why you remove access to the FTP folder and do give access to the files folder is for security reasons: this way, you prevent that any further access to the underlying folders can be obtained.
You are now going to set the home directory of your users. Open the VSFTP configuration file again:
Add the following two lines at the bottom of the file:
- user_sub_token=$USER: the name of the user who connects to your FTP server is used for the variable $USER
- local_root: the directory in which your FTP users end up. In this example, it is the FTP folder in the home directory.
- For example, if you have linked Big Storage to your VPS and want to use it (e.g. for a Plex server), then you use local_root=/mnt/bigstorage/ (replace /mnt/bigstorage/ with the actual folder in which your Big Storage is mounted), where, for example, you remove the rights from /bigstorage/ and create a folder /mnt/bigstorage/plex to which you do grant users rights.
- Do you host websites (in /var/www/html/) and did you use your domain as a user name in the previous section? Then, you would set local_root=/var/www/html/$USER here, where you do not give permissions in that folder, but, for example, do give permissions to /var/www/html/$USER/public_html
Save the changes and close the file with the key combination ctrl + x > y > enter.
Finally, restart vsftpd to apply the new configuration. It can sometimes take a few minutes for you to see such a configuration change when you connect via your FTP client.
systemctl restart vsftpd
Securing your FTP server
The FTP protocol does not encrypt data and is therefore unsafe. In practice, SFTP or FTPS is therefore usually always used (see this article for an explanation of the differences). In this part of the manual, you protect your FTP server with FTPS.
As SSL(TLS) certificate, we use a Let's Encrypt certificate. If you have not yet installed Let's Encrypt, install it first with the command:
apt -y install certbot
In this step, you generate a standalone certificate that is not dependent on an existing web server. It is important for this that ports 80 and 443 are open in your firewall (in Debian 9, this is UFW by default). If they are not yet open, use the commands:
ufw allow 80/tcp
Generate a certificate with the command below. Replace server.example.com here with your hostname (check with the command hostnamectl).
You will be asked for an email address and permission for the terms and conditions, and for sharing your email address with the Electronic Frontier Foundation (optional).
certbot certonly --standalone -d server.example.com
Your Let's Encrypt certificate and keyfile are stored in /etc/letsencrypt/live/<hostname>/ (the exact location is in the output of the command in step 3).
You then adjust the vsftpd configuration to indeed use the Let's Encrypt certificates and reject unsafe connections. Open /etc/vsftpd/vsftpd.conf again:
Add the following configuration at the bottom of the file, replacing server.example.com with your hostname.
ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YESssl_tlsv1_1=YES ssl_tlsv1_2=YES
ssl_tlsv1=NO ssl_sslv2=NO ssl_sslv3=NO require_ssl_reuse=NO ssl_ciphers=HIGH pasv_min_port=50100 pasv_max_port=51100 rsa_cert_file=/etc/letsencrypt/live/server.voorbeeld.nl/fullchain.pem rsa_private_key_file=/etc/letsencrypt/live/server.voorbeeld.nl/privkey.pem
- These steps have been tested in FileZilla. Older FTP clients may need the ssl_tlsv1=YES option. Please note that it is safer to use a newer FTP client.
- Is your connection often lost? Then try require_ssl_reuse=NO
- Take care when copying that you do not put a space after one of the lines. One space too much is sufficient to prevent vsftpd from starting.
A good reason to opt for Let's Encrypt instead of OpenSSL is the simple auto-renew option of Let's Encrypt, so you don't have to worry about the possible expiration of your certificate. For this, you create a cronjob with the command:
Crontab works practically the same as vi. It opens in command mode and you switch to insert mode with the 'i' key. Then, add the content below.
SHELL=/bin/bash HOME=/ @monthly certbot -q renew >> /var/log/le.log
- The cronjob is performed every month at 0:00.
- -q ensures that no output is generated, except for errors.
- renew renews all Let's Encrypt certificates that expire within 30 days. Let's Encrypt certificates are valid for 90 days, so a new certificate is generated every two months.
- >> /var/log/le.log sends the output to the le.log file
After adding the code, switch back to command mode with 'Esc'. Then, save your changes and close crontab with the key combination :wq!
In step 5 you have, among other things, configured a passive port range. This port is not automatically open in your firewall and you open it manually with:
ufw allow 50100:51100/tcp
You now only need to restart vsftpd with the command:
systemctl restart vsftpd
That concludes this tutorial and you have set up a secure FTP(S) server! You can now test your FTP server and transfer files to your VPS.
Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘ContactUs’ button at the bottom of this page.
If you want to discuss this article with other users, please leave a message under 'Comments'.