Code Done Right!

FTP server

An FTP server is a service that allows exchange of files in a very simple form. It enables you to drop massive amounts of files fairly quickly. You set up a server that can serve and accept files. We are setting up an FTP server so that YOU can upload and download files, but only on the local network.

Why local network only? Mainly because FTP is insecure. It sends the password in the clear. Like 100% clear. Any packet sniffing software can just yank your password and your server is now completely vulnerable. Worst case scenario would be that all your data is now compromised. If you do not have any spyware on your PC then you can utilize FTP on the local network without any worry. Keep your antivirus on that Windows machine up to date!

If you want to share files with others it is best to put them on your website directly, which is simpler, and users have access only to the files you have shared on the website. Later I will show you how to just drop files in a public folder so anyone can access them if that is what you need. Do not use FTP to share files. We are not in the '90s anymore. You can set up a server open to everybody, but again: why bother with a dedicated service if we can utilize the HTTP protocol?

Setting up an FTP server

Setting up a basic FTP server is a fairly simple task via a package called vsftpd (or Very Secure FTP Daemon). I will show you how to set up the service so that your administrative account will be able to rummage around the server.

Required

Creating an FTP folder

Even if you are the sole user of your FTP it is still a good idea to have one specific folder where you can dump your files, but not required. If on the other hand you are planning on making your files public (do not do that via FTP, see above why), then you just have to have a specific folder for them.

Run the following code to create a directory for your files

sudo mkdir /var/ftp

As with custom logs from previous tutorial about security, you can specify a folder wherever you want it to be – /var/ is a good choice.

By default the owner of the folder will be root. As we do not use the root account, files would have to be copied to the folder using the sudo command. Let us instead claim the folder for the administrative user account we created previously (if you have followed previous tutorials you are using it now) by running the chown command

sudo chown -R $USER:$USER /var/ftp/

Just remember to substitute $USER with your username.

We should also adjust permissions so that we can read and write with this user while allowing other users to only download files. That is Linux administration 101 – look, but do not touch. Run the following

sudo chmod -R 755 /var/ftp/

This way the administrative user will have full control over the folder, but if we decide to make an account for another user, said user will only be able to download files from this folder. Execute rights are in place so that the directory can be listed.

Installing vsftpd

Installation is simple, run the following command

sudo apt install vsftpd

The daemon will be configured using the default configuration file located here

/etc/vsftpd.conf

and, by default, vsftpd will be started immediately and every time your server boots up the FTP service will start on its own as well.

It is a good idea to make a backup of the config file so that purging and reinstalling will not be necessary in case we screw up the config too much. Run the following command

sudo cp /etc/vsftpd.conf /etc/vsftpd.conf_OLD

If you want to remove the modified config and restore the original run the following two commands

sudo rm /etc/vsftpd.conf
sudo cp /etc/vsftpd.conf_OLD /etc/vsftpd.conf

Backup of our config will remain as _OLD in case you screw up again.

vsftpd configuration

Everything is done via the configuration file mentioned above. If you want a more in-depth explanation of expressions used in the configuration file, follow this link. For now we will just configure the server so that you can download and upload files, while being able to navigate the whole filesystem.

CAUTION default values of the vsftpd.conf change between versions, default config is pretty strict though

CAUTION some of the lines I am instructing you to put in the file are already there. Make sure the lines you are adding are not already present in the file. If they are, you can modify them directly or comment them out by putting # sign at the beginning of the line and adding all your custom lines in one place

Open the configuration file by running

sudo nano /etc/vsftpd.conf

First, we want to tell vsftpd to open passive connections on the ports we specified in the security part of the tutorial. Add the following to the config, replacing $PASSIVE_MIN and $PASSIVE_MAX with the actual port numbers of your range

pasv_min_port=$PASSIVE_MIN
pasv_max_port=$PASSIVE_MAX

If you do not remember which range you have opened run the following

sudo ufw status numbered

Or go here for a refresher about UFW

Next, we want to make sure that anonymous users cannot log in, but local users can, local meaning users with accounts on your server. We also want to be able to upload files as well. Add the following three lines to the config

anonymous_enable=NO
local_enable=YES
write_enable=YES

You can specify the folder we created previously to be opened upon logging in by adding

local_root=/var/ftp/

Now let us reload the config file by running the following command

sudo service vsftpd reload

That is basically it, you should be able to connect to your server now.

Connecting to your FTP server

With browser

You can test the FTP with your browser. Type the local IP address of your server in the address bar, in the following manner

ftp://your.local.ip.address

Enter your credentials (user and password), and it should display the contents of the /var/ftp/ folder

You will not be able to upload files with your browser.

With FileZilla

FileZilla is a great and free FTP client which will help us to upload and download from our server. Grab it from here.

Once you open the FileZilla client, take a look at the top of your screen. You should be able to find the following

[Image: FileZilla connection panel]

In the Host field put your server IP, fill out the username and password fields as well and click Quickconnect

FileZilla should take you to your /var/ftp/ folder. You can download and upload files as you wish. If you cannot upload files, check that the vsftpd.conf file has the write_enable=YES directive and that the user you are logged in as has permission to write to that folder (see the chmod command to rectify that).

Securing your FTP server connection with a certificate

Once you have a certificate, you can use it with FTP as well. In order to enable the certificate, go back to vsftpd.conf file and change the following three lines

#rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO

To those

rsa_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/example.com/privkey.pem
ssl_enable=YES

Substitute example.com with the FQDN of your website. Certbot will tell you where exactly your certificate is, you can copy file paths to a local file for ease of use. Just keep them private, even the links. This information certifies that your website is actually what it seems to be.

After enabling the certificate you will lose the ability to connect to your FTP server with a browser, as browsers are unable to provide an SSL connection over FTP. It is just the way it is.

FileZilla on the other hand, upon your first connection, will display a window informing you about the certificate of your server. It will look something like this

[Image: SSL certificate on our FTP connection. Image credit: digicert.com]

For convenience you can tick the box at the bottom and FileZilla will remember your certificate upon future secure connections.

Since it is only you who will use the FTP server, you can skip the certificate part entirely. Seriously, do not connect via FTP to your server from outside your local network.
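
A quick lint for the slips the configuration and certificate sections warn about: duplicate directives, a placeholder left in the passive port range, and a certificate path pasted without its directive name. This is an added example, not part of the original tutorial; the function name audit_vsftpd_conf and the sample config are constructed for illustration, and requiring both rsa_cert_file and rsa_private_key_file is an assumption taken from this page's setup with separate certificate and key files.

```shell
#!/bin/sh
# Added example (not from the tutorial): lint a vsftpd.conf before reloading.
# audit_vsftpd_conf FILE prints one finding per line and returns 1 if any.
audit_vsftpd_conf() {
    awk '
    function bad(msg) { print msg; rc = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    !/=/ { bad("line " NR ": no key=value pair (directive name missing?)"); next }
    /[ \t]=|=[ \t]/ { bad("line " NR ": whitespace around = is an error") }
    {
        key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val)
        # Duplicates are flagged; the last occurrence is what gets checked below.
        if (key in line) bad("line " NR ": " key " already set on line " line[key])
        line[key] = NR; v[key] = val
    }
    END {
        # The compiled-in default for anonymous_enable is YES, so absent fails too.
        if (v["anonymous_enable"] != "NO") bad("anonymous_enable is not NO")
        lo = v["pasv_min_port"]; hi = v["pasv_max_port"]
        if (lo !~ /^[0-9]+$/ || hi !~ /^[0-9]+$/)
            bad("passive port range is not numeric (placeholder left in?)")
        else if (lo + 0 > hi + 0)
            bad("pasv_min_port is above pasv_max_port")
        # Assumption from this page: certificate and key are separate files.
        if (v["ssl_enable"] == "YES" &&
            (v["rsa_cert_file"] == "" || v["rsa_private_key_file"] == ""))
            bad("ssl_enable=YES needs rsa_cert_file and rsa_private_key_file")
        exit rc + 0
    }' "$1"
}

# Constructed sample reproducing typical slips; not a real server config.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=NO
pasv_min_port=$PASSIVE_MIN
pasv_max_port=$PASSIVE_MAX
/etc/letsencrypt/live/example.com/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/example.com/privkey.pem
ssl_enable=YES
anonymous_enable=YES
EOF
audit_vsftpd_conf "$sample" || echo "fix the findings above, then reload vsftpd"
rm -f "$sample"
```

Run it against /etc/vsftpd.conf after each edit; an empty output with exit status 0 means none of these slips were found.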

Enabling and disabling FTP server

If you are not actively using FTP you might as well disable the service. Why constantly run something that is not in use? Enable it only when you need to upload something, and then disable it again.

To disable the service run the following command

sudo service vsftpd stop

If you want to enable the service run the following

sudo service vsftpd start

Any FTP connection will be impossible with the vsftpd service stopped. That should be obvious. Remember that when you are scratching your head and trying to figure out why you cannot connect to upload your photos any more.

To check if FTP is running type the following

sudo service vsftpd status

If you want to start, stop or check other services just substitute vsftpd with the service name.

Conclusion

FTP is not the best way of serving files to users, but it is an invaluable tool for us to upload to our server. If you want to upload dozens of pictures for your WordPress site you can do it in a jiffy rather than use the WordPress Media tab and upload one by one.

Just make sure that you do not open the server to everybody in the whole world.
