Original link: https://help.ubuntu.com/lts/serverguide/ftp-server.html
FTP server
FTP, the File Transfer Protocol, is a TCP protocol for downloading files between computers. In the past it was also used for uploading, but because the protocol does not use encryption, credentials and user data travel in plaintext and can be easily intercepted. If you are looking for a way to upload and download files securely, see the OpenSSH section under remote administration.
FTP works on a client/server model. The server component is called the FTP daemon. It continuously listens for FTP requests from clients. When a request arrives, it validates the login and sets up the connection. For the duration of the session, it executes any commands sent by the FTP client.
Access to an FTP server can be set up in two ways:
- Anonymous
- Authenticated
In anonymous mode, clients can access the FTP server using the default account named anonymous or ftp, sending an e-mail address as the password. In authenticated mode, the user must have an account and a password. Authenticated mode is actually insecure (credentials and data are transmitted in clear text) and should not be used except in special circumstances. If you want to transfer files securely, see SFTP in the OpenSSH-Server section. A user's access to the FTP server's directories and files depends on the permissions of the account used to log in. Typically, the FTP daemon hides the root directory of the FTP server and uses the FTP home directory instead. This hides the rest of the file system from remote sessions.
vsftpd - FTP Server Installation
vsftpd is a commonly used FTP daemon on Ubuntu. It is easy to install, set up and maintain. To install vsftpd, run the following command:
sudo apt install vsftpd
Anonymous FTP configuration
By default, vsftpd is configured to not allow anonymous download. To enable anonymous download, edit /etc/vsftpd.conf and set:
anonymous_enable=Yes
During installation, vsftpd creates a user named ftp whose home directory is /srv/ftp. This is the default FTP directory.
If you want to change the default FTP directory, for instance to /srv/files/ftp, you only need to create the directory and change the ftp user's home directory:
sudo mkdir -p /srv/files/ftp
sudo usermod -d /srv/files/ftp ftp
After changing the configuration, restart vsftpd for it to take effect:
sudo systemctl restart vsftpd.service
Now you can copy any files or directories you want to share into the ftp user's home directory, and other users can access them through anonymous FTP.
FTP Authentication Configuration
By default, vsftpd is configured so that authenticated users can only download files. If you want users to be able to upload files, edit /etc/vsftpd.conf and set:
write_enable=YES
Restart vsftpd for the configuration to take effect:
sudo systemctl restart vsftpd.service
Now, when users log in to FTP, they start in their home directory, where they can download, upload, create directories and perform other operations.
By default, vsftpd does not allow anonymous users to upload files to the FTP server. To change this setting, uncomment the following line in the configuration file and restart vsftpd:
anon_upload_enable=YES
Enabling anonymous FTP upload is a serious security risk. If the server can be reached directly from the Internet, it is best not to enable anonymous uploads.
The configuration file contains many configuration parameters, each described in the file itself. For details of each parameter, you can also check the man page, man 5 vsftpd.conf.
Secure FTP
Some options in /etc/vsftpd.conf can make vsftpd more secure. For example, you can restrict users to their home directories by uncommenting the following line:
chroot_local_user=YES
You can also restrict only a specific list of users to their home directories:
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
After uncommenting these two lines, create the /etc/vsftpd.chroot_list file with one user name per line, and restart vsftpd:
sudo systemctl restart vsftpd.service
In addition, the /etc/ftpusers file lists users who are not allowed to access FTP. The default list includes root, daemon, nobody and so on. To disable FTP access for other users, simply add them to the list.
FTP can also be encrypted using FTPS. Unlike SFTP, FTPS is FTP over Secure Socket Layer (SSL). SFTP is an FTP-like session over an encrypted SSH connection. One major difference is that SFTP users need to have a shell account on the system, rather than a nologin shell. Providing a shell to all users may not be ideal in some environments (such as shared web hosts). However, such accounts can still be restricted to SFTP only, with the interactive shell disabled. For more information, see the OpenSSH-Server section.
To configure FTPS, edit /etc/vsftpd.conf and add at the end:
ssl_enable=Yes
You also need to add the certificate and key options:
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
By default, these options point to the certificate and key provided by the ssl-cert package. In a production environment, they should be replaced with a certificate and key generated for the specific host. For more information about certificates, see the Certificates section.
Now restart vsftpd, and non-anonymous users will be forced to use FTPS:
sudo systemctl restart vsftpd.service
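The settings covered so far can be checked mechanically. The shell functions below are an added example, not part of the original guide or of vsftpd: they read a vsftpd.conf and report the risky settings discussed above. The function names are hypothetical, and unset options fall back to the compiled-in defaults documented in vsftpd.conf(5).

```shell
#!/bin/sh
# Added example (not from the guide): flag risky vsftpd.conf settings.
# Usage: audit_vsftpd_conf /etc/vsftpd.conf

# Effective value of KEY in FILE, or DEFAULT when unset. vsftpd expects
# key=value without spaces, '#' comment lines, and the last assignment wins.
conf_get() {
    awk -v key="$2" -v def="$3" '
        /^#/ { next }
        index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { sub(/[ \t\r]+$/, "", val); print (val == "" ? def : val) }
    ' "$1"
}

# Booleans are matched case-insensitively (the guide itself writes "Yes").
is_on() {
    case "$(conf_get "$1" "$2" "$3" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|1) return 0 ;;
    esac
    return 1
}

audit_vsftpd_conf() {
    f=$1
    # Fallback values below are the compiled-in defaults from vsftpd.conf(5).
    if is_on "$f" anonymous_enable YES; then
        echo "WARN anonymous_enable: anonymous logins are allowed"
        if is_on "$f" anon_upload_enable NO && is_on "$f" write_enable NO; then
            echo "CRIT anon_upload_enable: anonymous users can upload files"
        fi
    fi
    if ! is_on "$f" ssl_enable NO; then
        echo "CRIT ssl_enable: credentials and data are sent in clear text"
    fi
    case "$(conf_get "$f" rsa_cert_file "")" in
        *snakeoil*) echo "WARN rsa_cert_file: ssl-cert placeholder certificate" ;;
    esac
    jail=NO; list=NO
    if is_on "$f" chroot_local_user NO; then jail=YES; fi
    if is_on "$f" chroot_list_enable NO; then list=YES; fi
    case "$jail/$list" in
        NO/NO)   echo "WARN chroot_local_user: local users are not confined" ;;
        # Per vsftpd.conf(5), with both set the list names users NOT jailed.
        YES/YES) echo "WARN chroot_list_enable: listed users escape the jail" ;;
    esac
    return 0
}
```

An empty result means none of these checks fired; it does not cover file permissions or options outside this guide.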
To allow users whose shell is /usr/sbin/nologin to access FTP without having shell access, edit /etc/shells and add the nologin shell:
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen
/usr/sbin/nologin
This is necessary because, by default, vsftpd uses PAM for authentication, and the /etc/pam.d/vsftpd configuration file contains:
auth required pam_shells.so
The shells PAM module restricts access to users whose shell is listed in the /etc/shells file.
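Adding /usr/sbin/nologin to /etc/shells applies to every account with that shell, not only the intended FTP users, so it is worth listing who becomes eligible and adding unwanted accounts to /etc/ftpusers. The following is an added example, not part of the original guide: the function names and the sample accounts are constructed, and it only models the shell and /etc/ftpusers checks described above.

```shell
#!/bin/sh
# Added example (not from the guide). Arguments are copies of /etc/passwd,
# /etc/shells and /etc/ftpusers. Passwords are not checked: an account
# listed here still needs a usable password to log in.

# Accounts whose shell is in SHELLS and whose name is not in FTPUSERS.
ftp_eligible_users() {  # passwd shells ftpusers
    awk -F: '
        function clean(s) { sub(/#.*/, "", s); gsub(/[ \t\r]/, "", s); return s }
        FILENAME == ARGV[1] { s = clean($0); if (s != "") shell_ok[s] = 1; next }
        FILENAME == ARGV[2] { u = clean($0); if (u != "") denied[u] = 1; next }
        ($7 in shell_ok) && !($1 in denied) { print $1 }
    ' "$2" "$3" "$1"
}

# Accounts that become eligible once NEWSHELL is appended to SHELLS.
newly_eligible() {  # passwd shells ftpusers newshell
    tmp=$(mktemp) || return 1
    { cat "$2"; echo "$4"; } > "$tmp"
    ftp_eligible_users "$1" "$2" "$3" | sort > "$tmp.before"
    ftp_eligible_users "$1" "$tmp" "$3" | sort | comm -13 "$tmp.before" -
    rm -f "$tmp" "$tmp.before"
}

# Constructed sample data, not taken from a real system.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
ftpbob:x:1001:1001:FTP only:/home/ftpbob:/usr/sbin/nologin
EOF
    printf '%s\n' '# valid login shells' /bin/sh /bin/bash > "$d/shells"
    printf '%s\n' root daemon nobody > "$d/ftpusers"
    newly_eligible "$d/passwd" "$d/shells" "$d/ftpusers" /usr/sbin/nologin
    rm -rf "$d"
}
```

In the constructed sample, the service account www-data passes the shell check alongside the intended FTP-only user, which is the case to catch before editing /etc/shells.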
Most popular FTP clients can be configured to connect using FTPS. The lftp command-line FTP client can also use FTPS.
References
- For more detailed information, see the vsftpd website.
- For details on the /etc/vsftpd.conf options, see the vsftpd.conf man page.