File Transfer Protocol (FTP) is a network protocol used to transfer files between computers, one act as a client, the other act as a server, in this post we will talk about FTP server in Linux systems, specifically Very Secure FTP Daemon (vsftpd).
The vsftpd program is a very popular FTP server that is being used by many servers today.
Our main points are:
How FTP Server Works
FTP server works with the client server architecture to communicate and transfer files.
FTP is a stateful protocol, meaning that connections between clients and servers are created and kept open during an FTP session.
To send or receive files from an FTP server you use FTP commands, these commands are executed consecutively. It is like a queue, one by one.
There are two types of FTP connections initiated,
- Control connection also called a command connection
- Data connection.
When you establish an FTP connection a single control connection is established by default using the TCP port 21. This connection is used for the authentication process.
A data connection is established only when a file needs to be transferred.
There are two types of data connection:
- Passive mode
- Active mode
Active connections are initiated by the remote server, and the client listens for the connection.
Passive connections use the PASV command; the client initiates the connection to the remote server, and the server listens for the data connections.
When the FTP client starts a transfer, it tells the server what type of connection it wants to make.
In active mode, the client connects from a random source port in the ephemeral port range to the FTP control port 21.
You can check your ephemeral port range using this command
$ cat /proc/sys/net/ipv4/ip_local_port_range
When you actually want to transfer a file, the remote FTP server will initiate a connection from the FTP data port 20 on the server system back to a destination port in the ephemeral port range on the client
Active mode connections often have issues with firewalls, also you need to have the TCP ports 20 and 21 open on your firewall.
Because of these problems with firewalls of active mode, the passive mode was introduced.
If you are using iptables firewall I recommend you to review Linux iptables firewall post to know how to allow ports
In passive mode, the client initiates the control connection from a random ephemeral port on the client to the destination port of 21 on the remote server. When it needs to make a data connection, the client will issue the PASV FTP command. The server will respond by opening a random ephemeral port on the server and pass this port number back to the client via the control connection.
The client will then open a random ephemeral source port on the client and initiate a connection between that port and the destination remote port provided by the FTP server.
That’s why they said the FTP is connection-hungry because every time you make a data connection (like transfer a file) the server will do the above process and this is done will all clients connected to the server.
In passive mode, the client initiates both the control and data connections. Thus, firewalls see the outgoing FTP data connection as part of an established connection.
You need to have ephemeral ports open on the server and client side of the connection, but firewalls would be to disallow connections that originate from the Internet that is destined for ephemeral ports.
Many firewalls implement application level proxies (means look deeply into packets for analysis) for FTP, which keeps track of FTP requests and open up those high ports when needed to receive data from a remote site.
Vsftpd FTP Server Features
There are several FTP servers available for you to use, commercial and open source.
Vsftpd has some security features which makes it on the top like:
- Can run as a non-privileged user with privilege separation
- Supports SSL/TLS FTP connections
- Can chroot users into their home directories.
- Can limit the FTP commands that a user can execute.
- Reduces the risk of DoS attacks with connection limits.
FTP Server Setup
Some Linux distros shipped with vsftpd, anyway, if you want to install it on Red Hat based systems, you can use the following command
$ sudo dnf -y vsftpd
On Debian based distros like Ubuntu, you can use the following command
$ sudo apt-get install vsftpd
Once you’ve installed the package, you can run the service and enable it to run at boot time.
$ systemctl start vsftpd
$ systemctl enable vsftpd
The configuration file for vsftpd FTP server is /etc/vsftpd/vsftpd.conf file or in Debian based distros you can find it at /etc/vsftpd.conf .
Actually, the FTP server in Linux is one of the easiest servers that you can work with.
There are two types of accessing the FTP server
- Anonymous FTP access: anyone can login with the username anonymous without a password.
- Local user login: all valid users on /etc/passwd are allowed to access FTP server using their usernames and passwords.
You can allow or prevent anonymous access to FTP server from the configuration, in /etc/vsftpd/vsftpd.conf and enable anonymous_enable=YES if it is not enabled and reload your service.
Now you can try to connect to the FTP server using any FTP client, I will use the simple FTP command.
You can install it if it is not on your system
$ dnf -y install ftp
Now you can access your FTP server like this
$ ftp localhost
Then type the username anonymous and with no password, just press enter.
You will be presented with the FTP prompt
And now you can type any FTP command to interact with the FTP server.
Connect as Local User
Since there is an option on the setting for allowing local users to access FTP server which is local_enable=YES, now let’s try to access the FTP server using a local user
$ ftp localhost
Then type your local username and the password for that user and you will see Login successful message.
Setup FTP Server as Anonymous Only
This type of FTP server is useful for large sites that have files that should be available to the public via FTP without any passwords or login.
You need to configure vsftpd to allow anonymous user only.
Open /etc/vsftpd/vsftpd.conf file, and change the following options with the corresponding values.
Then we need to create a non-privileged system account and is used especially for anonymous FTP-type access.
$ useradd -c " FTP User" -d /var/ftp -r -s /sbin/nologin ftp
This user has not privileges on the system so it is safer to use it when accessing FTP server.
Don’t forget to restart your FTP server after you modify the configuration file.
You can access the FTP server from the browser, just type ftp://youdomain/
FTP Server Security
We can configure vsftpd to use TLS, so the transferred files over the network a bit more secure.
First we generate a certificate request using openssl command
$ openssl genrsa -des3 -out FTP.key
Then we generate a certificate request
$ openssl req -new -key FTP.key -out certificate.csr
Now we remove the password associated with the key file.
$ cp FTP.key FTP.key.orig
$ openssl rsa -in FTP.key.orig -out ftp.key
Finally, we generate our certificate
$ openssl x509 -req -days 365 -in certificate.csr -signkey ftp.key -out mycertificate.crt
Now we copy both the key and the certificate file to /etc/pki/tls/certs .
$ cp ftp.key /etc/pki/tls/certs/
$ cp mycertificate.crt /etc/pki/tls/certs
Now, all we need to do is to configure vsftpd to support secure connections.
Open / etc/vsftpd/vsftpd.conf file and add the following lines.
Restart your service to reflect these changes.
And that’s it.
Try to connect to your FTP server from any client on any system like windows and choose the secured connection or FTPS, and you will successfully see your folders.
SFTP vs. FTPS
In the last example, we’ve seen the FTP over SSL layer (FTPS) and we’ve successfully connected to the FTP server, however, with the tightly secured firewall, it is difficult to manage this kind of connection since FTPS uses multiple port numbers.
The best solution, in this case, is to use SFTP (FTP over SSH).SFTP only needs a single port number which is port 22.
This port is used for all connections during FTP sessions.
Briefly, SFTP and FTPS are both very secure but SFTP is much easier to port through firewalls.
Jailing FTP Users
You can secure your FTP server by jailing your FTP users in their homes directories and allow only specific users to access the service.
Open /etc/vsftpd/vsftpd.conf and uncomment the following options
The file /etc/vsftpd.chroot_list contains the list of jailed users one per line.
Save the files and restart your service.
$ systemctl restart vsftpd
Linux FTP Server Commands
You can use any GUI client to upload and download your files, but you need to know some FTP server commands also.
Type pwd to print the current working directory, you will see your user home folder.
You can list files using ls command
ftp> cd /
Also, you can use cd command to change the working directory
If you want to exit your FTP session use bye command
lcd command is used to display the local folder, not the FTP folder.
ftp> lcd /home
You can change the local directory using lcd.
ftp> get myfile
You can download a file using get command.
ftp> mget file1 file2
Also, you can download multiple files using mget command.
ftp> delete filename
Use delete command to delete a file from the server.
ftp> put filename
Use put command to upload a file to the server.
ftp> mput file1 file2
To upload multiple files, use mput command.
ftp> mkdir dirName
You can create a directory using mkdir command.
ftp> rmdir dirName
Or you can delete a directory from the server using rmdir command.
There are two modes for file transfer when using FTP server, ASCII mode, and binary mode, you can change the like this:
FTP server is one of the easiest servers in Linux to configure and work with.
I hope you find the post useful and interesting.