FTP, short for File Transfer Protocol, is a network protocol that was once widely used for moving files between a client and server. It has since been replaced by faster, more secure, and more convenient ways of delivering files. Many casual Internet users expect to download directly from their web browser with
httpsand command-line users are more likely to use secure protocols such as the
FTP is often used to support legacy applications and workflows with very specific needs. If you have a choice of what protocol to use, consider exploring the more modern options. When you do need FTP, though, vsftp is an excellent choice. Optimized for security, performance and stability, vsftp offers strong protection against many security problems found in other FTP servers and is the default for many Linux distributions.
In this tutorial, we'll show you how to set up vsftp for an anonymous FTP download site intended to widely distribute public files. Rather than using FTP to manage the files, local users with
sudoprivileges are expected to use
sFTP, or any other secure protocol of their choice to transfer and maintain files.
PrerequisitesTo follow along with this tutorial you will need:
- An Ubuntu 16.04 server with a non-root user with
Step 1 — Installing vsftpWe'll start by updating our package list and installing the
When the installation is complete, we'll copy the configuration file so we can start with a blank configuration, saving the original as a backup.
- sudo apt update
- sudo apt install vsftpd
With a backup of the configuration in place, we're ready to configure the firewall.
- sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.orig
Step 2 — Opening the FirewallFirst, let’s check the firewall status to see if it’s enabled and if so, to see what's currently permitted so that when it comes time to test the configuration, you won’t run into firewall rules blocking you.
In our case, we see the following:
- sudo ufw status
OutputOutput Status: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere OpenSSH (v6) ALLOW Anywhere (v6)
You may have other rules in place or no firewall rules at all. In this example, only
sshtraffic is permitted, so we’ll need to add rules for FTP traffic.
With many applications, you can use
sudo ufw app listand enable them by name, but FTP is not one of those. Because ufw also checks /etc/services for the port and protocol of a service, we can still add FTP by name. We need both
ftp-dataon port 20 and
ftp(for commands) on port 21:
Now our firewall rules looks like:
- sudo ufw allow ftp-data
- sudo ufw allow ftp
- sudo ufw status
OutputStatus: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere 21/tcp ALLOW Anywhere 20/tcp ALLOW Anywhere OpenSSH (v6) ALLOW Anywhere (v6) 21/tcp (v6)ALLOW Anywhere (v6) 20/tcp (v6)ALLOW Anywhere (v6)
vsftpinstalled and the necessary ports open, we're ready to proceed.
Step 3 — Preparing Space for Files
First, we'll create the directory where we plan to host the files, using the
-pflag to create the intermediate directory. The directory structure will allow you to keep all the FTP directories together and later add other folders that require authentication:
Next, we'll set the directory permissions to
- sudo mkdir -p /var/ftp/pub
nobody:nogroup. Later, we'll configure the FTP server to show all files as being owned by the ftp user and group.
Finally, we'll make a file in the directory for testing later.
- sudo chown nobody:nogroup /var/ftp/pub
With this sample file in place, we're ready to configure the vsftp daemon.
- echo "vsftp test file" | sudo tee /var/ftp/pub/test.txt
Step 4 — Configuring Anonymous AccessWe're setting up for users with
sudoprivileges to maintain files for wide distribution to the public. To do this, we'll configure
vsftpto allow anonymous downloading. We'll expect the file administrators to use
sftpor any other secure method to maintain files, so we will not enable uploading files via FTP.
The configuration file contains some of the many configuration options for vsftp.
We'll start by changing ones that are already set:
Find the following values and edit them so they match the values below:
- sudo nano /etc/vsftpd.conf
. . . # Allow anonymous FTP? (Disabled by default). anonymous_enable=YES # We’ll set the local_enable setting to “NO” because we’re not going
to allow users with local accounts to upload files via FTP.
The comment in the configuration file can be a little confusing, too,
In addition to changing existing settings, we're going to add some additional configuration.
because the line is uncommented by default. # Uncomment this to allow local users to log in. local_enable=NO . . .
Note: You can learn about the full range of options with the
Add these settings to the configuration file. They are not dependent on the order, so you can place them anywhere in the file.
# # Point users at the directory we created earlier. anon_root=/var/ftp/ # # Stop prompting for a password on the command line. no_anon_password=YES # # Show the user and group as ftp:ftp, regardless of the owner. hide_ids=YES # # Limit the range of ports that can be used for passive FTP pasv_min_port=40000 pasv_max_port=50000
Note: If you are using UFW, these settings work as-is. If you're using Iptables, you may need to add rules to open the ports you specify between
Once those are added, save and close the file. Then, restart the daemon with the following command:
- sudo systemctl restart vsftpd
systemctldoesn't display the outcome of all service management commands, so if you want to be sure you've succeeded, use the following command:
If the final line says look like the following, you've succeeded:
- sudo systemctl status vsftpd
OutputAug 17 17:49:10 vsftp systemd: Starting vsftpd FTP server... Aug 17 17:49:10 vsftp systemd: Started vsftpd FTP server.
Now we're ready to test our work.
Step 5 — Testing Anonymous AccessFrom a web browser enter ftp:// followed by the IP address of your server.
If everything is working as expected, you should see the
You should also be able to click into
test.txt, then right-click to save the file.
You can also test from the command-line, which will give much more feedback about your configuration. We’ll ftp to the server in passive mode, which is the
-pflag on many command-line clients. Passive mode allows users to avoid changing local firewall configurations to permit the server and client to connect.
Note: The native Windows command-line FTP client,
ftp.exe, does not support passive mode at all. Windows users may want to look into another Windows FTP client such as WinSCP.
When prompted for a username, you can enter either "ftp" or "anonymous". They’re equivalent, so we’ll use the shorter "ftp":
- ftp -p 203.0.113.0
Connected to 203.0.113.0. 220 (vsftpd 3.0.3) Name (203.0.113.0:21:sammy): ftp
After pressing enter, you should receive the following:
Output230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp>
Ensure that passive mode is working as expected:
As the anonymous user, you should be able to transfer the file to your local machine with the
Output227 Entering Passive Mode (45,55,187,171,156,74). 150 Here comes the directory listing. drwxr-xr-x 2 ftp ftp 4096 Aug 17 19:30 pub 226 Directory send OK.
- cd pub
- get test.txt
This output tells you that you've succeeded at downloading the file, and you can take a peek to see that it’s on your local file system if you like.
Outputftp> get test.txt 227 Entering Passive Mode (45,55,187,171,156,73). 150 Opening BINARY mode data connection for test.txt (14 bytes). 226 Transfer complete. 16 bytes received in 0.0121 seconds (1325 bytes/s)
We also want to be sure anonymous users won’t be filling our file system, so to test, we will turn right around and try to put the same file back on the server, but with a new name.:
- put test.txt upload.txt
Output227 Entering Passive Mode (104,236,10,192,168,254). 550 Permission denied.
Now that we’ve confirmed this, we’ll exit the monitor in preparation for the next step:
Now that we've confirmed the anonymous connection is working as expected, we'll turn our attention to what happens when user tries to connect.
Step 6 — Trying to Connect as a User
You might also want to be sure that you cannot connect as a user with a local account since this set up does not encrypt their login credentials. Instead of entering "ftp" or "anonymous" when you're prompted to log in, try using your sudo user:
- ftp -p 203.0.113.0
OutputConnected to 203.0.113.0:21. 220 (vsFTPd 3.0.3) Name (203.0.113.0:21:your_user) 530 This FTP server is anonymous only. ftp: Login failed. ftp>
These tests confirm that you set up the system for anonymous downloading only.
In this tutorial we covered how to configure vsftp for anonymous downloads only. This allows us to support legacy applications unable to use more modern protocols or widely-published FTP urls that would be difficult to update.