It is easy to configure. I needed it to work with Amazon EC2. Here's how.
I took this guide: http://blog.liwen.name/configure-vsftpd-on-amazon-ec2/148
Configure vsftpd on Amazon EC2
There are quite a few FTP server options available for Debian: ProFTPD, Pure-FTPd and wu-ftpd to name a few. Here we opt for vsftpd (very secure FTP daemon), the default FTP server included in Ubuntu, CentOS, Fedora and some other Linux distributions.
Install
apt-get update
apt-get install vsftpd
Configure vsftpd
The configuration file /etc/vsftpd.conf of vsftpd is very well commented. Read it through if you want to; otherwise, here are the few changes that need to be made in order to get it to work with Amazon EC2. The explanations of these changes are mostly quoted from the vsftpd man page.
nano /etc/vsftpd.conf
First let’s disable anonymous logins:
anonymous_enable=NO
Enable local logins to allow local users to connect via FTP; this must be enabled for any non-anonymous login to work.
local_enable=YES
Give FTP users write permission:
write_enable=YES
Disable PORT-style data connections originating from port 20. It makes vsftpd run with slightly less privilege.
connect_from_port_20=NO
Restrict local users (all FTP users) in chroot jails (their home directory):
chroot_local_user=YES
To set proper permissions for files (644) and directories (755), set the umask for local users:
local_umask=022
Specify a range of ports for vsftpd to use for PASV data connections:
pasv_min_port=12000
pasv_max_port=12100
After setting up the port range, go to your EC2 console and open the ports specified above in the instance's security group; also don’t forget to open the default FTP control port 21.
It turns out that vsftpd answers an incoming PASV command with the internal IP of the EC2 instance, which FTP clients outside Amazon cannot reach. To solve this problem, we explicitly tell vsftpd which public IP address to advertise instead of letting it ask the server for one:
pasv_address=your.public.ip.address
If you don’t have an Elastic IP associated with the instance, set pasv_addr_resolve=YES and put your public DNS name in pasv_address instead.
That is all we have to do with vsftpd.conf for now. Next let’s set up our first FTP user.
Setup FTP users
To enable group-based FTP access and also make things more organised, create a dedicated FTP user group.
addgroup ftpusers
Next create our first FTP user:
useradd -d /home/web/your/root/ftp/dir/for/the/user -s /usr/sbin/nologin -g ftpusers devuser
Here we added a new user devuser with home directory /home/web/your/root/ftp/dir/for/the/user. We obviously do not want FTP users to have shell access, so the -s option sets the user’s shell to nologin. Note: don’t forget to add nologin to /etc/shells, otherwise FTP users may not be able to log in via FTP clients:
echo "/usr/sbin/nologin" >> /etc/shells
Set a password for the user:
passwd devuser
To allow FTP users to read and write files in their chroot jails (home directories), we need to let FTP users take ownership of their home directories and give them proper permission.
chown -R devuser /home/web/your/root/ftp/dir/for/the/user
chmod 775 /home/web/your/root/ftp/dir/for/the/user
Create a userlist for vsftpd and add all FTP users into the list – one user per line:
touch /etc/vsftpd.userlist
nano /etc/vsftpd.userlist
The userlist file should look like this:
devuser
user2
user3
Save /etc/vsftpd.userlist, reopen /etc/vsftpd.conf and add the following lines to the end of the file:
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
If you only want to allow the users in the userlist to login and deny anyone else, you can also set:
userlist_deny=NO
Now save the file and restart the vsftpd service:
/etc/init.d/vsftpd restart
Phew, that’s it: you have now successfully configured vsftpd on an Amazon EC2 instance.
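To check a finished setup against the settings in this post, here is an added shell script that is not part of the original post and not part of vsftpd. It never touches /etc: it renders the vsftpd.conf fragment above for a public IP and PASV port range you pass in, audits an existing vsftpd.conf for the security-relevant values (anonymous logins off, chroot on, umask, userlist), and verifies that each user in the userlist exists and has a login shell that is listed in the shells file (the nologin pitfall from the user setup section). All file paths, the IP and the port range are parameters; the values in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post or of vsftpd itself. It never
# touches /etc: it renders the vsftpd.conf settings described above for a
# public IP and PASV port range you supply, audits an existing vsftpd.conf
# for those settings, and checks a userlist against passwd and shells files.
# All file paths and the IP/port values are parameters (placeholders).

# Settings the guide asks for, as key=value pairs, one per line.
REQUIRED_SETTINGS='anonymous_enable=NO
local_enable=YES
write_enable=YES
connect_from_port_20=NO
chroot_local_user=YES
local_umask=022
userlist_enable=YES
userlist_deny=NO'

# render_vsftpd_conf PUBLIC_IP PASV_MIN PASV_MAX
# Print a vsftpd.conf fragment with the required settings, the advertised
# PASV address and the PASV port range. Returns 1 if the range is not sane
# (min > max, or outside the unprivileged 1024-65535 range).
render_vsftpd_conf() {
    public_ip=$1; pasv_min=$2; pasv_max=$3
    if [ "$pasv_min" -gt "$pasv_max" ] || [ "$pasv_min" -lt 1024 ] || [ "$pasv_max" -gt 65535 ]; then
        echo "render_vsftpd_conf: bad PASV range $pasv_min-$pasv_max" >&2
        return 1
    fi
    printf '%s\n' "$REQUIRED_SETTINGS"
    printf 'pasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' "$pasv_min" "$pasv_max"
    printf 'pasv_address=%s\nuserlist_file=/etc/vsftpd.userlist\n' "$public_ip"
}

# conf_value FILE KEY
# Print the effective value of KEY in FILE. Comment lines are skipped and the
# last assignment wins, which is how vsftpd itself reads its configuration.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# audit_vsftpd_conf FILE
# Report every required setting that is missing or has the wrong value, an
# inverted or absent PASV range, and a missing pasv_address (without it,
# clients are told the instance's private IP). Returns 1 if anything is wrong.
audit_vsftpd_conf() {
    conf=$1; problems=0
    for setting in $REQUIRED_SETTINGS; do
        key=${setting%%=*}; want=${setting#*=}
        have=$(conf_value "$conf" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key: want $want, have '${have:-unset}'"
            problems=$((problems + 1))
        fi
    done
    pmin=$(conf_value "$conf" pasv_min_port); pmax=$(conf_value "$conf" pasv_max_port)
    if [ -z "$pmin" ] || [ -z "$pmax" ] || [ "$pmin" -gt "$pmax" ]; then
        echo "pasv_min_port/pasv_max_port: missing or inverted range"
        problems=$((problems + 1))
    fi
    if [ -z "$(conf_value "$conf" pasv_address)" ]; then
        echo "pasv_address: unset, clients will be told the private IP"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# check_ftp_users USERLIST PASSWD SHELLS
# For each user in USERLIST (one per line, as in /etc/vsftpd.userlist), verify
# the account exists in PASSWD and that its login shell is listed in SHELLS.
# A shell missing from /etc/shells is the pitfall noted above for nologin.
# Returns 1 if any user fails.
check_ftp_users() {
    userlist=$1; passwd=$2; shells=$3; problems=0
    while IFS= read -r user || [ -n "$user" ]; do
        if [ -z "$user" ]; then continue; fi
        shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
        if [ -z "$shell" ]; then
            echo "$user: no such account in $passwd"; problems=$((problems + 1))
        elif ! grep -qxF "$shell" "$shells"; then
            echo "$user: shell $shell is not listed in $shells"; problems=$((problems + 1))
        fi
    done < "$userlist"
    [ "$problems" -eq 0 ]
}

# Usage:  sh vsftpd_check.sh render 203.0.113.10 12000 12100 > vsftpd.conf
#         sh vsftpd_check.sh audit /etc/vsftpd.conf
#         sh vsftpd_check.sh users /etc/vsftpd.userlist /etc/passwd /etc/shells
case "${1:-}" in
    render) render_vsftpd_conf "$2" "$3" "$4" ;;
    audit)  audit_vsftpd_conf "$2" ;;
    users)  check_ftp_users "$2" "$3" "$4" ;;
esac
```

The audit reads the configuration the way vsftpd does (last assignment wins, comments ignored), so a stray anonymous_enable=YES appended below the intended settings is caught rather than masked by the earlier NO line.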
Thanks a lot for this post; I followed the instructions but, when I try to connect with FileZilla, I get this error:
Error: Disconnected: No supported authentication methods available (server sent: publickey)
I guess you have to enable username/password in your box configuration.
Maybe this helps:
To disable password authentication, look for the following line in your sshd_config file:
#PasswordAuthentication yes
replace it with a line that looks like this:
PasswordAuthentication no
taken from: https://help.ubuntu.com/community/SSH/OpenSSH/Configuring
but you have to enable it, obviously
My PasswordAuthentication is already on yes...
Do I have to create some sort of key for the new users?
the keys are only necessary if users are going to log in without username/password
It's maybe a FileZilla issue; if on a Linux box, ftp to your own server and see what happens.
When I followed those instructions I was able to set up my vsftpd server, but I use WinSCP to connect to it (recommendation); if not, I wouldn't have posted the instructions.