FTP tips
Current revision as of 19:41, 7 February 2012
FTP (File Transfer Protocol) is a standard network protocol used to transfer files from one host to another host over a TCP-based network, such as a LAN or the Internet. FTP servers are very lightweight and efficient (and require little system overhead to run).
FTP has been used for several decades and is ubiquitous, with clients for every OS and platform. FileZilla, for example, is one of the easiest and most powerful.
sudo apt-get install filezilla
Almost all current FTP servers allow settings to enable FTPS (TLS/SSL encrypted transfers). This is distinct from the practice of FTP through an SSH connection (known as SFTP) which can only be done by users that already have complete user shells (with SSH capabilities enabled) on the host computer (not a common scenario with shared web host servers, for security reasons). The FileZilla client is compatible with all of the available security implementations.
Vsftpd (FTP server)
- vsftpd is an FTP server available in (K)Ubuntu. For configuration information, see the official Ubuntu documentation. Install:
sudo apt-get install vsftpd
- Edit the configuration file /etc/vsftpd.conf (use gedit instead of kate if using Ubuntu instead of Kubuntu):
sudo kate /etc/vsftpd.conf
- After changing the desired configuration settings, restart vsftpd:
sudo /etc/init.d/vsftpd restart
Using two separate user accounts for vsftpd
This is an example setup in which two authenticated user accounts (each with its own password) are used for FTP files. One user account (ftprestricted) will be used for restricted files, and one user account (ftpguest) will be used for less restricted files. The rationale for such a setup is that the two password-protected accounts will be created with folders in the /home folder, with relative privilege separation from each other and from the rest of the system. (In one commonly used setup, the /home folder is kept in its own isolated partition, thereby easing and securing file maintenance during system upgrades and other transitions. This example method maintains an FTP structure that is in keeping with such a setup.)
- While logged in as a system administrator, create two new user accounts named ftprestricted and ftpguest.
- Menu -> System -> System Settings -> Advanced: User Management -> User Accounts
- -> New... -> Details -> Status: Enabled -> Login Name: ftprestricted -> Privileges and Groups
- -> Privileges: (untick all) -> Groups: (untick all) -> Password/Security -> Password: Valid Until: Always (ticked) -> OK
- -> New... -> Details -> Status: Enabled -> Login Name: ftpguest -> Privileges and Groups
- -> Privileges: (untick all) -> Groups: (untick all) -> Password/Security -> Password: Valid Until: Always (ticked) -> OK
- Log out, then log in once as ftprestricted. When prompted, enter a password (such as ftpsecretpw) that will be used for all ftprestricted functions (including FTP access). This will set up a complete shell/folder structure for ftprestricted. Log out, then log in once as ftpguest. When prompted, enter a password (such as ftpopenpw) that will be used for all ftpguest functions (including FTP access). This will set up a complete shell/folder structure for ftpguest. Finally, log out and then log in once again as a system administrator.
- Disable the ability of the two new user accounts (ftprestricted and ftpguest) to log into the system:
- Menu -> System -> System Settings -> Advanced: Login Manager -> Users -> Excluded users: ftprestricted (ticked) -> ftpguest (ticked) -> OK
- Using a File Manager with root-level privileges (sudo dolphin or sudo nautilus), delete any undesirable folders (such as /Desktop, /Templates, /Maildir, etc.) from the /home/ftprestricted and /home/ftpguest folders. (This will create a cleaner FTP folder structure.)
- Edit the vsftpd configuration file to allow authenticated access (but not anonymous access) and to allow read/write privileges (but not for anonymous users). (Use gedit instead of kate if using Ubuntu instead of Kubuntu.):
sudo kate /etc/vsftpd.conf
- and make sure the following settings are included:
#
#anonymous_enable=YES
anonymous_enable=NO
#
#local_enable=NO
local_enable=YES
#
write_enable=YES
#
#anon_upload_enable=YES
anon_upload_enable=NO
#
Also set any other desired parameters. (With this setup, it is not necessary to chroot "jail" a user nor to use a separate "ftpsecure" account.)
- Save then restart vsftpd:
sudo /etc/init.d/vsftpd restart
- Now there will be two FTP accounts that can be used with the FTP server, each with its own password and its own isolated set of folders (in the /home/ftprestricted and /home/ftpguest directories). Naturally, any number of user accounts used strictly for FTP could be created in a similar manner. An FTP client could then connect to the server using Logontype: Normal and either the User: ftprestricted with Password: ftpsecretpw or the User: ftpguest with Password: ftpopenpw.
Securing vsftpd
- User account password sniffing and cracking is all too easy and common these days. For greater security I only allow specific user accounts, set up strictly for FTP, to be accessed through FTP. There is a big security risk, IMO, in allowing regular user accounts to be accessed by FTP. I therefore add all regular user accounts to the "no FTP" list found at /etc/ftpusers (which, in a naming paradox, is a list of system user accounts forbidden from using FTP).
sudo kate /etc/ftpusers
To this list I add all user accounts, except those designated solely for FTP (e.g. ftprestricted and ftpguest created in the example of the preceding section).
- Another method of restricting FTP user accounts is detailed in the official Ubuntu documentation.
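The deny list described above can be generated rather than typed by hand. The following script is an added example and not part of the original page: it lists every account in a passwd file except the ones designated solely for FTP, and appends the missing names to an ftpusers file without duplicating entries. File paths are passed as arguments so it can be tried on a constructed copy before touching /etc/ftpusers.

```shell
#!/bin/sh
# Added example (not from the original page). Builds the "no FTP" list for
# /etc/ftpusers: every login account except the FTP-only ones.

# ftp_deny_list PASSWD_FILE ALLOWED_USER...
# Prints each account name in PASSWD_FILE that is not in the allowed list.
# System accounts with nologin shells are listed too: an extra line in
# /etc/ftpusers is harmless, while a missing real user is the risk described above.
ftp_deny_list() {
    passwd_file=$1
    shift
    allowed=" $* "
    while IFS=: read -r name _pw _uid _gid _gecos _home _shell; do
        case $name in ''|\#*) continue ;; esac      # skip blank/comment lines
        case "$allowed" in
            *" $name "*) ;;                           # FTP-only account: keep FTP access
            *) printf '%s\n' "$name" ;;               # everyone else is denied
        esac
    done < "$passwd_file"
}

# ftpusers_merge FTPUSERS_FILE PASSWD_FILE ALLOWED_USER...
# Appends every denied name that is not already present, so the script can be
# re-run after new accounts are created without producing duplicates.
ftpusers_merge() {
    ftpusers_file=$1
    shift
    [ -f "$ftpusers_file" ] || : > "$ftpusers_file"
    ftp_deny_list "$@" | while IFS= read -r name; do
        grep -qxF -- "$name" "$ftpusers_file" || printf '%s\n' "$name" >> "$ftpusers_file"
    done
}

# Demonstration on constructed sample files (not a real system's data).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
ftprestricted:x:1001:1001::/home/ftprestricted:/bin/bash
ftpguest:x:1002:1002::/home/ftpguest:/bin/bash
www-data:x:33:33::/var/www:/usr/sbin/nologin
EOF
    printf 'root\n' > "$tmp/ftpusers"   # Ubuntu's stock file already lists root
    ftpusers_merge "$tmp/ftpusers" "$tmp/passwd" ftprestricted ftpguest
    ftpusers_merge "$tmp/ftpusers" "$tmp/passwd" ftprestricted ftpguest   # second run: no change
    cat "$tmp/ftpusers"
    rm -rf "$tmp"
}

demo
```

On a real host, run `ftpusers_merge /etc/ftpusers /etc/passwd ftprestricted ftpguest` as root and restart vsftpd afterwards.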
Encrypting transfers with FTPS
FTP can be encrypted using FTPS, which is FTP over Secure Socket Layer (TLS/SSL). The discussion below is for explicit FTPS (FTPES).
- To configure FTPS, edit /etc/vsftpd.conf (use gedit instead of kate if using Ubuntu instead of Kubuntu):
sudo kate /etc/vsftpd.conf
- and at the bottom add:
ssl_enable=YES
It is also possible to add the "pseudo-" certificate and key that are often pre-installed (or can be installed using the ssl-cert package -- sudo apt-get install ssl-cert) on a (K)Ubuntu system by adding the lines:
#rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
In a production environment, however, these should be replaced with a certificate and key generated for the specific host. For more information on certificates see the official Ubuntu documentation.
- Restart vsftpd, and non-anonymous users will be forced to use explicit FTPS:
sudo /etc/init.d/vsftpd restart
- When connecting (using the FileZilla client, for example), now use Servertype: FTP over explicit TLS/SSL. A prompt will appear to accept the (snakeoil) certificate.
Troubleshooting vsftpd
- When using regular FTP behind a firewall, vsftpd uses port 21 as the control port and port 20 as the data port (in both active and passive mode). Make sure ports 20-21 are open in the outgoing firewall of the FTP client, the incoming firewall of the vsftpd server, and that the router forwards ports 20-21 to the LAN IP address used by the computer with the vsftpd server.
- When using explicit FTPES behind a firewall, port 21 is still used as the control port, but a port range (other than port 20) to be used for data (in both passive and active modes) must be designated in the /etc/vsftpd.conf file, and opened/forwarded accordingly. For example, edit /etc/vsftpd.conf (use gedit instead of kate if using Ubuntu instead of Kubuntu):
sudo kate /etc/vsftpd.conf
- and specify a port range (for example 36020-36030) to use:
pasv_min_port=36020
pasv_max_port=36030
Restart vsftpd:
sudo /etc/init.d/vsftpd restart
Then make sure ports 21 and 36020-36030 are open in the outgoing firewall of the FTP client, the incoming firewall of the vsftpd server, and that the router forwards ports 21 and 36020-36030 to the LAN IP address used by the computer with the vsftpd server.
Also make sure the FTP client specifies the port range for transfers. For example, in the FileZilla client, these are set:
- FileZilla -> Edit -> Settings ... -> FTP -> Transfer Mode: Passive (ticked)
- -> Allow fall back to other transfer mode on failure (ticked) -- (this is optional)
- -> Active Mode -> Limit local ports used by FileZilla (ticked)
- -> Lowest available port: 36020 -> Highest available port: 36030
- -> Passive mode -> Use the server's external IP address instead (ticked)
If this is not done correctly, this error will be displayed in the FTP client when trying to connect (and there will be a failure to list the FTP directories):
"Server sent reply with unroutable address. Using server address instead."
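The vsftpd settings recommended in the preceding sections (no anonymous access, authenticated users only, ssl_enable, and a fixed passive port range) can be verified before restarting the server. The following audit script is an added example and not part of the original page or of vsftpd; it takes the path of a vsftpd.conf, reports PASS/FAIL per setting using vsftpd's documented built-in defaults for absent keys, and exits non-zero if any check fails.

```shell
#!/bin/sh
# Added example (not from the original page): audit a vsftpd.conf against the
# settings recommended on this page. Usage: vsftpd_audit /path/to/vsftpd.conf

# vsftpd_get CONFIG KEY: print the value of the last uncommented KEY=VALUE
# line (vsftpd honours the last occurrence); prints nothing if the key is unset.
vsftpd_get() {
    sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# vsftpd_check CONFIG KEY WANT DEFAULT LABEL: compare the effective value
# (the built-in DEFAULT when the key is absent) with WANT, case-insensitively.
vsftpd_check() {
    got=$(vsftpd_get "$1" "$2")
    eff=$(printf '%s' "${got:-$4}" | tr '[:lower:]' '[:upper:]')
    if [ "$eff" = "$3" ]; then
        echo "PASS $5 ($2=${got:-unset, default $4})"
        return 0
    fi
    echo "FAIL $5 ($2=${got:-unset, default $4}; want $3)"
    return 1
}

# vsftpd_audit CONFIG: run every check; return 0 only if all of them pass.
vsftpd_audit() {
    rc=0
    # Built-in defaults per vsftpd.conf(5): anonymous_enable=YES,
    # anon_upload_enable=NO, local_enable=NO, ssl_enable=NO.
    vsftpd_check "$1" anonymous_enable   NO  YES "anonymous logins disabled"     || rc=1
    vsftpd_check "$1" anon_upload_enable NO  NO  "anonymous uploads disabled"    || rc=1
    vsftpd_check "$1" local_enable       YES NO  "authenticated users allowed"   || rc=1
    vsftpd_check "$1" ssl_enable         YES NO  "TLS required (explicit FTPS)"  || rc=1
    # Passive data ports: both bounds set, ordered, and above the control port,
    # so exactly that range can be opened on the firewall and forwarded by the router.
    lo=$(vsftpd_get "$1" pasv_min_port)
    hi=$(vsftpd_get "$1" pasv_max_port)
    if [ -n "$lo" ] && [ -n "$hi" ] && [ "$lo" -gt 21 ] && [ "$lo" -le "$hi" ]; then
        echo "PASS passive range $lo-$hi ($((hi - lo + 1)) ports to open/forward)"
    else
        echo "FAIL passive range (pasv_min_port=${lo:-unset}, pasv_max_port=${hi:-unset})"
        rc=1
    fi
    return $rc
}

if [ $# -eq 1 ]; then
    vsftpd_audit "$1"
fi
```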
Proftpd (FTP server)
Note: These Proftpd instructions were originally written for the Feisty version of Ubuntuguide.
- Proftpd is an FTP server available in (K)Ubuntu that can be used with either the MySQL or PostgreSQL database. Also see the Ubuntu Community documentation. Install:
sudo apt-get install proftpd
Configure proFTPd users to be "jailed" (chrooted) into their home directories
- Edit the proftpd configuration file (making a backup first). (Use kate instead of gedit if using Kubuntu instead of Ubuntu.):
sudo cp /etc/proftpd/proftpd.conf /etc/proftpd/proftpd.conf_backup
sudo gedit /etc/proftpd/proftpd.conf
- Find this section
...
DenyFilter \*.*/
...
- and add this line below it:
DefaultRoot ~
- Save the edited file then restart proftpd:
sudo /etc/init.d/proftpd restart
Configure the proFTPd Server to allow anonymous FTP users to only have "read only" access
- Also see the UbuntuGeek ProftpD Server Setup in Ubuntu Tutorial
- Edit the proftpd configuration file (making a backup first). (Use kate instead of gedit if using Kubuntu instead of Ubuntu.):
sudo cp /etc/proftpd/proftpd.conf /etc/proftpd/proftpd.conf_backup
sudo gedit /etc/proftpd/proftpd.conf
- Append the following lines at the end of file
<Anonymous ~ftp>
  User ftp
  Group nogroup
  UserAlias anonymous ftp
  DirFakeUser on ftp
  DirFakeGroup on ftp
  RequireValidShell off
  MaxClients 10
  DisplayLogin welcome.msg
  DisplayFirstChdir .message
  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>
</Anonymous>
- Save the edited file then restart proftpd:
sudo /etc/init.d/proftpd restart
Configure the proFTPd Server to allow anonymous FTP users to have "read/write" access
- Edit the proftpd configuration file (making a backup first). (Use kate instead of gedit if using Kubuntu instead of Ubuntu.):
sudo cp /etc/proftpd/proftpd.conf /etc/proftpd/proftpd.conf_backup
sudo gedit /etc/proftpd/proftpd.conf
- Append the following lines at the end of file
<Anonymous ~ftp>
  User ftp
  Group nogroup
  UserAlias anonymous ftp
  DirFakeUser on ftp
  DirFakeGroup on ftp
  RequireValidShell off
  MaxClients 10
  DisplayLogin welcome.msg
  DisplayFirstChdir .message
</Anonymous>
- Save the edited file then restart proftpd:
sudo /etc/init.d/proftpd restart
Map the anonymous FTP user to a folder other than /home/ftp/
- Edit the proftpd configuration file (making a backup first). (Use kate instead of gedit if using Kubuntu instead of Ubuntu.):
sudo cp /etc/proftpd/proftpd.conf /etc/proftpd/proftpd.conf_backup
sudo gedit /etc/proftpd/proftpd.conf
- Append the following lines at the end of file
<Anonymous /location_of_folder/>
  User ftp
  Group nogroup
  UserAlias anonymous ftp
  DirFakeUser on ftp
  DirFakeGroup on ftp
  RequireValidShell off
  MaxClients 10
  DisplayLogin welcome.msg
  DisplayFirstChdir .message
  <Directory *>
    <Limit WRITE>
      DenyAll
    </Limit>
  </Directory>
</Anonymous>
- Save the edited file then restart proftpd:
sudo /etc/init.d/proftpd restart
Change the default port number for the proFTPd Server
- For this example the new port number will be 77. Edit the proftpd configuration file (making a backup first). (Use kate instead of gedit if using Kubuntu instead of Ubuntu.):
sudo cp /etc/proftpd/proftpd.conf /etc/proftpd/proftpd.conf_backup
sudo gedit /etc/proftpd/proftpd.conf
- Find this line:
Port 21
- Replace with the following line:
Port 77
- Restart the FTP server:
sudo /etc/init.d/proftpd restart
FTP to a remote (K)Ubuntu host from a Windows client
- Warning: An unsecured FTP server is a security risk. FTP servers should be used either within a firewall-protected LAN only or over the Internet in conjunction with TLS/SSL (FTPS), SSH (SFTP), or using a VPN connection.
- The remote (K)Ubuntu host machine must have an FTP Server service running.
- Download and install FileZilla for Windows here.
- FTP addresses take the form:
ftp://[username]:[password]@[hostname].[domain].[tld]:[portnumber]/[directory]/
Note: The username and password are optional. If they are not given (and the server is not configured for anonymous access) they will be requested.
FTP to a remote Windows host from a (K)Ubuntu client
- Warning: An unsecured FTP server is a security risk. FTP servers should be used either within a firewall-protected LAN only or over the Internet in conjunction with TLS/SSL (FTPS), SSH (SFTP), or using a VPN connection.
- Install an FTP Server on your main file host. You can use FileZilla Server for Windows or CrossFTP Server (which requires Java) for all platforms (see this CrossFTP Server tutorial).
- FileZilla is available as a package:
sudo apt-get install filezilla
- The FTP address normally has the form:
ftp://[username]:[password]@[hostname]:[port]
Configure the NAT/router/gateway/firewall for an FTP server
- The host machine must be running an FTP Server.
- Configure your FTP server with a limited passive port range so that the same limited TCP port range can be opened in the "incoming" firewall settings.
- For proftpd, edit the /etc/proftpd/proftpd.conf configuration file (use kate instead of gedit if using Kubuntu instead of Ubuntu):
sudo gedit /etc/proftpd/proftpd.conf
- and edit this line to indicate the desired port range to be used for FTP transfers:
PassivePorts xx-yy
- For security, it's a good idea to operate the server on a non-standard port. See changing the default port number for the FTP server. For proftpd, edit this line in /etc/proftpd/proftpd.conf:
Port x
- where x is the port over which you wish FTP traffic to be transmitted.
- The NAT/router/gateway/firewall devices or software must be configured to allow the configured incoming TCP ports (port x in the example) to be forwarded to your host on the LAN.
FTP troubleshooting
- If a connection is not allowed or is "refused," make sure the "outgoing" firewall settings on the client allow the correct FTP ports to be open. The default FTP ports are normally 20-21, unless non-standard ports have been designated and are being used. In that case, the same "incoming" ports that are in use by the FTP server must be allowed as "outgoing" ports by the firewall of the computer with the FTP client as well.
- If files do not transfer correctly (or appear to transfer from the client to the server but then are not saved on the server), make sure the "Transfer mode" is correctly set. For many servers the "Transfer mode" must be "Active," not "Passive." (Note that this is a different issue from a "Passive" vs. "Active" connection.) This particular problem kept me from connecting to one particular FTP server for over a year (and no one knew the solution)! In the FileZilla FTP client, the Transfer Mode settings are found:
- FileZilla -> File: Site Manager... -> My Sites: (highlight FTP server host site) -> Transfer Settings -> Transfer Mode -> Active (ticked)
Google Android FTP clients
Until Ubuntu is widely available on tablets, Google Android is the primary Linux distribution used for a majority of tablets (and other mobile devices). Fortunately, there are several FTP clients available for the Android OS that can connect to a (K)Ubuntu-based FTP server. Note that as with all Android apps (especially those with ads and access to all critical device functions), no guarantee of security can be expected and it is not recommended to use them for private or sensitive uses. Always use complete security and anonymity when enabling access from any Android device (or mobile device using any other OS, for that matter).
- AndFTP -- available for direct download here and also from the Google Android marketplace. It is free (no ads) and works quite well, with support for FTPS (both explicit and implicit), SFTP, and SCP (SSH Secure copy).
- SwiFTP -- open source and available for direct download here (free, with no ads); a server version is also available from the F-Droid repository
- FTPCafe -- available from the Amazon Android App marketplace. The free version is ad-based.
- FTPDroid -- available from the Google Android marketplace. The free version is ad-based.
SFTP
SFTP is a protocol for transferring files using SSH authentication and privileges; despite the name, it is not simply FTP tunnelled through an SSH connection.
- From the command line, a user would connect to an OpenSSH server on a computer where 1) the user already has a shell account and 2) the user already has SSH privileges established, either with an SSH key pair or with a password (using a password is less secure). From the command line, a connection would be established with:
sftp user:password@ssh.host.org
- or
sftp username@sftp.server.com
(in the latter case you will be prompted for a password).
- If you have created a public/private key pair using ssh-keygen, the private key must be stored in /home/user/.ssh on the client computer. The key should be accessible only to that user:
sudo chmod 600 /home/user/.ssh/identity
- or
sudo chmod 600 /home/user/.ssh/id_rsa
To login once a key pair has been established:
sftp joe.friday@remote.computer.xyz
Note: You can run the command as a menu item, but the command must be "run in terminal."
SFTP clients
- FileZilla can create SFTP connections in a manner similar to other types of FTP.
- Most Google Android clients (including AndFTP) can also create SFTP connections in a manner similar to other types of FTP.
- Nautilus File Manager (used in Ubuntu/Gnome) can access folders over SFTP via:
- Nautilus -> Go -> Location
- -> sftp://username:password@sftp.server.com
- or
- -> sftp://username@sftp.server.com (in which case you will be prompted for a password)
Replace username with your username and replace everything after the @ symbol with the server's address. You will be prompted for a password if needed. If there is no username (anonymous) omit the username and the @ symbol.
- In the Dolphin file manager (used in Kubuntu/KDE), add an entry
- Dolphin -> (right-click) in the Places column -> Add entry ... -> Location:
- -> sftp://username:password@sftp.server.com
- or
- -> sftp://username@sftp.server.com (in which case you will be prompted for a password)
SFTP server
The SFTP server is the OpenSSH server. SFTP capabilities are built into the OpenSSH server. See this section for instructions on installing and customising an OpenSSH server. If you can successfully establish an SSH connection, you will be able to successfully establish an SFTP connection. No additional configuration is required.