VSFTPD Setup

Very Secure FTP Daemon (VSFTPD) is exactly what it says on the tin.

Users

TODO: fill this in

Guest Users

TODO: fill this in


Ports

FTP requires multiple open ports, with two (non-conflicting) options. Several well-considered decisions are required here, and a firewall is highly recommended. For details on configuring a simple firewall, see the article for UFW setup.

Active Mode

For the FTP protocol, a server configured in active mode listens on port 21 (configurable to, for example, 2121) for the control connection and then connects back to the client from port 20 (configurable to, for example, 2020) for data transfer. (This is active because the server forms the data connection back to the client.) These ports are set in /etc/vsftpd.conf with:

connect_from_port_20=YES
pasv_enable=NO
listen_port=2121
ftp_data_port=2020

Despite its name, connect_from_port_20 does not force port 20; it only makes the server originate data connections from the port given by ftp_data_port.

Correspondingly, ufw would be configured with:

ufw allow 2020/tcp
ufw allow 2121/tcp

This is the recommended configuration, as the server is in control of connections.

Passive Mode

For the purposes of FTPS, a server configured in passive mode listens on port 21 for the control connection and then uses a port selected from a pool for data transfer. (This is passive because the client forms the new connection to a passively-open port.) The pool of ports is set in /etc/vsftpd.conf with:

connect_from_port_20=NO
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=42000

Correspondingly, ufw would be configured with:

ufw allow 21/tcp
ufw allow 40000:42000/tcp

Changing these port numbers is not only possible, but encouraged.


Encryption

For encrypting FTP, it is possible to use a self-signed certificate. For more context, see the article for SSL setup.

su - root
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/vsftpd.key \
  -out /etc/ssl/certs/vsftpd.pem

Then configure /etc/vsftpd.conf with:

rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_key_file=/etc/ssl/private/vsftpd.key
ssl_enable=YES
implicit_ssl=YES
listen_port=990

Note that as the open port has changed, the firewall will need to be re-configured. For ufw specifically:

ufw delete allow 21/tcp
ufw allow 990/tcp
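The following is an added example, not part of this article or of vsftpd: a small Python checker that parses a vsftpd.conf, derives the ufw rules the Ports and Encryption sections pair with each mode, and flags the inconsistencies those sections warn about (an invalid passive pool, implicit_ssl without ssl_enable, implicit FTPS not on 990). The defaults for absent keys and the sample configuration are assumptions taken from vsftpd.conf(5) and the sections above.

```python
# Constructed sample: the passive-mode FTPS configuration from the sections above.
SAMPLE_CONF = """\
connect_from_port_20=NO
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=42000
ssl_enable=YES
implicit_ssl=YES
listen_port=990
"""

# vsftpd defaults assumed for absent keys (per vsftpd.conf(5)); 0 means "any port".
DEFAULTS = {"listen_port": "21", "ftp_data_port": "20", "pasv_enable": "YES",
            "connect_from_port_20": "NO", "pasv_min_port": "0", "pasv_max_port": "0"}

def parse_conf(text):
    """Parse vsftpd's key=value format; '#' lines are comments, later keys win."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def ufw_rules(conf):
    """Derive the ufw rules the sections above pair with the configured mode(s)."""
    rules = [f"ufw allow {conf['listen_port']}/tcp"]
    lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
    if conf["pasv_enable"] == "YES" and lo and hi:
        rules.append(f"ufw allow {lo}:{hi}/tcp")
    if conf["connect_from_port_20"] == "YES":
        rules.append(f"ufw allow {conf['ftp_data_port']}/tcp")
    return rules

def check_conf(conf):
    """Return consistency problems; empty means the config matches the guidance above."""
    problems = []
    lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
    if conf["pasv_enable"] == "YES":
        if (lo == 0) != (hi == 0) or lo > hi:
            problems.append("pasv_min_port/pasv_max_port is not a valid range")
        elif lo == 0:
            problems.append("no passive pool set, so data ports cannot be firewalled")
    if conf.get("implicit_ssl") == "YES":
        if conf.get("ssl_enable") != "YES":
            problems.append("implicit_ssl=YES requires ssl_enable=YES")
        if conf["listen_port"] != "990":
            problems.append("implicit FTPS is set up on listen_port=990 above")
    return problems
```

Run it against a real file with check_conf(parse_conf(open("/etc/vsftpd.conf").read())) before reloading vsftpd, and compare ufw_rules() output with ufw status.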


Avahi Discovery

FTP can be made discoverable on the network through Zeroconf. The service file /etc/avahi/services/ftp.service should be configured as:

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">FTP on %h</name>
  <service>
    <type>_ftp._tcp</type>
    <port>21</port>
  </service>
</service-group>

For further details, see the article on Avahi setup.


CategoryRicottone