Wednesday, September 11, 2013

Configuring FTP access on Ubuntu 12.04 LTS server

Configuring FTP on Ubuntu is fairly trivial, but securing it requires some learning. Here's what I had to do to configure FTP and allow users to access it.

1. Install the FTP server

 sudo apt-get install vsftpd

2. Create a new user

You can additionally disable shell access for ftpuser; in my case I needed shell access.
 sudo useradd ftpuser
You can skip step 2 and use the "ftp" user that gets created when you install vsftpd. In my case I needed a new user.

3. Restrict ftpuser's access to the file system and jail them to their home directory

Edit /etc/vsftpd.conf and make the following change (vsftpd does not accept spaces around the "="):
 chroot_local_user=YES

4. Restart vsftpd 

 sudo /etc/init.d/vsftpd restart 
You should be able to access and write to ftpuser's home directory now.

Additional Details:

Change default FTP upload directory for the ftp user created by vsftpd:

 sudo mkdir /srv/file_dir/ftp
 sudo usermod -d /srv/file_dir/ftp ftp 
The -d option to usermod changes the home directory of the ftp user to /srv/file_dir/ftp.

Allow ftpuser to access a specific folder outside home directory when chroot is enabled.

Let's assume you need FTP access to /var/www/files; then we need to do something like this:
 sudo mkdir /home/ftpuser/www_files
 sudo mount --bind /var/www/files /home/ftpuser/www_files
Now the /var/www/files directory is bound to /home/ftpuser/www_files and is visible in your home directory listing. In case you get permission errors, make sure ftpuser has enough access to /var/www/files.

To make the changes permanent, add the following configuration to /etc/fstab:
 /var/www/files /home/ftpuser/www_files none bind 0 0
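
The jail setting from step 3 and the bind mount above can be audited together. The script below is an added example, not part of the original post; its function names and sample files are constructed for illustration. It reports the chroot_local_user value as written in a config file and lists every bind mount that makes an outside directory reachable from inside a user's jail:

```shell
#!/bin/sh
# Added example: helper names and sample files are constructed for illustration.

# Print the value of OPTION in a vsftpd.conf-style file. The vsftpd.conf man page
# makes any space between option, "=" and value an error, so flag such lines.
vsftpd_option() {   # usage: vsftpd_option CONF OPTION
    awk -v opt="$2" '
        /^#/ || /^[ \t]*$/ { next }
        $0 ~ ("^[ \t]*" opt "[ \t]*=") {
            if ($0 ~ ("^" opt "=[^ \t]+$")) { sub(/^[^=]*=/, ""); val = $0 }
            else bad = 1
        }
        END { print (bad ? "MALFORMED" : (val == "" ? "UNSET" : val)) }
    ' "$1"
}

# List bind mounts in an fstab-style file whose mount point lies under JAIL.
# Each one makes a directory outside the chroot reachable by the jailed user.
jail_bind_mounts() {   # usage: jail_bind_mounts FSTAB JAIL
    awk -v jail="${2%/}" '
        /^[ \t]*#/ || NF < 4 { next }
        index($2 "/", jail "/") == 1 {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] == "bind" || o[i] == "rbind") { print $1 " -> " $2; break }
        }
    ' "$1"
}

# Returns 0 only when chroot_local_user is exactly YES with valid syntax.
audit_ftp_jail() {   # usage: audit_ftp_jail CONF FSTAB JAIL
    val=$(vsftpd_option "$1" chroot_local_user)
    echo "chroot_local_user: $val"
    jail_bind_mounts "$2" "$3" | sed 's/^/exposed inside jail: /'
    [ "$val" = "YES" ]
}

# Constructed sample input, written to a temporary directory.
demo=$(mktemp -d)
printf '%s\n' 'chroot_local_user = YES' > "$demo/spaced.conf"
printf '%s\n' 'chroot_local_user=YES' > "$demo/ok.conf"
printf '%s\n' '/var/www/files /home/ftpuser/www_files none bind 0 0' > "$demo/fstab"
audit_ftp_jail "$demo/spaced.conf" "$demo/fstab" /home/ftpuser || echo "=> not jailed"
audit_ftp_jail "$demo/ok.conf" "$demo/fstab" /home/ftpuser && echo "=> jailed"
rm -rf "$demo"
```

On a real server, pass /etc/vsftpd.conf, /etc/fstab and the user's home directory to audit_ftp_jail.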

Enable Anonymous downloads

If you wish to enable anonymous downloads edit /etc/vsftpd.conf and change.
It is recommended to turn off this feature unless you are absolutely certain you need this.

