How to Configure FTP with TLS in Ubuntu

FTP (File Transfer Protocol) is primarily used to transfer files between computers. FTP works in client-server architecture, in which the client asks for a file from the server and the server returns the required file to the client. On the client machine, the FTP client application is used to communicate with the server. It is also possible to access the FTP server on the browser. By default, FTP communicates over an insecure channel, but it is possible to configure FTP to transfer data over a secure channel. In this tutorial, you will learn how to configure an FTP server with TLS and then use FileZilla as a client application to connect with the FTP Server.

Installing VSFTPD
VSFTPD (Very Secure FTP Daemon) is a software program used to configure FTP on a server. In this tutorial, VSFTPD will be used to configure the FTP server on the machine.

Here are the steps to install it:

$ sudo apt-get update -y
$ sudo apt-get install vsftpd -y

Finally, verify the installation by checking the version of vsftpd with the following command.

$ vsftpd -v

FTP in Active Mode

In Active mode, the FTP client starts the session by establishing the TCP control connection from any random port on the client machine to port 21 of the Server. Then, the client starts listening on a random port X for a data connection and informs the server via TCP Control connection that the client is waiting for the data connection on port X. After this, the server establishes a data connection from its port 20 to the port X on the client machine.

A problem can arise where the client is behind a firewall and port X is blocked. In this case, the server is not able to establish a data connection with the client. To avoid this problem, the FTP server is mostly used in Passive mode, which we will discuss later in this article. By default, VSFTPD uses Passive mode, so we will have to change it to Active mode.

First, create a directory that the FTP server will use to store files.

$ sudo mkdir $HOME/ftp

Next, open the VSFTPD configuration file.

$ sudo vim /etc/vsftpd.conf

Add the following line to the end of the file.

pasv_enable=NO
local_root=$HOME/ftp

Replace $HOME with the actual absolute path of the directory you created; vsftpd will not expand the variable itself.

Also, be sure that the connect_from_port_20 option is set to ‘YES.’ This option ensures that the server opens its data connections from its own port 20.

Finally, restart the server.

$ sudo systemctl restart vsftpd

Configuring the Firewall for Active Mode

If FTP is used in Active mode, the FTP server will use two ports to communicate with the client, ports 20 and 21. Port 21 carries the control connection (commands from the client), and port 20 is used to open data connections to a random port on the client. We will use ufw to configure the firewall on the server. Install ufw using the following command.

$ sudo apt-get install ufw

Now, on the server side, we will open ports 20, 21, and 22 (for the SSH connection).

$ sudo ufw allow from any to any port 20 proto tcp
$ sudo ufw allow from any to any port 21 proto tcp
$ sudo ufw allow from any to any port 22 proto tcp

Enable and check the status of ufw using the following commands.

$ sudo ufw enable
$ sudo ufw status

Installing the FTP Client
Install FileZilla using the following command.

$ sudo apt-get install filezilla -y

Open the FTP client application and enter the public IP address and other credentials of the FTP server.

When you click Quickconnect, you will connect to the FTP server and automatically land in the directory set by the local_root option in the configuration file ($HOME/ftp in this tutorial).

Problems in Active Mode
Using FTP in Active mode raises problems when the client is behind a firewall. After the initial control commands are exchanged, the server opens a data connection to a random port on the client; that port may be blocked by the client's firewall, causing the data transfer to fail. FTP can be used in Passive mode to resolve these firewall problems.

FTP in Passive Mode

Open the FTP configuration file in your favorite editor.

$ sudo vim /etc/vsftpd.conf

Set the pasv_enable option to ‘YES’ in the file so that the server can communicate with the client in Passive mode. Also set the write_enable option to ‘YES’ to allow users to upload files to the server.

The data connection between the server and the client will be established on a port between 1024 and 1048. Restart the FTP server after changing the configuration file. (Check which port range is actually configured in /etc/vsftpd.conf; the firewall rules below must match it.)

$ sudo systemctl restart vsftpd

Configuring the Firewall in Passive Mode
If we use FTP in Passive mode, the data connection will be established over any port from 1024 to 1048, so it is necessary to allow all these ports on the FTP server.

$ sudo ufw allow from any to any port 20 proto tcp
$ sudo ufw allow from any to any port 21 proto tcp
$ sudo ufw allow from any to any port 22 proto tcp
$ sudo ufw allow from any to any port 1024:1048 proto tcp

After allowing all the ports on the firewall, activate the ufw by running the following command.

$ sudo ufw enable

Configuring SSL Certificates with the FTP Server
By default, the FTP server establishes the connection between the client and the server over an unsecured channel. This type of communication should not be used if you wish to share sensitive data between the client and the server. To communicate over a secure channel, it is necessary to use SSL certificates.

Generating SSL Certificates
We will use SSL certificates to set up secure communication between the client and the server. We will generate these certificates using openssl. The following command will generate SSL certificates for your server.

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

When you run the above command, you will be asked some questions. After you answer these questions, the certificate and its private key will be written to the file given above. You can confirm that the file exists from the terminal.

$ sudo ls /etc/ssl/private/

Using Certificates in the Configuration File
Now, our certificates are ready to use. We will configure the ‘vsftpd.conf’ file to use the SSL certificates for communication. Open the configuration file with the following command.

$ sudo vim /etc/vsftpd.conf

Add the following lines to the end of the file. These changes will ensure that the FTP server uses the newly generated SSL certificate to communicate securely with the client.

ssl_enable=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem

Restart the FTP server to apply these changes.

$ sudo systemctl restart vsftpd

After restarting the server, try connecting with your server using the FileZilla client application. This time, the client application will ask you whether to trust these certificates.

If you had a certificate from a trusted certificate authority, this warning would not appear. We generated a self-signed certificate with openssl, which no client trusts by default, which is why FileZilla asked you to confirm it in our case. Now, we can communicate between the client and the server over a secure channel.
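As an added example (not part of this tutorial or of vsftpd), here is a small POSIX-shell audit script that checks a vsftpd.conf for the points this tutorial touches: the passive-mode port range that the ufw rule must match, and the TLS settings, where the values shown above (force_local_logins_ssl=NO, force_local_data_ssl=NO) leave TLS optional rather than required. The sample configurations, function names and finding messages are constructed for this example.

```shell
#!/bin/sh
# Added audit helper; not part of this tutorial or of vsftpd. It reads a
# vsftpd.conf, flags settings that leave the server weaker than the tutorial
# intends, and derives the ufw rule matching the configured passive port range.

# conf_get FILE KEY: last value assigned to KEY (vsftpd honours the last one)
conf_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# pasv_ufw_rule FILE: ufw command opening exactly the configured passive range
pasv_ufw_rule() {
    lo=$(conf_get "$1" pasv_min_port); hi=$(conf_get "$1" pasv_max_port)
    [ -n "$lo" ] && [ -n "$hi" ] || return 1
    echo "ufw allow from any to any port ${lo}:${hi} proto tcp"
}

# audit_vsftpd FILE: prints one finding per line; status 0 only if none found
audit_vsftpd() {
    f=$1; n=0
    if [ "$(conf_get "$f" ssl_enable)" != "YES" ]; then
        echo "ssl_enable is not YES: logins and data travel in cleartext"; n=$((n+1))
    else
        # ssl_enable alone only offers TLS; these two options make it mandatory
        for k in force_local_logins_ssl force_local_data_ssl; do
            [ "$(conf_get "$f" "$k")" = "YES" ] ||
                { echo "$k is not YES: clients may still connect without TLS"; n=$((n+1)); }
        done
        for k in ssl_sslv2 ssl_sslv3; do
            [ "$(conf_get "$f" "$k")" = "NO" ] ||
                { echo "$k is not NO: obsolete SSL versions are accepted"; n=$((n+1)); }
        done
    fi
    [ "$(conf_get "$f" anonymous_enable)" != "YES" ] ||
        { echo "anonymous_enable=YES: anon_root is readable without an account"; n=$((n+1)); }
    if [ "$(conf_get "$f" pasv_enable)" != "NO" ] && ! pasv_ufw_rule "$f" >/dev/null; then
        echo "passive mode without pasv_min_port/pasv_max_port: data ports cannot be pinned"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed samples: the tutorial's settings as written, and a hardened variant.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
printf 'pasv_enable=YES\nssl_enable=YES\nforce_local_data_ssl=NO\n' > "$WEAK_CONF"
printf 'force_local_logins_ssl=NO\nssl_sslv2=NO\nssl_sslv3=NO\nanonymous_enable=YES\n' >> "$WEAK_CONF"
printf 'pasv_enable=YES\npasv_min_port=1024\npasv_max_port=1048\nssl_enable=YES\n' > "$HARD_CONF"
printf 'force_local_data_ssl=YES\nforce_local_logins_ssl=YES\nssl_sslv2=NO\nssl_sslv3=NO\n' >> "$HARD_CONF"
printf 'anonymous_enable=NO\n' >> "$HARD_CONF"
audit_vsftpd "$WEAK_CONF" || true   # prints the four findings for the tutorial's config
```

Run it against the real file with `audit_vsftpd /etc/vsftpd.conf` and, for passive mode, feed the output of `pasv_ufw_rule` to ufw instead of typing the range by hand.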

Anonymous Configuration

You can also enable anonymous login on your FTP server. With this configuration enabled, any user can log into the FTP server anonymously, without an account of their own. The following parameters in the configuration file will make the FTP server accessible anonymously.

Open the FTP configuration file in your favorite editor.

$ sudo vim /etc/vsftpd.conf

Add the following lines to the end of the file.

anon_root=$HOME/ftp/anon
no_anon_password=YES
hide_ids=YES
anonymous_enable=YES

Note that you have to create the $HOME/ftp/anon directory yourself (and, as before, replace $HOME with the actual absolute path).
The above configuration sets the root path for anonymous users to $HOME/ftp/anon, and the server will not prompt for a password when an anonymous user logs in.

Now, restart the FTP server.

$ sudo systemctl restart vsftpd

Configure Local Access
We can also allow or block local access to the FTP server by changing the configuration file. Currently, we can access our FTP server locally without using the FTP client application, but we can block this access. To do so, we must set local_enable=NO in /etc/vsftpd.conf file.

After changing the setting, restart the FTP server.

$ sudo systemctl restart vsftpd

After restarting the server, try to access the FTP server locally by using the command-line interface. Log into your remote server using SSH.

$ ssh -i <private_key> user@ip

Now, issue the following command to log into the FTP server locally using the command-line interface.

$ ftp localhost

When you run the above command, the local login attempt will be rejected with a 500 error.


Conclusion
File Transfer Protocol has been used for many years to transfer files and documents over the Internet. VSFTPD is one of the packages used as an FTP server on your machine. VSFTPD contains various configurations that you can use to customize your FTP server. This tutorial showed you how to configure an FTP server with TLS for enhanced security. To learn more about FTP configurations, visit the following link.
