Secure FTP communication with your Linux host. These instructions apply to Ubuntu 18.04 and can easily be adapted for a vast majority of Linux platforms.
Install FTP Server
Run the following commands to install FTP (vsftpd):
sudo apt-get update
sudo apt-get install vsftpd
To enable a local user account for FTP access, make the following changes to the /etc/vsftpd.conf file.
anonymous_enable=NO
connect_from_port_20=NO
local_enable=YES
write_enable=YES
To enable secure FTP over SSL/TLS, make the following changes to the /etc/vsftpd.conf file.
rsa_cert_file=/etc/letsencrypt/devshell.io/fullchain.cer
rsa_private_key_file=/etc/letsencrypt/devshell.io/devshell.io.key
listen_port=990
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_min_port=40000
pasv_max_port=50000
Note that rsa_cert_file and rsa_private_key_file reference the trusted Let's Encrypt SSL/TLS certificate/key pair generated during the Ghost platform setup. Alternatively, you can generate your own (self-signed) certificate.
Restart the vsftpd service:
sudo service vsftpd restart
Configure Firewall
Create the ufw firewall profile file /etc/ufw/applications.d/vsftpd with the following content:
[FTP Secure]
title=FTP Secure
description=Secure FTP over SSL/TLS
ports=990,40000:50000/tcp
The values for ports should correspond to the ones set in the /etc/vsftpd.conf file (listen_port plus the pasv_min_port to pasv_max_port range). Enable the secure FTP ports in the firewall:
sudo ufw allow 'FTP Secure'
Check to make sure the FTP Secure connectivity is enabled in the firewall:
sudo ufw status
You should get an output similar to:
Status: active
To                         Action      From
--                         ------      ----
FTP Secure                 ALLOW       Anywhere
FTP Secure (v6)            ALLOW       Anywhere (v6)
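Because the firewall profile and the daemon configuration are maintained by hand, they can drift apart. The following shell script is an added example (not from the original post): it audits a vsftpd.conf for the hardened settings listed above and derives the matching ufw ports= line from listen_port and the pasv_* range. File paths are passed as arguments so it can be run against /etc/vsftpd.conf or a test copy.

```shell
#!/bin/sh
# Added example: audit vsftpd.conf for the settings this guide requires and
# print the ufw "ports=" line that matches it. Not part of the original post.

# conf_get FILE KEY -> prints the value of KEY (last definition wins)
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# check_vsftpd_conf FILE -> returns 0 if every required setting matches,
# otherwise prints one line per mismatch and returns 1.
check_vsftpd_conf() {
    conf="$1"; rc=0
    for pair in anonymous_enable=NO local_enable=YES ssl_enable=YES \
                ssl_sslv2=NO ssl_sslv3=NO allow_anon_ssl=NO \
                force_local_data_ssl=YES force_local_logins_ssl=YES; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(conf_get "$conf" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key: expected $want, found '${have:-unset}'"
            rc=1
        fi
    done
    # The certificate and key must exist, or TLS sessions cannot be served.
    for key in rsa_cert_file rsa_private_key_file; do
        f=$(conf_get "$conf" "$key")
        [ -n "$f" ] && [ -r "$f" ] || { echo "$key: '$f' not readable"; rc=1; }
    done
    return $rc
}

# ufw_ports_line FILE -> prints "ports=<listen_port>,<pasv_min>:<pasv_max>/tcp",
# i.e. the line expected in /etc/ufw/applications.d/vsftpd (21 if unset).
ufw_ports_line() {
    lp=$(conf_get "$1" listen_port); lo=$(conf_get "$1" pasv_min_port)
    hi=$(conf_get "$1" pasv_max_port)
    echo "ports=${lp:-21},${lo}:${hi}/tcp"
}
```

Run it as `check_vsftpd_conf /etc/vsftpd.conf && ufw_ports_line /etc/vsftpd.conf` and compare the printed line with the profile file before reloading ufw.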
Testing
Test the secure FTP connectivity with an FTP client (e.g. FileZilla).
Troubleshooting
You may get the following error when attempting to connect to the default FTP port (21) via a secure SSL/TLS connection.
Status: Connection established, waiting for welcome message...
Response: 220 (vsFTPd 3.0.3)
Command: AUTH TLS
Response: 502 Command not implemented.
Command: AUTH SSL
Error: Could not read from socket: ECONNRESET - Connection reset by peer
Error: Could not connect to server
This can happen if you configured secure FTP connectivity in /etc/vsftpd (with all the changes described above) without changing the listen_port parameter, hence the change to:
listen_port=990