Elastic Compute Service:Build an FTP server on a Linux instance

Last Updated: Sep 02, 2024

Very secure FTP daemon (vsftpd) is a widely used, open source FTP server. vsftpd is known for its high performance, high security, and high stability and supports a variety of FTP-related protocols, such as FTP, SFTP over SSH, and FTP over SSL/TLS. This topic describes how to install and configure vsftpd on a Linux Elastic Compute Service (ECS) instance.

Prerequisites

An ECS instance is created and has the following settings. If no ECS instance is created, create an ECS instance. For more information, see Create an instance on the Custom Launch tab.

  • Operating system: Alibaba Cloud Linux, CentOS 7.x 64-bit, CentOS 8.x 64-bit, or Ubuntu.

  • IP address: The instance is assigned a static public IP address (also known as auto-assigned or system-assigned public IP address) or is associated with an elastic IP address (EIP). For information about how to associate an EIP with an ECS instance, see Associate or disassociate an EIP.

  • Security group: Inbound rules are added to a security group of the instance to open ports 22, 80, and 443. For information about how to add an inbound security group rule, see Add a security group rule.

Procedure

Step 1: Install vsftpd

  1. Connect to the Linux instance.

  2. Run the following command to install vsftpd.

    Alibaba Cloud Linux, CentOS 7.x, or CentOS 8.x

    Important

    CentOS 8 reached end of life (EOL). In accordance with Linux community rules, all content was removed from the following CentOS 8 repository address: http://mirror.centos.org/centos/8/. If you continue to use the default CentOS 8 repository on Alibaba Cloud, an error is reported. To use specific CentOS 8 installation packages, change the CentOS 8 repository address. For more information, see Change CentOS 8 repository addresses.

    sudo yum install -y vsftpd

    Ubuntu

    sudo apt update
    sudo apt install -y vsftpd

    The command output shown in the following figure indicates that vsftpd is installed.

    Note

    The version of vsftpd that can be installed varies based on the operating system.


  3. Run the following commands to start the FTP service and enable the service to automatically start on system startup:

    sudo systemctl start vsftpd
    sudo systemctl enable vsftpd

    Note

    If the system returns the "Job for vsftpd.service failed because the control process exited with error code" error message when the preceding commands are run, check whether the following issues exist and troubleshoot the issues:

    • If IPv6 addresses are not supported, change the value of the listen_ipv6 parameter in the /etc/vsftpd/vsftpd.conf configuration file from YES to NO.

    • If the media access control (MAC) address that is specified in the /etc/sysconfig/network-scripts/ifcfg-xxx configuration file does not match the actual MAC address, run the ifconfig command to query the actual MAC address. Then, add HWADDR=<Actual MAC address> to the configuration file, or replace the existing HWADDR value with the actual MAC address in the configuration file.

  4. Run the following command to query the listening port of the FTP service:

    sudo netstat -antup | grep ftp

    The command output shown in the following figure indicates that the FTP service is started and listens to port 21.

    By default, anonymous access is enabled in vsftpd. You can log on to the FTP server without a username or password. However, an anonymous user does not have the permissions to modify or upload files.

Step 2: Configure vsftpd

  1. Create a Linux user and specify a password for the user.

    FTP supports the following authentication modes:

    • Anonymous user mode: In this mode, users can log on to the FTP server without a username or password. This is the least secure authentication mode. In most cases, this mode is used to save unimportant public files. We recommend that you do not use this mode to save files in a production environment.

    • Local user mode: In this mode, local Linux users must be created. This mode is more secure than the anonymous user mode.

    • Virtual user mode: Virtual users are dedicated users of the FTP server. Virtual users can access only the FTP service that the Linux system provides and cannot access other resources of the system. This enhances the security of the FTP server.

    In this section, a local Linux user is created for the FTP service.

    Alibaba Cloud Linux, CentOS 7.x, or CentOS 8.x

    1. Run the following command to create a Linux user for the FTP service.

      In this example, the ftptest user is created.

      sudo adduser ftptest

    2. Run the following command to change the password of the ftptest user:

      sudo passwd ftptest

      Follow the command line prompts to change the password of the user.


    Ubuntu

    Run the following command to create a Linux user for the FTP service.

    In this example, the ftptest user is created.

    sudo adduser ftptest

    Enter and confirm the password as prompted.


  2. Run the following command to create a file directory for the FTP service:

    sudo mkdir -p /var/ftp/test

  3. Run the following command to create a test file.

    The test file is used when the FTP client accesses the FTP server.

    sudo touch /var/ftp/test/testfile.txt

  4. Run the following command to change the owner of the /var/ftp/test directory to ftptest:

    sudo chown -R ftptest:ftptest /var/ftp/test

  5. Modify the vsftpd.conf configuration file.

    1. Run the following command to open the configuration file of vsftpd.

      Alibaba Cloud Linux, CentOS 7.x, or CentOS 8.x

      sudo vim /etc/vsftpd/vsftpd.conf

      Ubuntu

      sudo vim /etc/vsftpd.conf

    2. Press the I key to enter Insert mode.

    3. Configure the working mode of the FTP server.

      The FTP server supports the following working modes:

      • Active mode: The FTP client sends the FTP port information to the FTP server, and the FTP server initializes a connection to the FTP client over the port.

      • Passive mode: The FTP server opens a port and sends the port information to the FTP client. The FTP client initializes a connection to the FTP server over the port, and the FTP server accepts the connection.

      Note

      Most FTP clients are located in LANs, have no independent public IP addresses, and are protected by firewalls. As a result, FTP servers in active mode cannot establish connections to the clients. If you do not have special requirements, we recommend that you use passive mode for the FTP server.

      In this section, passive mode is used for the FTP server. Configure the following parameters and retain the default values of other parameters.

      Important

      When you modify or add information in the configuration file, take note of the format. For example, an extra space may cause the service to fail to restart.

      Modify the following parameters:

      #Prevent anonymous users from logging on to the FTP server. 
      anonymous_enable=NO
      #Allow local users to log on to the FTP server. 
      local_enable=YES
      #Listen on IPv4 sockets. 
      listen=YES

      Add a number sign (#) to the beginning of the line to comment out the following parameter and disable listening on IPv6 sockets:

      #listen_ipv6=YES

      Append the following parameters to the end of the configuration file. Change the value of the pasv_address parameter to the public IP address of the FTP server.

      Alibaba Cloud Linux, CentOS 7.x, or CentOS 8.x

      #Specify the directory of a local user after the local user logs on. 
      local_root=/var/ftp/test
      #Limit all users to the home directory after the users log on. 
      chroot_local_user=YES
      #Use a list to specify exception users. Exception users are not limited to the home directory after they log on. 
      chroot_list_enable=YES
      #Specify a file to store the list of exception users. 
      chroot_list_file=/etc/vsftpd/chroot_list
      #Enable passive mode. 
      pasv_enable=YES
      #Allow the chroot directory to be writable. Without this setting, vsftpd refuses logons when the chroot directory is writable. 
      allow_writeable_chroot=YES
      #Enter the public IP address of the FTP server. In this example, the public IP address of the Linux instance is used. 
      pasv_address=<Public IP address of the FTP server>
      #Specify the minimum port number of the port range to which FTP connections are established in passive mode. 
      #We recommend that you use ports from a range of high-number ports, such as 50000 to 50010. These ports provide more secure access to the FTP server. 
      pasv_min_port=50000
      #Specify the maximum port number of the port range to which FTP connections are established in passive mode. 
      pasv_max_port=50010

      Ubuntu

      #Specify the directory of a local user after the local user logs on. 
      local_root=/var/ftp/test
      #Limit all users to the home directory after the users log on. 
      chroot_local_user=YES
      #Use a list to specify exception users. Exception users are not limited to the home directory after they log on. 
      chroot_list_enable=YES
      #Specify a file to store the list of exception users. 
      chroot_list_file=/etc/vsftpd.chroot_list
      #Enable passive mode. 
      pasv_enable=YES
      #Allow the chroot directory to be writable. Without this setting, vsftpd refuses logons when the chroot directory is writable. 
      allow_writeable_chroot=YES
      #Enter the public IP address of the FTP server. In this example, the public IP address of the Linux instance is used. 
      pasv_address=<Public IP address of the FTP server>
      #Specify the minimum port number of the port range to which FTP connections are established in passive mode. 
      #We recommend that you use ports from a range of high-number ports, such as 50000 to 50010. These ports provide more secure access to the FTP server. 
      pasv_min_port=50000
      #Specify the maximum port number of the port range to which FTP connections are established in passive mode. 
      pasv_max_port=50010

      For information about more parameters, see the vsftpd configuration file and parameters section of this topic.

    4. Press the Esc key, enter :wq, and then press the Enter key to save and close the configuration file.

  6. Create the chroot_list file and write the list of exception users to the file.

    1. Run the following command to create the chroot_list file:

      • Alibaba Cloud Linux, CentOS 7.x, or CentOS 8.x

        sudo vim /etc/vsftpd/chroot_list

      • Ubuntu

        sudo vim /etc/vsftpd.chroot_list

    2. Press the I key to enter Insert mode.

    3. Specify exception users. Exception users are not limited to the home directory and have access to other directories.

    4. Press the Esc key, enter :wq, and then press the Enter key to save and close the configuration file.

    Important

    If exception users do not exist, you must still create the chroot_list file. The file can be empty.

  7. Run the following command to restart the vsftpd service:

    sudo systemctl restart vsftpd
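The Step 2 edits as a script, added here as an example rather than code from the original topic: it applies the same settings to vsftpd.conf, creates the chroot_list file even when it is empty, and checks for the whitespace mistakes that stop vsftpd from restarting. CONF, CHROOT_LIST and PASV_ADDR are assumed variable names; the defaults are the CentOS paths from this topic, so change them for Ubuntu (/etc/vsftpd.conf and /etc/vsftpd.chroot_list).

```shell
#!/bin/bash
# Added example, not part of the original topic. CONF, CHROOT_LIST and
# PASV_ADDR are assumed names; defaults are the CentOS paths from the topic.
set -eu
CONF="${CONF:-/etc/vsftpd/vsftpd.conf}"
CHROOT_LIST="${CHROOT_LIST:-/etc/vsftpd/chroot_list}"
PASV_ADDR="${PASV_ADDR:-<Public IP address of the FTP server>}"

# set_param FILE KEY VALUE: rewrite an existing KEY= line (commented out or
# not) or append one, never leaving whitespace around '='.
set_param() {
  if grep -Eq "^#?$2=" "$1"; then
    sed -E "s|^#?$2=.*|$2=$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  else
    printf '%s=%s\n' "$2" "$3" >> "$1"
  fi
}

# comment_param FILE KEY: put a '#' in front of KEY= (used for listen_ipv6).
comment_param() {
  sed -E "s|^$2=|#$2=|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# configure_vsftpd FILE CHROOT_LIST PASV_ADDR: all Step 2 settings in one call.
configure_vsftpd() {
  set_param "$1" anonymous_enable NO
  set_param "$1" local_enable YES
  set_param "$1" listen YES
  comment_param "$1" listen_ipv6
  set_param "$1" local_root /var/ftp/test
  set_param "$1" chroot_local_user YES
  set_param "$1" chroot_list_enable YES
  set_param "$1" chroot_list_file "$2"
  set_param "$1" pasv_enable YES
  set_param "$1" allow_writeable_chroot YES
  set_param "$1" pasv_address "$3"
  set_param "$1" pasv_min_port 50000
  set_param "$1" pasv_max_port 50010
  # The list file must exist even when there are no exception users.
  [ -e "$2" ] || : > "$2"
}

# check_conf FILE: return 1 if a setting line has whitespace around '=' or
# at the end of the line, or if the passive port range is inverted.
check_conf() {
  if grep -Ev '^[[:space:]]*(#|$)' "$1" |
     grep -Eq '([[:space:]]=|=[[:space:]]|[[:space:]]$)'; then
    return 1
  fi
  min=$(sed -n 's/^pasv_min_port=//p' "$1")
  max=$(sed -n 's/^pasv_max_port=//p' "$1")
  [ "${min:-0}" -le "${max:-0}" ]
}

# On the server (as root), configure, check, and only then restart:
#   configure_vsftpd "$CONF" "$CHROOT_LIST" "$PASV_ADDR" && check_conf "$CONF" && systemctl restart vsftpd
```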

Step 3: Configure security groups

After you build the FTP site, add inbound rules to the security groups of the instance to open the following FTP ports. For information about how to add an inbound security group rule, see Add a security group rule.

Note

Most clients are located in LANs and can map private IP addresses to public IP addresses to communicate with external resources. Therefore, the IP addresses that are returned by the ipconfig or ifconfig command may not be the actual public IP addresses of the clients. If you cannot log on to the FTP server from a client, check the public IP address of the client.

In passive mode, you must allow traffic on port 21 and all ports in the port range that is specified by the pasv_min_port and pasv_max_port parameters in the /etc/vsftpd/vsftpd.conf configuration file. The following table describes how to configure inbound security group rules.

Direction | Action | Protocol type | Port range | Authorization object
--- | --- | --- | --- | ---
Inbound | Allow | Custom TCP | 21/21 | The public IP addresses of all clients that want to access the FTP server. Separate the IP addresses with commas (,). To allow all clients to access the FTP server, specify 0.0.0.0/0 as an authorization object.
Inbound | Allow | Custom TCP | pasv_min_port/pasv_max_port. Example: 50000/50010. | The public IP addresses of all clients that want to access the FTP server. Separate the IP addresses with commas (,). To allow all clients to access the FTP server, specify 0.0.0.0/0 as an authorization object.

Step 4: Test the connectivity of the FTP server

You can use FTP clients, Windows command line tools, or browsers to check whether the FTP server is reachable. In this example, an on-premises host that runs a Windows Server 2012 R2 64-bit operating system is used as an FTP client to show how to access the FTP server.

  1. On the on-premises host, open This PC.

  2. In the address bar, enter ftp://<Public IP address of the FTP server>:<FTP port>. In this example, the public IP address of the Linux instance is used. Example: ftp://121.43.XX.XX:21.

  3. In the Log on as dialog box, enter the FTP username and password that you configured, and then click Logon.

    After you log on to the FTP server, you can view the files in the specified directory on the FTP server. For example, you can view the test file named testfile.txt.

vsftpd configuration file and parameters

The following section describes the files in the /etc/vsftpd directory:

  • /etc/vsftpd/vsftpd.conf is the core configuration file of vsftpd.

  • /etc/vsftpd/ftpusers is the blacklist file. Users specified in this file are not allowed to access the FTP server.

  • /etc/vsftpd/user_list is the whitelist file. Users specified in this file are allowed to access the FTP server.

The following tables describe the parameters that are used in the vsftpd.conf configuration file.

  • The following table describes the parameters for logon control.

    Parameter | Description
    --- | ---
    anonymous_enable=YES | Accepts anonymous users.
    no_anon_password=YES | Anonymous users do not need a password to log on to the FTP server.
    anon_root= (none) | Specifies the home directory of anonymous users.
    local_enable=YES | Accepts local users.
    local_root= (none) | Specifies the home directory of local users.

  • The following table describes the parameters that are used to manage the permissions of users.

    Parameter | Description
    --- | ---
    write_enable=YES | Allows all users to upload files.
    local_umask=022 | Grants local users permissions to upload files.
    file_open_mode=0666 | Uses umask to grant permissions to upload files.
    anon_upload_enable=NO | Allows anonymous users to upload files.
    anon_mkdir_write_enable=NO | Allows anonymous users to create directories.
    anon_other_write_enable=NO | Allows anonymous users to modify and delete files.
    chown_username=lightwiter | Specifies the ownership of files that are uploaded by anonymous users.

FAQ

  • Q1: What do I do if I am unable to download files from the FTP server when the on-premises host runs a Windows operating system?

    A: Perform the following operations to enable the download permission in Internet Explorer:

    1. Open Internet Explorer on your on-premises host.

    2. Click the settings icon in the upper-right corner of the browser, and then click Internet Options.

    3. In the upper part of the Internet Options dialog box, click the Security tab.

    4. In the Select a zone to view or change security settings section, click Internet, and then click Custom level... in the Security level for this zone section.

    5. Choose Download > File Download > Enable, and then click OK.

    6. Click Apply and then click OK.

  • Q2: What do I do if an error is reported when I use a command-line tool or a browser to connect to the FTP server in the Windows operating system?

    A: You can troubleshoot the issue based on the error message that is related to the FTP server. If the issue is difficult to troubleshoot, we recommend that you use a third-party FTP client connection tool such as FileZilla. To download the FileZilla client, visit FileZilla. In this example, FileZilla is used to connect to the FTP server in anonymous mode.

    1. Configure vsftpd in anonymous mode.

      1. Run the following command to modify the /etc/vsftpd/vsftpd.conf configuration file.

        If you installed vsftpd by running the apt install vsftpd command, the path of the configuration file is /etc/vsftpd.conf.

        sudo vim /etc/vsftpd/vsftpd.conf

      2. Press the I key to enter Insert mode.

      3. Comment out the permissions and set the anon_upload_enable parameter to YES to allow anonymous users to upload files.

      4. Press the Esc key, enter :wq, and then press the Enter key to save and close the file.

        The following figure shows a sample modified configuration file.

      5. Run the following command to grant FTP users write permissions on the /var/ftp/pub directory.

        /var/ftp/pub is the default file directory of the FTP service.

        sudo chmod o+w /var/ftp/pub/

      6. Run the following command to reload the configuration file:

        sudo systemctl restart vsftpd

    2. Download and install FileZilla.

    3. Use FileZilla to connect to the FTP server in anonymous mode.

      1. Open the FileZilla client.

      2. In the top navigation bar, choose File > Site Manager.

      3. In the lower-left corner of the Site Manager dialog box, click New site (N).

      4. Enter a name for the new site and configure the new site.

        Note

        In this example, FileZilla 3.64.0 is used. The actual interface may vary based on your FileZilla version.

        Parameters:

        • Name: a custom site name. Example: test-01.

        • Protocol: FTP.

        • Host: the public IP address of the FTP server. In this topic, the public IP address of the Linux instance is used. Example: 121.43.XX.XX.

        • Port: 21.

        • Logon Type: Anonymous.

          In this example, an FTP client is used to connect to the FTP server in anonymous mode. If you want to manage access to the FTP server, set the logon type to normal and configure the username and password.

      5. Click Connect.

        After you connect to the FTP server, you can upload, download, and delete files. The following figure shows a sample FileZilla interface. The sections of the interface are described below.

        • Message log: displays commands, the connection status of the FTP server, and task execution results.

        • Local site: displays information about the on-premises host, including the directory information of the host.

        • Remote site: displays information about the remote server, including the directory information of the FTP server. In anonymous mode, the default directory is /pub.

        • Transfer queue: displays records, including the FTP task queue and logs.

Reference

You can build an FTP site on a Windows instance. For more information, see Build an FTP site on a Windows instance.