Tutorial

How To Configure vsftpd to Use SSL/TLS on an Ubuntu VPS

Published on October 26, 2013
How To Configure vsftpd to Use SSL/TLS on an Ubuntu VPS

Status: Deprecated

This article covers a version of Ubuntu that is no longer supported. If you are currently operate a server running Ubuntu 12.04, we highly recommend upgrading or migrating to a supported version of Ubuntu:

Reason: Ubuntu 12.04 reached end of life (EOL) on April 28, 2017 and no longer receives security patches or updates. This guide is no longer maintained.

See Instead: This guide might still be useful as a reference, but may not work on other Ubuntu releases. If available, we strongly recommend using a guide written for the version of Ubuntu you are using. You can use the search functionality at the top of the page to find a more recent version.

Introduction


<strong class=“highlight”>Warning: FTP is inherently insecure! Consider <a href=“https://www.digitalocean.com/community/articles/how-to-use-sftp-to-securely-transfer-files-with-a-remote-server”>using SFTP instead of FTP</a>.</strong>

FTP, or file transfer protocol, was a popular way to transfer files between local and remote computers in the past. The protocol is inherently insecure, so its usage has fallen out of favor.

If you still want to use FTP instead of a more secure alternative like SFTP, which uses the SSH protocol to implement file transfers, you can secure it somewhat by configuring FTP to use SSL.

In this guide, we will configure vsftpd to use SSL certificates on an Ubuntu 12.04 VPS.

Install vsftpd


The vsftpd server is available in Ubuntu’s default repositories. You can install it by typing:

sudo apt-get install vsftpd

We now have vsftpd on our server, but we still must configure it.

Configure Basic vsftpd Functionality


The default configuration file is at /etc/vsftpd.conf. Open it with root privileges:

sudo nano /etc/vsftpd.conf

Disable the ability for users to log in anonymously by finding the anonymous_enable parameter and changing it to read “NO”:

<pre> anonymous_enable=<span class=“highlight”>NO</span> </pre>

Next, we need to enable user logins that use the local authentication files, since we disabled anonymous access. Uncomment this line:

local_enable=YES

To enable users to make modifications to the filesystem, we will uncomment the write_enable parameter as well:

write_enable=YES

Additionally, uncomment the chroot_local_user option to restrict users to their own home directories:

chroot_local_user=YES

Save and close the file.

Create an FTP User


Because of the way vsftpd secures its chroot jails, the chroot must not be owned by the user and must not be writeable. Because of this, it is best to implement a user specifically for use with FTP.

Create the user like this:

sudo adduser ftpuser

Assign a password and feel free to press “ENTER” through the other prompts. Now, give root ownership of the ftpuser’s home directory:

sudo chown root:root /home/ftpuser

We need to create a separate directory within this home directory where files can be uploaded. Then, we need to give this directory over to our FTP user:

sudo mkdir /home/ftpuser/files
sudo chown ftpuser:ftpuser /home/ftpuser/files

Now, we should be able to log in (insecurely) as the ftpuser and upload files to the files directory.

Configure SSL with vsftpd


We need to create some SSL certificates to use with vsftpd. We can do this with the following command:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

This will create a certificate that will last a year. It will be placed in the /etc/ssl/private/ directory, which we can reference in our configuration file.

Add the SSL Details to the vsftpd Configuration


Open the vsftpd configuration file again with root privileges:

sudo nano /etc/vsftpd.conf

Towards the bottom of the file, you should find a line that matches the SSL certificate we just created:

rsa_cert_file=/etc/ssl/private/vsftpd.pem

We will add the additional SSL info below this.

When we created the certificate, we included both the key file and the certificate in one file, so we can also point our private key line to that:

rsa_private_key_file=/etc/ssl/private/vsftpd.pem

After that, we will add the following lines to force SSL. This will restrict clients that can’t deal with TLS, but that is what we want.

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES

After this we configure the server to use TLS, which is actually a successor to SSL, and preferred:

ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

Finally, we will require add some additional options to flesh out our configuration file:

require_ssl_reuse=NO
ssl_ciphers=HIGH

Save and close the file.

Now, we need to restart our server for our changes to take effect:

sudo service vsftpd restart

How To Connect to the Server with FileZilla


Most modern FTP clients can be configured to use SSL and TLS encryption. We will be demonstrating how to connect using FileZilla due to its cross platform support.

In the configuration panel, you should see a button on the far left to open “Site Manager”. Click this:

FileZilla Open Site Manager

Click on “New Site” in the bottom right corner of the window interface that appears:

FileZilla New Site

Name the new configuration. Fill out the IP address. Under the “Encryption” drop down menu, select “Require explicit FTP over TLS”.

For “Logon Type”, select “Ask for password”. Fill in the ftp user you created in the “User” field:

FileZilla Server Configuration

Click “Connect” at the bottom of the interface. You will be asked for your user’s password:

FileZilla user password

You will then be asked to accept the TLS certificate:

FileZilla Server Certificate

You should now be connected with your server with TLS/SSL encryption.

Conclusion


This setup improves the security of FTP, but it still suffers from insecurity when establishing a connection. If at all possible, it is better to switch to SFTP for these kinds of operations. However, if you do decide to go with FTP, you should make sure to use TLS/SSL whenever possible.

<div class=“author”>By Justin Ellingwood</div>

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
10 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

GnuTLS error -15: An unexpected TLS packet was received.

what it means?

Error: Received unexpected end-of-file from SFTP server Error: Could not connect to server

Enable port 22 for services security use command [ ufw allow 22/tcp ]

Hi,

I can’t do : in the console. How i can do that ? When i press the key that do ;

Thank you very much.

I can’t connect to the ftp:

Error: Authentication failed. Error: Critical error: Could not connect to server

Actually I think that I did something wrong. I don’t know what to do in the step “Add the SSL Details to the vsftpd Configuration”. This tutorial says:

Towards the bottom of the file, you should find a line that matches the SSL certificate we just created:

rsa_cert_file=/etc/ssl/private/vsftpd.pem

But I can’t find that line, instead I found this at the bottom:

# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections.
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
# This option specifies the location of the RSA key to use for SSL
# encrypted connections.
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

So I just added this at the bottom of the file:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

Is there something that I’m missing?

I’m using WinSCP set to TLS explicit encryption and get:

Using TLSv1.2, cipher TLSv1/SSLv3: AES256-GCM-SHA384, 1024 bit RSA SSL3 alert write: fatal: protocol version Disconnected from server Connection failed.

Any ideas?

Hi,

I’ve a problem to connect when I use lftp on debian 7:

`ls’ at 0 [Making data connection…]

did you already get this error, and how did you fixed it? thanks.

I followed the instructions above to setup vsftpd on my ubuntu 14.04 home server. My plan is to connect from an internal client (192.168.x.x) via. Filezilla and transfer/upload files. I was able to accept the TLS certificate but get the below error? something i missed? any help to troubleshoot is greatly appreciated…

Status: Verifying certificate… Command: USER ftpuser2 Status: TLS/SSL connection established. Response: 331 Please specify the password. Command: PASS ************ Error: GnuTLS error -15: An unexpected TLS packet was received. Error: Could not connect to server

Thanks. Working great.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.