FTP Setup

If you would like to provide FTP support for your customers, you can install and configure an FTP server.

Currently it does not have any dependency on EHM or vice versa.

Install vsFTP

sudo su
apt update
apt install vsftpd

Configuration to Set Custom Root Directories

  1. Backup the default configuration:
cp /etc/vsftpd.conf /etc/vsftpd.conf.bak
  2. Edit the configuration file:
vim /etc/vsftpd.conf

Modify or add these settings:

anonymous_enable=NO

# Allow local users to log in
local_enable=YES
write_enable=YES

# Lock users in their home directories
chroot_local_user=YES
allow_writeable_chroot=YES

# Define a custom home directory for users
user_sub_token=$USER
local_root=/home/$USER/ecp/homedir

# Enable passive mode (required for some FTP clients)
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
  3. Restart the FTP server:
systemctl restart vsftpd
systemctl enable vsftpd

Security setup (Optional)

To enhance the security of your vsFTP (Very Secure FTP Daemon) configuration, follow these steps:


3. Secure VSFTP Configuration

Edit the vsftpd.conf file:

sudo nano /etc/vsftpd.conf

Update or add the following settings:

Basic Security Settings

# Disable anonymous login
anonymous_enable=NO
# Allow local users to log in
local_enable=YES
# Allow file uploads
write_enable=YES
# Restrict users to their home directory
chroot_local_user=YES
# Allow writing inside chroot
allow_writeable_chroot=YES

Passive Mode & Firewall Configuration

To allow Passive Mode, add:

pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000

Then, allow these ports in the firewall:

sudo ufw allow 40000:50000/tcp

Limit Number of Connections

# Maximum simultaneous clients
max_clients=10
# Max connections per IP
max_per_ip=2

Disable FTP Commands That Can Be Exploited

deny_email_enable=YES
banned_email_file=/etc/vsftpd.banned_emails

Create the banned email list:

sudo nano /etc/vsftpd.banned_emails

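Add unwanted email addresses, one per line. vsftpd matches this list against the e-mail address given as the password for anonymous logins, so it has no effect while anonymous_enable=NO.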


4. Secure with SSL/TLS

Enable encryption to prevent passwords from being sent in plain text.

Generate SSL Certificate

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Configure VSFTP for SSL

Add to vsftpd.conf:

ssl_enable=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
force_local_logins_ssl=YES
force_local_data_ssl=YES
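
A check to run on the file before restarting the service, as an added example that is not part of the original page: it flags trailing comments or spaces on setting lines, which vsftpd does not strip, and compares the file with the values this page sets. The names conf_get and audit_vsftpd_conf and the sample config are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the page): audit vsftpd.conf against the page's values.
# conf_get, audit_vsftpd_conf and the sample config are constructed here.
# Value of the last "key=value" line for key $2 in file $1 (empty if unset).
conf_get() {
    awk -v k="$2" 'index($0, k "=") == 1 { v = substr($0, length(k) + 2) }
                   END { print v }' "$1"
}

# Print one line per finding for file $1; return the number of findings.
audit_vsftpd_conf() {
    conf=$1
    fails=0
    # vsftpd reads everything after "=" as the value, so a trailing comment
    # or space on a YES/NO line is rejected as a bad bool value at startup.
    bad=$(grep -nE '^[a-z0-9_]+=.*[[:space:]](#.*)?$' "$conf" || true)
    if [ -n "$bad" ]; then
        echo "FAIL trailing comment or space on: $bad"
        fails=$((fails + 1))
    fi
    # Settings from the page; a key that is unset counts as a finding.
    for want in anonymous_enable=NO chroot_local_user=YES ssl_enable=YES \
        ssl_sslv2=NO ssl_sslv3=NO force_local_logins_ssl=YES \
        force_local_data_ssl=YES; do
        key=${want%%=*}
        got=$(conf_get "$conf" "$key")
        if [ "$got" != "${want#*=}" ]; then
            echo "FAIL $key is '${got:-unset}', page sets ${want#*=}"
            fails=$((fails + 1))
        fi
    done
    # The passive range must be numeric and ordered; ufw opens the same range.
    lo=$(conf_get "$conf" pasv_min_port)
    hi=$(conf_get "$conf" pasv_max_port)
    case "$lo:$hi" in
        :*|*:|*[!0-9:]*) echo "FAIL passive port range unset or not numeric"
                         fails=$((fails + 1)) ;;
        *) [ "$lo" -le "$hi" ] || { echo "FAIL pasv_min_port > pasv_max_port"
                                    fails=$((fails + 1)); } ;;
    esac
    return "$fails"
}

# Constructed sample: an inline comment fails although the value looks right.
sample=$(mktemp)
printf '%s\n' 'anonymous_enable=NO   # Disable anonymous login' \
    'ssl_enable=YES' 'pasv_min_port=40000' 'pasv_max_port=50000' > "$sample"
audit_vsftpd_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

Point the function at /etc/vsftpd.conf instead of the sample file; its exit status is the number of findings, so 0 means the file matches.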

5. Restart and Enable VSFTP

sudo systemctl restart vsftpd
sudo systemctl enable vsftpd

6. Test Your FTP Server

Test using FileZilla or lftp:

lftp -u your_ftp_user ftp://your-server-ip

7. Additional Hardening (Optional)

  • Disable root login: Ensure root cannot use FTP.
    echo "root" | sudo tee -a /etc/ftpusers
  • Use Fail2Ban to prevent brute force attacks:
    sudo apt install fail2ban -y

Your VSFTP server is now secure!