Tools: Complete Guide to Setting Up a Secure FTP Server on Ubuntu (Using vsftpd)
1. Why FTP Still Matters (and When to Use It)

FTP (File Transfer Protocol) is one of the oldest ways to move files between machines. While tools like SCP, SFTP, and cloud storage are popular today, FTP is still widely used in:

• Legacy systems
• Shared hosting environments
• Automated file uploads/downloads
• Simple internal file distribution

That said, plain FTP is insecure because it sends usernames and passwords in clear text. That’s why in this guide we’ll focus on securing FTP using TLS, resulting in FTPS.

We’ll use vsftpd (Very Secure FTP Daemon), which is:

• Fast
• Lightweight
• Actively maintained
• Designed with security in mind

2. What You’ll Build by the End of This Guide

By the end, you’ll have:

• A working FTP server on Ubuntu
• Local users restricted to their home directories
• Encrypted connections using TLS
• Firewall rules properly configured
• A setup suitable for production or lab use

3. Prerequisites

Before we start, make sure you have:

• Ubuntu 20.04 / 22.04 / 24.04
• A user with sudo privileges
• Basic command line familiarity
• Port access (especially if using a cloud VM)

All commands below assume:

    sudo -i

(or prefix commands with sudo)

4. Installing vsftpd

First, update your package index:

    apt update

Then install vsftpd:

    apt install vsftpd -y

Check that the service is running:

    systemctl status vsftpd

You should see something like:

    Active: active (running)

Enable it to start on boot:

    systemctl enable vsftpd

5. Understanding the vsftpd Configuration File

The main configuration file is:

    /etc/vsftpd.conf

Before editing, always back it up:

    cp /etc/vsftpd.conf /etc/vsftpd.conf.bak

This single file controls authentication, permissions, encryption, and behavior.

6. Creating an FTP User

For security, avoid using root or admin accounts. Create a dedicated FTP user:

    adduser ftpuser

Set a password and follow the prompts. This user’s home directory will be:

    /home/ftpuser

We’ll later restrict this user so they cannot escape this directory.

7. Basic vsftpd Configuration (Secure Defaults)

Open the config file:

    nano /etc/vsftpd.conf

Update or ensure the following settings exist:

    # Disable anonymous FTP
    anonymous_enable=NO

    # Allow local users
    local_enable=YES

    # Enable file uploads and changes
    write_enable=YES

    # Set default permissions
    local_umask=022

    # Show messages when entering directories
    dirmessage_enable=YES

    # Log FTP activity
    xferlog_enable=YES

What this does:

• Only authenticated users can log in
• Users can upload/download files
• Anonymous access is disabled

8. Chroot Users (Critical Security Step)

By default, an FTP user might browse the filesystem. This is dangerous.

Enable chroot jail (locks users into their home directory):

    chroot_local_user=YES

vsftpd does not allow writing to a chroot directory by default. To safely allow this, add:

    allow_writeable_chroot=YES

Now users are sandboxed and can’t explore your server. It means:

• Isolation: Users are confined to their home directory (the chroot jail).
• Limited access: They cannot move outside that directory to browse or modify other parts of the filesystem.
• Safety: Even if a user tries malicious commands, they are restricted to the sandbox and cannot harm the wider server.

9. Enabling FTPS (FTP over TLS)

This is the most important part.

9.1 Create a Self Signed SSL Certificate

    openssl req -x509 -nodes -days 365 \
        -newkey rsa:2048 \
        -keyout /etc/ssl/private/vsftpd.key \
        -out /etc/ssl/certs/vsftpd.crt

When prompted, enter your server details.

9.2 Configure TLS in vsftpd

Add these lines to /etc/vsftpd.conf:

    # Enable TLS
    ssl_enable=YES

    # Certificate files
    rsa_cert_file=/etc/ssl/certs/vsftpd.crt
    rsa_private_key_file=/etc/ssl/private/vsftpd.key

    # Enforce TLS
    force_local_data_ssl=YES
    force_local_logins_ssl=YES

    # Disable insecure SSL
    ssl_sslv2=NO
    ssl_sslv3=NO

    # Prefer strong ciphers
    ssl_ciphers=HIGH

This ensures:

• Passwords are encrypted
• Data transfers are encrypted
• Weak SSL versions are disabled

10. Passive Mode Configuration (Very Important)

Most FTP clients use passive mode, especially behind NAT or firewalls.

Add this to your vsftpd.conf file:

    pasv_enable=YES
    pasv_min_port=40000
    pasv_max_port=40100

This limits FTP data connections to a known port range.

11. Firewall Configuration (UFW)

If UFW is enabled, allow FTP traffic:

    ufw allow 21/tcp
    ufw allow 40000:40100/tcp

Reload firewall rules:

    ufw reload

Check status:

    ufw status

12. Restart vsftpd

Apply all changes:

    sudo systemctl restart vsftpd

Check logs if something goes wrong:

    tail -f /var/log/vsftpd.log

13. Testing the FTP Server

13.1 Using an FTP Client (Recommended)

Use FileZilla. Install FileZilla with the following commands:

    sudo apt update
    sudo apt install filezilla -y

Connect with these settings:

• Protocol: FTP
• Encryption: Require explicit FTP over TLS
• Host: server IP / hostname
• Username: ftpuser
• Password: (your password)
• Port: 21

Accept the certificate warning (expected for self signed certs).

13.2 Testing from the Command Line

For FTPS testing:

    openssl s_client -connect localhost:21 -starttls ftp

14. Common Problems and Fixes

Login Fails

• Check /etc/vsftpd.conf
• Verify user exists
• Check /var/log/vsftpd.log

Passive Mode Not Working

• Firewall ports not open
• Wrong port range
• NAT not forwarding ports

Permission Denied on Upload

    chown ftpuser:ftpuser /home/ftpuser
    chmod 755 /home/ftpuser

15. Best Practices for Production

• Use Let’s Encrypt instead of self signed certs
• Disable FTP entirely if SFTP is enough
• Use separate users per application
• Monitor logs regularly
• Consider fail2ban for brute force protection

16. FTP vs FTPS vs SFTP (Quick Comparison)

    Protocol   Encryption   Port   Notes
    FTP        No           21     Insecure
    FTPS       TLS          21     Secure FTP
    SFTP       SSH          22     Preferred modern choice

17. Final Thoughts

vsftpd lives up to its name: very secure, when configured correctly.

If you need compatibility with legacy systems or shared environments, FTPS with vsftpd is still a solid choice. For modern systems, consider SFTP, but it’s always valuable to understand FTP deeply.
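
The settings from the basic configuration, chroot, TLS and passive-mode sections can be checked in one pass before vsftpd is restarted. The script below is an added example, not part of the original guide: the function names and the sample config are constructed for illustration, and it assumes every setting is written out explicitly rather than left to its default.

```bash
#!/bin/sh
# Added example: audit a vsftpd.conf against the settings used in this guide.
# Each setting must appear explicitly; defaults are not relied on (assumption).
REQUIRED="anonymous_enable=NO local_enable=YES chroot_local_user=YES
ssl_enable=YES force_local_logins_ssl=YES force_local_data_ssl=YES
ssl_sslv2=NO ssl_sslv3=NO pasv_enable=YES
pasv_min_port=40000 pasv_max_port=40100"

# conf_value FILE KEY: print the last value assigned to KEY, empty if unset.
# Commented lines and lines with a space before "=" never match the key.
conf_value() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# audit_vsftpd_conf FILE: print one FAIL line per problem; return 0 if clean.
audit_vsftpd_conf() {
    failures=0
    for pair in $REQUIRED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(conf_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: expected $want, found ${got:-<unset>}"
            failures=$((failures + 1))
        fi
    done
    # vsftpd treats a space around "=" as an error, so flag such lines.
    if grep -Eq '^[a-z0-9_]+([[:space:]]+=|=[[:space:]])' "$1"; then
        echo "FAIL syntax: space around '=' in an option line"
        failures=$((failures + 1))
    fi
    # Not a failure: this option overrides vsftpd's writable-root refusal.
    if [ "$(conf_value "$1" allow_writeable_chroot)" = "YES" ]; then
        echo "NOTE allow_writeable_chroot=YES: users can write to their jail root"
    fi
    [ "$failures" -eq 0 ]
}

# Constructed sample with two mistakes: a commented-out line and "key = value".
sample_conf() {
    printf '%s\n' anonymous_enable=NO local_enable=YES write_enable=YES \
        chroot_local_user=YES allow_writeable_chroot=YES ssl_enable=YES \
        '#force_local_logins_ssl=YES' force_local_data_ssl=YES ssl_sslv2=NO \
        ssl_sslv3=NO pasv_enable=YES pasv_min_port=40000 'pasv_max_port = 40100'
}

tmp=$(mktemp); sample_conf > "$tmp"
audit_vsftpd_conf "${1:-$tmp}" || true   # pass a real path as $1 to audit it
rm -f "$tmp"
```

On the constructed sample it reports the commented-out force_local_logins_ssl line, the unset pasv_max_port, and the "key = value" syntax error.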