0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

How to Setup Secure FTP on AWS EC2

Last updated at Posted at 2023-12-13

images-3.jpeg

Overview

FTP (File Transfer Protocol) is used to communicate and transfer files between computers on a TCP/IP (Transmission Control Protocol/Internet Protocol) network, aka the internet. Users, who have been granted access, can receive and transfer files in the File Transfer Protocol server (also known as FTP host/site).

FTP can be used with a variety of file types, including text, images, audio, and video. It is commonly used by web developers and system administrators to manage websites, transfer files between servers, and backup data. However, due to its lack of encryption, it is not considered a secure protocol for transferring sensitive information.

Below are the basic steps to setup FTP on AWS EC2.

Step 1 – Getting Started

Login to your AWS server via Terminal. This tutorial assumes you can login as ec2-user.

sudo -i   // to access as root.
yum update -y   // to update your AWS server to latest stable release of *everything*. The -y means when it asks if you want to install you’ve already said “yes”

yum install vsftpd  // to install the ftp gubbins you will need to say yes

Step 2 – Open Ports in Security Group

You need to go to your AWS account in your browser and open up the ports required for FTP access.
This is done by as follows:

1) Login to AWS account.
2) Open up the EC2 panel from the service menu.
3) Select “security groups” from the left menu and find the relevant one.
4) Press “Edit” on the relevant security group INBOUND rules
5) Add two rules Type > Custom TCP Rules – port ranges 20-21 and 1024-1048 (all from source “anywhere” if you want to allow FTP from anywhere, otherwise secure by locking down to just your IP, assuming a) you know this and b) it won’t change!)

please check the attached images.
1)
1.png

2)
2.png

3)
3.png

4)
4.png

5)
5.png

Step 3 – Ensure vsftpd starts on server reboot

You want to make sure your new service will start when your server reboots, in future.
Enter the following into terminal

chkconfig --level 345 vsftpd on   // This makes sure that vsftpd starts when the instance reboots (note it will need starting initially, which a restart we do below will achieve!)

Step 4 – Update vsftpd.conf file

Back in your terminal window, run the following commands to update your
vsftpd.conf file using vi.

vi /etc/vsftpd/vsftpd.conf  // this uses the vi editor to edit the vsftpd.conf file. 

press the insert key or “i” to start inserting (well deleting, replacing, and whatever too) in vi, or use the other method to achieve the below:

Change

anonymous_enable=YES
to
anonymous_enable=NO   // this prevents ananymous access over FTP.

Then add the following to the bottom of the file

pasv_enable=YES
pasv_min_port=1024

pasv_max_port=1048
pasv_address=[YOURPUBLICIP]

Be SURE to replace [YOURPUBLICIP] with your public IP. Its enabling passive connections, specifiying the ports to use, and the IP.

Press escape
type
:wq
Hit enter

// :wq tells vi to “write” this file and “quit” the colon means “commands coming” and the escape key beforehand says “I’m about to say some commands, stop inserting into file”.

Now next Restart vsftpd

sudo /etc/init.d/vsftpd restart

Step 5 – Create an FTP user

Type the following into terminal to create this user / password – replace “awsftpuser” with your intended username!

adduser awsftpuser

passwd awsftpuser

Step 6 – Restrict user to home directory

You will want to prevent an FTP user getting ideas above his station, and “chroot” him or her to their directory (means they cannot go “above” their home directory and try to tinker about with (for example) server settings).
Edit the vsftpd.conf again in terminal and again using vi:

vi /etc/vsftpd/vsftpd.conf

Uncomment (remove the # in front of) the line which says:

chroot_local_user=YES

Then its save and quit as before.
// Hit escape
:wq
 then Enter
// again save your new settings by writing to vi and quitting
Restart vsftpd by entering this into terminal:

sudo /etc/init.d/vsftpd restart

Step 7 -Change / Set user’s FTP home directory & give group permissions

Enter the below command into terminal to set the user (in this case our awsftpuser user – replace this with your actual username!) home directory. In this example, I’m saying the ftp_data is the user’s root.

usermod -d /var/www/ftp_data awsftpuser

Then, make sure the awsftpuser is the part of the group which owns the files in this folder, to allow them to upload/change/delete as you wish. You might want to be careful allowing an FTP user to modify files in your server!
First for this, check the ownership status of files in your ftp_data folder, by doing the following:

cd /var/www/ftp_data/   // navigate to the folder
ls -l

// will output the permissions and ownership and group for the files in this directory. In our case we’re going to add the user to this relevant group.

usermod -a -G <your group name> awsftpuser

// the above adds the user awsftpuser to the group, which will mean this user gains the same access allowed to that group. This will help you with some permissions stuff you would otherwise experience with FTP’ing things up and down.
Finally, restart to apply everything and you should be done!

sudo /etc/init.d/vsftpd restart

That's done. Now you can access your FTP. Good Work!

Two more useful commands:

To change the default FTP upload folder
Step 1:

edit /etc/vsftpd/vsftpd.conf

Step 2: Create a new entry at the bottom of the page:

local_root=/var/www/ftp_data

To apply read, write, delete permission to the files under folder so that you can manage using a FTP device
find /var/www/ftp_data -type d -exec chmod 777 {} ;

Do you experience any trouble?

If you are facing issue while copy file to FTP server then try below solution:
Fixing Write Permissions for Chrooted FTP Users in vsftpd
The vsftpd version that comes with Ubuntu 12.04 Precise does not permit chrooted local users to write by default. By default you will have this in /etc/vsftpd.conf:

chroot_local_user=YES
write_enable=YES

In order to allow local users to write, you need to add the following parameter:

allow_writeable_chroot=YES

Ref:
Setup-FTP-SFTP-aws-ec2-instance

If you have any doubts then feel free to ask.

Thank you,

0
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?