This tutorial will guide you through setting up a secure FTP server on the Raspberry Pi. The program we will be using is vsftpd (Very Secure File Transfer Protocol Daemon), an FTP server that can run the protocol over TLS. Unlike plain FTP, vsftpd configured with TLS as described here encrypts all traffic, so usernames and passwords aren't sent in clear text.
The first step is to make sure your whole system is updated and upgraded. Then you need to install vsftpd. To do this, run the install command;
sudo apt-get install vsftpd
As soon as you run this command you have installed and set up an FTP server. To make sure everything up to now has run correctly, you can try to log in. You will need an FTP client for this and for later on, so go ahead and download one now. The client that I am going to use is FileZilla, a free, open source program that can manage an FTP server connection.
Download a copy for your operating system – https://filezilla-project.org/
To test the server, start FileZilla and try to log in using anonymous as the user, leaving the password blank.
Tip: Where the IP is 192.168.0.2, enter the address of your Raspberry Pi
Because FTP isn't secure, you should configure the server to run over TLS. This encrypts all traffic that goes between your machine and the FTP server. First of all we need to edit the vsftpd config file. Before you edit any config file it is always recommended to make a backup, so we back up the config file by running this command;
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf_bak
Once the file is backed up you can now edit the config file;
sudo nano /etc/vsftpd.conf
Edit the config file so that it looks something like this one;
listen=YES
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# This is the welcome message response from your server
ftpd_banner=Welcome to my FTP
#
# SSL
ssl_enable=YES
# this selects the cipher type
ssl_ciphers=HIGH
#
# choose according to your preference
force_local_data_ssl=YES
#
# choose according to your preference
force_local_logins_ssl=YES
#
# Allow TLS only. SSLv2 and SSLv3 are broken protocols, so they stay disabled.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
#
# give the correct path to your currently generated *.pem file
rsa_cert_file=/etc/vsftpd/vsftpd.pem
# the *.pem file contains both the key and cert
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
#
pasv_enable=YES
pasv_min_port=12000
pasv_max_port=12100
#
# Some mobile clients require this
require_ssl_reuse=NO
Each of the lines is commented, but if you need to understand this further please refer to the man page for vsftpd by typing in;
Before you can connect to your FTP server with TLS encryption, you need to create a certificate and key for the server to use. First of all we need to make sure OpenSSL is installed and updated. You should already have this installed and updated if you followed my previous tutorials.
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install openssl
After this you then want to create the certificate and key for your server.
sudo mkdir -p /etc/vsftpd
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Once you have run this command you should be able to connect to your server. Don't forget that each time you edit the config file you must restart your vsftpd service. Run this command to restart;
sudo service vsftpd restart
If this restarts with no errors you can now connect to your server, but be aware that some routers must have ports forwarded for this to work correctly. These are the ports that I have forwarded from my router;
Make sure that you put the IP address of your Raspberry Pi in the IP address section. After this you should be able to get your FTP server working.
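To confirm that the edited config file really enforces TLS before you connect, you can audit it with a short script. This is an added example, not part of the original tutorial: the function names conf_get and audit_vsftpd_conf are made up for it, the sample config is constructed, and the defaults used for unset options are the ones listed in the vsftpd.conf man page.

```bash
#!/bin/sh
# Added example (not from the original tutorial): audit vsftpd.conf TLS settings.

# Effective value of KEY in FILE: the last assignment wins, "#" lines never match.
conf_get() {  # usage: conf_get FILE KEY DEFAULT
    awk -F= -v k="$2" -v v="$3" '$1 == k { v = $2 } END { print v }' "$1"
}

# Report every setting that leaves logins or data unencrypted.
# Rules are key:default:required (defaults as in the vsftpd.conf man page).
audit_vsftpd_conf() {  # usage: audit_vsftpd_conf FILE; returns 0 when clean
    file="$1"; findings=0
    for rule in anonymous_enable:YES:NO ssl_enable:NO:YES \
                force_local_logins_ssl:YES:YES force_local_data_ssl:YES:YES \
                ssl_sslv2:NO:NO ssl_sslv3:NO:NO; do
        key="${rule%%:*}"; rest="${rule#*:}"
        default="${rest%%:*}"; want="${rest#*:}"
        got="$(conf_get "$file" "$key" "$default")"
        if [ "$got" != "$want" ]; then
            echo "FINDING: $key=$got (want $want)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: TLS is on, but the legacy SSL protocols are enabled too.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# Constructed test input, not a recommended configuration
anonymous_enable=NO
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
EOF

audit_vsftpd_conf "$sample" || echo "Fix the findings above, then restart vsftpd"
```

On the Pi, call audit_vsftpd_conf /etc/vsftpd.conf instead of the sample file.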
Open the FileZilla program, go to File, then Site Manager.
Then enter your Raspberry Pi's IP in the Host section.
In the encryption box select “Require explicit FTP over TLS”.
Change the logon type to Normal and then enter your username and password into the boxes provided.
The screenshot doesn't show anything in Host, but put your Raspberry Pi’s IP here.
When you then select Connect you should get a pop-up box asking if you want to accept the unknown certificate. Check that the certificate details are the ones you entered earlier when you created the OpenSSL certificate and key.
You should then be able to log in to your ftp server. If you would like to “jail” local users and have virtual users, keep an eye on this blog. I will be posting a part 2 soon.
If you have any comments or improvements, please comment below. Also, don’t be afraid to ask any questions.