vsftpd Setup

Cover Image for vsftpd Setup

4 min read


So an FTP server is often one of the first things people want to setup on a new server. I recently setup two, one on my Raspberry Pi for making a 2TB USB Drive available in my home, and another somewhat more secure one on my VPS to transfer files back and forth. So anyway, lets just right in.

Like always..

sudo apt-get update
sudo apt-get install vsftpd

First we will we make an FTP Folder inside our users home directory that will serve as our default FTP Directory (or possibly only available directory via FTP, more on that later..)

sudo mkdir /home/[user]/ftp

And make sure no one can write to this folder

sudo chown nobody:nogroup /home/[user]/ftp

Then make a folder inside that one that we can actually write to

sudo mkdir /home/[user]/ftp/files

sudo chown [user]:[user] /home/[user]/ftp/files

Then open the config file

sudo nano /etc/vsftpd.conf

And make sure the follow is set and/or uncommented:

#Allow anonymous FTP? (Disabled by default).

#Uncomment this to allow local users to log in.



(this will determine whether our user is forced to stay in the above directory or not. This is the more safe route to take, and the one I set on my VPS – on my RaspPi, however, I want to be able to upload and download other files as well, so I set this to NO there.)

Now we’ll add some new options, anywhere in the file is fine. We’re going to add a user_sub_token in order to insert the username in our local_root directory path so our configuration will work for this user and any future users that might be added.




Change this port to any that you want to access your server on. Leave this line out completely if the default port 21 is fine for you. Often if you have a public IP address and are open to the internet, people will be scouring for machines with the standard ports open (including things like 22 [SSH], 21! [FTP]) so it is advisable to use a non-standard port here if your machine has a public IP.


This is another way to limit access to your FTP Server. If you have multiple users on your machine, but only want 1 or 2 or however many to be able to login via FTP add these lines and create the vsftpd.userlist file with your chosen usernames in them. A simple text file with [username] in it is sufficient i.e.

echo "[user]" | sudo tee -a /etc/vsftpd.userlist

Everything is technically setup now! You can test your connection by going to your browser or favorite ftp client and connecting to ftp://[IP Address]:[port] and then entering your credentials.

A restart of vsftpd and your good to go:

sudo systemctl restart vsftpd

Securing our FTP Server

The above will only setup a non-encrypted standard FTP server. As FTP is by default a totally unencrypted channel, I highly recommend continuing and securing your server. Otherwise all communication will be done in plaintext and will be susceptible to snooping..

So to begin we will generate an ssl key.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

You’ll be prompted for some info like country, state, etc. This info is all entirely optional / does not have to be accurate..

Now we’ll go back into the vsftpd config file

sudo nano /etc/vsftpd.conf

And comment out the default rsa file lines..


Now we will add our previously created ssl key:


and enable SSL



with these final two lines we are forcing all clients to use FTPES, so our FTP server will no longer be available via web browsers (as these only support standard, unencrypted FTP). If you still want the option of connecting via your credentials to a standard FTP server set these last two to NO. You can still connect via encrypted FTPES, but don’t have to..

Finally, some options to increase SSL security:


After those lines you can save and close the file again and restart vsftpd.

sudo systemctl restart vsftpd

If you set force local SSL you can now only connect via legitimate FTP clients like FileZilla via settings such as the following: