Coder Perfect

Setting up FTP on Amazon Cloud Server [closed]


I’ve tried and failed to set up FTP on Amazon Cloud Server. I looked on the internet but couldn’t find any specific instructions on how to accomplish it.

I discovered the following commands to run:

$ yum install vsftpd
$ ec2-authorize default -p 20-21
$ ec2-authorize default -p 1024-1048
$ vi /etc/vsftpd/vsftpd.conf
# --- Add the following lines at the end of the file ---
    pasv_address=<Public IP of your instance>
$ /etc/init.d/vsftpd restart

But I’m not sure where to put them.

Asked by SharkTheDark

Solution #1

Jaminto did a fantastic job answering the topic, however I recently went through the procedure and wanted to add to what he said.

I’m assuming you’ve already set up an Amazon EC2 instance and assigned it an Elastic IP Address.

SSH into your EC2 instance. Type:

> sudo yum install vsftpd

vsftpd should now be installed.

Then, on your EC2 server, you’ll need to open up the FTP ports. Select Security Groups from the navigation tree on the left after logging into the AWS EC2 Management Console. Choose the security group for your EC2 instance. After that, go to the Inbound tab and click Edit:

Add two Custom TCP Rules with port ranges of 20-21 and 1024-1048. You can choose ‘Anywhere’ as the source. If you choose to set Source to your own IP address, keep in mind that if your IP address is allocated using DHCP, it may change.

Open your vsftpd.conf file:

> sudo vi /etc/vsftpd/vsftpd.conf

Change this line to disable anonymous FTP:

Then, at the bottom of the vsftpd.conf file, add the following lines:

pasv_address=<Public IP of your instance> 

Your vsftpd.conf file should look somewhat like this, with the exception that the pasv address should be replaced with your public facing IP address:

Press escape, then type :wq and press enter to save your changes.

vsftpd can be restarted by typing:

> sudo /etc/init.d/vsftpd restart

You should see something like this:

If that doesn’t work, try the following:

> sudo /sbin/service vsftpd restart

If you take a peek at /etc/vsftpd/user_list, you’ll see the following:

# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.

This essentially says, “Don’t give these users FTP access.” vsftpd will grant FTP access to any user who isn’t on this list.

As a result, you may need to create a new user on your server in order to create a new FTP account. (Alternatively, you can skip to the following step if you already have a user account that isn’t listed in /etc/vsftpd/user_list.)

On an EC2 instance, creating a new user is rather straightforward. To create the user ‘bret,’ for example, type:

> sudo adduser bret
> sudo passwd bret

This is how it will appear:

At this point, your FTP users are not limited to their home directories. That’s not very secure, but it’s something we can easily fix.

Reopen your vsftpd conf file and type:

> sudo vi /etc/vsftpd/vsftpd.conf

Uncomment the line:


When you’re finished, it should look like this:

Restart the vsftpd server:

> sudo /etc/init.d/vsftpd restart

All done!

When your server boots, vsftpd does not start immediately. If you’re anything like me, you’ll be terrified when FTP appears to be broken after rebooting your EC2 instance – when in truth, it’s just not operating! Here’s a quick workaround for that:

> sudo chkconfig --level 345 vsftpd on

Alternatively, if you are using Red Hat, another way to manage your services is this nifty text-mode user interface for choosing which services start automatically:

>  sudo ntsysv

When your server boots up, vsftpd will now start automatically.

*IMPORTANT NOTE: Iman Sedighi has provided a more elegant technique for restricting users’ access to a certain directory. Please see his fantastic solution, which has been given as an answer.

You may make a user and limit their FTP access to a specified folder, such as /var/www. You’ll need to alter the user’s default home directory to accomplish this:

> sudo usermod -d /var/www/ username

It is also common to add the user to the ‘www’ group, which is usually associated with the /var/www directory:

> sudo usermod -a -G www username

Answered by clone45
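The procedure in the answer above (install vsftpd, open 20-21 and 1024-1048 in the security group, set pasv_address, disable anonymous logins, chroot users) spreads the settings over several manual edits. The script below is an added example, not code from any of the answers, that applies those settings to a vsftpd.conf in one idempotent pass and verifies the result. It also pins pasv_min_port/pasv_max_port to the 1024-1048 range that the security group opens: the answers never set them, and without them vsftpd picks an arbitrary high port for passive data connections, which the security group blocks, so directory listings hang. The open_ftp_ports function is the current AWS CLI equivalent of the legacy ec2-authorize commands in the question. The config path, Elastic IP, security group ID and CIDR are placeholders supplied on the command line; 203.0.113.10 below is a documentation address, not a real host.

```sh
#!/bin/sh
# Added example (not from any answer above): apply the vsftpd settings the
# answers describe to vsftpd.conf in one pass and verify the result. Also pins
# the passive data ports to the 1024-1048 range opened in the security group;
# without pasv_min_port/pasv_max_port vsftpd picks a random high port, which
# the security group blocks, and passive transfers hang.
# Config path, IP, security group ID and CIDR are placeholders passed as arguments.
set -eu

PASV_MIN=1024
PASV_MAX=1048

# vsftpd_set FILE KEY VALUE: drop every existing (active or commented-out)
# definition of KEY and append KEY=VALUE, so repeated runs give the same file.
vsftpd_set() {
    grep -Ev "^[[:space:]#]*$2=" "$1" > "$1.tmp" || true
    printf '%s=%s\n' "$2" "$3" >> "$1.tmp"
    mv "$1.tmp" "$1"
}

# vsftpd_get FILE KEY: the effective value of KEY (last definition wins)
vsftpd_get() {
    grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# harden_vsftpd FILE PASV_IP: the settings from the answers plus the passive range
harden_vsftpd() {
    vsftpd_set "$1" anonymous_enable NO      # no anonymous logins
    vsftpd_set "$1" local_enable YES         # allow local system users
    vsftpd_set "$1" write_enable YES         # allow uploads
    vsftpd_set "$1" chroot_local_user YES    # confine each user to their home directory
    vsftpd_set "$1" pasv_enable YES
    vsftpd_set "$1" pasv_min_port "$PASV_MIN"
    vsftpd_set "$1" pasv_max_port "$PASV_MAX"
    vsftpd_set "$1" pasv_address "$2"        # the instance's Elastic IP
}

# open_ftp_ports SG_ID CIDR: current AWS CLI equivalent of the ec2-authorize
# commands in the question (needs AWS credentials; only run when asked)
open_ftp_ports() {
    aws ec2 authorize-security-group-ingress --group-id "$1" --protocol tcp \
        --port 20-21 --cidr "$2"
    aws ec2 authorize-security-group-ingress --group-id "$1" --protocol tcp \
        --port "$PASV_MIN-$PASV_MAX" --cidr "$2"
}

# Usage: sudo sh harden-vsftpd.sh /etc/vsftpd/vsftpd.conf <elastic-ip> [<sg-id> <cidr>]
if [ $# -ge 2 ]; then
    harden_vsftpd "$1" "$2"
    if [ $# -ge 4 ]; then
        open_ftp_ports "$3" "$4"
    fi
    echo "pasv_address is now $(vsftpd_get "$1" pasv_address); restart vsftpd to apply"
fi
```

Two caveats when using this. vsftpd 2.3.5 and later refuse to log a user in when chroot_local_user=YES and the chroot root (the user's home directory) is writable by that user ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"); make the home directory itself read-only for the user and give them a writable subdirectory. And plain FTP sends the password in cleartext, so if you open 20-21 to 0.0.0.0/0 as the answer allows, restrict the source CIDR or use SFTP over the SSH port you already have open.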

Solution #2

To activate passive ftp on an EC2 server, first set the ports your ftp server should use for inbound connections, then create a list of available ports for ftp client data connections.

I’m not familiar with linux, but the scripts you provided are for installing the ftp server, configuring the ec2 firewall rules (using the AWS API), and then configuring the ftp server to use the ports you allowed on the ec2 firewall.

As a result, the ftp client is installed in this stage (VSFTP)

> yum install vsftpd

These procedures will set up the ftp client.

> vi /etc/vsftpd/vsftpd.conf
--    Add following lines at the end of file --
     pasv_address=<Public IP of your instance> 
> /etc/init.d/vsftpd restart

The other two steps, however, are easier to do through the EC2 Security Groups in the Amazon console. There, you must allow connections on ports 20, 21 and 1024-1048 in the security group assigned to your server.

Answered by jaminto

Solution #3

Thanks @clone45 for the nice solution. But I had just one important problem with Appendix b of his solution. Immediately after I changed the home directory to /var/www/html, I couldn’t connect to the server through ssh and sftp, because it always showed the following error:

permission denied (public key)

Or, with FileZilla, I got this error:

No supported authentication methods available (server: public key)

However, I was able to connect to the site via a standard FTP connection.

If you get the same error, simply undo appendix b of @clone45’s solution by changing the user’s default home directory to:

sudo usermod -d /home/username/ username

However, if you make /var/www/html the user’s default home directory, the user will have access to many additional files. To secure your server, take the following steps:

1- Create a sftponly group. Make a group for all users whose access to /var/www/html you wish to limit to ftp and sftp only. To create the group:

sudo groupadd sftponly

2- Jail the chroot. To limit this group’s sftp access to the server, you must jail the chroot so that its members can only access the html folder inside their home directory. To do so, open /etc/ssh/sshd_config in vim with sudo. Comment out this line at the end of the file:

Subsystem sftp /usr/libexec/openssh/sftp-server

Then, underneath that, add this line:

Subsystem sftp internal-sftp

So we replaced subsystem with internal-sftp. Then add following lines below it:

 Match Group sftponly
        ChrootDirectory /var/www
        ForceCommand internal-sftp
        AllowTcpForwarding no

I saved my changes after adding this line and then restarted the ssh service by:

sudo service sshd restart

3- Make the user a member of the sftponly group. Any user whose access you want to restrict must be a member of the sftponly group. So we add the user to sftponly by:

sudo usermod -a -G sftponly username   # -a appends; without it -G replaces the user's other supplementary groups

4- Limit user access to var/www/html only. To limit a user’s access to the var/www/html folder, create a directory in that user’s home directory (named ‘html’) and mount /var/www to /home/username/html as follows:

sudo mkdir /home/username/html
sudo mount --bind /var/www /home/username/html

5- Configure write permissions. If the user requires write access to /var/www/html, the user must be jailed at /var/www, which must have root:root ownership and 755 permissions. Then you must give /var/www/html root:sftponly ownership and 775 permissions, with the following commands:

sudo chmod 755 /var/www
sudo chown root:root /var/www
sudo chmod 775 /var/www/html
sudo chown root:sftponly /var/www/html   # the group named above; use www if that is the group your users share

6- Disable shell access. If you want to make it more secure by restricting access to the shell, simply change the default shell to /bin/false as follows:

sudo usermod -s /bin/false username

Answered by Iman Sedighi
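The root:root and 755 requirement in step 5 is not a style choice: sshd refuses a ChrootDirectory unless the directory and every parent component up to / is owned by root and is not writable by group or others, and a Match-group user then gets "bad ownership or modes for chroot directory" in the auth log and cannot log in at all. The script below is an added example, not part of the answer above, that checks a directory against those rules before you restart sshd. The WANT_UID and STOP arguments exist only so the check can be exercised on a temporary tree as an unprivileged user; for a real check use the defaults (uid 0 and /), which is what sshd does.

```sh
#!/bin/sh
# Added example, not part of Iman Sedighi's answer: check a directory against
# sshd's ChrootDirectory rules before restarting sshd. sshd refuses the chroot
# unless the directory and every parent up to / is owned by root and not
# writable by group or others; otherwise sftponly users are rejected with
# "bad ownership or modes for chroot directory" in the auth log.
# WANT_UID and STOP are parameters only so the check can run on a temporary
# tree as an unprivileged user; for a real check use the defaults (0 and /).
set -eu

# owner_uid PATH: numeric owner uid (ls -n works on both GNU and BSD ls)
owner_uid() {
    ls -ldn "$1" | awk '{print $3}'
}

# writable_by_group_or_other PATH: true if the group or other write bit is set
writable_by_group_or_other() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# check_chroot_path DIR [WANT_UID] [STOP]: walk DIR and its parents up to STOP,
# reporting the first component sshd would reject. Returns 0 when all pass.
check_chroot_path() {
    dir=$1; want=${2:-0}; stop=${3:-/}
    p=$dir
    while :; do
        uid=$(owner_uid "$p")
        if [ "$uid" != "$want" ]; then
            echo "REJECT $p: owned by uid $uid, sshd requires uid $want"
            return 1
        fi
        if writable_by_group_or_other "$p"; then
            echo "REJECT $p: writable by group or others"
            return 1
        fi
        if [ "$p" = "$stop" ] || [ "$p" = / ]; then
            break
        fi
        p=$(dirname "$p")
    done
    echo "OK: $dir and its parents up to $stop satisfy the ChrootDirectory rules"
}

# Usage: sh check-chroot.sh /var/www   (run before 'sudo service sshd restart')
if [ $# -ge 1 ]; then
    check_chroot_path "$@"
fi
```

Run sshd -t after editing sshd_config and before restarting: a mistake in the Match block stops sshd from starting and locks you out of the instance. Note also that the bind mount in step 4 does not survive a reboot unless you add it to /etc/fstab with the bind option.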

Solution #4

Great article… Amazon Linux AMI was a snap to use.

There are two more commands that are useful:

To change the default FTP upload folder, follow these steps.

Step 1:

edit /etc/vsftpd/vsftpd.conf

Step 2: At the bottom of the file, add a new entry:


To give read, write, and delete permission to the files in a folder so you can manage them with an FTP client:

find /var/www/html -type d -exec chmod 777 {} \;

Answered by Ravi Shanker
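The recursive chmod 777 in the answer above makes every directory under the web root world-writable, so any local account and any process the web server runs can modify the site. The script below is an added example, not part of the answer, showing the group-based scheme that gives the FTP user the same write access without world-writable directories: files become 664 and directories 2775, with the setgid bit so uploads inherit the shared group, and a count of remaining world-writable entries to confirm the result. The directory and group name are passed as arguments; www is the group used elsewhere on this page, not a fixed requirement.

```sh
#!/bin/sh
# Added example, not from Ravi Shanker's answer: give the FTP user write
# access to a web root without the recursive chmod 777 above, which lets
# every local account (and any process the web server runs) modify the site.
# Files become 664 and directories 2775: group-writable, never world-writable,
# with setgid on directories so new uploads inherit the shared group.
# DIR and GROUP are passed on the command line; nothing is hard-coded.
set -eu

# share_webroot DIR GROUP: apply the group-based scheme to DIR recursively
share_webroot() {
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod 2775 {} \;
    find "$1" -type f -exec chmod 664 {} \;
}

# world_writable_count DIR: entries under DIR writable by "other" (should be 0)
world_writable_count() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# mode_of PATH: the ls-style permission string, e.g. drwxrwsr-x
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Usage: sudo sh share-webroot.sh /var/www/html www
# then put the FTP user in that group: sudo usermod -a -G www username
if [ $# -ge 2 ]; then
    share_webroot "$1" "$2"
    echo "world-writable entries left under $1: $(world_writable_count "$1")"
fi
```

After this the FTP user (a member of the group) can create, overwrite and delete files, the web server can read them, and nobody else on the box can write to the site; the setgid bit on directories keeps newly uploaded files in the shared group even when the uploader's primary group is different.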

Solution #5

If you’re using ufw, don’t forget to include ftp:

> sudo ufw allow ftp

It took me two days to realize I’d turned on ufw.

Answered by chbong
