Problem
I’ve tried and failed to set up FTP on Amazon Cloud Server. I looked on the internet but couldn’t find any specific instructions on how to accomplish it.
I discovered the following commands to run:
$ yum install vsftpd
$ ec2-authorize default -p 20-21
$ ec2-authorize default -p 1024-1048
$ vi /etc/vsftpd/vsftpd.conf
# --- Add following lines at the end of file ---
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=<Public IP of your instance>
$ /etc/init.d/vsftpd restart
But I’m not sure where to put them.
Asked by SharkTheDark
Solution #1
Jaminto did a fantastic job answering the topic; however, I recently went through the procedure and wanted to add to what he said.
I’m assuming you’ve already set up an Amazon EC2 instance and assigned it an Elastic IP Address.
SSH into your EC2 instance. Type:
> sudo yum install vsftpd
vsftpd should now be installed.
Then, on your EC2 server, you’ll need to open up the FTP ports. Select Security Groups from the navigation tree on the left after logging into the AWS EC2 Management Console. Choose the security group for your EC2 instance. After that, go to the Inbound tab and click Edit:
Two Custom TCP Rules with port ranges of 20-21 and 1024-1048 have been added. You can choose ‘Anywhere’ as your source. If you choose to set Source to your own IP address, keep in mind that if your IP address is allocated using DHCP, it may change.
Type the following into your vsftpd conf file:
> sudo vi /etc/vsftpd/vsftpd.conf
Change this line to disable anonymous FTP:
anonymous_enable=YES
to
anonymous_enable=NO
Then, at the bottom of the vsftpd.conf file, add the following lines:
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=<Public IP of your instance>
Your vsftpd.conf file should look somewhat like this, with the exception that the pasv address should be replaced with your public facing IP address:
Press Escape, then type :wq, then Enter to save your changes.
vsftpd can be restarted by typing:
> sudo /etc/init.d/vsftpd restart
You should see something like this:
If that doesn’t work, try the following:
> sudo /sbin/service vsftpd restart
If you take a peek at /etc/vsftpd/user_list, you’ll see the following:
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
“Don’t give these users FTP access,” this essentially says. Any user who isn’t on this list will be granted FTP access by vsftpd.
As a result, you may need to create a new user on your server in order to create a new FTP account. (Alternatively, you can skip to the following step if you already have a user account that isn’t listed in /etc/vsftpd/user_list.)
On an EC2 instance, creating a new user is rather straightforward. To create the user ‘bret,’ for example, type:
> sudo adduser bret
> sudo passwd bret
This is how it will appear:
Your FTP users are no longer limited to their home directories at this time. That’s not very secure, but it’s something we can simply solve.
Reopen your vsftpd conf file and type:
> sudo vi /etc/vsftpd/vsftpd.conf
Uncomment the line:
chroot_local_user=YES
When you’re finished, it should look like this:
Restart the vsftpd server by following these steps:
> sudo /etc/init.d/vsftpd restart
All done!
When your server boots, vsftpd does not start immediately. If you’re anything like me, you’ll be terrified when FTP appears to be broken after rebooting your EC2 instance – when in truth, it’s just not operating! Here’s a quick workaround for that:
> sudo chkconfig --level 345 vsftpd on
Alternatively, if you are using Red Hat, another way to manage your services is by using this nifty graphic user interface to control which services should automatically start:
> sudo ntsysv
When your server boots up, vsftpd will now start automatically.
*IMPORTANT NOTE: Iman Sedighi has provided a more elegant technique for restricting users’ access to a certain directory. Please see his fantastic solution, which has been given as an answer.
You may make a user and limit their FTP access to a specified folder, such as /var/www. You’ll need to alter the user’s default home directory to accomplish this:
> sudo usermod -d /var/www/ username
Giving the user permissions to the ‘www’ group, which is commonly associated with the /var/www subdirectory, is normal in this case:
> sudo usermod -a -G www username
Answered by clone45
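The walkthrough above touches four settings that decide who can log in and where they can go (anonymous_enable, chroot_local_user, the passive port range, pasv_address). The script below is an added example, not code from the answer or from vsftpd: it audits a vsftpd.conf for those settings against the 1024-1048 security-group range used above, and runs against two constructed sample files (the 203.0.113.10 address is a documentation address, not a real host).

```shell
# Added example (not part of the answer above): audit a vsftpd.conf for the
# settings the walkthrough relies on. Assumes the security group opens
# TCP 20-21 and 1024-1048, so the passive range in the file must match.
PASV_MIN=1024
PASV_MAX=1048

# conf_value FILE KEY -> prints the effective value of KEY; a later assignment
# overrides an earlier one, and commented-out lines are ignored
conf_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '[:space:]'
}

# audit_vsftpd FILE -> prints one line per weakness, returns 1 if any, else 0
audit_vsftpd() {
    f=$1
    rc=0
    [ "$(conf_value "$f" anonymous_enable)" = "NO" ] \
        || { echo "anonymous_enable must be NO: anonymous logins are accepted"; rc=1; }
    [ "$(conf_value "$f" chroot_local_user)" = "YES" ] \
        || { echo "chroot_local_user must be YES: users can leave their home directory"; rc=1; }
    [ "$(conf_value "$f" pasv_enable)" = "YES" ] \
        || { echo "pasv_enable must be YES: clients behind NAT cannot open data connections"; rc=1; }
    { [ "$(conf_value "$f" pasv_min_port)" = "$PASV_MIN" ] \
        && [ "$(conf_value "$f" pasv_max_port)" = "$PASV_MAX" ]; } \
        || { echo "passive range must be $PASV_MIN-$PASV_MAX to match the security group"; rc=1; }
    case "$(conf_value "$f" pasv_address)" in
        ""|*"<"*) echo "pasv_address is unset or still the <Public IP> placeholder"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the stock file after the answer's edits
good=$(mktemp)
cat > "$good" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=203.0.113.10
EOF

# Constructed sample: anonymous left on, chroot still commented out, placeholder address
weak=$(mktemp)
cat > "$weak" <<'EOF'
anonymous_enable=YES
local_enable=YES
#chroot_local_user=YES
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=<Public IP of your instance>
EOF

audit_vsftpd "$good" && echo "sample config: OK"
audit_vsftpd "$weak" || echo "weak config: fix the lines above before opening port 21 to Anywhere"
```

Run it against the real file with `audit_vsftpd /etc/vsftpd/vsftpd.conf` after editing; the passive-range check is the one most often missed, since a range that differs from the security group rule fails silently until a client tries a data transfer.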
Solution #2
To activate passive ftp on an EC2 server, first set the ports your ftp server should use for inbound connections, then create a list of available ports for ftp client data connections.
I’m not acquainted with Linux, but the scripts you provided are for installing the ftp server, configuring the ec2 firewall rules (using the AWS API), and then configuring the ftp server to use the ports you allowed on the ec2 firewall.
As a result, the ftp client is installed in this stage (VSFTP)
> yum install vsftpd
These procedures will set up the ftp client.
> vi /etc/vsftpd/vsftpd.conf
-- Add following lines at the end of file --
pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=<Public IP of your instance>
> /etc/init.d/vsftpd restart
However, the next two procedures can be completed more easily via the Amazon console’s EC2 Security groups. There, you must enable connections on ports 20, 21, and 1024-1048 in the security group allocated to your server.
Answered by jaminto
Solution #3
Thanks @clone45 for the nice solution. But I had just one important problem with Appendix b of his solution. Immediately after I changed the home directory to /var/www/html, I couldn’t connect to the server through ssh and sftp because it always showed the following error:
permission denied (public key)
Alternatively, you can use FileZilla. This is the error I got:
No supported authentication methods available (server: public key)
However, I was able to connect to the site via a standard FTP connection.
If you get the same error, simply undo appendix b of @clone45’s solution by changing the user’s default home directory to:
sudo usermod -d /home/username/ username
However, if you make /var/www/http the user’s default home directory, the user will have access to many additional files. To secure your server, take the following steps:
1- Create an sftponly group. Make a group for all users whose access to /var/www/html you wish to limit to only ftp and sftp. To form a group:
sudo groupadd sftponly
2- Imprison the chroot. To limit this group’s sftp access to the server, you must jail the chroot so that its members can only access the html folder inside its home directory. To do so, use sudo to open /etc/ssh/sshd_config in vim. Please comment out this line at the end of the file:
Subsystem sftp /usr/libexec/openssh/sftp-server
Then, underneath that, add this line:
Subsystem sftp internal-sftp
So we replaced subsystem with internal-sftp. Then add following lines below it:
Match Group sftponly
ChrootDirectory /var/www
ForceCommand internal-sftp
AllowTcpForwarding no
I saved my changes after adding this line and then restarted the ssh service by:
sudo service sshd restart
3- Make the user a member of the sftponly group. Any user whose access you want to restrict must be a member of the sftponly group. As a result, we join sftponly by:
sudo usermod -G sftponly username
4- Limit user access to /var/www/html only. To limit a user’s access to the /var/www/html folder, create a directory in that user’s home directory (named ‘html’) and mount /var/www to /home/username/html as follows:
sudo mkdir /home/username/html
sudo mount --bind /var/www /home/username/html
5- Configure write permissions. If the user requires write access to /var/www/html, the user must be jailed at /var/www, with root:root ownership and 755 permissions. Then you must give /var/www/html root:sftponly ownership and 775 permissions by running the following:
sudo chmod 755 /var/www
sudo chown root:root /var/www
sudo chmod 775 /var/www/html
sudo chown root:www /var/www/html
6- Disable shell access. If you want to make it more secure by restricting access to the shell, simply change the default shell to /bin/false as follows:
sudo usermod -s /bin/false username
Answered by Iman Sedighi
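The root:root and 755 requirement in step 5 is not a style preference: sshd checks the ChrootDirectory and every directory above it and refuses the session if any of them is writable by group or others or not owned by root, which surfaces to the user as the same "permission denied" the answer opens with. Two notes on the commands themselves: `usermod -G sftponly username` replaces the user's existing supplementary groups unless `-a` is also given, and step 5's `chown root:www` gives the html directory to the www group while the text says root:sftponly, so pick one group and use it consistently. The function below is an added example, not code from the answer or from OpenSSH; it walks from a prospective jail up to a top directory (default /) and reports the first component sshd would reject. OWNER is a parameter only so the demo can run unprivileged on a constructed temp tree (the real check is against root).

```shell
# Added example (not from the answer above): check that a prospective
# ChrootDirectory and every directory above it is owned by OWNER (root in
# production) and writable by nobody else, which is what sshd enforces
# before it will chroot a session. The walk stops at TOP (default /).

# chroot_path_ok DIR [TOP] [OWNER] -> 0 if every component passes, else 1
chroot_path_ok() {
    dir=$1; top=${2:-/}; want=${3:-root}
    while :; do
        set -- $(ls -ld "$dir")          # $1 = mode string, $3 = owner name
        [ "$3" = "$want" ] || { echo "$dir: owned by $3, expected $want"; return 1; }
        case $1 in
            # 6th char = group write bit, 9th char = others write bit
            ?????w*|????????w*) echo "$dir: writable by group or others ($1)"; return 1 ;;
        esac
        [ "$dir" = "$top" ] && return 0
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# Constructed demo tree mirroring the answer: <tmp>/www is the jail (755) and
# <tmp>/www/html is the group-writable directory inside it (775).
top=$(mktemp -d)
mkdir -p "$top/www/html"
chmod 755 "$top" "$top/www"
chmod 775 "$top/www/html"
me=$(id -un)

chroot_path_ok "$top/www" "$top" "$me" && echo "$top/www: acceptable ChrootDirectory"
chroot_path_ok "$top/www/html" "$top" "$me" \
    || echo "$top/www/html: sshd would refuse it as ChrootDirectory (fine as the writable dir inside the jail)"
```

On the live server the call is simply `chroot_path_ok /var/www`; if it complains about a directory above the jail (for example a home directory that was made group-writable at some point), fix that directory rather than loosening the sshd check.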
Solution #4
Great article… Amazon Linux AMI was a snap to use.
There are two more commands that are useful:
To change the default FTP upload folder, follow these steps.
Step 1:
edit /etc/vsftpd/vsftpd.conf
Step 2: At the bottom of the page, make a new entry:
local_root=/var/www/html
To give read, write, and delete permission to the files in a folder so you can manage them with an FTP device:
find /var/www/html -type d -exec chmod 777 {} \;
Answered by Ravi Shanker
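The `chmod 777` in the answer above lets every account on the instance (including the nobody user a web server runs as) write into the document root. The script below is an added example, not code from the answer: it gives the same FTP-management ability to one group instead, using setgid directories (2775) so files uploaded later inherit the group, then counts world-writable entries before and after. The group name is a parameter (the answers above use "www"); the demo passes the caller's own primary group and builds its tree under mktemp so it does not touch /var/www.

```shell
# Added example (not from the answer above): give an FTP-management group
# write access to a web root without making it world-writable.

# harden_tree ROOT GROUP -> everything group-owned by GROUP, directories 2775
# (setgid so new files inherit GROUP), files 664, no write bit for others
harden_tree() {
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod 2775 {} \;
    find "$1" -type f -exec chmod 664 {} \;
}

# world_writable_count ROOT -> how many entries under ROOT others may write to
world_writable_count() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Constructed demo tree: a document root with one page and an uploads directory
root=$(mktemp -d)
mkdir -p "$root/html/uploads"
echo "<html></html>" > "$root/html/index.html"
find "$root/html" -type d -exec chmod 777 {} \;     # the blanket 777 from the answer
echo "before: $(world_writable_count "$root/html") world-writable entries"
harden_tree "$root/html" "$(id -gn)"
echo "after:  $(world_writable_count "$root/html") world-writable entries"
```

On the server the equivalent is `harden_tree /var/www/html www` after adding the FTP user to the www group with `usermod -a -G www username`; the setgid bit is what keeps later uploads group-writable without a second round of chmod.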
Solution #5
If you’re using ufw, don’t forget to include ftp:
> sudo ufw allow ftp
It took me two days to realize I’d turned on ufw.
Answered by chbong
Post is based on https://stackoverflow.com/questions/7052875/setting-up-ftp-on-amazon-cloud-server