Home / ubuntu / Questions / 1168959
Accepted
Jags
Asked: 2019-08-28 11:05:09 +0800 CST

How to configure VSFTPD for LAN-only access, and restrict the access to a single directory

  • 772

I have gone through quite a few setup guides but couldn't figure out, how to configure VSFTPD for LAN-only access, and restrict the access to a single directory (e.g.: ~/Downloads).

If possible, I do not even want to expose its presence to the Internet. Any help is greatly appreciated.

PC: Ubuntu Mate 19.04 64-bit.

vsftpd

1 Answers

  1. Best Answer

    LAN-Only Access

    This is best done with firewall rules. We will use ufw the uncomplicated firewall for this.

    First we check the status of ufw

    sudo ufw status

    If you see Status: inactive then use the following command to enable ufw:

    sudo ufw enable

    As described in the link below we will allow ports 20 and 21 for the basic VSFTPD access. We will not use the simple ufw rule like:

    sudo ufw allow ftp

    as this will allow access from everywhere. To allow LAN-Only access we will use advance syntax:

    sudo ufw allow  from 192.168.0.0/24 to any port 20 proto tcp
sudo ufw allow  from 192.168.0.0/24 to any port 21 proto tcp

    The from 192.168.0.0/24 is the LAN-Only part. Yours may be different. Some home routers assign IP addresses in the range 192.168.0.x, and others in the range 192.168.1.x, where x is between 2-255. The /24 subnet mask says any value of x in that range is allowed.

    The to any means any IP address assigned to this computer is okay. Since this computer is not acting as a router, this setting is okay.

    The port 20 (or 21) is the port this rule opens.

    The proto tcp is the only tcp protocol (not the udp protocol) can be used.

    If we want to add the ports 990, and 40,000 to 50,000 ports to the firewall as in the tutorial below, we can use one command to do that:

    sudo ufw allow  from 192.168.0.0/24 to any port 990,40000:50000 proto tcp

    A Note about IPv6

    I don't know enough about IPv6 local addresses and subnet masks to write an answer that includes IPv6 ufw rules. Without any Ipv6 allow rules any attempt to use IPv6 addresses to access the ftp site will be denied.

    The answers to this question suggests there may not be an easy solution for IPv6: How do I allow local IPv6 subnets in ufw?

    For what it is worth, the following allow rule syntax (based on an answer to the above question) is accepted by ufw:

    sudo ufw allow  from fe80::/64 to any port 21 proto tcp

    This should allow ftp access from the link-local IPv6 range that start with fe80.

    Restrict user to a single directory

    This is very well described in the Digital Ocean Tutorial. The main steps are reproduced below:

    In this example the username is sammy. The basic concept is the user sammy must not have write access to the base directory of the user-accessible directory. Create the ftp folder, set its ownership, and be sure to remove write permissions with the following commands:

    sudo mkdir /home/sammy/ftp
sudo chown nobody:nogroup /home/sammy/ftp
sudo chmod a-w /home/sammy/ftp

    Next, we create the directory where files can be uploaded and assign ownership to the user:

    sudo mkdir /home/sammy/ftp/files
sudo chown sammy:sammy /home/sammy/ftp/files

    Next we edit the VSFTPD configuration file in nano:

    sudo nano /etc/vsftpd.conf

    and make the following changes / additions:

    . . .
# Allow anonymous FTP? (Disabled by default).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
. . .
write_enable=YES
. . .
chroot_local_user=YES
. . .
user_sub_token=$USER
local_root=/home/$USER/ftp
. . .

    When we are done making the change, save and exit the file.

    Then, we create and add our user to the file. We’ll use the -a flag to append to file:

    echo "sammy" | sudo tee -a /etc/vsftpd.userlist

    Funally we restart the daemon to load the configuration changes:

    sudo systemctl restart vsftpd

    Hope this helps

    • 1