This tutorial explains how to install and configure an FTP server on Raspberry Pi that you use to share files between your devices. We’ll use vsftpd, which a stable, secure, and fast FTP server. We will also show you how to configure vsftpd to restrict users to their home directory and encrypt the entire transmission with SSL/TLS.
For this project, you should have Raspbian installed on your Raspberry Pi . Running an FTP server doesn’t require a graphical interface, so our recommendation is to use the Raspbian Lite image and enable SSH .
Installing vsftpd on Raspberry Pi
The vsftpd package is available in the standard Raspbian repositories. To install it, run the following commands:
sudo apt update
sudo apt install vsftpd
The ftp service will automatically start after the installation process is complete. To verify it, print the service status:
sudo systemctl status vsftpd
The output will look something like below, showing that the vsftpd service is active and running:
● vsftpd.service - vsftpd FTP server Loaded: loaded (/lib/systemd/system/vsftpd.service; enabled; vendor preset: enabled) Active: active (running) since Wed 2020-10-21 19:00:41 BST; 9s ago ...
The vsftpd server sensors can be configured by editing the
Most of the settings are well documented inside the configuration file. For all available options, visit the official vsftpd page.
Start by opening the vsftpd configuration file:
sudo nano /etc/vsftpd.conf
1. FTP Access
To ensure that only the local users can access the FTP server, search for the
local_enable directives and verify your configuration match to lines below:
2. Enabling uploads
Locate and uncomment the
write_enable directive to allow changes to the filesystem, such as uploading and removing files.
3. Chroot Jail
To prevent the FTP users from accessing files outside of their home directories, uncomment the
When the chroot feature is active, vsftpd will refuse to upload files if the directory that the users are locked in is writable.
Use one of the solutions below to make the chroot environment writable:
Method 1. – The recommended option to allow upload is to keep chroot enabled and configure FTP directories. In this example, we will create an
ftpdirectory inside the user home, which will serve as the chroot and a writable
uploadsdirectory for uploading files./etc/vsftpd.conf
Method 2. – Another option is to add the following directive in the vsftpd configuration file. Use this option if you must to grant writable access to your user to its home directory./etc/vsftpd.conf
4. Passive FTP Connections
By default, vsftpd uses active mode. To use passive mode, set the minimum and maximum range of ports:
vsftpd can use any port for passive FTP connections. When the passive mode is enabled, the FTP client opens a connection to the server on a random port in the range you have chosen.
5. Limiting User Login
You can configure vsftpd to permit only certain users to log in. To do so, add the following lines at the end of the file:
userlist_enable=YES userlist_file=/etc/vsftpd.user_list userlist_deny=NO
When this feature is enabled, you need to explicitly specify which users can log in by adding the user names to the
/etc/vsftpd.user_list file (one user per line).
6. Securing Transmissions with SSL/TLS
To encrypt the FTP transmissions with SSL/TLS, you’ll need to have an SSL certificate and configure the FTP server to use it.
You can use an existing SSL certificate signed by a trusted Certificate Authority or create a self-signed certificate.
If you have a domain or subdomain pointing to the FTP server’s IP address, you can easily generate a free Let’s Encrypt SSL certificate.
In this tutorial, we will generate a self-signed SSL certificate using the
Run the following command to create a 2048-bit private key and self signed certificate valid for 10 years. Both the private key and the certificate will be saved in a same file:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
Once the files are created, open the configuration file:
sudo nano /etc/vsftpd.conf
rsa_private_key_file directives, change their values to the
pam file path and set the
ssl_enable directive to
rsa_cert_file=/etc/ssl/private/vsftpd.pem rsa_private_key_file=/etc/ssl/private/vsftpd.pem ssl_enable=YES
If not specified otherwise, the FTP server will use only TLS to make secure connections.
Restart the vsftpd service
Once you are done configuring the server, the vsftpd configuration file (excluding comments) should look something like this:
listen=NO listen_ipv6=YES anonymous_enable=NO local_enable=YES write_enable=YES dirmessage_enable=YES use_localtime=YES xferlog_enable=YES connect_from_port_20=YES chroot_local_user=YES allow_writeable_chroot=YES pasv_min_port=30000 pasv_max_port=31000 userlist_enable=YES userlist_file=/etc/vsftpd.user_list userlist_deny=NO secure_chroot_dir=/var/run/vsftpd/empty pam_service_name=vsftpd rsa_cert_file=/etc/ssl/private/vsftpd.pem rsa_private_key_file=/etc/ssl/private/vsftpd.pem ssl_enable=YES
Save the file and restart the vsftpd service for changes to take effect:
sudo systemctl restart vsftpd
Opening the Firewall
If you are running a UFW firewall , you’ll need to allow FTP traffic.
To open port
21 (FTP command port), port
20 (FTP data port), and
30000-31000 (Passive ports range), run the following commands:
sudo ufw allow 20:21/tcp
sudo ufw allow 30000:31000/tcp
Reload the UFW rules by disabling and re-enabling UFW:
sudo ufw disable
sudo ufw enable
Creating FTP User
To test the FTP server, we will create a new user.
- If you already have a user that you want to grant FTP access, skip the 1st step.
- If you set
allow_writeable_chroot=YESin your configuration file, skip the 3rd step.
Create a new user named
sudo adduser newftpuser
When prompted, set the user password.
Add the user to the allowed FTP users list:
echo "newftpuser" | sudo tee -a /etc/vsftpd.user_list
Create the FTP directory tree and set the correct permissions :
sudo mkdir -p /home/newftpuser/ftp/upload
sudo chmod 550 /home/newftpuser/ftp
sudo chmod 750 /home/newftpuser/ftp/upload
sudo chown -R newftpuser: /home/newftpuser/ftp
As discussed in the previous section, the user will be able to upload files to the
At this point, your FTP server is fully functional, and you should be able to connect to your server using any FTP client such as FileZilla .
Disabling Shell Access
By default, when creating a user, if not explicitly specified the user will have SSH access to the device. To disable shell access, create a new shell that will simply print a message telling the user that their account is limited to FTP access only.
/bin/ftponly shell and make it executable:
echo -e '#!/bin/sh\necho "This account is limited to FTP access only."' | sudo tee -a /bin/ftponly
sudo chmod a+x /bin/ftponly
Append the new shell to the list of valid shells in the
echo "/bin/ftponly" | sudo tee -a /etc/shells
Change the user shell to
sudo usermod newftpuser -s /bin/ftponly
Use the same command to change the shell of all users you want to give only FTP access.
We’ve shown you how to install and configure a secure and fast FTP server on your Raspberry Pi system.
If you have any questions or feedback, feel free to leave a comment.