Elastic Compute Service:Build an FTP server on a Linux instance

Step 1: Install vsftpd

1. Update the system and install vsftpd.

   sudo yum update -y 
   sudo yum install vsftpd -y

2. Start the FTP service and enable auto-start on boot.

   sudo systemctl start vsftpd
   sudo systemctl enable vsftpd 

3. Check whether the service is started.

   netstat -antup | grep ftp

   Output similar to the following indicates the FTP service started successfully.

   

   By default, vsftpd enables anonymous access. Anonymous users can log on without credentials but cannot modify or upload files.

Step 2: Configure vsftpd

1. Create a dedicated FTP user and set a password. This example uses ftpuser.

   sudo useradd -d /data/ftp -s /sbin/nologin ftpuser  # Specify the home directory and disable shell access
   sudo passwd ftpuser 

2. Create the FTP directory and set permissions.

   sudo mkdir -p /data/ftp      # Create a custom storage directory
   sudo chown ftpuser:ftpuser /data/ftp
   sudo chmod 750 /data/ftp    # Permissions must be 755 or 750

3. Edit the vsftpd configuration file.

   Note

   FTP supports active and passive modes. Passive mode is recommended because most clients are behind firewalls or NAT and cannot expose their real IP addresses.

   1. Back up the vsftpd configuration file.

      sudo cp /etc/vsftpd/vsftpd.conf  /etc/vsftpd/vsftpd.conf.bak

   2. Edit the configuration file.

      sudo vim /etc/vsftpd/vsftpd.conf

   3. Set the basic security configuration.

      listen=YES                   # Enable IPv4 listener
      anonymous_enable=NO          # Disable anonymous access
      local_enable=YES             # Enable local user logon
      write_enable=YES             # Allow file uploads
      chroot_local_user=YES        # Lock users to their home directory
      allow_writeable_chroot=YES   # Resolve chroot write errors

   4. Append the passive mode configuration.

      pasv_enable=YES              # Enable passive mode
      pasv_min_port=40000          # Lower limit of the passive port range
      pasv_max_port=40100          # Upper limit of the passive port range
      pasv_address=public_ip_address      # Must be set to the server's public IP address

4. Restart vsftpd.

   sudo systemctl restart vsftpd

Step 3: Set security group rules

After building the FTP service, add inbound security group rules based on the FTP mode. See Add a security group rule.

Most clients are behind a LAN with translated IP addresses. In active mode, clients must expose their real IP addresses, or FTP connections may fail.

• Active mode: Allow traffic on port 21.

• Passive mode: Allow traffic on port 21 and ports 40000–40100 (the pasv_min_port to pasv_max_port range in /etc/vsftpd/vsftpd.conf). See Configuring FTP passive mode ports.

Step 4: Verify the FTP service

You can verify the FTP service with an FTP client, a browser, or a file explorer. This example uses the file explorer.

1. Test the local connection.

   Test the connection from the local machine.

   ftp ftpuser@localhost 

   A Login successful message indicates a successful connection.

   

2. Test the client connection.

   On the client computer, open the file explorer and enter the FTP address, as shown in the figure.

   

   Enter the FTP username and password in the logon dialog box. After logging on, you can upload and download files.

Step 1: Install VSFTP

1. Update the system and install vsftpd.

   sudo apt update && sudo apt upgrade -y
   sudo apt install vsftpd -y

2. Start vsftpd and enable auto-start on boot.

   sudo systemctl start vsftpd
   sudo systemctl enable vsftpd

Step 2: Configure VSFTP

1. Create a dedicated FTP user.

   sudo useradd -m -s /bin/bash ftpuser  # Create a user and automatically generate a home directory
   sudo passwd ftpuser  # Set the user password (a strong password is recommended)

2. Create the file storage directory and set permissions.

   sudo mkdir /home/ftpuser/ftp-files
   sudo chown ftpuser:ftpuser /home/ftpuser/ftp-files
   sudo chmod 755 /home/ftpuser/ftp-files

3. Back up the original configuration file.

   sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.bak

4. Edit the configuration file.

   sudo nano /etc/vsftpd.conf

   Apply the following settings:

   # Basic configuration
   listen=YES
   anonymous_enable=NO          # Disable anonymous access
   local_enable=YES             # Allow local user logon
   write_enable=YES             # Enable write permissions
   chroot_local_user=YES        # Lock users in their home directory

   Append the following to the file:

   allow_writeable_chroot=YES   # Allow writing to the chroot directory
   local_root=/home/ftpuser/ftp-files  # Specify the root directory for the FTP user
   
   # Passive mode configuration (to resolve external network connection issues)
   pasv_enable=YES
   pasv_address=xx.xx.xx.xx  # Replace with your public IP address
   pasv_min_port=40000
   pasv_max_port=40100

5. Restart the FTP service.

   sudo systemctl restart vsftpd

6. A default user named ftp is created without a password during FTP installation. Change the password for this user.

    sudo passwd ftp

   Set a strong password and skip all other prompts.

7. Add the user to the FTP user allowlist.

    echo "ftp" | sudo tee -a /etc/vsftpd.userlist

8. Create an FTP file directory and grant user permissions.

   1. Create an FTP folder.

       sudo mkdir /home/ftp

   2. Set folder ownership.

      This example grants read, write, and full control permissions. Adjust as needed.

       sudo chmod 777 /home/ftp

Step 3: Set security group rules

After building the FTP service, add inbound security group rules based on the FTP mode. See Add a security group rule.

Most clients are behind a LAN with translated IP addresses. In active mode, clients must expose their real IP addresses, or FTP connections may fail.

• Active mode: Allow traffic on port 21.

• Passive mode: Allow traffic on port 21 and ports 40000–40100 (the pasv_min_port to pasv_max_port range in /etc/vsftpd/vsftpd.conf). See Set up an FTP site on Windows.