I recently had to set up an FTP server. I know right, who still uses FTP nowadays? Well apparently, some big people still do, and switching them to SFTP wasn’t an option. Luckily, I had an old self-made documentation from 2013 on how to set up all my server things, which at the time did include an FTP server, vsftpd. A quick search showed me that it still was the go-to software for this, so hurray, and here is what it said:
apt-get install vsftpd
Config file:/etc/vsftpd.conf
In this config file, uncomment the lineslocal_umask=022
andwrite_enable=YES
.
At the end, add:
lock_upload_files=NO
chroot_local_user=YES
force_dot_files=YES
Command to restart:service vsftpd restart
man: http://vsftpd.beasts.org/vsftpd_conf.html
guide: http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch15_:_Linux_FTP_Server_Setup (RIP :/)
I suppose some things had changed, as this left me with a couple of errors/warnings.
First, I got an error message saying “vsftpd: refusing to run with writable root inside chroot()”. My quick fix was to add this to the above-mentioned config file:
allow_writeable_chroot=YES
But for more details, you may want to read this https://bobcares.com/blog/500-oops-vsftpd-refusing-to-run-with-writable-root-inside-chroot/
Second, I got a message in FileZilla saying “Server sent passive reply with unroutable address. Using server address instead”. As the message suggests, it’s not breaking for FileZilla, which still managed to connect. However, it’s a problem for some clients. My final fix was to add this to the config:
pasv_enable=YES
pasv_min_port=8745
pasv_max_port=8745
#pasv_address=[server IP]
Turns out passive mode wasn’t enabled by default in my case, pasv_enable solves that.
Then I had a firewall issue, as I used to believe FTP uses just port 21, but I learned on this occasion that passive mode will automatically use a random port between pasv_min_port and pasv_max_port. Since the server where I’m setting this up is behind a paranoid firewall and I have to open ports one by one, I set them both to the same value. Not sure what the implications are compared to multiple random ports.
The last line I just kept commented out for safe-keeping, as I found it as a possible solution but it turned out it didn’t help, and I found there that it seems best to keep it unset.
And that’s about it, all working now. Although it could probably use some security tweaks. My priority here was “just make that damned thing work”.
Update 2021-03-31
It was brought to my attention that FTP needs one port per concurrent transfer, so having pasv_min_port = pasv_max_port means the server will only accept one concurrent transfer. Good enough for my use case, but you may want to keep a wider range for yours.
Update 2021-09-03
Coming back to this machine half a year later, I got that “Server sent passive reply with unroutable address. Using server address instead” message from Hell again. Despite no change in the config.
So I dug up some more, and eventually found this. Long story short, my pasv_address
was IPv4, so I had to set listen_ipv6=NO
and listen=YES
(the default is the other way around, for some strange reason).
Problem solved (again). Until it reappears again?
0 Responses
Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.