A couple of days ago we were migrating a legacy WordPress installation to a DigitalOcean one-click WordPress droplet. Afterwards we needed to adjust the system to allow FTP connections. Here's a little rundown of how we adjusted the droplet to get a somewhat secure FTP setup.
Vsftpd is shorthand for Very Secure FTP Daemon and is a Unix-based FTP server that prides itself on being insanely fast. It can be installed through most Unix-based package managers such as apt (Ubuntu), pacman (Arch), yum (Fedora, CentOS, Red Hat), etc.
Since we're running on Ubuntu we'll just execute the following command to install vsftpd.
Open up the file at /etc/vsftpd.conf in your favorite text editor (vim, nano, …) and make sure the following lines are uncommented:
local_enable allows system-defined users in the /etc/passwd file to login through vsftpd.
write_enable allows changes to the filesystem through ftp, such as uploading.
ascii_upload_enable and ascii_download_enable tell vsftpd to disable 'ASCII mangling'. It's a horrible feature of the FTP protocol that basically replaces line endings regardless of whether or not the FTP server is running on a Windows or Unix machine. Take a look at the following Red Hat article for a more in-depth description and analysis of how vsftpd applies this.
chroot is shorthand for 'change root' and enables an environment that prevents the user from leaving their home directory.
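A quick way to confirm that these options are really active after editing, as an added example that is not part of the original article. It assumes the chroot setting is `chroot_local_user` (the article does not name the option), and the sample config is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the options the article relies on.

# Print the effective value of a boolean option. The last uncommented
# "key=value" line wins; an absent or commented-out key prints NO, which is
# vsftpd's default for every option checked here.
vsftpd_opt() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d ' \t\r' |
        tr '[:lower:]' '[:upper:]' | {
            read -r val || true
            case $val in
                YES|TRUE|1) echo YES ;;
                *) echo NO ;;
            esac
        }
}

# Report each option; return non-zero if any of them is not enabled.
audit_vsftpd() {
    conf=$1 failed=0
    for key in local_enable write_enable chroot_local_user \
               ascii_upload_enable ascii_download_enable; do
        if [ "$(vsftpd_opt "$conf" "$key")" = YES ]; then
            echo "ok       $key=YES"
        else
            echo "MISSING  $key is absent, commented out or not YES"
            failed=1
        fi
    done
    return "$failed"
}

# Constructed sample: the chroot line (assumed name) is still commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server's config
local_enable=YES
write_enable=YES
#chroot_local_user=YES
ascii_upload_enable=YES
ascii_download_enable=YES
EOF
audit_vsftpd "${1:-$sample}" || echo "config does not match the settings above"
```

Run it with the path to the real file as the first argument, for example `/etc/vsftpd.conf`, to check the live configuration instead of the sample.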
Add a new user
DigitalOcean doesn't set up a 'restricted' user by default. Since developers would only need FTP access to the WordPress folder, we decided to set up a new user and set its home directory to that folder.
This will create a user named wordpress. You will be asked some basic questions and also be asked to set up a password for that user.
This will make sure the wordpress user is part of the www-data group.
Configure the wordpress user
Now we'll set up the wordpress user to have an 'ftp'-bound mount point between its home directory and the WordPress folder.
Create an empty directory at /var/ftp/wordpress to be used as a mount point.
Bind-mount the /var/www/html folder (the default install location for WordPress) onto /var/ftp/wordpress. This way, navigating to /var/ftp/wordpress is the same as going to /var/www/html.
Change the home directory of the wordpress user to /var/ftp/wordpress.
Last but not least
Last but not least, we need to open up port 21 on our firewall to allow FTP traffic and restart vsftpd for the changes to take effect.
You can check if the port change went into effect by executing ufw show, which should output something like the following
Afterwards execute the following to restart vsftpd and automatically start it on server boot.
You should now have a fully functioning FTP server with a user that is restricted to a single directory. There are a lot more possibilities and configuration options for vsftpd, but this should get you started.
In case you do want to learn more, try checking out any of the following: