linux - password - setup ftp on amazon ec2 ubuntu




Setting up FTP on Amazon Cloud Server

Don't forget to update your iptables firewall if you have one to allow the 20-21 and 1024-1048 ranges in.

Do this from /etc/sysconfig/iptables

Adding lines like this:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 20:21 -j ACCEPT

-A INPUT -m state --state NEW -m tcp -p tcp --dport 1024:1048 -j ACCEPT

And restart iptables with the command:

sudo service iptables restart

I am trying to set up FTP on Amazon Cloud Server, but without luck. I searched the net and there are no concrete steps on how to do it.

I found those commands to run:

$ yum install vsftpd
$ ec2-authorize default -p 20-21
$ ec2-authorize default -p 1024-1048
$ vi /etc/vsftpd/vsftpd.conf
#---Add following lines at the end of file---
    pasv_enable=YES
    pasv_min_port=1024
    pasv_max_port=1048
    pasv_address=<Public IP of your instance>
$ /etc/init.d/vsftpd restart

But I don't know where to write them.


FileZilla is a good FTP tool to set up with Amazon Cloud.

  1. Download the FileZilla client from https://filezilla-project.org/
  2. Click on File -> Site Manager ->
  3. New Site
  4. Provide Host Name: IP address of your Amazon cloud location (Port if any)
  5. Protocol - SFTP (May change based on your requirement)
  6. Login Type - Normal (So system will not ask for password each time)
  7. Provide user name and password.
  8. Connect.

You need to do these steps only once; later it will upload content to the same IP address and same site.


I followed clone45's answer all the way to the end. A great article! Since I needed the FTP access to install plug-ins to one of my WordPress sites, I changed the home directory to /var/www/mysitename. Then I continued to add my ftp user to the apache (or www) group like this:

sudo usermod -a -G apache myftpuser

After this I still saw this error on WP's plugin installation page: "Unable to locate WordPress Content directory (wp-content)". Searched and found this solution on a wp.org Q&A session: https://wordpress.org/support/topic/unable-to-locate-wordpress-content-directory-wp-content and added the following to the end of wp-config.php:

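if ( is_admin() ) {
    // Write plugin files directly instead of asking for FTP credentials.
    // A closure is used because create_function() was removed in PHP 8.0.
    add_filter( 'filesystem_method', function ( $method ) {
        return 'direct';
    } );
    define( 'FS_CHMOD_DIR', 0751 );
}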

After this my WP plugin was installed successfully.


I've simplified clone45's steps:

Open the ports as he mentioned

sudo su
sudo yum install vsftpd
echo -n "Public IP of your instance: " && read publicip
echo -e "anonymous_enable=NO\npasv_enable=YES\npasv_min_port=1024\npasv_max_port=1048\npasv_address=$publicip\nchroot_local_user=YES" >> /etc/vsftpd/vsftpd.conf
sudo /etc/init.d/vsftpd restart

In case you have ufw enabled, remember to add ftp:

sudo ufw allow ftp

It took me 2 days to realise that I enabled ufw.
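The passive range written to vsftpd.conf and the firewall rules from the first answer have to agree, and repeated `>>` appends can leave two values for the same key. The following is an added example, not code from any of the answers; the function names and the sample files are constructed, and it assumes a later line in vsftpd.conf overrides an earlier one.

```sh
#!/bin/sh
# Added example: check that vsftpd's passive range is covered by iptables rules.

# conf_value FILE KEY -> last value assigned to KEY (assumption: a later
# line overrides an earlier one, which matters after repeated ">>" appends).
conf_value() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# dport_covers RULES LO HI -> succeeds if one INPUT ACCEPT rule spans LO..HI.
dport_covers() {
    awk -v lo="$2" -v hi="$3" '
        /^-A INPUT/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++) if ($i == "--dport") {
                n = split($(i + 1), r, ":")
                if (r[1] + 0 <= lo + 0 && hi + 0 <= r[n] + 0) ok = 1
            }
        }
        END { exit !ok }' "$1"
}

# ftp_findings CONF RULES -> one line per problem, nothing when consistent.
ftp_findings() {
    min=$(conf_value "$1" pasv_min_port)
    max=$(conf_value "$1" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "passive port range not pinned"
    elif ! dport_covers "$2" "$min" "$max"; then
        echo "passive ports $min-$max not covered by an ACCEPT rule"
    fi
    if [ "$(conf_value "$1" anonymous_enable)" != NO ]; then
        echo "anonymous_enable is not NO"
    fi
}

# Constructed sample: the append was run twice with different upper ports.
demo=$(mktemp -d)
printf '%s\n' anonymous_enable=NO pasv_enable=YES pasv_min_port=1024 \
    pasv_max_port=1048 pasv_max_port=1100 > "$demo/vsftpd.conf"
printf '%s\n' \
    '-A INPUT -m state --state NEW -m tcp -p tcp --dport 20:21 -j ACCEPT' \
    '-A INPUT -m state --state NEW -m tcp -p tcp --dport 1024:1048 -j ACCEPT' \
    > "$demo/iptables"
ftp_findings "$demo/vsftpd.conf" "$demo/iptables"
```

The EC2 security group has to allow the same ranges; this check only compares the two local files.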


It will not be ok until you add your user to the group www by the following commands:

sudo usermod -a -G www <USER>

This solves the permission problem.

Set the default path by adding this:

local_root=/var/www/html

Thanks @clone45 for the nice solution. But I had just one important problem with Appendix b of his solution. Immediately after I changed the home directory to /var/www/html, I couldn't connect to the server through ssh and sftp because it always showed the following errors:

permission denied (public key)

or in FileZilla I received this error:

No supported authentication methods available (server: public key)

But I could access the server through normal FTP connection.

If you encounter the same error, just undo appendix b of @clone45's solution by setting the default home directory for the user:

sudo usermod -d /home/username/ username

But when you set the user's default home directory, the user has access to many other folders outside /var/www/html. So to secure your server, follow these steps:

1- Make sftponly group

Make a group for all users whose access you want to restrict to only ftp and sftp access to /var/www/html. To make the group:

sudo groupadd sftponly

2- Jail the chroot

To restrict this group's access to the server via sftp, you must jail the chroot so that the group's users cannot access any folder except the html folder inside their home directory. To do this, open /etc/ssh/sshd_config in vim with sudo. At the end of the file, comment out this line:

Subsystem sftp /usr/libexec/openssh/sftp-server

And then add this line below that:

Subsystem sftp internal-sftp

So we replaced the subsystem with internal-sftp. Then add the following lines below it:

 Match Group sftponly
        ChrootDirectory /var/www
        ForceCommand internal-sftp
        AllowTcpForwarding no

After adding these lines I saved my changes and then restarted the ssh service with:

sudo service sshd restart

3- Add the user to sftponly group

Any user whose access you want to restrict must be a member of the sftponly group. Therefore we join it to sftponly by:

# -a appends; without it, -G replaces the user's other supplementary groups
sudo usermod -a -G sftponly username

4- Restrict user access to just /var/www/html

To restrict user access to just the /var/www/html folder, we need to make a directory (named 'html') in that user's home directory and then mount /var/www to /home/username/html as follows:

sudo mkdir /home/username/html
sudo mount --bind /var/www /home/username/html

5- Set write access

If the user needs write access to /var/www/html, then you must jail the user at /var/www, which must have root:root ownership and permissions of 755. You then need to give /var/www/html ownership of root:sftponly and permissions of 775 by adding the following lines:

sudo chmod 755 /var/www
sudo chown root:root /var/www
sudo chmod 775 /var/www/html
sudo chown root:www /var/www/html

6- Block shell access

If you want to block shell access to make it more secure, just change the default shell to /bin/false as follows:

sudo usermod -s /bin/false username
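Step 5's ownership rule is the usual reason a chrooted sftp login is refused: sshd requires every directory on the path to the ChrootDirectory to be root-owned and not writable by group or others. The following is an added example, not part of the answer above, that walks that path and reports offending components; the function names and the optional owner and top arguments are hypothetical, and it assumes GNU `stat`.

```sh
#!/bin/sh
# Added example: audit each directory from a ChrootDirectory up to the root.
# sshd_config(5): every component must be root-owned and not writable by
# group or others, otherwise sshd refuses the chrooted login.

# component_problem UID MODE WANT_UID -> prints the problem, nothing if fine.
component_problem() {
    if [ "$1" != "$3" ]; then
        echo "owner uid $1, expected $3"
        return 0
    fi
    case $2 in
        *[2367]?|*[2367]) echo "mode $2 is group- or world-writable" ;;
    esac
}

# chroot_findings DIR [WANT_UID] [TOP] -> one line per offending component.
# WANT_UID (default 0) and TOP (default /) are hypothetical knobs so the walk
# can be exercised in a scratch directory without root.
chroot_findings() {
    want_uid=${2:-0}
    top=$(cd "${3:-/}" && pwd -P) || return 2
    dir=$(cd "$1" && pwd -P) || return 2
    while :; do
        # GNU stat: %u = numeric owner, %a = octal permission bits.
        problem=$(component_problem \
            "$(stat -c %u "$dir")" "$(stat -c %a "$dir")" "$want_uid")
        if [ -n "$problem" ]; then echo "$dir: $problem"; fi
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
}

# Check the jail used in the steps above when it exists on this host.
if [ -d /var/www ]; then chroot_findings /var/www; fi
```

Empty output means the path satisfies sshd's rule; /var/www/html sits below the jail, so its 775 mode is not part of this check.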

This is a great write-up. Note that you will probably need to add the user you created to the "FTP" usergroup:

gpasswd -a <usr> ftp


Maybe worth mentioning in addition to clone45's answer:

Fixing Write Permissions for Chrooted FTP Users in vsftpd

The vsftpd version that comes with Ubuntu 12.04 Precise does not permit chrooted local users to write by default. By default you will have this in /etc/vsftpd.conf:

chroot_local_user=YES
write_enable=YES

In order to allow local users to write, you need to add the following parameter:

allow_writeable_chroot=YES

Note: Issues with write permissions may show up as the following FileZilla errors:

Error: GnuTLS error -15: An unexpected TLS packet was received.
Error: Could not connect to server
