How to Install and Configure VSFTPD FTP Server on Ubuntu 20.04/22.04
FTP (File Transfer Protocol) is a classic way to transfer files between systems. If you’re setting up a server for file sharing or remote access, VSFTPD (Very Secure FTP Daemon) is one of the most secure and reliable options available. Let’s walk through the steps to install and configure it on Ubuntu 20.04 or 22.04.
This will work for ubuntu server on AWS or any other cloud provider / Dedicated hosting.
🛠️ Step 1: Update Your System
Before installing anything, make sure your system is up to date:
sudo apt update && sudo apt upgrade -y
📦 Step 2: Install VSFTPD
Install the FTP server package from Ubuntu’s official repository:
sudo apt install vsftpd -y
Once installed, check the service status:
sudo systemctl status vsftpd
You should see it running. If not, start it manually:
sudo systemctl start vsftpd
🔐 Step 3: Configure VSFTPD
Create a copy of configuration file for back up
sudo mv /etc/vsftpd.conf /etc/vsftpd.conf.bak
Now create a new configuration file
sudo nano /etc/vsftpd.conf
..and paste the following in this
listen=NO listen_ipv6=YES anonymous_enable=NO local_enable=YES write_enable=YES local_umask=022 dirmessage_enable=YES use_localtime=YES xferlog_enable=YES connect_from_port_20=YES chroot_local_user=YES secure_chroot_dir=/var/run/vsftpd/empty pam_service_name=vsftpd force_dot_files=YES pasv_min_port=40000 pasv_max_port=50000
To save file and exit, press CTRL + X, press Y and then press ENTER.
Restart vsftpd
sudo systemctl restart vsftpd
👤 Step 4: Create an FTP User
Now we need to create ftp user. Let us say ftp username is ftpuser
sudo adduser ftpuser
Set a password and follow the prompts. You may simply keep pressing enter for all prompts other than password.
Optional: Restrict ftpuser to FTP-only access
If you want to ensure that ftpuser can access the server only via FTP and not through SSH, you can disable their SSH login by adding their username to the SSH configuration blacklist. If SSH access is acceptable, feel free to skip to Step 4.
To edit the SSH configuration file, run:
sudo nano /etc/ssh/sshd_config
DenyUsers ftpuser
If you have created more than one ftpusers then you may add all of them in same line separated by spaces like following
DenyUsers ftpuser1 ftpuser2 frpuser3
📁 Step 5: Set Up FTP Directory
We have now two options:
A.) Option-1 : Upload to web root directory (/var/www/html or /var/www/virtual-host-directory)
B.) Option-2 : Upload to home directory.
A.) Option-1: Upload to web root directory (/var/www/html or /var/www/virtual-host-directory)
If you have not created multiple virtual host, then your default web server root will be /var/www/html. We will make /var/www the home directory for our ftp user
sudo usermod -d /var/www ftpuser
Following will allow our FTP user to write and alter files in the document root directory.
sudo chown ftpuser:ftpuser /var/www/html
B.) Option-2 : Upload to home directory.
If you’d prefer the user to upload files directly within their home directory, start by creating a folder named ftp inside their home directory, followed by a subfolder called files. In the example below, the username is ftpuser:
sudo mkdir /home/ftpuser/ftp
Set the ownership of the ftp directory to no nobody:nogroup.
sudo chown nobody:nogroup /home/ftpuser/ftp
Set directory permissions to comply with VSFTPD requirements
To ensure VSFTPD allows login, you must make the ftp directory non-writable for all users. Use the chmod command as shown below:
sudo chmod a-w /home/ftpuser/ftp
Next, let’s create a subdirectory inside /ftp where the user will be able to browse and upload files.
sudo mkdir /home/ftpuser/ftp/files
Assign ownership of this directory to our new FTP user otherwise they will not be able to write to it.
sudo chown ftpuser:ftpuser /home/ftpuser/ftp/files
Now open config file again
sudo nano /etc/vsftpd.conf
And copy and paste following at the bottom
user_sub_token=$USER local_root=/home/$USER/ftp
To save file and exit, press CTRL + X, press Y and then press ENTER.
Restart vsftpd
sudo systemctl restart vsftpd
Step 6 : Configure Firewall
If you haven’t enabled the UFW firewall yet on Ubuntu , it’s strongly recommended to do so. However, before activating it, ensure you’ve added a rule to allow SSH connections—otherwise, you risk being locked out of your server if you’re accessing it remotely. If you prefer not to configure a firewall, feel free to skip this step.
sudo ufw allow OpenSSH
We’ll begin by opening ports 20 and 21 to support standard FTP operations. Next, we’ll allow the range 40000–50000 for passive FTP connections. Additionally, we’ll open port 990 to prepare for TLS encryption, which will be configured in a later step.
sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow 40000:50000/tcp
sudo ufw allow 990/tcp
Go ahead and enable the firewall if it’s not already active. If prompted about potential disruption to your SSH connection, simply press Y followed by ENTER to proceed.
sudo ufw enable
Check firewall status
sudo ufw status
Note : If you are using AWS ec2, then instead of firewall, use security group to allow ports
Step 7: Test FTP
It’s time to test vsftpd by attempting to log in with the user account you set up earlier. We suggest using FileZilla, a reliable FTP client compatible with Windows, macOS, and Linux.
Launch FileZilla, enter your server’s IP address, the FTP username and password you previously created, then click Quickconnect to initiate the connection.
Once connected, FileZilla should indicate a successful login. To verify that file permissions are correctly configured, try uploading files, creating folders, and editing content within your web root directory.
You may notice a warning in FileZilla stating: “Status: Insecure server, it does not support FTP over TLS.” To secure your FTP connection and protect login credentials and data, it’s strongly recommended to configure TLS at this stage.
If you encounter login issues, consult the vsftpd log for troubleshooting. To view the latest 200 entries, use the following command:
sudo tail /var/log/vsftpd.log -n 200
Step 8. Secure FTP with TLS (Recommended)
Keep in mind that FTP does not encrypt data by default, which means your login credentials and transferred files are exposed to potential interception. To secure your connection, it’s recommended to use FTPS—FTP layered with SSL/TLS encryption—when accessing vsftpd.
To get started, we’ll generate a new SSL certificate using the openssl tool.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
Keep pressing enter when it asks to fill details like country, company name etc to use default.
With your private key successfully generated, the next step is to update the vsftpd configuration file to enable TLS support.
Open the configuration file using the nano editor:
sudo nano /etc/vsftpd.conf
Paste the following at bottom:
ssl_enable=YES rsa_cert_file=/etc/ssl/private/vsftpd.pem rsa_private_key_file=/etc/ssl/private/vsftpd.pem allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO require_ssl_reuse=NO ssl_ciphers=HIGH
Save and exit (press CTRL + X, press Y, then press ENTER)
Restart vsftpd.
sudo systemctl restart vsftpd
Now, test the connection again using FileZilla. Once connected, you should see a padlock icon at the bottom-right corner of FileZilla.
“By following this guide, you can successfully install and secure VSFTPD on Ubuntu 20.04/22.04. Whether on AWS, DigitalOcean, or a dedicated server, this setup ensures secure and reliable file transfers.”
That’s it—we’re all set! Feel free to drop any questions if you have them.
❓ Frequently Asked Questions (FAQ) about VSFTPD on Ubuntu
1. How do I connect to VSFTPD in Ubuntu?
You can connect to your VSFTPD server using an FTP client like FileZilla. Enter your server’s IP address, FTP username, and password, then click Quickconnect. Make sure ports 20, 21, and 40000–50000 are open in your firewall or cloud security group.
2. Is VSFTPD secure?
Yes. VSFTPD stands for Very Secure FTP Daemon and is considered one of the most secure FTP servers available. By enabling TLS/SSL encryption, you can protect login credentials and data during file transfers.
3. Which ports should I open for VSFTPD on Ubuntu?
You need to open:
-
Port 20 & 21 → For FTP control and data
-
Ports 40000–50000 → For passive FTP connections
-
Port 990 → For FTPS (FTP over TLS/SSL)
If you’re on AWS, make sure to allow these ports in your EC2 security group.
4. How do I enable TLS in VSFTPD?
To enable TLS:
-
Generate a new SSL certificate with
openssl. -
Update
/etc/vsftpd.confwithssl_enable=YESand certificate paths. -
Restart VSFTPD using:
After this, connect again with FileZilla—you should see a padlock icon confirming TLS is active.
5. What is the default VSFTPD configuration file in Ubuntu?
The main configuration file is located at:
It controls settings like anonymous access, passive ports, TLS, and user directory rules.
6. Can I restrict FTP users from accessing SSH?
Yes. If you want an FTP-only user, add their username in the SSH configuration blacklist:
Restart SSH with:
I'm a qualified Software Engineer and a professional entrepreneur. I have substantial experience managing large technical teams and overseeing million-dollar projects. Besides work, I enjoy traveling, reading books, and writing blogs.
Previous Post