Installing vsftpd on Amazon’s Linux AMI

By default, Amazon’s Linux AMI provides only the amzn repository. While this repository does have quite a selection of packages, there are a few commonly used packages that are missing (e.g. php-mcrypt). On the FTP side, the only FTP server included is VS-FTP (vsftpd). While my personal preference has historically been pure-ftpd, this is a quick look at how to setup vsftpd on the server.

The installation is quite straightforward:

sudo yum install vsftpd -y

Configuration files are located in: /etc/vsftpd

The only file that requires modification is vsftpd.conf

It is easier to setup ‘active’ FTP, but not by much. Active FTP requires fewer open ports on the server, but takes an extra step for a user in most cases.

The default config should provide a functioning server. If you are using Virtualmin, it might set the listen_address, which I found prevented vsftpd from starting, simply comment out the setting, and all works fine.

For FTP, you will need to open port 21, which can be done using Amazon’s EC2 console (they actually have an FTP option).

Start the FTP daemon (sudo service vsftpd start), and everything should just work.

With the above setup you will be running ‘active’ FTP. In a client, you will most likely need to explicitly set the transfer mode as active (in Filezilla, this is done at: Edit > Settings > Connection > FTP ).

Since passive mode tends to be preferred, it is a simple change to make.

Firstly, modify your vsftpd.conf file, adding:

pasv_enable=YES
pasv_max_port=xxxxx
pasv_min_port=xxxxx
pasv_address=xxx.xxx.xxx.xxx

The first setting enables passive mode, the next two restrict the port range (since ports need to be opened for this to work), and the last setting specifies the external IP address (e.g. elastic IP). Alternatively, the last setting can be replaced with:

pasv_addr_resolve=YES
pasv_address=DOMAIN_NAME

This variation is handy if a static IP is not being used, as it allows you to specify a domain name instead.

Following this, simply open the port range you chose:

Using Amazon’s EC2 console, add a custom port range to your security group, specify from and to values matching the min and max ports used in your configuration file, and set the type as TCP; the source IP will likely be 0.0.0.0/0 (no restrictions)

Finally, restart vsftpd (sudo service vsftpd restart) and give it a try. any system user not listed in the ftpusers and user_list files should be able to login (ec2-user, of course, doesn’t use a password, so might prove more of a challenge).

By cyberx86

Just a random guy who dabbles with assorted technologies yet works in a completely unrelated field.

9 comments

  1. Is it possible to use winSCP to access the ec2 server without the ssl keys. what login details do i use after a created a new user?

    1. You certainly can use WinSCP to login without keys (i.e. with a password). You need to setup a user that has a password (i.e. use passwd), a home directory, and a valid shell (from /etc/shells). Also, you need to ensure that your user is permitted to login via SSH (e.g. edit /etc/ssh/sshd_config adding AllowUsers {username} – this should only be needed if SSH is configured to disallow logins (e.g. with DenyUsers)). You may also wish to restrict the set of commands that user can run as a safeguard. Once you can SSH into the server as your new user (e.g. using PuTTY) then you should have no problem with WinSCP (using the exact same login information as with PuTTY). I would however recommend using a key (you can generate your own keys – you don’t need to use the ones that EC2 provides) for your new user instead of using a password.

  2. Thanks for the post, very helpful! To get vsftpd to start automatically you have to make a symlink in the /etc/rc3.d/ directory that references the script in /etc/init.d/vsftpd.
    Get to a privileged prompt by using “sudo -s” and then “cd /etc/rc3.d“, then to make the link I used: “ln -s /etc/init.d/vsftpd S91vsftpd“.
    Then use “init 6” to reboot, and see if you can open an FTP after it reboots.

    I also wanted to use a separate EBS volume so that I could create an LVM, since I am unsure how big or fast this FTP will grow… but that’s a whole other blog.
    Thanks again!!

  3. Do you need to do the:

    pasv_enable=YES

    I had read where one person said vsftpd had PASV on by default. Is this true?

    1. I include pasv_enable to be explicit, however, VSFTPd does have default values for all its settings, and, by default (i.e. if omitted), pasv_enable=YES. (See the manpage for the full list of defaults)

Leave a comment

Your email address will not be published. Required fields are marked *