All posts by Don Matteo

How to Install VSFTPD

Install FTP server with VSFTPD and hardening using Fail2ban

Very Secure File Transfer Protocol Daemon (VSFTPD) is, as its name promises, a secure FTP daemon, and it is the default FTP server of most Linux distributions, among them Debian, Ubuntu, CentOS, Fedora and RHEL. VSFTPD is a secure and stable FTP server and is licensed under the GNU General Public License. It is designed for secure and easy support of virtual users via PAM (Pluggable Authentication Modules). This tutorial shows how to install VSFTPD and protect it with Fail2ban on Debian 10 (buster) or other Linux versions. Fail2ban is an intrusion prevention system written in Python that runs on any Linux system with a firewall it can control.


On Debian and Ubuntu, VSFTPD is installed with the apt package manager from the default repository.

On CentOS and RHEL, VSFTPD is installed with YUM.

After the installation, we configure VSFTPD.

For CentOS / RHEL / Fedora, vsftpd.conf is under /etc/vsftpd.

  If you do not work with VIM, you can edit with nano or ne.

We disable anonymous login and allow local users to write.

chroot jail for FTP users

chroot stands for change root and is a Unix mechanism that changes the root directory seen by a process. It only affects the current process and its child processes, which makes it a simple jail: the FTP server prevents users from accessing files outside their own directory. chroot is also an easy way to sandbox untrusted data. The chroot settings for VSFTPD users are in the file vsftpd.conf, at the lines chroot_local_user and chroot_list_enable.

To configure chroot for users, go to the line chroot_local_user and set it to YES, likewise chroot_list_enable:

All users are chrooted except for the few who are exempted by creating the file /etc/vsftpd.chroot_list, which lists the users excluded from the chroot.

  CentOS / RHEL path /etc/vsftpd/vsftpd.chroot_list

It is also possible to lock out users completely. To refuse login for certain users, add the following lines to the file vsftpd.conf.

Create the file vsftpd.userlist and add the users to it, one per line, for example the service accounts. Example vsftpd.userlist:

SFTP encrypted authentication

So that passwords are not sent in clear text, add these options to the configuration file; some of them are already present, so check them and adjust the values where necessary.

Note: SFTP (file transfer over SSH, a different protocol from the FTPS that the ssl options of vsftpd provide) is normally already enabled by the SSH daemon, so check the file /etc/ssh/sshd_config.

Hint: more recommended VSFTPD settings
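As an added example (not from the original post or from the vsftpd project), a small shell audit for the settings discussed in the chroot, user list and encryption sections above: it reports which options in a vsftpd.conf deviate and can rewrite the file to match. The option names are vsftpd's own; the values treated as hardened, the reading that a repeated option's last assignment wins, and the sample config are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit and optionally rewrite a
# vsftpd.conf against the settings described above. Option names are vsftpd's;
# which values count as hardened, and "last assignment wins", are assumptions.
VSFTPD_REQUIRED='anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
userlist_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES'

# Effective value of one option: comments skipped, whitespace trimmed, last
# uncommented assignment wins, upper-cased so yes/YES compare equal.
vsftpd_get() {  # $1=conf file  $2=option name
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; v = $2; gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        k == key { val = toupper(v) }
        END { print val }' "$1"
}

# Print OK or FIX per required option; returns the number of deviations.
audit_vsftpd_conf() {  # $1=conf file
    bad=0
    for pair in $VSFTPD_REQUIRED; do
        key=${pair%%=*}; want=${pair#*=}; have=$(vsftpd_get "$1" "$key")
        if [ "$have" = "$want" ]; then printf 'OK   %s=%s\n' "$key" "$have"
        else printf 'FIX  %s=%s (found: %s)\n' "$key" "$want" "${have:-unset}"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Rewrite in place (backup in $1.bak): drop earlier assignments of each required
# option and append the wanted line; unrelated options such as listen are kept.
harden_vsftpd_conf() {  # $1=conf file
    cp "$1" "$1.bak"
    for pair in $VSFTPD_REQUIRED; do
        key=${pair%%=*}
        { grep -v "^[[:space:]]*${key}[[:space:]]*=" "$1" || true; } >"$1.tmp" && mv "$1.tmp" "$1"
        printf '%s\n' "$pair" >>"$1"
    done
}

write_sample_conf() {  # $1=path; constructed sample of a stock config before hardening
    printf '%s\n' '# constructed sample, not a real server file' 'listen=YES' 'anonymous_enable=YES' \
        'local_enable=YES' '#write_enable=YES' 'chroot_local_user=NO' 'ssl_enable=NO' >"$1"
}
```

Run audit_vsftpd_conf /etc/vsftpd.conf as root before and after harden_vsftpd_conf; keep in mind that with chroot_local_user=YES vsftpd refuses a session whose chroot root directory is writable unless allow_writeable_chroot=YES is set.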

VSFTPD protection with Fail2ban

To protect the FTP server from brute force attacks, Fail2ban is activated for VSFTPD. After a defined number of failed login attempts, the offending host is blocked for a set period of time. Fail2ban works from the log files, so it is installed on the FTP server itself.

For Fail2ban and VSFTPD, create the file jail.local if it does not already exist.

  The file jail.conf can also be copied, or the individual service blocks can be added to jail.local.

The logs are essential for Fail2ban to work. The FTP server (VSFTPD) writes its log to /var/log/vsftpd.log. Fail2ban is flexible and can be adapted to most requirements; if another tool needs the xferlog format, both log files can be written with dual_log_enable=YES.

  By default, /var/log/vsftpd.log is read; it is predefined in the variable %(vsftpd_log)s.

The Fail2ban filter for vsftpd is in the file /etc/fail2ban/filter.d/vsftpd.conf.

To apply changes, the Fail2ban daemon must be restarted.

The IP addresses blocked by Fail2ban can be listed, here as root, with the following fail2ban-client command.
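As an added example (not from the original post or from Fail2ban), the jail.local fragment described above together with a dry run of the same maxretry/findtime rule over constructed vsftpd log lines, so that the clients Fail2ban would ban can be checked before the jail goes live. The thresholds, the sample log and the same-day assumption for timestamps are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or Fail2ban): the jail fragment the
# post refers to, plus a dry run of the same rule over constructed vsftpd log
# lines, so you can see which clients Fail2ban would ban before enabling it.
# Thresholds (3 failures within 600 s, 1 h ban) are this example's choice.

# jail.local fragment for vsftpd; jail.conf stays untouched (it is replaced on
# package upgrades), overrides belong in jail.local.
print_vsftpd_jail() {
    printf '%s\n' '[vsftpd]' 'enabled  = true' 'port     = ftp,ftp-data,ftps,ftps-data' \
        'logpath  = %(vsftpd_log)s' 'maxretry = 3' 'findtime = 600' 'bantime  = 3600'
}

# List clients with >= maxretry FAIL LOGIN entries inside any findtime window.
# Mirrors the vsftpd filter: the host is the quoted address after Client, and
# an IPv4-mapped "::ffff:" prefix is stripped so both spellings count as one host.
# Assumes all lines are from the same day (only HH:MM:SS is parsed).
vsftpd_brute_force_sources() {  # $1=log file  $2=maxretry  $3=findtime (s)
    awk -v maxretry="$2" -v findtime="$3" '
        /FAIL LOGIN: Client "/ {
            match($0, /Client "[^"]+"/)
            ip = substr($0, RSTART + 8, RLENGTH - 9); sub(/^::ffff:/, "", ip)
            split($4, hms, ":"); t = hms[1] * 3600 + hms[2] * 60 + hms[3]
            n[ip]++; ts[ip, n[ip]] = t
            c = 0
            for (i = n[ip]; i >= 1 && ts[ip, i] > t - findtime; i--) c++
            if (c >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
        }' "$1"
}

# Constructed log excerpt in vsftpd format: one client hammering three accounts
# within seconds, another failing three times spread over 40 minutes.
write_sample_vsftpd_log() {  # $1=path
    cat >"$1" <<'EOF'
Sat Jan  4 10:00:01 2020 [pid 2101] [john] FAIL LOGIN: Client "203.0.113.5"
Sat Jan  4 10:00:04 2020 [pid 2103] [admin] FAIL LOGIN: Client "203.0.113.5"
Sat Jan  4 10:00:09 2020 [pid 2105] [root] FAIL LOGIN: Client "::ffff:203.0.113.5"
Sat Jan  4 10:00:11 2020 [pid 2107] [john] OK LOGIN: Client "192.0.2.10"
Sat Jan  4 10:00:20 2020 [pid 2109] [john] FAIL LOGIN: Client "192.0.2.10"
Sat Jan  4 10:20:30 2020 [pid 2150] [john] FAIL LOGIN: Client "192.0.2.10"
Sat Jan  4 10:40:40 2020 [pid 2190] [john] FAIL LOGIN: Client "192.0.2.10"
EOF
}
```

With the thresholds above only 203.0.113.5 would be banned; the second client's three failures fall outside any 600 s window, which is exactly the tuning trade-off between findtime and maxretry.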

Windows view file extensions

How to make file extensions in Explorer visible

In Windows 10, file extensions are hidden by default; the setting is found in Control Panel – File Explorer Options – Advanced settings:

Hide extensions for known file types

The file extension is often used to identify the format of a file; for example, name.txt indicates a text file. Modern Windows versions no longer have the file-name limitation of the MS-DOS 8.3 convention (8-character name, 3-character extension). In Windows 10, the default setting hides all file extensions known to the system in Explorer. Various malware programs exploit this: a file named invoice.pdf.exe is shown as invoice.pdf. To make file extensions visible, go to the Explorer options in the Control Panel, or open File Explorer Options directly.

Press Win + R to open Run, enter control folders and click OK.

In File Explorer Options, the display of file extensions is switched on or off in the View tab.

Hide extensions for known file types

Uncheck Hide extensions for known file types and click OK. All files are now displayed with their extensions.

SSH Login with PuTTY Key Authentication

PuTTY SSH login with using puttygen key pairs

SSH authentication via asymmetric keys is more secure than using passwords; in addition, public key authentication enables automated login, for example from scripts, without a password prompt. The PuTTY Key Generator puttygen.exe is used to generate RSA (the default), DSA or ECDSA key pairs.

The tool can be found via Download PuTTY; if you installed PuTTY using putty-installer.msi, puttygen is already in the Windows Start menu under PuTTY. To create an RSA key pair, just click on the Generate button. If you want to generate DSA or ECDSA keys, choose the desired algorithm with the radio buttons in the Parameters box.

Generate PuTTY Key Pair in puttygen

The randomness needed is gathered by moving the mouse freely over the blank area of the dialog during key generation. Afterwards you can optionally enter a Key passphrase.

PuTTY Key generate

To save the private key, click on Save private key; if no passphrase was entered, the dialog “Are you sure you want to save this key without a passphrase to protect it?” lets you decide whether to save with or without a passphrase. Saving the public key is not strictly necessary, because it can be derived at any time from the private key.

The private key should be kept in a safe place, especially if it is not protected by a passphrase. If a passphrase-protected private key is lost, unauthorized persons cannot do anything with it. On the other hand, for automated processing by scripts a passphrase is not desired.

The file name and path are free to choose in the dialog, but the extension .ppk has become established for PuTTY keys, since it indicates the format, which differs from the one used on Linux. PuTTY does not accept OpenSSH keys directly, but in the Conversions menu existing OpenSSH keys can be imported and PuTTY keys exported.

Save Public Key to server

The public key must be placed on the server: select it completely with the mouse in the Key field and copy it to the clipboard with Ctrl + C.

PuTTY Key Generator Public key pasting into authorized_keys

Log in to the Linux server with PuTTY once more using username and password, open the file ~/.ssh/authorized_keys with an editor of your choice and paste the public key from the clipboard.

  Do not change anything on the key, just copy and paste it. The file authorized_keys can contain several keys one after the other, without spaces or blank lines in between.

Use PuTTY with Private Key

To use public key authentication the next time you log in, open the PuTTY start page (Basic options for your PuTTY session). In the Session area enter the IP address or the host name, enter a name of your choice under Saved Sessions and click Save. Before saving, select the private key file: in the Category tree under Connection, click + next to SSH to open the Auth area with the field Private key file for authentication. The easiest way is to click Browse and select the appropriate file in the file chooser.

PuTTY SSH Key Authentication

The settings for each individual connection can be stored as a session. When a connection to the Linux server is now established, it requires an identity: the specified user name must have a public key in the file authorized_keys that matches the private key.

Now PuTTY asks for the passphrase (if one was set) to unlock the private key stored in the local .ppk file. If the two keys match, access is granted.

SSH configuration on Linux server

On the Linux server, the SSH server configuration must allow authentication via asymmetric keys; with most Linux distributions public key authentication is enabled by default.

  OpenSSH: a leading hash (#) means the line shows the default value; to change it, remove the # and modify the parameter.

Users keep their public keys under $HOME in the file ~/.ssh/authorized_keys. After a user has been created with adduser, the .ssh directory usually does not exist yet; in that case it is created as root for the user john as follows.

  The .ssh directory is not visible to other users.
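As an added example (not from the original post), a shell helper that creates the .ssh directory and authorized_keys file for a user such as john with the permissions sshd expects and appends a public key copied from puttygen's Key field, rejecting anything that is not an OpenSSH one-line key. The home directory parameter, the constructed sample key and the chown-only-as-root behaviour are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): put a public key copied from the
# puttygen "Key" field into ~/.ssh/authorized_keys the way the post describes,
# with the directory and file permissions sshd insists on. The home directory
# is a parameter so the functions can be tried on a scratch directory; "john"
# is the post's example user, the key below is constructed and not real.

# Accept only an OpenSSH one-line key "<type> <base64> [comment]". Every
# OpenSSH key blob starts with a 4-byte length field, so its base64 always
# begins with "AAAA"; a PuTTY-format (.ppk / "---- BEGIN SSH2 ...") export or a
# paste broken across lines fails here instead of silently in sshd.
is_openssh_pubkey() {  # $1=key line
    set -- $1
    case "$1" in
        ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    case "$2" in AAAA*) ;; *) return 1 ;; esac
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# Append the key (unchanged, on its own line) to $home/.ssh/authorized_keys,
# creating the directory as 700 and the file as 600. Ownership is handed to the
# user only when run as root for an account that exists, as on the real server.
# Returns 1 for a malformed key and 2 if the key is already installed.
install_authorized_key() {  # $1=user  $2=home dir  $3=public key line
    is_openssh_pubkey "$3" || return 1
    dir="$2/.ssh"; file="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$file" ] || : >"$file"
    chmod 600 "$file"
    grep -Fqx -- "$3" "$file" && return 2
    # A previous key without a trailing newline would otherwise be glued to ours.
    [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ] && printf '\n' >>"$file"
    printf '%s\n' "$3" >>"$file"
    if [ "$(id -u)" -eq 0 ] && id "$1" >/dev/null 2>&1; then chown -R "$1:" "$dir"; fi
}

# Constructed sample key line, shaped like puttygen output but not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKeyMaterial00 john@example'
```

On the server this is run as root, for example install_authorized_key john /home/john "$(cat pasted_key.txt)", and the same helper can be called once per additional key.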