How to Setup FTP (SFTP) on an AWS EC2 Instance

Robin Scott | AWS EC2 Tutorials | 14 Comments


Below are the commands required to set up FTP (well, SFTP in fact) on your AWS EC2 cloud instance. I’m assuming you use the AWS flavour of Linux.

If you use Ubuntu or another distribution, file locations, commands and the like will more than likely be different.

I have added in some commentary which may or may not help for the novice / intermediate user. I’m trying to bring you up to speed with what commands do, as a lot of tutorials assume knowledge which may or may not exist in the user.

Please ignore anything you already know, and complain like fury in the comments where I’ve explained anything wrong 🙂

Step One – Getting Started

Log in to your cloud server via a terminal. I often use PuTTY. It’s up to you how you do this. This tutorial assumes you can log in as ec2-user. If you cannot, you have bigger problems than I can address right now!

Commands to run

sudo -i

// become root for the rest of the session (rather than typing “sudo” at the start of each command); for brevity, and to avoid wearing out your fingers.

yum update -y

// updates your cloud server to the latest stable release of *everything*. The -y means that when it asks whether you want to install, you’ve already said “yes”.

yum install vsftpd

// installs the FTP gubbins; you will need to say yes.

Step Two – Open Ports in Security Group

You need to go to your AWS account in your browser and open up the ports required for FTP access.

This is done by:

1) Log in to AWS at http://aws.amazon.com/
2) Open the EC2 panel from the management console
3) Select “Security Groups” from the left menu and find the relevant one, OR select the EC2 instance in question and click its security group directly from the bottom of the page
4) Hit “Edit” on the relevant security group’s INBOUND rules
5) Add two rules of Type > Custom TCP Rule with port ranges 20-21 and 1024-1048 (source “Anywhere” if you want to allow FTP from anywhere; otherwise lock it down to just your IP, assuming a) you know it and b) it won’t change!)

Step 3 – Ensure vsftpd starts on server reboot

You want to make sure your new service will start when your server reboots, in future.

Enter the following into terminal

chkconfig --level 345 vsftpd on

// This makes sure vsftpd starts when the instance reboots (note it still needs starting the first time, which the restart we do below will achieve!)

Step 4 – Update vsftpd.conf file

Back in your terminal window (PuTTY or whatever), run the following commands to update your vsftpd.conf file using vi.

vi /etc/vsftpd/vsftpd.conf

// this uses the vi editor to edit the vsftpd.conf file. Get familiar with vi if you are going to use PuTTY to regularly edit stuff on your AWS instance.

Hit the insert key or “i” to start inserting (well deleting, replacing, and whatever too) in vi, or use your favourite method to achieve the below:

Change

anonymous_enable=YES

to

anonymous_enable=NO

// this prevents anonymous access over FTP. Anonymous access is a Bad Thing. It (kind of) means any old yoyo can be on your FTP.

Then add the following to the bottom of the file

pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=[YOURPUBLICIP]

// Be SURE to replace [YOURPUBLICIP] with your server’s public IP, or this will not work right! You can see what this is doing though, right? It’s enabling passive connections and specifying the ports to use and the IP. All stuff to do.

// Press escape
// type
:wq
// Hit enter

// :wq tells vi to “write” this file and “quit”. The colon means “commands coming”, and the escape key beforehand says “I’m about to give some commands, stop inserting into the file”.

NEXT Restart vsftpd

/etc/init.d/vsftpd restart

Step 5 – Create an FTP user

Type the following into terminal to create this user / password – replace “silicondales” with your intended username!

adduser silicondales
passwd silicondales

Step 6 – Restrict user to home directory

You will want to prevent an FTP user getting ideas above his station, and “chroot” him or her to their directory (means they cannot go “above” their home directory and try to tinker about with (for example) server settings).

Edit the vsftpd.conf again in terminal and again using vi:

vi /etc/vsftpd/vsftpd.conf

Uncomment (remove the # in front of) the line which says:

chroot_local_user=YES

Then it’s save and quit as before.

// Hit escape
:wq
// Enter

// again, save your new settings by writing the file and quitting vi

Restart vsftpd by entering this into terminal:

/etc/init.d/vsftpd restart
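The conf edits from Steps 4 and 6, done without vi and checked against the security-group range from Step 2 before the restart. This is an added example and not part of Robin’s original post; it assumes a GNU/Linux userland (GNU sed and grep), and the conf excerpt and the 203.0.113.10 address are constructed placeholders rather than values from the page.

```shell
#!/bin/sh
# Added example (not from the original post): make the vsftpd.conf edits from
# Steps 4 and 6 non-interactively, then check the file is sane before restarting.
# Assumes GNU sed/grep. The conf excerpt and the IP below are constructed samples.

# Constructed excerpt of the stock /etc/vsftpd/vsftpd.conf lines this tutorial touches.
write_sample_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
#chroot_local_user=YES
listen=YES
EOF
}

# Step 4 + Step 6 edits: turn anonymous logins off and uncomment chroot_local_user.
harden_vsftpd_conf() {
    sed -i 's/^anonymous_enable=YES$/anonymous_enable=NO/' "$1"
    sed -i 's/^#chroot_local_user=YES$/chroot_local_user=YES/' "$1"
}

# Step 4 passive block. PUBLIC_IP is the server's public IP (not the client's,
# as one commenter found out); MIN/MAX is the range opened in the security group.
add_pasv_block() {
    conf="$1"; public_ip="$2"; min_port="$3"; max_port="$4"
    cat >> "$conf" <<EOF
pasv_enable=YES
pasv_min_port=$min_port
pasv_max_port=$max_port
pasv_address=$public_ip
EOF
}

# Returns 0 only if: anonymous access is off, chroot is on, the [YOURPUBLICIP]
# placeholder was replaced, and the passive range equals the security-group range
# from Step 2 (a mismatch is what makes LIST hang after "227 Entering Passive Mode").
check_vsftpd_conf() {
    conf="$1"; sg_min="$2"; sg_max="$3"
    grep -q '^anonymous_enable=NO$' "$conf" || { echo "anonymous access still enabled"; return 1; }
    grep -q '^chroot_local_user=YES$' "$conf" || { echo "chroot_local_user not enabled"; return 1; }
    grep -q '^pasv_address=\[YOURPUBLICIP\]' "$conf" && { echo "pasv_address placeholder not replaced"; return 1; }
    min=$(sed -n 's/^pasv_min_port=//p' "$conf")
    max=$(sed -n 's/^pasv_max_port=//p' "$conf")
    [ "$min" = "$sg_min" ] && [ "$max" = "$sg_max" ] || {
        echo "passive range ${min:-unset}-${max:-unset} does not match security group $sg_min-$sg_max"; return 1; }
    return 0
}

# Restart: systemd hosts (as Karol notes in the comments) vs the SysV script in the post.
restart_vsftpd() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart vsftpd.service
    else
        /etc/init.d/vsftpd restart
    fi
}

# Typical use as root (uncomment; PUBLIC_IP must be the instance's public address):
# harden_vsftpd_conf /etc/vsftpd/vsftpd.conf
# add_pasv_block /etc/vsftpd/vsftpd.conf "$PUBLIC_IP" 1024 1048
# check_vsftpd_conf /etc/vsftpd/vsftpd.conf 1024 1048 && restart_vsftpd
```

Running the check before the restart catches the two mistakes the comments report: the placeholder left in pasv_address, and a passive range that does not line up with the 1024-1048 rule in the security group, both of which show up to the client as a LIST that times out after a successful login.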

Step 7 – Change / Set user’s FTP home directory & give group permissions

Enter the command below into the terminal to set the user’s home directory (in this case our silicondales user; replace this with your actual username!). In this example, I’m saying the html folder is the user’s root (this is where the website in this pretend case lives). Note that you can use a subdirectory for service providers and lock ’em down!

usermod -d /var/www/html silicondales

Then make sure the user in question is part of the group which owns the files in this folder, so they can upload / change / delete as you wish. Read up on this. You might want to be careful allowing an FTP user to modify files on your server!

First, check the ownership of the files in your html (or whatever) folder by doing the following:

cd /var/www/html/

// navigate to the folder in question

ls -l

// outputs the permissions, owner and group for the files in this directory. We’re going to add the user to the relevant group; in our case, the group is “apache”

usermod -a -G apache silicondales

// the above adds the user silicondales to the group apache, which means this user gains the same access allowed to that group. This will help you with some permissions trouble you would otherwise run into when FTP’ing things up and down.

Finally, restart to apply everything and you should be done!

/etc/init.d/vsftpd restart
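The Step 7 group step, generalised so it does not assume the group is called “apache”: it reads the group that actually owns the directory (the comments below describe setups where it is “www” or the bare gid 48 instead) and adds the user to that, then lists what that group still cannot write. This is an added example, not the post’s own commands; it assumes GNU coreutils and findutils (stat -c, find -perm), and the user and directory names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): Step 7 without hard-coding "apache".
# Assumes GNU coreutils/findutils (stat -c, find -perm). Names below are placeholders.

# Print the group owning PATH (the group column of ls -l). If the gid has no
# name, as in the "48 / 48" case in the comments, print the numeric gid instead.
dir_group() {
    g=$(stat -c '%G' "$1")
    if [ "$g" = "UNKNOWN" ]; then
        g=$(stat -c '%g' "$1")
    fi
    echo "$g"
}

# Return 0 if USER is already in GROUP (matched by name or numeric gid), 1 otherwise.
user_in_group() {
    user="$1"; group="$2"
    for g in $(id -nG "$user") $(id -G "$user"); do
        if [ "$g" = "$group" ]; then return 0; fi
    done
    return 1
}

# Add USER to the group that owns DIR, only if not already a member
# (usermod needs root; nothing is changed when membership already exists).
ensure_user_in_dir_group() {
    user="$1"; dir="$2"
    group=$(dir_group "$dir")
    if user_in_group "$user" "$group"; then
        echo "$user is already in group $group"
        return 0
    fi
    usermod -a -G "$group" "$user"
}

# List entries directly under DIR that the group cannot write: these are the
# files an FTP user in that group still cannot replace or delete (the
# "Permission Denied" / "550 Delete operation failed" cases from the comments).
group_unwritable() {
    find "$1" -mindepth 1 -maxdepth 1 ! -perm -g=w
}

# Typical use as root (uncomment):
# usermod -d /var/www/html silicondales
# ensure_user_in_dir_group silicondales /var/www/html
# group_unwritable /var/www/html
```

Group membership only gets the user as far as the group’s own permission bits allow, so a file that is 644 and owned by the web server stays read-only for the FTP user even after the usermod; group_unwritable shows those files so the surprise comes before the upload rather than after it.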

Leave a comment below if this worked or did not work for you. I may be able to help. But I hope the above did get you there! If it did, just leave a comment saying “hooray” or something :)!

14 Comments on “How to Setup FTP (SFTP) on an AWS EC2 Instance”

  1. Hi!

    Thanks it worked almost perfectly!

    Only thing that didn’t work was with service restart.
    When running on AWS EC2 you are running a systemd-based OS where traditional init scripts have
    been replaced by native systemd services files so /etc/init.d/ is empty. To make use of service
    files simply invoke “systemctl”. You have to replace /etc/init.d/vsftpd restart commands by:
    systemctl stop vsftpd.service
    systemctl start vsftpd.service

    Thanks,
    Karol

    1. That’s great – and thanks for posting the little difference you experienced. That will help someone Googling in future, I am sure! This is why I love open source!

  2. Hi

    Thanks for this it’s just what I need but when I try using Filezilla I get: (I’ve masked the ip addresses):

    Status: Resolving address of ec2-xx-xx-xx-xx.eu-west-2.compute.amazonaws.com
    Status: Connecting to xx.xx.xx.xx:21…
    Status: Connection established, waiting for welcome message…
    Status: Insecure server, it does not support FTP over TLS.
    Status: Logged in
    Status: Retrieving directory listing…
    Command: PWD
    Response: 257 “/”
    Command: TYPE I
    Response: 200 Switching to Binary mode.
    Command: PASV
    Response: 227 Entering Passive Mode (86,131,226,181,4,20).
    Command: LIST
    Error: Connection timed out after 20 seconds of inactivity
    Error: Failed to retrieve directory listing
    Status: Disconnected from server

      1. Hi Robin

        I tried that and only got as far as:

        Status: Connecting to xx.xx.xx.xx.eu-west-2.compute.amazonaws.com…
        Response: fzSftp started, protocol_version=8
        Command: open “username@xx.xx.xx.xx.eu-west-2.compute.amazonaws.com” 22
        Error: Disconnected: No supported authentication methods available (server sent: publickey)
        Error: Could not connect to server

        I’ve run through your steps but no luck

        I have set up a successful WinSCP connection using the “Transferring Files to Your Linux Instance Using WinSCP” section at http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html, however that is for the default user ‘ec2-user’.

        Your article appealed to me as I want to give access to a specific folder to another user, and I like your writing style 🙂

        I’ve tried it again but connecting in passive mode and this happens:

        Status: Resolving address of ec2-xx.xx.xx.xx.eu-west-2.compute.amazonaws.com
        Status: Connecting to xx.xx.xx.xx.:21…
        Status: Connection established, waiting for welcome message…
        Response: 220 (vsFTPd 2.2.2)
        Command: AUTH TLS
        Response: 530 Please login with USER and PASS.
        Command: AUTH SSL
        Response: 530 Please login with USER and PASS.
        Status: Insecure server, it does not support FTP over TLS.
        Command: USER xxxxxxxxxx
        Response: 331 Please specify the password.
        Command: PASS ********
        Response: 230 Login successful.
        Command: OPTS UTF8 ON
        Response: 200 Always in UTF8 mode.
        Status: Logged in
        Status: Retrieving directory listing…
        Command: PWD
        Response: 257 “/”
        Command: TYPE I
        Response: 200 Switching to Binary mode.
        Command: PASV
        Response: 227 Entering Passive Mode (86,131,226,181,4,2).
        Command: LIST
        Error: Connection timed out after 20 seconds of inactivity
        Error: Failed to retrieve directory listing
        Status: Disconnected from server

        Any thoughts?

        Thanks again
        Mark

  3. Ignore that, I’ve sussed that

    “pasv_address=[YOURPUBLICIP]

    // Be SURE to replace [YOURPUBLICIP] with your public IP” is the public IP of the server, not my IP. Doh!

    And it does work over plain FTP.

    Thanks for your article!

  4. Thanks, this almost worked. When I tried to upload I got “Permission Denied.” Something was fishy to me when adding users to the group. Since we created the group www but we added the users to “apache.” When I changed that to “www,” I was able to upload.

  5. I have added an ftp user and can login via filezilla and connect successfully. When I try to delete a file I get the 550 Delete operation failed error. When i look at the file permission it shows owner / group 48 /48 I added the user to the apache group and it still shows 48 / 48.

    1. Hi Ryan,

      Great to hear you got this working. This sounds like a permissions issue, and like the “group” membership was not quite working as expected. From what you said before, it sounds like the ownership wasn’t quite setup right.

      Good to hear you got this working.

      It’s worth going through to understand what setfacl does – it tells the system which files username can have access to.

      In this tutorial, this (should be) covered by giving group membership, but this is likely what didn’t quite work in your case. There are always several ways to make things work though!

    2. So in your case, if owner / group were 48 / 48 then you would have needed to add your user to the “48” group (not apache, as this is not the group in your setup), by issuing the following command:

      usermod -a -G 48 someusername
