How to Setup FTP (FTPS (not SFTP)) on an AWS EC2 Instance

/

Below are the commands required to setup FTP (well, FTPS in fact, and specifically not SFTP, which you can most easily use by adding your security certificate to your FTP program and accessing over SSH) on your AWS EC2 cloud instance.

I’m assuming you use the AWS flavour of Linux. If you do not use AWS Linux, and you use, say, Ubuntu, or Lightsail, please note… your mileage may vary. In plain English, this means, do not expect commands for one type of Linux to work in another. They may not.

If you use Ubuntu or whatever, file locations, commands, and other such will more than likely be different.

I have added in some commentary which may or may not help for the novice / intermediate user. I’m trying to bring you up to speed with what commands do, as a lot of tutorials assume knowledge which may or may not exist in the user.

This description, below, will allow you to add simple, or secure (FTPS – secured by vsftpd) FTP to your Amazon Linux AWS EC2 instance. This can often be useful to do things such as allowing service providers or third parties to drop files into a directory to which they are “chrooted”.

Please ignore anything you already know, and complain like fury in the comments where I’ve explained anything wrong :)

Step One – Getting Started

Login to your cloud server via Terminal. I often use PuTTy. Its up to you how you do this. This tutorial assumes you can login as ec2-user. If you cannot, you have bigger problems than I can address right now!

Commands to run

sudo -i

// to access as root henceforth (rather than typing “sudo” at the start of each command); for brevity, and to avoid wearing out your fingers.

yum update -y

// to update your cloud server to latest stable release of *everything*. The -y means when it asks if you want to install you’ve already said “yes”

yum install vsftpd

// to install the ftp gubbins you will need to say yes

Step Two – Open Ports in Security Group

You need to go to your AWS account in your browser and open up the ports required for FTP access.

This is done by:

1) Login to AWS https://aws.amazon.com/
2) Open up the EC2 panel from the management console
3) Select “security groups” from the left menu and find the relevant one OR select the EC2 instance in question and directly click on the security group from the bottom of the page area
4) Hit “Edit” on the relevant security group INBOUND rules
5) Add two rules Type > Custom TCP Rules – port ranges 20-21 and 1024-1048 (all from source “anywhere” if you want to allow FTP from anywhere, otherwise secure by locking down to just your IP, assuming a) you know this and b) it won’t change!)

Step 3 – Ensure vsftpd starts on server reboot

You want to make sure your new service will start when your server reboots, in future.

Enter the following into terminal

chkconfig --level 345 vsftpd on

// This makes sure that vsftpd starts when the instance reboots (note it will need starting initially – a restart we do below will achieve this!)

Step 4 – Update vsftpd.conf file

Back in your terminal window (PuTTy or whatever), run the following commands to update your vsftpd.conf file using vi.

vi /etc/vsftpd/vsftpd.conf

// this uses the vi editor to edit the vsftpd.conf file. Get familiar with vi if you are going to use PuTTy to regularly edit stuff on your AWS instance.

Hit the insert key or “i” to start inserting (well deleting, replacing, and whatever too) in vi, or use your favourite method to achieve the below:

Change

anonymous_enable=YES

to

anonymous_enable=NO

// this prevents ananymous access over FTP. Ananymous access is a Bad Thing. It (kind of) means any old yoyo can be on FTP.

Then add the following to the bottom of the file

pasv_enable=YES
pasv_min_port=1024
pasv_max_port=1048
pasv_address=[YOURPUBLICIP]

// Be SURE to replace [YOURPUBLICIP] with your public IP, or this will not work right! You can see what this is doing though, right? Its enabling passive connections, specifiying the ports to use, and the IP. All stuff to do.

// Press escape
// type
:wq
// Hit enter

// :wq tells vi to “write” this file and “quit” the colon means “commands coming” and the escape key beforehand says “I’m about to say some commands, stop inserting into file”.

NEXT Restart vsftpd

/etc/init.d/vsftpd restart

Step 5 – Create an FTP user

Type the following into terminal to create this user / password – replace “silicondales” with your intended username!

adduser silicondales
passwd silicondales

Step 6 – Restrict user to home directory

You will want to prevent an FTP user getting ideas above his station, and “chroot” him or her to their directory (means they cannot go “above” their home directory and try to tinker about with (for example) server settings).

Edit the vsftpd.conf again in terminal and again using vi:

vi /etc/vsftpd/vsftpd.conf

Uncomment (remove the # in front of) the line which says:

chroot_local_user=YES

Then its save and quit as before.

// Hit escape
:wq
// Enter

// again save your new settings by writing to vi and quitting

Restart vsftpd by entering this into terminal:

/etc/init.d/vsftpd restart

Step 7 -Change / Set user’s FTP home directory & give group permissions

Enter the below command into terminal to set the user (in this case our silicondales user – replace this with your actual username!) home directory. In this example, I’m saying the html is the user’s root (this is where the website in this pretend case lives – note you can use a subdirectory for service providers and lock ’em down!).

usermod -d /var/www/html silicondales

Then, make sure the user in question is part of the group which owns the files in this folder, to allow them to upload / change / delete as you wish. Read up on this. You might want to be careful allowing an FTP user to modify files in your server!

First for this, check the ownership status of files in your html (or whatever) folder, by doing the following:

cd /var/www/html/

// navigate to the folder in question

ls -l

// will output the permissions and ownership and group for the files in this directory. In our case we’re going to add the user to this relevant group. In our case, the group is “apache”

usermod -a -G apache silicondales

// the above adds the user silicondales to the group apache, which will mean this user gains the same access allowed to that group. This will help you with some permissions stuff you would otherwise experience with FTP’ing things up and down.

Finally, restart to apply everything and you should be done!

/etc/init.d/vsftpd restart

Leave a comment below if this worked or did not work for you. I may be able to help. But I hope the above did get you there! If it did, just leave a comment saying “hooray” or something :)!