Secure FTP Site with FileZilla
Server - Ubuntu

There are three things to deal with when you set up SSL with VSFTPD. First, create a self-signed certificate and configure VSFTPD to use it. Second, set up FileZilla to connect on port 21 but use SSL for the connection, so that all data and passwords are encrypted in transit. Third, configure the UFW firewall to allow your connections.




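Create the self-signed certificate. Use a key of at least 2048 bits; 1024-bit RSA is no longer considered secure and may be rejected by current TLS clients.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout vsftpd.pem -out vsftpd.pem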


Enter the information that reflects your site.

Country Name (2 letter code) [AU]:US

State or Province Name (full name) [Some-State]:MT

Locality Name (eg, city) []:TC

Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany

Organizational Unit Name (eg, section) []:

Common Name (eg, YOUR name) []:Fred Smith

Email Address []:

These values appear in the certificate when you view it later.



Copy the resulting vsftpd.pem to /etc/ssl/certs. The file holds the private key as well as the certificate, so make sure only root can read it.

cp vsftpd.pem /etc/ssl/certs/


Edit /etc/vsftpd.conf to allow SSL.



#### No Anonymous Connections Allowed #####


##### Customer Connections #####




















There are several items to note in this configuration. Newer versions of FileZilla require stronger encryption from VSFTPD. As a result, this line must be added to the VSFTPD file:




The passive ports which will transfer data must be indicated:





You can use any port range above 1024. It has to be a port range because passive FTP will use a number of ports.



FileZilla v.3.5.3

This example uses the popular FileZilla client, which is available for both Windows and Linux, to connect to an FTP server.


With this setup, all data and user authentication are forced to be encrypted.


Proceed to this URL to download the FileZilla program (the example install on Windows):


Scan the file for viruses (just a normal Windows precaution) and then install it. To open FileZilla, use the link in the menu.


SSL on VSFTPD and FileZilla



When FileZilla opens, click the Site Manager, which is highlighted in the example.


The Site Manager will allow you to set the FTP site for your backups. Enter the information exactly as it is highlighted in the example.





The next step is to enter the username and password you were given when your account was created for remote backups. Do not enter what is shown in this example, as your username and password will be different.


When this is complete, click “OK” to save your settings.


Next, navigate to the location on your local machine that holds the backups you want to copy to the backup server. Your location may be different.


Next connect to the server by clicking the Site Manager and “FTP” which will connect you to your remote backup server and home location.

When you connect to the server for the first time, you will see a certificate, which indicates that the server is using encryption so your data is protected in transit. Because the certificate is self-signed, FileZilla cannot validate it for you: compare the fingerprint it shows with the fingerprint of the certificate on the server before you accept it. Then check the box on the certificate so you do not have to view it each time.


Now, to transfer files, just drag them from your local machine to the remote machine. Drag the files you want to back up to the directory highlighted.


You will be able to see the files being transferred.


You can also drag files from the backup server to your local machine by dragging to the local directory.




You must add several rules to allow the passive connections to your FTP server. The remote machines will connect on port 21 and then transfer data on ports 30000:40000 (your port choice may be different).


ufw allow proto tcp from any to any port 21

ufw allow proto tcp from any to any port 30000:40000


ufw status

Status: active

To                         Action      From
--                         ------      ----
20/tcp                     ALLOW
30000:40000/tcp            ALLOW       Anywhere
21/tcp                     ALLOW       Anywhere


That should do it. Make sure you check /var/log/messages for errors or dropped connections.
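
The following audit script is an added example, not part of the original article or its configuration file. It checks a vsftpd.conf for the properties this setup relies on: no anonymous logins, SSL forced for logins and data, and a pinned passive range that fits inside the UFW range. The directive names are standard vsftpd options; the function names and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a vsftpd.conf. Sample config below is constructed, not the page's file.

# Print the last value assigned to a directive (vsftpd syntax is key=value, no spaces).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# audit_vsftpd CONF FW_MIN FW_MAX: prints one FAIL line per problem and returns
# non-zero if any check failed. Expects the YES/NO spelling of boolean values.
audit_vsftpd() (
    conf=$1 fw_min=$2 fw_max=$3 failed=0
    for pair in anonymous_enable=NO ssl_enable=YES \
                force_local_logins_ssl=YES force_local_data_ssl=YES; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(conf_get "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key is '${got:-unset}', want $want"; failed=1
        fi
    done
    pmin=$(conf_get "$conf" pasv_min_port)
    pmax=$(conf_get "$conf" pasv_max_port)
    case "$pmin:$pmax" in
        *[!0-9:]*|:*|*:)   # missing or non-numeric: vsftpd would pick any port
            echo "FAIL passive range not pinned (pasv_min_port/pasv_max_port)"; failed=1 ;;
        *)
            if [ "$pmin" -le 1024 ] || [ "$pmin" -gt "$pmax" ] ||
               [ "$pmin" -lt "$fw_min" ] || [ "$pmax" -gt "$fw_max" ]; then
                echo "FAIL passive range $pmin:$pmax must be above 1024 and inside firewall range $fw_min:$fw_max"
                failed=1
            fi ;;
    esac
    exit "$failed"
)

# Constructed sample: data channel not forced to SSL, passive range wider than the firewall rule.
sample_conf() {
    cat <<'EOF'
anonymous_enable=NO
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=NO
pasv_min_port=30000
pasv_max_port=45000
EOF
}

tmp=$(mktemp); sample_conf > "$tmp"
audit_vsftpd "$tmp" 30000 40000 || echo "audit failed"; rm -f "$tmp"
```

To check a real server, call audit_vsftpd with /etc/vsftpd.conf and the passive port range you opened in UFW.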