FTP - Services - Ubuntu 15.04 Server with systemd: Administration and Reference (2015)


Part II. Services

Chapter 7. FTP

The File Transfer Protocol (FTP) is designed to transfer large files across a network from one system to another. Like most Internet operations, FTP works on a client/server model. FTP client programs enable users to transfer files to and from a remote system running an FTP server program. Any Linux system can operate as an FTP server; it has to run only the server software, an FTP daemon with the appropriate configuration. Transfers are made between user accounts on client and server systems. A user on the remote system has to log in to an account on the server and can then transfer files to and from that account’s directories only. A special kind of user account, named ftp, allows any user to log in to it with the username “anonymous.” This account has its own set of directories and files that are considered public, available to anyone on the network who wants to download them. The numerous FTP sites on the Internet are FTP servers supporting FTP user accounts with anonymous login. Any Linux system can be configured to support anonymous FTP access, turning it into a network FTP site. Such sites can work on an intranet or on the Internet.

FTP Servers

FTP server software consists of an FTP daemon and configuration files. The daemon is a program that continuously checks for FTP requests from remote users. When a request is received, it manages a login, sets up the connection to the requested user account, and executes any FTP commands the remote user sends. For anonymous FTP access, the FTP daemon allows the remote user to log in to the FTP account using anonymous as the username. The user then has access to the directories and files set up for the FTP account. As a further security measure, however, the daemon changes the root directory for that session to be the FTP home directory. This hides the rest of the system from the remote user. Normally, any user on a system can move around to any directories open to him or her. A user logging in with anonymous FTP can see only the FTP home directory and its subdirectories. The remainder of the system is hidden from that user. This effect is achieved by the chroot operation (discussed later) that literally changes the system root directory for that user to that of the FTP directory. By default, the FTP server also requires a user to be using a valid shell. It checks for a list of valid shells in the /etc/shells file. Most daemons have options for turning off this feature.

FTP Servers                                  Site
Very Secure FTP Server (vsftpd)              vsftpd.beasts.org
ProFTPD                                      proftpd.org
PureFTP                                      pureftpd.org
Washington University FTP server (WU-FTPD)   wu-ftpd.org

Table 7-1: FTP Servers

Available Servers

Several FTP servers are available for use on Linux systems (see Table 7-1). Three of the more common servers are vsftpd, pureftpd, and proftpd. The Very Secure FTP Server provides a simple and very secure FTP server (vsftpd package). The Pure FTPD server is a lightweight, fast, and secure FTP server based upon Troll-FTPd (pure-ftpd package), http://pureftpd.org. ProFTPD is a popular FTP daemon based on an Apache web server design (proftpd-basic package). It features simplified configuration and support for virtual FTP hosts, http://proftpd.org. Another FTP daemon, the Washington University FTP server, was the standard server used before vsftpd (wu-ftpd package).

You can only have one FTP server installed. Should you decide to install another, the currently installed one will be removed.

FTP Users

Normal users with accounts on an FTP server can gain full FTP access simply by logging into their accounts. Such users can access and transfer files directly from their own accounts or from any directories they may have access to. You can also create users, known as guest users, that have restricted access to the FTP publicly accessible directories. This involves setting standard user restrictions, with the FTP public directory as their home directory. Users can also log in as anonymous users, allowing anyone on the network or Internet to access files on an FTP server.

Anonymous FTP: vsftpd

An anonymous FTP site is essentially a special kind of user on your system with publicly accessible directories and files in its home directory. Anyone can log in to this account and access its files. Because anyone can log in to an anonymous FTP account, you must be careful to restrict a remote FTP user to only the files on that anonymous FTP directory. Normally, a user’s files are interconnected to the entire file structure of your system. Normal users have write access that lets them create or delete files and directories. The anonymous FTP files and directories can be configured in such a way that the rest of the file system is hidden from them and remote users are given only read access.

An FTP site is made up of an FTP user account, an FTP home directory, and controlled access to selected configuration and support files. Most distributions have already set up an FTP user account when you installed your system. Within the FTP home directory, you then have a publicly accessible directory that holds the files you want to make available to remote users. This directory usually has the name pub, for public.

The FTP User Account: anonymous

To allow anonymous FTP access by other users to your system, you must have a user account named ftp. Ubuntu has already created this account for you. You can then place restrictions on the ftp account to keep any remote FTP users from accessing any other part of your system. The entry for this account in your /etc/passwd file is set up to prevent normal user access to it. The following is the entry you find in your /etc/passwd file on Ubuntu that sets up an FTP login as an anonymous user:

ftp:x:117:134:ftp daemon,,,:/srv/ftp:/bin/false

The x in the password field blocks the account, which prevents any other users from gaining access to it and thereby gaining control over its files or access to other parts of your system. The user ID, 117, is a unique ID. The comment field is "ftp daemon". The login directory is /srv/ftp; the /srv directory is a location commonly used for servers. When FTP users log in to your system, they are placed in this directory.

Should you want to change your FTP server to use a different directory, you would simply change the FTP user's home directory to be that new directory. You can use the usermod command with the -d option to make the change. First be sure to create the new directory. In the following example the FTP directory is changed to /srv/myftp.

sudo mkdir /srv/myftp
sudo usermod -d /srv/myftp ftp

The FTP home directory is owned by the root user, not by the ftp user. The ftp user has no administrative control over the FTP home directory. Use the ls -ld command to check the ownership of the FTP directory.

ls -ld /srv/ftp

If you set up a different FTP directory, be sure to change that directory’s ownership. You use the chown command, as shown in this example for a myftp directory:

sudo chown root.nogroup /srv/myftp

The permissions for the FTP directory are set to 755: read, write, and execute permission for the root user, but only read and execute permission for everyone else. If you create your own FTP directory, be sure to change the permissions on that directory to 755. Use the chmod command.

sudo chmod 755 /srv/myftp
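The steps above (create the directory, point the ftp account at it, give it root ownership and mode 755) are easy to get subtly wrong, so here is an added shell example, not from the book, that applies them and then verifies the result with stat. The function names ftp_root_setup and ftp_root_check are our own; ftp_root_check takes an expected owner uid so that it can be run unprivileged on any directory, and it assumes GNU coreutils stat as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example (not from the book): set up and verify an anonymous FTP root
# as the chapter describes. Function names are our own.

# Return 0 when directory $1 is owned by uid $2 (default 0, root) and has no
# group/other write bit; otherwise print what is wrong and return 1.
# The chroot root must not be writable by the ftp account, which is why the
# chapter insists on root ownership and mode 755.
ftp_root_check() {
    dir=$1
    want_uid=${2:-0}
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi
    owner_uid=$(stat -c '%u' "$dir")   # GNU stat (Ubuntu coreutils)
    mode=$(stat -c '%a' "$dir")
    bad=0
    if [ "$owner_uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $owner_uid, expected uid $want_uid"
        bad=1
    fi
    # 0$mode is the octal mode; 022 masks the group and other write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$dir: mode $mode is group- or world-writable"
        bad=1
    fi
    return $bad
}

# The chapter's commands for a new root, followed by the check. Needs root.
ftp_root_setup() {
    sudo mkdir -p "$1"
    sudo chown root:nogroup "$1"
    sudo chmod 755 "$1"
    sudo usermod -d "$1" ftp
    ftp_root_check "$1" 0
}

# Stand-alone demonstration on a constructed temporary directory, so it runs
# without privileges: first a correct root, then a deliberately world-writable one.
demo_dir=$(mktemp -d)
chmod 755 "$demo_dir"
ftp_root_check "$demo_dir" "$(id -u)" && echo "ok: $demo_dir"
chmod 777 "$demo_dir"
ftp_root_check "$demo_dir" "$(id -u)" || echo "rejected: $demo_dir"
rmdir "$demo_dir"
```

Run ftp_root_check /srv/ftp (or whatever root you chose) after any change to the directory; vsftpd refuses to serve from a root the ftp account could write to, and the check tells you which of the two conditions is violated.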

An important part of protecting your system is preventing remote users from using any commands or programs not in the restricted directories. For example, you would not let a user use your ls command to list filenames, because ls is located in your /bin directory. At the same time, you want to let the FTP user list filenames using an ls command. Newer FTP daemons such as vsftpd and ProFTPD solve this problem by creating secure access to needed system commands and files, while restricting remote users to only the FTP site’s directories.

Another, more traditional solution is to create copies of certain system directories and files needed by remote users, and to place them in the ftp directory where users can access them. A bin directory is placed in the ftp directory and remote users are restricted to it, instead of the system’s bin directory. Whenever they use the ls command, remote users are using the one in ftp/bin, not the one you use in /bin. To set up such support, you would make a new bin directory in the ftp directory, and then make a copy of the ls command and place it in ftp/bin. Do this for any commands you want to make available to FTP users. Then create an ftp/etc directory to hold a copy of your passwd and group files. Again, the idea is to prevent any access to the original files in the /etc directory by FTP users. The ftp/etc/passwd file should be edited to remove any entries for regular users on your system. All other entries should have their passwords set to x to block access. For the group file, remove all user groups and set all passwords to x. Create an ftp/lib directory, and then make copies of the libraries you need to run the commands you placed in the bin directory.

Anonymous FTP Files

A directory named pub, located in the FTP home directory, usually holds the files you are making available for downloading by remote FTP users. When FTP users log in, they are placed in the FTP home directory (/srv/ftp), and they can then change to the pub directory to start accessing those files (/srv/ftp/pub). Within the pub directory, you can add as many files and directories as you want. You can even designate some directories as upload directories, enabling FTP users to transfer files to your system.

In each subdirectory set up under the pub directory to hold FTP files, you should create a README file and an INDEX file as a courtesy to FTP users. The README file contains a brief description of the kind of files held in this directory. The INDEX file contains a listing of the files and a description of what each one holds.

The Very Secure FTP Server

The Very Secure FTP Server (vsftpd) is small, fast, easy, and secure. It is designed to avoid the overhead of large FTP server applications, while maintaining a very high level of security. It can also handle a very large workload, managing high traffic levels on an FTP site. It is perhaps best for sites where many anonymous and guest users will be downloading the same files. This FTP server is the supported server for Ubuntu, available on the Ubuntu main repository and provided with critical updates.

The Very Secure FTP Server is inherently designed to provide as much security as possible, taking full advantage of UNIX and Linux operating system features. The server is separated into privileged and unprivileged processes. The unprivileged process receives all FTP requests, interpreting them and then sending them over a socket to the privileged process, which then securely filters all requests. Even the privileged process does not run with full root capabilities, using only those that are necessary to perform its tasks. In addition, the Very Secure FTP Server uses its own version of directory commands like ls, instead of the system's versions.

Check the Ubuntu Server Guide | File Servers | FTP Servers for basic configuration.

https://help.ubuntu.com/stable/serverguide/ftp-server.html

See Table 7-2 for a list of vsftpd configuration and support files.

File                                  Description
/etc/ftpusers                         Users always denied access
vsftpd.user_list                      Specified users denied access (allowed access if userlist_deny is NO)
vsftpd.chroot_list                    Local users allowed access (denied access if chroot_local_user is on)
/etc/vsftpd.conf                      vsftpd configuration file
/etc/pam.d/vsftpd                     PAM vsftpd script
/lib/systemd/system/vsftpd.service    Service file for the vsftpd server, standalone
/home/ftp                             Anonymous FTP directory

Table 7-2: Configuration and support files for vsftpd

The Very Secure FTP server package is vsftpd. Use apt-get, aptitude, or the Synaptic Package Manager to install it. The package also installs anonymous FTP support.

sudo apt-get install vsftpd

The Very Secure FTP Server is managed by systemd using the vsftpd.service unit file, shown here. It is a simple file that is run after the network starts (After), and is started by the multi-user.target (runlevels 2, 3, 4, and 5) (WantedBy). It runs the /usr/sbin/vsftpd command, which reads the /etc/vsftpd.conf file for its configuration.

vsftpd.service

[Unit]
Description=vsftpd FTP server
After=network.target

[Service]
Type=simple
ExecStart=/usr/sbin/vsftpd /etc/vsftpd.conf
ExecReload=/bin/kill -HUP $MAINPID
ExecStartPre=-/bin/mkdir -p /var/run/vsftpd/empty

[Install]
WantedBy=multi-user.target

Running vsftpd

The Very Secure FTP Server’s daemon is named vsftpd. It is designed to be run as a stand-alone server, which can be started and stopped using the /lib/systemd/system/vsftpd.service server script. To start, stop, and restart vsftpd, you can use the service command. If you previously enabled another FTP server such as ProFTPD, be sure to disable it first. You can start, stop, and restart the vsftpd server using the service script. Whenever you make changes to your configuration, be sure to restart the FTP server to make the changes take effect.

sudo service vsftpd restart

The anonymous FTP directory will be the ftp user's home directory, /srv/ftp. The files and directories for an anonymous FTP server are located here.

Firewall access

To allow firewall access to the FTP port, usually port 21, you should enable access using a firewall configuration tool like ufw (desktop).

For the ufw default firewall, you would use the following command. The ufw firewall maintains its iptables files in /etc/ufw. You can also use the Gufw tool (desktop) to add access on the Preconfigured tab for the FTP port, port 21.

sudo ufw allow 21/tcp

If you are managing your iptables firewall directly, you could manage access by adding the following iptables rule. This accepts incoming TCP packets on port 21.

iptables -A INPUT -p tcp --dport 21 -j ACCEPT

Configuring vsftpd

You configure vsftpd using one configuration file, /etc/vsftpd.conf. Configuration options are simple and kept to a minimum. The vsftpd.conf file contains a set of directives where an option is assigned a value (there are no spaces around the = sign). Options can be on and off flags assigned a YES or NO value, features that take a numeric value, or ones that are assigned a string (see Table 7-3 ). A default vsftpd.conf file is installed in the /etc directory. This file lists some of the commonly used options available with detailed explanations for each. Those that are not used are commented out with a preceding # character. Option names are very understandable. For example, anon_upload_enable allows anonymous users to upload files; whereas anon_mkdir_write_enable lets anonymous users create directories. The Man page for vsftpd.conf lists all options, providing a detailed explanation for each.

The vsftpd server runs as the nobody user for unprivileged tasks. The nobody user is shared by various services, so you can change this to a user dedicated to the FTP server, something like ftpsecure. Set the user name in the nopriv_user option.

nopriv_user=ftpsecure

Enabling Standalone Access

To run vsftpd as a standalone server, set the listen option to YES. This instructs vsftpd to continually listen on its assigned port for requests. You can specify the port it listens on with the listen_port option.

listen=YES

To listen on an IPv6 socket you remove the comment for the listen_ipv6 option.

#listen_ipv6=YES

Enabling Login Access

In the following example taken from the vsftpd.conf file, anonymous FTP is enabled by assigning the YES value to the anonymous_enable option. Be aware that if you disable this option by commenting it out, the default is to enable anonymous FTP. The local_enable option allows local users on your system to use the FTP server.

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES

Should you want to let anonymous users log in without providing a password, you can set no_anon_password to YES.

Local User Permissions

A variety of user permissions control how local users can access files on the server. If you want to allow local users to create, rename, and delete files and directories on their account, you have to enable write access with the write_enable option. This way, any files they upload, they can also delete. Literally, the write_enable option activates a range of commands for changing the file system, including creating, renaming, and deleting both files and directories. With user_config_dir you can configure specific users.

write_enable=YES

You can further specify the permissions for uploaded files using the local_umask option (022 is the recommended default set in vsftpd.conf; it turns off the write permission for group and other users, giving the owner read, write, and execute and everyone else read and execute, a 755 permission setting).

local_umask=022

Option                      Description
listen                      Set standalone mode
listen_port                 Specify port for standalone mode
anonymous_enable            Enable anonymous user access
local_enable                Enable access by local users
write_enable                Enable write access by local users (modify and create files)
no_anon_password            Specify whether anonymous users must submit a password
anon_upload_enable          Enable uploading by anonymous users
anon_mkdir_write_enable     Allow anonymous users to create directories
anon_world_readable_only    Make uploaded files read-only to all users
idle_session_timeout        Set time limit in seconds for idle sessions
data_connection_timeout     Set time limit in seconds for failed connections
dirmessage_enable           Display directory messages
ftpd_banner                 Display FTP login message
xferlog_enable              Enable logging of transfer transactions
xferlog_file                Specify log file
deny_email_enable           Enable denying anonymous users whose e-mail addresses are specified in vsftpd.banned_emails
userlist_enable             Deny access to users specified in the vsftpd.user_list file
userlist_file               Deny or allow users access depending on the setting of userlist_deny
userlist_deny               When set to YES (the default), users listed in userlist_file are denied access
chroot_list_enable          Restrict users to their home directories
chroot_list_file            Allow users access to home directories. Unless chroot_local_user is set to YES, this file contains a list of users not allowed access to their home directories
chroot_local_user           Allow access by all users to their home directories
pam_service_name            Specify PAM script
ls_recurse_enable           Enable recursive listing
user_config_dir             Directory for user-specific configuration

Table 7-3: Configuration Options for vsftpd.conf

Because ASCII uploads entail certain security risks, they are turned off by default. However, if you are uploading large text files, you may want to enable them in special cases. Use ascii_upload_enable to allow ASCII uploads.

Anonymous User Permissions

You can also allow anonymous users to upload and delete files, as well as create or remove directories. Uploading by anonymous users is enabled with the anon_upload_enable option. To let anonymous users also rename or delete their files, you set the anon_other_write_enable option. To let them create directories, you set the anon_mkdir_write_enable option.

anon_upload_enable=YES
anon_other_write_enable=YES
anon_mkdir_write_enable=YES

The anon_world_readable_only option will make uploaded files read-only (downloadable), restricting write access to the user that created them. Only the user who uploaded a file can delete it.

All uploaded files are owned by the anonymous FTP user. You can have the files owned by another user, adding greater possible security. In effect, the actual user owning the uploaded files becomes hidden from anonymous users. To enable this option, use chown_uploads and specify the new user with chown_username. Never make the user an administrative user like root.

chown_uploads=YES
chown_username=myftp

The upload directory itself must be writable by other users.

sudo chmod 777 /srv/ftp/upload

You can control the kind of access that users have to files with the anon_umask option, setting default read/write permissions for uploaded files. The default is 077, which gives read/write/execute permission to the owner only (700). To allow all users read access, you set the umask to 022, where the 2 turns off write permission but keeps read and execute permission (755). The value 000 allows read, write, and execute for all users.
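Both local_umask and anon_umask are described above in terms of a single resulting mode, but a umask yields different modes for files and for directories: vsftpd creates uploaded files with file_open_mode (default 0666) and new directories with 0777 before the umask clears bits, so 022 gives 644 files and 755 directories. The following added shell example, not from the book or the vsftpd project, works that out for any umask value and flags the world-writable case; the function names are our own.

```shell
#!/bin/sh
# Added example (not from the book): the permissions a vsftpd local_umask or
# anon_umask value actually produces. Files start from file_open_mode
# (vsftpd default 0666), directories from 0777; the umask clears bits.
# Function names are our own.

# Apply umask $2 to base mode $1 (both octal) and print the result in octal.
mode_after_umask() {
    printf '%03o\n' $(( 0$1 & (0777 ^ 0$2) ))
}

# Print "file=NNN dir=NNN" for a local_umask or anon_umask value.
perms_from_umask() {
    printf 'file=%s dir=%s\n' \
        "$(mode_after_umask 666 "$1")" "$(mode_after_umask 777 "$1")"
}

# Return 0 when the umask would leave uploads writable by everyone (the
# chapter's 000 case), which is rarely what an upload directory wants.
umask_leaves_world_writable() {
    [ $(( 0$1 & 002 )) -eq 0 ]
}

# Stand-alone demonstration over the values the chapter discusses plus 027.
for u in 022 077 027 000; do
    printf 'umask %s -> %s' "$u" "$(perms_from_umask "$u")"
    umask_leaves_world_writable "$u" && printf '  (world-writable)'
    echo
done
```

The 755 quoted in the chapter for umask 022 is the directory case; a file uploaded under the same umask is 644, which is what you want for a download area (readable by all, writable only by the owner).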

Messages

The dirmessage_enable option allows a message held in a directory's .message file to be displayed whenever a user accesses that directory. The ftpd_banner option lets you set up your own FTP login message. The default is shown here:

ftpd_banner=Welcome to blah FTP service.

Logging

A set of xferlog options control logging. You can enable logging, as well as specify the format and the location of the file.

xferlog_enable=YES

Use xferlog_file option to specify the log file you want to use. The default is shown here:

xferlog_file=/var/log/vsftpd.log

You can choose to save entries in the standard ftpd xferlog format.

xferlog_std_format=YES

Connection Time Limits

To efficiently control the workload on a server, you can set time limits on idle users and failed transmissions. The idle_session_timeout option will cut off idle users after a specified time, and data_connection_timeout will cut off failed data connections. The defaults are shown here:

idle_session_timeout=600
data_connection_timeout=120

vsftpd Access Controls

Certain options control access to the FTP site. As previously noted, the anonymous_enable option allows anonymous users access, and local_enable permits local users to log in to their accounts. Files set up to control access will have a vsftpd. prefix, like vsftpd.banned_emails for email addresses of banned anonymous users.

Denying Access

The deny_email_enable option lets you deny access by anonymous users, and the banned_email_file option designates the file (usually vsftpd.banned_emails) that holds the e-mail addresses of those users. The /etc/ftpusers file lists those users that are never allowed access. These are usually system users like root, mail, and nobody.

User Access

The userlist_enable option controls access by users, denying access to those listed in the file designated by the userlist_file option (usually vsftpd.user_list). If, instead, you want to restrict access to just certain select users, you can change the meaning and usage of the vsftpd.user_list file to indicate only those users allowed access, instead of those denied access. To do this, you set the userlist_deny option to NO (its default is YES). Only users listed in the vsftpd.user_list file will then be granted access to the FTP site.

User Restrictions

The chroot_list_enable option controls access by local users, letting them access only their home directories, while restricting system access. The chroot_list_file option designates the file (usually vsftpd.chroot_list) that lists those users allowed access. You can allow access by all local users with the chroot_local_user option.

chroot_local_user=YES

If this option is set, then the file designated by chroot_list_file has an inverse meaning, listing those users not allowed access. In the following example, access by local users is limited to those listed in vsftpd.chroot_list:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

On Ubuntu the secure_chroot_dir option specifies a secure, empty, non-writable directory, owned by no ordinary user, that vsftpd chroots into whenever a session does not require file system access.

secure_chroot_dir=/var/run/vsftpd/empty
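The access-control options in this and the previous sections interact (anonymous_enable defaults to YES when unset, local users see the whole file system unless chroot_local_user is set, uploads default to root ownership if chown_uploads is on without chown_username, and so on), so here is an added shell example, not from the book or the vsftpd project, that audits a vsftpd.conf for the settings the chapter warns about. The function names (conf_get, audit_vsftpd_conf, audit_count), the wording of the findings and the two sample configurations are our own; the option names and the defaults they are checked against are vsftpd's.

```shell
#!/bin/sh
# Added example (not from the book): audit a vsftpd.conf for the risky settings
# this chapter discusses. Checks and messages are our own; defaults assumed
# are vsftpd's (anonymous_enable=YES, chown_username=root, nopriv_user=nobody).

# Effective value of directive $2 in file $1: the last uncommented "key=value"
# line wins, as in vsftpd; default $3 is used when the key is absent.
conf_get() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Print one finding per line on stdout.
audit_vsftpd_conf() {
    f=$1
    if ! grep -q '^[[:space:]]*anonymous_enable=' "$f"; then
        echo "anonymous_enable is unset: anonymous login is on by default"
    fi
    if [ "$(conf_get "$f" anonymous_enable YES)" = YES ]; then
        for k in anon_upload_enable anon_other_write_enable anon_mkdir_write_enable; do
            if [ "$(conf_get "$f" "$k" NO)" = YES ]; then
                echo "$k=YES: anonymous users can change the file system"
            fi
        done
        if [ "$(conf_get "$f" no_anon_password NO)" = YES ]; then
            echo "no_anon_password=YES: anonymous logins skip the password prompt"
        fi
    fi
    if [ "$(conf_get "$f" chown_uploads NO)" = YES ] &&
       [ "$(conf_get "$f" chown_username root)" = root ]; then
        echo "chown_uploads=YES with chown_username=root: uploads would belong to root"
    fi
    if [ "$(conf_get "$f" local_enable NO)" = YES ] &&
       [ "$(conf_get "$f" chroot_local_user NO)" != YES ]; then
        echo "local_enable=YES without chroot_local_user=YES: local users see the whole file system"
    fi
    if [ "$(conf_get "$f" nopriv_user nobody)" = nobody ]; then
        echo "nopriv_user is nobody: use a dedicated account such as ftpsecure"
    fi
}

# Number of findings as a plain count.
audit_count() {
    audit_vsftpd_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample configurations (not copied from any host): the first is
# what the chapter's snippets produce when pasted without thought, the second
# applies its recommendations.
weak_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
listen=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
chown_uploads=YES
EOF
good_conf=$(mktemp)
cat > "$good_conf" <<'EOF'
listen=YES
anonymous_enable=YES
anon_upload_enable=NO
local_enable=YES
chroot_local_user=YES
nopriv_user=ftpsecure
EOF
echo "weak: $(audit_count "$weak_conf") finding(s)"
audit_vsftpd_conf "$weak_conf"
echo "hardened: $(audit_count "$good_conf") finding(s)"
rm -f "$weak_conf" "$good_conf"
```

Run audit_vsftpd_conf /etc/vsftpd.conf (and each /etc/vsftpd-*.conf on a virtual-host server) after editing and before restarting the service; the weak sample above yields six findings, the hardened one none.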

User Authentication and SSL Encryption

The vsftpd server makes use of the PAM service to authenticate local users that are remotely accessing their accounts through FTP. In the vsftpd.conf file, the PAM script used for the server is specified with the pam_service_name option.

pam_service_name=vsftpd

In the /etc/pam.d directory, you will find a PAM file named vsftpd with entries for controlling access to the vsftpd server. PAM is currently set up to authenticate users with valid accounts, as well as to deny access to users in the /etc/ftpusers file. The default /etc/pam.d/vsftpd file is shown here:

# Standard behavior for ftpd(8)
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
# Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so.
# Standard pam includes
@include common-account
@include common-session
@include common-auth
auth required pam_shells.so

The rsa_cert_file option specifies the location of the RSA certificate file, and the rsa_private_key_file option specifies the SSL encryption key to use for SSL connections.

rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Command Access

Command usage is highly restricted by vsftpd. Most options for the ls command that lists files are not allowed. Only the asterisk file-matching operation is supported. To enable recursive listing of files in subdirectories, you have to enable the use of the -R option by setting the ls_recurse_enable option to YES. Some clients will assume that the recursive option is enabled.

vsftpd Virtual Hosts

Though the capability is not inherently built in to vsftpd, you can configure and set up the vsftpd server to support virtual hosts. Virtual hosting is where a single FTP server operates as if it has two or more IP addresses. Several IP addresses can then be used to access the same server. The server will then use a separate FTP user directory and files for each host. With vsftpd, this involves manually creating separate FTP users and directories for each virtual host, along with separate vsftpd configuration files for each virtual host in the /etc directory. Whichever method you use, you will have to create an FTP user and directory for each host.

Virtual Hosts on a standalone server

On Ubuntu, vsftpd is configured to run as a standalone service. Adding virtual hosts is a simple matter of creating a separate vsftpd configuration file for each virtual host, and then running an instance of vsftpd for each, using a different configuration file. The configuration files are placed in the /etc directory and can have the prefix vsftpd-, as in /etc/vsftpd-mysite1.conf. In the configuration file, use the listen_address option to specify which IP address that virtual host will use.

listen_address=192.168.0.5

When you run vsftpd, specify the configuration file to use.

sudo /usr/sbin/vsftpd /etc/vsftpd-mysite1.conf

See the /usr/share/doc/vsftpd/examples/INTERNET_SITE_NOINETD directory for more information.

You will, of course, have to set up a user and a directory for each virtual host. For example, for the first virtual host you could use mysite1 and use the directory /srv/mysite1. Be sure to set root ownership and the appropriate permissions.

sudo useradd -d /srv/mysite1 mysite1
sudo chown root.root /srv/mysite1
sudo chmod a+rx /srv/mysite1
umask 022
sudo mkdir /srv/mysite1/pub

Virtual Hosts with xinetd

Currently, vsftpd as installed on Ubuntu supports the older xinetd. You will first have to install the xinetd package. If you wish to run vsftpd as an xinetd service, you have to create a separate xinetd service script for each host in the /etc/xinetd.d directory. In effect, you have several vsftpd services running in parallel, one for each virtual host. Check the following file in /usr/share/doc/vsftpd for information on how to set up virtual hosts with xinetd.

/usr/share/doc/vsftpd/examples/VIRTUAL_HOSTS/README

Create an FTP user for each host. Create directories for each host (you can use the one already set up for one of the users). For example, for the first virtual host, you could use FTP-host1. Be sure to set root ownership and the appropriate permissions.

sudo useradd -d /srv/ftp-host1 FTP-host1
sudo chown root.root /srv/ftp-host1
sudo chmod a+rx /srv/ftp-host1
umask 022
sudo mkdir /srv/ftp-host1/pub

Set up corresponding vsftpd service scripts in the /etc/xinetd.d directory. The vsftpd directory in /usr/share/doc/vsftpd/examples/INTERNET_SITE has an xinetd example script, vsftpd.xinetd. You can copy it to the /etc/xinetd.d directory and give it a name for the virtual host, like vsftpd-host1. Make a copy for each virtual host. Within each, add a bind entry to specify the IP address the virtual host will respond to.

bind 192.168.0.34

Within the same scripts, add a server_args entry specifying the name of the configuration file to use.

server_args = vsftpd-host1.conf

Within the /etc directory, create separate configuration files for each virtual host, using the same name specified in server_args, like vsftpd-host1.conf. Within each, specify the FTP user you created for each, using the ftp_username entry.

ftp_username = FTP-host1

Once you have finished your configuration, restart xinetd to restart the vsftpd server.

sudo service xinetd restart

vsftpd Virtual Hosts with systemd

As currently installed, vsftpd does not support virtual hosts using systemd directly. But you can set up the appropriate service and target files to have systemd run vsftpd virtual hosts. The vsftpd@.service systemd template file reads the configuration files listed in the /etc/vsftpd directory. The vsftpd@.service file is shown here.

vsftpd@.service

[Unit]
Description=Vsftpd ftp daemon
After=network.target
PartOf=vsftpd.target

[Service]
Type=forking
ExecStart=/usr/sbin/vsftpd /etc/vsftpd/%i.conf

[Install]
WantedBy=vsftpd.target

The following example uses two IP addresses for an FTP server. Create an FTP user for each host. Create directories for each host (you can use the one already set up for one of the users). For example, for the first virtual host you could use FTP-host1. Be sure to set root ownership and the appropriate permissions.

useradd -d /var/ftp-host1 FTP-host1
chown root.root /var/ftp-host1
chmod a+rx /var/ftp-host1
umask 022
mkdir /var/ftp-host1/pub

Within the /etc/vsftpd directory, create separate configuration files for each virtual host. Within each, specify the FTP user you created for each, using the ftp_username entry.

ftp_username = FTP-host1

The vsftpd@.service file needs a corresponding target file, vsftpd.target, which provides group configuration of all the vsftpd servers you start with the vsftpd@.service file. The vsftpd.target file starts the servers after the network.target file (network service files) and it is wanted by multi-user.target.

vsftpd.target

[Unit]
Description=FTP daemon
After=network.target

[Install]
WantedBy=multi-user.target
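With the template unit above, each virtual host is just a file /etc/vsftpd/<name>.conf started as vsftpd@<name>.service, and the one mistake that is easy to make is two hosts binding the same address and port. The following added shell example, not from the book or the vsftpd project, writes such per-host files and refuses to create one whose listen_address:listen_port is already taken by another file in the directory. The function names, the choice of directives written into each file and the treatment of a missing listen_address as "all addresses" are our own simplifications; the directives themselves (listen, listen_address, listen_port, ftp_username, anonymous_enable, local_enable) are the ones the chapter covers, and enabling the instance with systemctl enable --now vsftpd@name.service is standard systemd template usage, not shown in the chapter.

```shell
#!/bin/sh
# Added example (not from the book): generate /etc/vsftpd/<name>.conf files for
# the vsftpd@.service template and reject duplicate listen sockets.
# Function names and file layout are our own.

# Address:port a configuration file would listen on. A missing listen_address
# is shown as 0.0.0.0 (all addresses); listen_port defaults to 21.
vhost_socket() {
    addr=$(sed -n 's/^[[:space:]]*listen_address=//p' "$1" | tail -n 1)
    port=$(sed -n 's/^[[:space:]]*listen_port=//p' "$1" | tail -n 1)
    printf '%s:%s\n' "${addr:-0.0.0.0}" "${port:-21}"
}

# Write $confdir/$name.conf for one virtual host. Arguments:
#   confdir name listen_address ftp_username [listen_port]
# Returns 1 without writing when another file in confdir uses the same socket.
make_vhost_conf() {
    confdir=$1; name=$2; addr=$3; user=$4; port=${5:-21}
    for other in "$confdir"/*.conf; do
        [ -f "$other" ] || continue
        if [ "$(vhost_socket "$other")" = "$addr:$port" ]; then
            echo "$name: $addr:$port already used by $(basename "$other")" >&2
            return 1
        fi
    done
    cat > "$confdir/$name.conf" <<EOF
# vsftpd virtual host $name, started as vsftpd@$name.service
listen=YES
listen_address=$addr
listen_port=$port
ftp_username=$user
anonymous_enable=YES
local_enable=NO
EOF
}

# Stand-alone demonstration in a constructed temporary directory standing in
# for /etc/vsftpd; addresses are the chapter's private-range examples.
demo=$(mktemp -d)
make_vhost_conf "$demo" mysite1 192.168.0.5 mysite1 && echo "wrote $demo/mysite1.conf"
make_vhost_conf "$demo" mysite2 192.168.0.6 mysite2 && echo "wrote $demo/mysite2.conf"
make_vhost_conf "$demo" dup 192.168.0.5 dup || echo "dup refused as expected"
# On the real host, after writing to /etc/vsftpd (assumed standard systemd usage):
#   sudo systemctl enable --now vsftpd@mysite1.service
rm -rf "$demo"
```

Each generated file still needs the matching FTP user and root-owned directory from the steps above; the generator only guards the part of the setup that systemd will not check for you until the second instance fails to bind.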

vsftpd Virtual Users

Virtual users can be implemented by making use of PAM to authenticate authorized users. In effect, you are allowing access to certain users, while not having to actually set up accounts for them on the FTP server system. First, create a PAM login database file to use along with a PAM file in the /etc/pam.d directory that will access the database (for sample files and documentation check /usr/share/doc/vsftpd/examples/VIRTUAL_USERS). Then create a virtual FTP user along with corresponding directories that the virtual users will access. In the vsftpd.conf file, you disable anonymous FTP:

anonymous_enable=NO
local_enable=YES

Then enable guest access:

guest_enable=YES
guest_username=virtual

For more refined user control, you can set up a user configuration directory with files for different permissions for each user. Set the user_config_dir option in the /etc/vsftpd.conf file to the directory that will hold user configuration files. For example:

user_config_dir=/etc/vsftpd_user_conf

Be sure to create that directory.

sudo mkdir /etc/vsftpd_user_conf

In that directory create one file per user, named exactly as the login name, containing the vsftpd options that override the main configuration for that user, such as local_root to give each virtual user a directory of its own or write_enable to permit uploads for some users only. Not every option takes effect per user; settings that apply before the session starts, such as listen_address, max_clients or max_per_ip, are ignored there. See /usr/share/doc/vsftpd/examples/VIRTUAL_USERS_2 for more information.
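The per-host files for vsftpd@.service and the virtual-user settings above fail in the same way when mistyped: vsftpd refuses to start and reports the first bad line. The following script is an added example, not code from the book or from vsftpd; it reproduces vsftpd's line syntax rules for an assumed subset of its options and adds the consistency checks the two setups depend on. The sample files at the bottom are constructed, and 192.0.2.10 is a placeholder address.

```python
"""Check vsftpd configuration files the way vsftpd's own parser will.

Added example for this section; it is not part of the book or of vsftpd.
vsftpd reads each line as option=value with no whitespace around the '=',
accepts only YES/NO style values for boolean options and rejects any option
name it does not know with a "500 OOPS: unrecognised variable" error at
startup. The option tables below are an assumed subset of the real ones,
enough for the per-host and virtual-user files in this chapter; extend them
before using this on a production vsftpd.conf.
"""

BOOL_OPTIONS = {"anonymous_enable", "local_enable", "guest_enable", "listen",
                "listen_ipv6", "chroot_local_user", "write_enable",
                "anon_upload_enable", "anon_world_readable_only"}
STRING_OPTIONS = {"ftp_username", "guest_username", "listen_address",
                  "pam_service_name", "user_config_dir", "anon_root", "local_root"}
NUMERIC_OPTIONS = {"listen_port", "max_clients", "max_per_ip"}
TRUE_VALUES, FALSE_VALUES = {"YES", "TRUE", "1"}, {"NO", "FALSE", "0"}


def parse_vsftpd_conf(text):
    """Return (settings, problems): settings maps option -> normalised value
    for every line vsftpd would accept; problems lists (line_number, message)
    for the lines it would reject at startup."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip()            # vsftpd skips leading whitespace only
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            problems.append((lineno, "missing '=': " + line.rstrip()))
            continue
        name, value = line.split("=", 1)
        if name != name.strip() or value != value.strip():
            # 'ftp_username = host1' gives the name 'ftp_username ' and the
            # value ' host1'; vsftpd then reports an unrecognised variable.
            problems.append((lineno, "whitespace around '=': " + line.rstrip()))
        elif name in BOOL_OPTIONS:
            if value.upper() in TRUE_VALUES:      # vsftpd upper-cases booleans
                settings[name] = "YES"
            elif value.upper() in FALSE_VALUES:
                settings[name] = "NO"
            else:
                problems.append((lineno, f"bad bool value for {name}: {value!r}"))
        elif name in NUMERIC_OPTIONS:
            if value.isdigit():
                settings[name] = value
            else:
                problems.append((lineno, f"bad numeric value for {name}: {value!r}"))
        elif name in STRING_OPTIONS:
            settings[name] = value
        else:
            problems.append((lineno, f"unrecognised variable: {name}"))
    return settings, problems


def check_virtual_host(settings):
    """Consistency checks for a per-IP instance file used with vsftpd@.service."""
    notes = []
    if settings.get("listen") != "YES":
        notes.append("listen=YES is needed for a standalone instance")
    if "listen_address" not in settings:
        notes.append("listen_address missing: a second instance on the same port "
                     "cannot bind while this one listens on every address")
    if "ftp_username" not in settings:
        notes.append("ftp_username missing: anonymous logins would use the ftp account")
    return notes


def check_virtual_users(settings):
    """Consistency checks for the virtual-user settings; absent options take
    vsftpd's compiled-in defaults (anonymous_enable=YES, local_enable=NO,
    guest_enable=NO, guest_username=ftp, chroot_local_user=NO)."""
    notes = []
    if settings.get("anonymous_enable", "YES") != "NO":
        notes.append("anonymous_enable should be NO on a virtual-user server")
    if settings.get("local_enable", "NO") != "YES":
        notes.append("local_enable=YES is required: virtual users use the local-login path")
    if settings.get("guest_enable", "NO") != "YES":
        notes.append("guest_enable=YES missing: logins would need real system accounts")
        return notes
    if "guest_username" not in settings:
        notes.append("guest_username not set: guests would be mapped to the ftp account")
    if settings.get("chroot_local_user", "NO") != "YES":
        notes.append("chroot_local_user=YES recommended so guests cannot leave their directory")
    return notes


# Constructed samples: a per-host file with the spaces around '=' that vsftpd
# rejects, its corrected form, and a virtual-user configuration.
BAD_HOST_CONF = "listen=YES\nlisten_address=192.0.2.10\nftp_username = FTP-host1\n"
GOOD_HOST_CONF = BAD_HOST_CONF.replace("ftp_username = FTP-host1", "ftp_username=FTP-host1")
VIRTUAL_USER_CONF = """\
anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=virtual
pam_service_name=vsftpd.virtual
user_config_dir=/etc/vsftpd_user_conf
chroot_local_user=YES
"""

if __name__ == "__main__":
    for label, text, check in (("bad host", BAD_HOST_CONF, check_virtual_host),
                               ("good host", GOOD_HOST_CONF, check_virtual_host),
                               ("virtual users", VIRTUAL_USER_CONF, check_virtual_users)):
        settings, problems = parse_vsftpd_conf(text)
        print(label, "->", problems or check(settings) or "ok")
```

Run parse_vsftpd_conf on a file's contents and then the check that matches the file's role; an empty problems list and an empty notes list mean vsftpd will accept the file and the setup is complete. vsftpd itself stops at the first bad line, so the parser deliberately keeps going and lists them all.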

Using FTP with rsync

Many FTP sites also run rsync as a daemon alongside the FTP server. rsync transfers only the parts of files that have changed, so it allows intelligent incremental updates from the site, whether of a whole directory or of a single file such as a large ISO image.

Accessing FTP Sites with rsync

To access an FTP server that runs an rsync daemon, enter the rsync command with the host name followed by a double colon and the name of one of the server's rsync modules, optionally followed by a path inside that module. Unlike an FTP path, the part after the double colon is not an absolute path on the server; it must begin with a module name. In the following example, the user updates a local myproject directory from the pub/myproject directory inside the ftp module on the mytrek.com site. The -a option is needed to copy directories (without it rsync skips them), and the trailing slash on the source copies the directory's contents rather than the directory itself:

rsync -a ftp.mytrek.com::ftp/pub/myproject/ /home/myproject/

To find out which directories a site exports over rsync, ask it for its modules. These are defined in the site's /etc/rsyncd.conf configuration file; a module is an exported directory with all its subdirectories. To list the available modules, enter the host name followed by a double colon only (no privileges are needed for this):

rsync ftp.mytrek.com::
ftp

This tells you that the ftp.mytrek.com site has one module, named ftp. To list the files and directories in the module, give rsync the module as its only argument; with no destination it lists rather than copies, and the -r option makes the listing recursive.

rsync -r ftp.mytrek.com::ftp

Many sites publish their rsync modules as rsync:// URLs, which are equivalent to the double-colon form: rsync://ftp.mytrek.com/ftp names the same ftp module as ftp.mytrek.com::ftp. You can also use rsync to update just a single file, such as an ISO image that has changed, by naming it inside the module.

Configuring an rsync Server

To let clients use rsync against your FTP site, you first need to run rsync as a daemon. On Ubuntu the init script reads /etc/default/rsync; set the RSYNC_ENABLE entry there to true.

RSYNC_ENABLE=true

If you make any configuration changes, be sure to restart the rsync server with the service command.

sudo service rsync restart

When run as a daemon, rsync will read the /etc/rsyncd.conf file for its configuration options. Here you can specify FTP options such as the location for the FTP site files. There is no default configuration file set up for you in the /etc directory. You will have to create one. You could copy a default version from the /usr/share/doc/rsync/examples directory.

sudo cp /usr/share/doc/rsync/examples/rsyncd.conf /etc

The configuration file is segmented into modules, each with its own options. A module is a symbolic name for an exported tree (a directory and its subdirectories). The module name is enclosed in brackets, for instance [ftp] for an FTP module. Beneath it you enter the options for that module, such as the path option specifying the location of your FTP site's directories and files (/srv/ftp is the default for the vsftpd server on Ubuntu). The user and group the daemon serves the module as can be set with the uid and gid options; the default is nobody, and it should stay an unprivileged account. A sample FTP module heading with the vsftpd path setting is shown here:

[ftp]
comment = public archive
path = /srv/ftp

The sample version of rsyncd.conf will have an ftp module set up for you with default values assigned. Many less common options will be commented out with a # character.

For more restricted access, add an auth users option listing the users allowed to use the module; without it any client that can reach the daemon may use the module anonymously. The hosts allow and hosts deny options limit access to specific hosts or networks, and modules are read only unless you set read only = no. Access to areas of the FTP site can be further controlled with a secrets file, such as /etc/rsyncd.secrets, which holds one user:password pair per line. The passwords are stored in clear text, so the file must be owned by the user the daemon runs as (normally root) and be readable by no one else (mode 600); with the default strict modes setting, rsync refuses to use a secrets file that other users can read. Note also that the rsync daemon protocol (TCP port 873) authenticates with a challenge-response, so the password itself is not sent in the clear, but the transferred data is unencrypted; use rsync over ssh instead when that matters.

aleina:mypass3
larisa:yourp5

A corresponding module for the controlled area would look like this:

[specialftp]
comment = special projects
path = /var/projects/special
auth users = aleina,larisa
secrets file = /etc/rsyncd.secrets

If you are on your FTP server and want to see what modules will be made available, you can run rsync with the localhost option and nothing following the double colon.

$ rsync localhost::
ftp public archive
specialftp special projects

Remote users can find out what modules you have by entering your hostname and double colon only.

rsync ftp.mytrek.com::
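Before starting the daemon it is worth checking the module definitions for exactly the mistakes described above. The following script is an added example, not part of the book or of rsync: it parses rsyncd.conf modules like the two shown, applies the daemon's own defaults (read only = yes, strict modes = yes, module settings overriding global ones) and reports what to fix. The sample configuration and the secrets file are constructed by demo() in a temporary directory; the read only = no line is added to the sample to show an authenticated writable module.

```python
"""Audit rsyncd.conf modules before starting the rsync daemon.

Added example for this section; it is not part of the book or of rsync.
It parses [module] sections like the ones above and reports what to fix
before exposing a module: writable modules with no 'auth users', 'auth users'
with no 'secrets file', users named in 'auth users' but missing from the
secrets file, modules with no 'hosts allow', and a secrets file with group or
other permission bits set (rsync's default 'strict modes = yes' refuses one
that other users can read).
"""
import os
import stat
import tempfile

TRUE_VALUES = {"yes", "true", "1"}


def parse_rsyncd_conf(text):
    """Return (global_params, {module_name: params}); keys are lower-cased."""
    global_params, modules = {}, {}
    current = global_params
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":         # rsyncd.conf comment styles
            continue
        if line[0] == "[" and line[-1] == "]":
            current = modules.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            raise ValueError("unparseable line: " + raw)
        key, value = (part.strip() for part in line.split("=", 1))
        current[key.lower()] = value
    return global_params, modules


def read_secrets(path):
    """User names in a secrets file: user:password lines; '#' comments and
    @group lines are skipped."""
    users = set()
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if line and line[0] not in "#@":
                users.add(line.split(":", 1)[0])
    return users


def audit(text):
    """Return 'module: finding' strings for the configuration text."""
    global_params, modules = parse_rsyncd_conf(text)
    findings = []
    for name, params in modules.items():
        def setting(key, default=None):         # module setting overrides global
            return params.get(key, global_params.get(key, default))

        auth_users = setting("auth users")
        read_only = setting("read only", "yes").lower() in TRUE_VALUES
        strict = setting("strict modes", "yes").lower() in TRUE_VALUES
        if not auth_users and not read_only:
            findings.append(f"{name}: writable module with no 'auth users' (anonymous writes)")
        if not setting("hosts allow"):
            findings.append(f"{name}: no 'hosts allow', reachable from any address")
        if not auth_users:
            continue
        # comma or space separated; rsync 3.1+ also allows user:ro and user:rw
        wanted = {u.split(":", 1)[0] for u in auth_users.replace(",", " ").split()}
        secrets = setting("secrets file")
        if not secrets:
            findings.append(f"{name}: 'auth users' set but no 'secrets file'; no login can succeed")
            continue
        if not os.path.exists(secrets):
            findings.append(f"{name}: secrets file {secrets} does not exist")
            continue
        mode = stat.S_IMODE(os.stat(secrets).st_mode)
        if strict and mode & 0o077:
            findings.append(f"{name}: {secrets} is mode {mode:04o}, should be 600 "
                            "(rsync refuses it if other users can read it)")
        missing = wanted - read_secrets(secrets)
        if missing:
            findings.append(f"{name}: auth users with no secrets entry: "
                            + ", ".join(sorted(missing)))
    return findings


# Constructed sample built from the modules in this section; {secrets} is
# filled in by demo() with a file in a temporary directory.
SAMPLE_CONF = """\
uid = nobody

[ftp]
comment = public archive
path = /srv/ftp

[specialftp]
comment = special projects
path = /var/projects/special
read only = no
auth users = aleina,larisa
secrets file = {secrets}
"""


def demo():
    """Audit the sample twice: first with a world-readable, incomplete secrets
    file, then after chmod 600 and adding the missing user."""
    with tempfile.TemporaryDirectory() as tmp:
        secrets = os.path.join(tmp, "rsyncd.secrets")
        with open(secrets, "w") as fh:
            fh.write("aleina:mypass3\n")            # larisa left out on purpose
        os.chmod(secrets, 0o644)                    # the common mistake
        before = audit(SAMPLE_CONF.format(secrets=secrets))
        os.chmod(secrets, 0o600)
        with open(secrets, "a") as fh:
            fh.write("larisa:yourp5\n")
        after = audit(SAMPLE_CONF.format(secrets=secrets))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

After the fixes the only remaining findings are the missing hosts allow entries, which is the reminder that an rsync module with no host restriction is reachable by anyone who can connect to port 873; add hosts allow lines for the networks that should see each module, or block the port at the firewall for everyone else.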

rsync Mirroring

Some sites will allow you to use rsync to perform mirroring operations. With rsync you do not have to copy the entire site, just those files that have been changed. The following example mirrors the mytrek FTP site to the /srv/ftp/mirror/mytrek directory on a local system:

rsync -a --delete ftp.mytrek.com::ftp /srv/ftp/mirror/mytrek

The -a option is archive mode, shorthand for -rlptgoD: -r (recursive) includes all subdirectories, -l recreates symbolic links, -p preserves permissions, -t preserves modification times, -g and -o preserve group and owner (owner only when running as root), and -D preserves device and special files. The --delete option removes files on the receiving side that no longer exist on the sending side, clearing out obsolete files. Because --delete acts on the local copy, a typo in the destination path or a damaged module on the remote side deletes local files; run the command with -n (--dry-run) first to see what would be removed, and give the mirror a directory of its own rather than pointing --delete at one that holds anything else.

ProFTPD

ProFTPD is based on the same design as the Apache web server, implementing a similar configuration structure and supporting such flexible features as virtual hosting. ProFTPD is an open source project made available under the GPL. At proftpd.org you can find detailed documentation including FAQs, user manuals, and sample configurations. Check the site for new releases and updates. ProFTPD is available in the Universe repository as proftpd-basic and proftpd-doc, with additional authentication modules for mysql, ldap, odbc, sqlite, and pgsql.

You cannot have both vsftpd and ProFTPD installed at the same time. If you install ProFTPD, then vsftpd will be removed.

When you install ProFTPD you are prompted to choose to install it as a standalone or inetd server. Configuration files are located in the /etc/proftpd directory. The primary configuration file is /etc/proftpd/proftpd.conf. Virtual servers are configured in the virtual.conf file. Modules have their own configuration files such as sql.conf and ldap.conf. You can choose what modules to load in the modules.conf file.