vsftpd (Very Secure File Transfer Protocol Daemon) is an open-source FTP server that is designed to be secure, fast, and stable. It is written in C and supports various features, such as virtual hosts, bandwidth throttling, and access control. vsftpd is available for Linux and Unix-like operating systems, and it is widely used as a reliable and secure FTP server.
To install and configure vsftpd FTP server on Debian 11, follow these steps:
- Start by updating the package repository and installing vsftpd from the default Debian package repository:
sudo apt update
sudo apt install vsftpd
- After the installation is complete, open the vsftpd configuration file using your favorite text editor:
sudo vi /etc/vsftpd.conf
- In the configuration file, uncomment the following line and set its value to YES to enable vsftpd’s built-in TLS support:
ssl_enable=YES
- Also, uncomment the following lines and set their values as follows to specify the locations of the TLS certificate and private key files:
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
By default, vsftpd uses the self-signed TLS certificate and private key provided by the ssl-cert package. You can use these default files for testing purposes, but it is recommended to generate your own certificate and private key for production environments.
- Save the configuration file and close the editor. Then, restart the vsftpd service to apply the changes:
sudo systemctl restart vsftpd
- To verify that vsftpd is running and listening on the FTP port (21), run the following command:
sudo ss -tulpn | grep ftp
You should see an output similar to this, indicating that vsftpd is listening on port 21:
tcp LISTEN 0 128 *:ftp *:* users:(("vsftpd",pid=20078,fd=6))
- To test the vsftpd FTP server, open an FTP client on your local computer and connect to the Debian 11 server using its public IP address or hostname. Use the default username and password (debian/password) to log in, and verify that you can upload and download files from the server.
- To enable TLS encryption for the FTP client connections, set the FTP client to use explicit FTP over TLS (FTPS). This encrypts the control and data connections between the client and the server, so that third parties who intercept the traffic cannot read the transferred data.
- If you are using the default self-signed certificate and private key provided by the ssl-cert package, the FTP client may display a warning message about the certificate being untrusted. This is normal, as the self-signed certificate is not signed by a trusted certificate authority (CA). You can choose to accept the certificate and continue, but it is recommended to generate your own certificate and private key signed by a trusted CA for production environments.
By following these steps, you have successfully installed and configured vsftpd FTP server on Debian 11, and you have also enabled TLS encryption to secure the FTP data transfer. You can now use the FTP server to securely transfer files to and from your server, and you can further enhance its security by restricting the users who can log in and by enabling anti-DoS protection.
To further secure your vsftpd FTP server, you can follow these additional steps:
- To restrict the users who can log in to the FTP server, open the vsftpd configuration file and uncomment the following line:
userlist_enable=YES
Then, create a new file called /etc/vsftpd.userlist and add the names of the users who are allowed to log in to the FTP server, one per line. For example:
alice
bob
carol
Save the file and close the editor. Then, restart the vsftpd service to apply the changes:
sudo systemctl restart vsftpd
- To restrict the users to their home directories and prevent them from accessing other parts of the file system, open the vsftpd configuration file and uncomment the following lines:
chroot_local_user=YES
chroot_list_enable=YES
Then, create a new file called /etc/vsftpd.chroot_list and add the names of the users who are allowed to access their home directories, one per line. For example:
alice
bob
Save the file and close the editor. Then, restart the vsftpd service to apply the changes:
sudo systemctl restart vsftpd
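The following added example (not part of this guide) models how vsftpd itself evaluates the userlist_enable and chroot_list_enable settings from the two steps above, following man vsftpd.conf: userlist_deny defaults to YES, and when chroot_local_user=YES the chroot list names the users who are exempt from the jail. The configuration text and list contents are constructed sample input.

```python
# Added example (not the guide's own code): models how vsftpd evaluates the
# userlist_* and chroot_* settings above, per man vsftpd.conf. Constructed input.

def parse_conf(text):
    """Return {key: value} from uncommented key=value lines of a vsftpd.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def is_yes(conf, key, default):
    """vsftpd boolean option (YES/NO, case-insensitive) with its compiled-in default."""
    return conf.get(key, default).upper() == "YES"

def effective_policy(conf, user_list, chroot_list, users):
    """Per-user login and chroot outcome.
    - userlist_deny defaults to YES: the user list is a DENY list unless
      userlist_deny=NO is set explicitly.
    - with chroot_local_user=YES, chroot_list names users who are NOT jailed;
      with chroot_local_user=NO, it names the users who ARE jailed."""
    use_list = is_yes(conf, "userlist_enable", "NO")
    deny_list = is_yes(conf, "userlist_deny", "YES")
    chroot_all = is_yes(conf, "chroot_local_user", "NO")
    use_chroot_list = is_yes(conf, "chroot_list_enable", "NO")
    policy = {}
    for user in users:
        login = True
        if use_list:
            login = (user not in user_list) if deny_list else (user in user_list)
        chroot = chroot_all
        if use_chroot_list:
            chroot = (user not in chroot_list) if chroot_all else (user in chroot_list)
        policy[user] = {"login": login, "chroot": chroot}
    return policy

# Constructed sample: the settings this guide uncomments and its two list files.
GUIDE_CONF = "ssl_enable=YES\nuserlist_enable=YES\nchroot_local_user=YES\nchroot_list_enable=YES\n"
GUIDE_USER_LIST = {"alice", "bob", "carol"}      # contents of /etc/vsftpd.userlist
GUIDE_CHROOT_LIST = {"alice", "bob"}             # contents of /etc/vsftpd.chroot_list

def audit(conf_text, users=("alice", "bob", "carol", "dave")):
    """Evaluate conf_text against the guide's lists for the given local accounts."""
    return effective_policy(parse_conf(conf_text), GUIDE_USER_LIST, GUIDE_CHROOT_LIST, users)

if __name__ == "__main__":
    for user, outcome in audit(GUIDE_CONF).items():
        print(user, outcome)
```

Run as-is it reports alice, bob and carol denied and the unlisted dave logged in and jailed; adding userlist_deny=NO turns the file into the allow list the guide intends, and with chroot_local_user=YES only users who should escape the jail belong in /etc/vsftpd.chroot_list.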
- To further protect against malicious users, you can enable vsftpd’s built-in anti-DoS protection. Open the vsftpd configuration file and uncomment the following lines:
max_per_ip=5
max_clients=20
These settings will limit the maximum number of connections that a single IP address can make to the FTP server (5), and the maximum number of connections that the FTP server can accept from all IP addresses (20). This will help prevent DoS attacks and other malicious activities that try to overwhelm the FTP server with excessive connections.
Save the configuration file and close the editor. Then, restart the vsftpd service to apply the changes:
sudo systemctl restart vsftpd
By following these steps, you have further enhanced the security of your vsftpd FTP server, and you have added protection against malicious users and DoS attacks. You can continue to monitor the FTP server’s logs and make further adjustments to the configuration as needed to ensure that the server remains secure and stable.