Assuming you already have an SSL/TLS key that you may have created for your HTTP server [Read It], we will use it for VSFTPD.
sudo apt update sudo apt install vsftpd sudo service vsftpd status sudo ufw allow from 200.200.200.200 to any
For now, allow your public IP (replace 200.200.200.200 with yours) to have full access to your server to avoid any issues with open ports on your firewall. We will remove this rule later and apply more precise port settings.
Test connecting to your FTP server with FileZilla (for example). Now edit the configuration file:
sudo cp /etc/vsftpd.{conf,bkp}
sudo nano /etc/vsftpd.conf
Find all of these settings and make them match the following:
listen=NO listen_ipv6=YES anonymous_enable=NO local_enable=YES write_enable=YES local_umask=022 dirmessage_enable=YES use_localtime=YES xferlog_enable=YES connect_from_port_20=YES secure_chroot_dir=/var/run/vsftpd/empty pam_service_name=vsftpd utf8_filesystem=YES
For SSL/TLS, add the following at the end of the file:
rsa_cert_file=/etc/apache2/md/domains/domain.com/pubcert.pem rsa_private_key_file=/etc/apache2/md/domains/domain.com/privkey.pem ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO require_ssl_reuse=NO ssl_ciphers=HIGH
Note: This tutorial assumes the server already has a certificate issued by Let’s Encrypt using Apache’s MD module. If your certificate was generated differently, locate those files on your system. In most cases, only the domain name in the paths above will need to change.
You should also enable Passive Mode (recommended):
pasv_enable=Yes pasv_min_port=40000 pasv_max_port=50000
Restart the service, confirm it is running, and test the connection from FileZilla:
sudo systemctl restart vsftpd sudo systemctl status vsftpd
Now remove the broad firewall rule and replace it with precise ones. First, find the rule number:
sudo ufw status numbered | grep 200.200.200.200
Remember that 200.200.200.200 is your client’s public IP, not the server’s IP.
[ 7] Anywhere ALLOW IN 200.200.200.200
The number in brackets is the rule to delete. In this example it is 7. Delete it (confirm when prompted):
sudo ufw delete 7
Add the new rules:
sudo ufw allow 20:21/tcp comment "FTP" sudo ufw allow 40000:50000/tcp comment "FTP Passive Mode"
The second rule applies only if you enabled Passive Mode. The port range (40000:50000) must match exactly between the VSFTPD configuration file and the firewall.
How wide should the range be? That is up to you. A smaller range like 50 ports is fine if you do not expect many simultaneous transfers.
Now configure Fail2Ban to monitor and protect the FTP server. Assuming you already have Fail2Ban running [Read It], you just need to add VSFTPD to the configuration:
sudo nano /etc/fail2ban/jail.local
Search for vsftpd (Ctrl+W) and make sure it looks like this:
[vsftpd] enabled = true port = ftp,ftp-data,ftps,ftps-data logpath = %(vsftpd_log)s
Then open the filter file:
sudo nano /etc/fail2ban/filter.d/vsftpd.conf
It should look like the following. If it differs, replace its contents with this:
[INCLUDES] before = common.conf [Definition] __pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:? _daemon = vsftpd failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$ ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,) ^ \[pid \d+\] \[root\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,) ignoreregex =
Restart Fail2Ban, check the status of the new jail, and attempt a failed login to confirm it is being captured:
sudo systemctl restart fail2ban sudo fail2ban-client status vsftpd

After a failed login attempt, “Total failed” will start counting.
If you accidentally ban yourself, run the following command with your IP address:
sudo fail2ban-client unban 200.200.200.200