For our web management service we also performance website backups in a timely manner by using our own FTP server. This guide is written on how we configured VSFTP (A recognized FTP server in Linux distros such as Ubuntu) to handle multiple websites.
For example lets say the develop website is based on WordPress. There is a good free backup plugin called Backwpup. We use this plugin to automate the backup process. This plugin has options to select as the backup location. They include such as DropBox, Amazon, and FTP. We wanted to move to FTP because we would then have the control of our data. This article discrbe how we setup our FTP server so that it will be available through Internet to backup the websites.
What is our case?
- There are multiple websites that need to be backup
- We need to have unique FTP accounts for each client/ website
- FTP connections has to be secure
- Need to use a sub domain of a domain we own to point the FTP server
Configuring the sub domain to point to our server
You can skip this part if you do not need to use a domain to point to your FTP server over the Internet. You must own he domain name and ability to configure it. We need to edit/ add some DNS records. In our case we brought the domain name from namecheap. Our domain name is ‘creotex.com’ so lets say I want to point ‘ftp’ sub domain to our server here’s how to do it. Please note that our server already have a static Internet IP address. So we need to point that IP address. If you are using a dynamic DNS, your configuration would be different.
In our case we have to add the desired sub domain and assign the IP address and record type as A (Address).
Sub Domain Name: ftp IP Address: 999.999.999.999 Record Type: A(Address)
Save the changes. It will take some time to see the changes take affect.
Port Forwarding in the network router
Ok cool, now who ever call our sub domain will point to our Internet IP address. In other words it will reach the local network router. From there we must tell the router to send the FTP request data to the FTP server. Let’s say out VSFTP server listens on port 900 for connections (This is the gneeral port used in vsftpd for secure connections) and let’s say we configure our website to use port 21 to establish FTP connections with the server. So we need to tell the router that whoever talks to port 21 from Internet, send them to our server on port 900. That way our FTP server will recieve the request. Also port 20 would be required by VSFTP to initiate a data connection. So this port has to be forwarded too.
We must also specify the local machines IP address along with port 900. Below is a diagram of the situation.
Note: It is recommended to set the machine’s local IP address to be static so that it wouldn’t change when the machine is restarted. [How To?]
apt-get install vsftpd
With this command, VSFTPD server should be installed on your Ubuntu machine. One of the reasons to use VSFTPD is with it we can allow local users or virtual users to login. In our case we needed to have virtual users because we need to create a separate user for each website.
Note: Since a client can have more than one website, you can think a virtual user as a client or you can think each website will represent as a virtual user. Important thing is, here each virtual user can assign a unique folder that will act as the root to his login. And whatever inside that folder will be accessible by the virtual user. With this in mind you can chose how you structure the virtual user’s unique folder.
Let’s first discuss the folder structure to backup our sites. There should be a main folder that going to hold every virtual user’s backup data. We will call this ‘ftp’. So in our case we have placed it as ‘media/backup/ftp’. We will need this absolute path to use in the VSFTP config file. Inside this folder then separate folders are created for each virtual user. The folder name must be equal to the username of the virtual user. So if there are virtual users with usernames user1, user2 we have to create these folders inside ftp folder.
Once created, these folders must have limited permissions. It is because these folders are used as the root directories for each virtual user and VSFTPD does not allow write permission for root folders. To do that use chown. Example, I will assign root for these folders.
sudo chown root:root /media/backup/ftp/user1
There is a config option to override this security feature and avoid changing permissions. But that configuration is available from VSFTPD version 3 and upper. It is.
Then we need to create another folder inside each of these root folders to hold the backups. In our case we are going to create two folders called ‘website’ and ‘database’. Website folder will contain backups of the whole website along with database. The other will only contain the database backups. Why because we backup the whole site weekly and database daily. You can chose as you like.
Now ‘website’ and ‘database’ folder must have read, write permissions. Let’s give the ownership to ftp.
sudo chown ftp:ftp /media/backup/ftp/user1/website
Create virtual users and authentication
We need to create a PAM file first. That will tell where to look for user and authentication details. We need to create this file inside ‘etc/pam.d’ folder. Will call it vsftpd.virtual.
sudo gedit /etc/pam.d/vsftpd.virtual
Then append the following.
#%PAM-1.0 auth required pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user account required pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user session required pam_loginuid.so
Note: vsftpd-virtual-user is the db file that we are now going to create that hold virtual users and passwords.
To setup the vsftpd-virtual-user db, first we must create a text file that list the users and passwords. Lets place this file inside /etc/vsftpd.
sudo mkdir /etc/vsftpd cd /etc/vsftpd sudo gedit vusers.txt
The first line is for the username then next line is for that user’s password. Likewise you can place other usernames and passwords.
user1 user1password user2 user2password
Now this must be put into the db fie. To create the db file we use db_load program. If it’s not available you must install the db-utils package.
db_load -T -t hash -f vusers.txt vsftpd-virtual-user.db chmod 600 vsftpd-virtual-user.db
Update vftpd.conf file
Now we will edit the VFTPD config file. it is by default placed in /etc folder.
listen=YES anonymous_enable=NO local_enable=YES write_enable=YES chroot_local_user=YES guest_enable=YES rsa_cert_file=/etc/ssl/private/vsftpd.pem rsa_private_key_file=/etc/ssl/private/vsftpd.pem ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO listen_port=990 virtual_use_local_privs=YES write_enable=YES pam_service_name=vsftpd.virtual guest_enable=YES guest_username=vsftpd user_sub_token=$USER local_root=/media/backup/ftp/$USER passv_enable=YES passv_min_port=10090 passv_min_port=10100 pssv_address=188.8.131.52
All configuration options are listed here.
Using SSL to secure FTP
By default VSFTP will have a certificate used in the configuration. They are configured with the following options.
Using Passive mode FTP
Passive mode FTP can be enabled by using passv options in the configuration. Note that for the data connections we are using a set of selected ports (10090 – 10100). These ports are need to port forward from router to the FTP server machine. [More about Passive Mode]
Setting up VSFTPD might be hard to configure, so with this guide I hope it will help someone.