Adrian World Design

Enable FTP in EC2

Created: Feb 1, 2012, 3:00:20 PM CST. Last updated: Dec 12, 2012, 7:50:05 AM CST

You'd think that setting up FTP in an AWS EC2 instance is simple. Actually it is, but there are a few pitfalls, and if you don't know them you will spend a lot of time until you get it to work. In this tutorial I will show you the pitfalls I encountered when I set up FTP on my Amazon cloud server.

Before we start, let's talk about the configuration and environment. The information here is based on a regular AWS EC2 Linux server instance, on which I installed vsftpd as the FTP server with yum. From my local client I use FileZilla as the FTP client, with transfer set to passive mode. This adds a few more pitfalls, as I will explain in this document.

I also assume everything is properly installed; please understand that the following is only about configuration, not about installing anything. Now let's get started with this tutorial.

Security Group

Let's begin with access control from the outside world. For an EC2 instance, access is controlled by the security group, unless you have a security group applied that allows basically anything; in that very unrecommended case you can skip this part.

As a first step, enable the two default FTP ports, TCP 20 and 21 (data transfer and control). While you are adding these two ports, also allow a TCP port range such as 1024-1048; I will explain later, just trust me on this one for now.

With this we are basically ready to accept all passive-mode FTP traffic to the server. Now let's look at the server.

Server Setup

Before we dive into the vsftpd configuration, a couple of words first about the server setup and a few things you might check just to be sure. If you have a local Linux setup (like CentOS) you should really check these steps as well.

SELinux

If you use a basic Linux instance in EC2 you should not have to worry about SELinux, but you might want to check first, like this:

# sestatus
SELinux status:   disabled

If your status is enabled, you will also have to make sure that the file and context permissions are properly set. I will not go into details here, maybe in a separate document later, because it seems SELinux is not enabled in most AWS Linux instances.

iptables

Your basic Linux instance should not be using any iptables rules. You might want to check this as well, like this:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source           destination
Chain FORWARD (policy ACCEPT)
target     prot opt source           destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source           destination

If you have any rules here I assume it was you who added them and hence you know how to deal with them. The default instances don't have anything in place here.

vsftpd.conf

Now let's go through the vsftpd configuration and the settings you have to add.

On your Linux system, for a vsftpd installation, you will find the config at /etc/vsftpd/vsftpd.conf; don't forget to look at the man page with man vsftpd.conf.

Passive Address: pasv_address

pasv_address is an important setting in EC2; it is essentially what allows passive mode to work, specifically if you use a client like FileZilla. If you have a Windows client and use the command-line ftp application you will be fine without this setting. FileZilla, however, will sort of hang like this:

Status:    Retrieving directory listing...
Command:  PWD
Response:  257 "/"
Command:  TYPE I
Response:  200 Switching to Binary mode.
Command:  PASV
Error:  Disconnected from server: ECONNABORTED - Connection aborted
Error:  Failed to retrieve directory listing

Note that the last command, PASV, asked for passive mode but it never completes. That's because FileZilla is verifying something in the background. Unfortunately you cannot see an error even when you turn on debugging. If you have FTP logging on for vsftpd you can see the response like this, though:

"227 Entering Passive Mode (10,12,35,53,75,191)."

Note the first four numbers in the parentheses: this is the host's IP address. If you don't set pasv_address, which has to be your external IP address (usually the Elastic IP), vsftpd will send the local server IP address, which for an EC2 instance is a 10.x.x.x private address; 10.12.35.53 in this example.

Because FileZilla does not know this address it refuses to proceed; it explicitly expects the external IP address, which is the address it knows and is connected to. I don't know if this is a bug in FileZilla, i.e. why there is no error message or any other form of event telling you this.

Passive ports

Finally you will need to set the passive ports, which might be a little unusual, but I will try to explain it. That's also where we talk about the security group settings I asked you to set in the beginning.

Why do we need this port range, you wonder? Besides the two standard TCP ports 20 and 21 there are in fact more ports required in passive mode. Usually you don't have to worry about this because many hosting environments don't offer an external firewall for your environment, or at least none you have to manage yourself. Unlike AWS, where we have a firewall and use security groups to control access. The security groups are simply firewall rules and I assume you use them properly.

Many server setups either don't have any internal firewall for access control, or have standard rules (like in iptables) allowing new ports for established sessions.

In iptables you would set up and have something like this:

Chain INPUT (policy ACCEPT)
target   prot opt source       destination
ACCEPT   all  --  anywhere     anywhere
ACCEPT   all  --  anywhere     anywhere     state RELATED,ESTABLISHED

So what is happening in the background with passive mode? FTP servers like vsftpd ask the client to connect to a new port for further transactions when in passive mode. If your server does not have any access control the request is granted, and if you have a control like the iptables rules above the request is accepted as well, because it is part of an established session. That's the server part, but we still have a firewall.

Because we have an external firewall (the security groups) this will be blocked unless we open some ports. So, if you have set the port range I mentioned earlier, you can add the minimum and maximum ports as pasv_min_port and pasv_max_port in your vsftpd configuration. You can basically set any port range, but I would not set the limits too far apart.

The annoying part here is that FileZilla again leaves you clueless in the dark. Once you are past the PASV command you will hang right after the next command, which should be the LIST command. The ftp command-line client in Windows seems to begin with, or fall back to, port 20.
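To make both pitfalls visible without waiting for FileZilla to hang, here is an added diagnostic example (my code, not part of the original tutorial) that decodes a logged 227 reply like the one quoted above and checks it against pasv_address, pasv_min_port and pasv_max_port from a vsftpd.conf excerpt. The config excerpt, the address 203.0.113.10 and the port range are constructed placeholders.

```python
import ipaddress
import re

# Constructed vsftpd.conf excerpt with the settings this tutorial adds (not the
# author's file); the address and port range are placeholder values.
SAMPLE_VSFTPD_CONF = """\
pasv_enable=YES
pasv_address=203.0.113.10
pasv_min_port=1024
pasv_max_port=1048
"""

# Constructed log line in the shape of the vsftpd response quoted above.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (10,12,35,53,75,191)."

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# The private ranges an EC2 instance sees on its own interface (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_vsftpd_conf(text):
    """Return key=value pairs from vsftpd.conf text, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_pasv_reply(reply):
    """Decode a 227 reply: four address octets, then data port = p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def check_pasv(reply, conf):
    """List the reasons a passive-mode client would stall on this reply (empty = OK)."""
    host, port = parse_pasv_reply(reply)
    problems = []
    if any(ipaddress.ip_address(host) in net for net in RFC1918):
        problems.append(f"{host} is a private address; pasv_address is not in effect")
    if conf.get("pasv_address") and host != conf["pasv_address"]:
        problems.append(f"{host} differs from pasv_address {conf['pasv_address']}")
    lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 65535))
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside the {lo}-{hi} range opened in the security group")
    return problems
```

Run check_pasv on the 227 lines from the vsftpd log; any non-empty result names the setting (address or port range) that the security group or vsftpd.conf still gets wrong.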
