How to run an FTP server on an Amazon Micro Instance

A micro instance running Linux costs 0.025 U$ per hour (around 18 U$ a month) and is just right for operating an FTP server. On top of that comes the data transfer, which costs you 0.1 U$ IN and around 0.15 U$ OUT.
There is only one minor challenge to getting started: the elastic IP assignment, which makes it impossible to connect to the FTP server in passive mode out of the box.
This short tutorial describes how to get started and also covers the use of virtual users (we skip the basic part, assuming you are familiar with creating instances, handling key files, etc.).

I advise creating a separate volume in EC2 if you plan to FTP a large number of files, or eventually opting for a bigger instance.

How to add a volume:

  • Create a new volume specifying a suitable size (you pay for the size you allocate, not for the size you use inside the volume!)
  • Attach it to the instance (define a device, e.g. /dev/sdf)
  • Log in to your instance and format the volume (mkfs -t ext2 /dev/sdf)
  • Create a mountpoint (mkdir /mnt/ftpvolume)
  • Mount the volume (mount /dev/sdf /mnt/ftpvolume)
    Be aware: you need to mount it every time you restart the instance! There are scripts to do it automatically, but this is not straightforward in EC2.

How to install and configure the ftp service:

  • Look for an Ubuntu i386 server AMI in your preferred region and create a new instance.
  • Use a security group with an open port 21 and the passive ports (e.g. 62222 to 63333 as configured below).
  • Create an elastic IP and attach it to the new instance.
  • Log in to the instance (using ssh and your private key).
  • Add the ftp server package vsftpd (sudo apt-get install vsftpd)
  • Add the libpam package which we need to maintain the virtual users (sudo apt-get install libpam-pwdfile)
  • Add the mini-httpd package, which contains the htpasswd command we need to enter the passwords (sudo apt-get install mini-httpd)
  • Configure PAM (vi /etc/pam.d/vsftpd)
    Remove other content in this file.

    auth required pam_pwdfile.so pwdfile /etc/ftpd.passwd
    account required pam_permit.so
    
  • Configure vsftpd (vi /etc/vsftpd.conf)
    This shows only the important changes and new entries

    ...
    local_enable=YES
    ...
    write_enable=YES
    ...
    local_umask=022
    ...
    chroot_local_user=YES
    ...
    virtual_use_local_privs=YES
    guest_enable=YES
    user_sub_token=$USER
    local_root=/mnt/ftpvolume/ftphome/$USER {or whatever your ftp root folder is going to be}
    hide_ids=YES
    pasv_min_port=62222
    pasv_max_port=63333
    pasv_address={your Elastic IP}
    
  • Restart vsftpd (service vsftpd restart)
  • Create the root directory for the ftp service as defined in the config file
  • Create user and user directory
    For the first user you add
    htpasswd -c /etc/ftpd.passwd Username
    subsequent users
    htpasswd /etc/ftpd.passwd Username
    mkdir /mnt/ftpvolume/ftphome/username
    chmod 777 /mnt/ftpvolume/ftphome/username
  • Create a superuser ftpadmin with access to all user directories
    Instead of creating its own folder, create a link
    ln -s /mnt/ftpvolume/ftphome ftpadmin
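
The passive-mode problem mentioned at the top shows up in the server's 227 reply: without pasv_address, the server advertises the instance's private address, which a client outside EC2 cannot reach. The shell functions below are an added example (not part of the original tutorial) that decode a 227 reply and check it against pasv_address and the passive port range configured above; 203.0.113.10 is a placeholder for the Elastic IP and the sample replies are constructed.

```shell
#!/bin/sh
# Added example: decode an FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# reply and compare it with pasv_address / pasv_min_port / pasv_max_port.

# pasv_endpoint REPLY -> prints "IP PORT"; returns 1 if the reply is malformed.
pasv_endpoint() {
    nums=$(printf '%s\n' "$1" |
        sed -n 's/^227 .*(\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\)).*$/\1/p')
    [ -n "$nums" ] || return 1
    old_ifs=$IFS; IFS=,
    set -- $nums                      # split the six numbers into $1..$6
    IFS=$old_ifs
    for n in "$@"; do
        case $n in 0?*) return 1 ;; esac   # reject leading zeros (octal in $(( )))
        [ "$n" -le 255 ] || return 1
    done
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"   # port = p1 * 256 + p2
}

# check_pasv REPLY PUBLIC_IP MIN_PORT MAX_PORT
# Returns 0 = ok, 1 = malformed reply, 2 = wrong address, 3 = port out of range.
check_pasv() {
    ep=$(pasv_endpoint "$1") || { echo "malformed PASV reply"; return 1; }
    ip=${ep% *}; port=${ep#* }
    if [ "$ip" != "$2" ]; then
        echo "server advertises $ip, expected $2: set pasv_address"
        return 2
    fi
    if [ "$port" -lt "$3" ] || [ "$port" -gt "$4" ]; then
        echo "port $port outside $3-$4: check pasv_min_port/pasv_max_port"
        return 3
    fi
    echo "ok: $ip:$port"
}

# Constructed sample replies; 203.0.113.10 stands in for the Elastic IP.
# First: private address advertised (pasv_address missing). Second: as configured.
check_pasv '227 Entering Passive Mode (10,0,0,5,243,14).' 203.0.113.10 62222 63333 || true
check_pasv '227 Entering Passive Mode (203,0,113,10,243,14).' 203.0.113.10 62222 63333 || true
```

A port outside the range also points at a mismatch between vsftpd.conf and the security group, since only 62222 to 63333 are opened there.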

Remarks: This might not be best practice, but
a) for the EC2 instance you open only port 32
b) vsftpd is the best choice for secure ftp
c) each virtual user is locked into his home-folder.

Feel free to add comments regarding security.

2 thoughts on “How to run a ftp server on an Amazon Micro Instance”

  1. Can you provide any suggestion on how to use libpam-pwdfile and mini-httpd on the “Amazon Linux” 32 bit instance, as I do not believe these packages are in the repository?

    Thanks!

  2. Pingback: Running FTP server on EC2 on demand | The JavaDude Weblog
