Creating a Basic FTP Backup Server

So you’ve set up your web server and now you want a simple backup space to store your backups away from the main server, just in case the worst happens!

Plesk uses FTP for off-server backup space, so you could go down the route of renting a third-party FTP backup space, but I’ve always found these pretty expensive for what they are. Here’s how you can create your own basic backup server using a small and cheap VPS. You can find reliable providers for very little per month, and it’s not critical that it be on fast SSD drives: so long as it’s reliable, speed really doesn’t matter in this instance.

Before I begin, please be aware that FTP is not the most secure of systems so if you’re backing up any kind of sensitive data it’s probably best to ensure the data itself is encrypted or password protected. If you’re using Plesk for offsite backups their system can do this for you automatically at the time of backup… just don’t forget the password!

OK, so let’s get to it…

First off we need to spin up a VPS instance. I’ll be using Ubuntu 14.04 in this example.

Start with some basic updates

apt-get update

apt-get upgrade

Install our chosen FTP service, in this instance vsftpd

apt-get install vsftpd

Give the server its new name

At this point we want to set our hostname. This should be your server’s intended FQDN (fully qualified domain name). The file to update will be located at:

/etc/hostname

This file will likely be empty when you open it. Within this file you should include the FQDN that the server will be known by. It can be any domain or subdomain you own and can manage the DNS of (e.g. server.yourdomain.tld). You will need to create an A record for this FQDN on the DNS server that manages it, pointing to your server’s IP address.

The entry should follow this format:

server.yourdomain.tld

Now to configure vsftpd, our FTP server

The next step is to change the configuration settings for vsftpd. Open the /etc/vsftpd.conf file in your preferred text editor. You’ll notice there are a number of settings you can play with. We’re not going to go into any detail on these, but the critical changes you must make are shown below:

listen=YES tells vsftpd to run as a standalone daemon (the simplest method for getting up and running).

anonymous_enable=NO disallows anonymous FTP users, which is generally preferred for security reasons but can be enabled for testing purposes.

local_enable=YES allows any user account defined in the /etc/passwd file to access the FTP server and is generally how most FTP users will connect.

write_enable=YES is commented out by default, but removing the hash (#) allows files to be uploaded to the FTP server.

chroot_local_user=YES restricts users to their home directory and is also commented out by default.

Make the options match those shown below:

listen=YES

anonymous_enable=NO

local_enable=YES

write_enable=YES

chroot_local_user=YES

You also want to add the following line just under chroot_local_user=YES:

allow_writeable_chroot=YES

This is the simplest way to use the FTP server so long as you are the only user of the FTP backup server. If you wish to have clients or third parties store data, you should look into using writable subdirectories instead of allowing a writable user root directory, which can cause some security issues.

Then restart the service with:

service vsftpd restart

Adding an FTP User

Now we want to add an authorised user for FTP access. Do this with the line:

adduser foobar

Replace foobar with the username you want and follow through the prompts on screen. At this point it will also ask you to set up a user password.

Testing FTP

At this stage you should now be able to log in using the FTP user you just created. Congratulations, you have yourself an FTP backup server! You can stop now if you wish or follow on to encrypt your FTP for a more secure connection.

Securing your FTP with SSL

While standard unencrypted FTP access as outlined so far is sufficient in most cases, when transferring sensitive information over FTP it is useful to utilise a more secure connection using SSL.

To begin you’ll likely need to generate a new SSL certificate with the following command, following the prompts as appropriate to complete the process. Use a key of at least 2048 bits, as 1024-bit RSA keys are no longer considered secure and are rejected by many current TLS clients:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Now you must ensure that vsftpd is aware of the SSL certificate. Open the /etc/vsftpd.conf file once again:

Look near the bottom of the file for two rsa_ settings like this, indicating the location of the SSL certificate that was just created:

rsa_cert_file=/etc/ssl/private/vsftpd.pem

rsa_private_key_file=/etc/ssl/private/vsftpd.pem

If those lines don’t exist or don’t match the path to the SSL certificate we just created, update them accordingly.

Additionally, there are a number of configuration settings to handle SSL connections, particularly forcing use of the TLS protocol, which is ideal. Add the following below the area in the file where the SSL certificates are referenced:

ssl_enable=YES

allow_anon_ssl=NO

force_local_data_ssl=YES

force_local_logins_ssl=YES

ssl_tlsv1=YES

ssl_sslv2=NO

ssl_sslv3=NO

require_ssl_reuse=NO

ssl_ciphers=HIGH

Some of the settings are self-explanatory, but the key components are the overall enabling of SSL, the restriction to use only TLS, and disallowing anonymous access.

With the settings added and the file saved, once again restart the vsftpd service:

service vsftpd restart

Now your FTP server is ready to accept secure connections using “FTP over TLS” encryption.
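To confirm that /etc/vsftpd.conf really carries the settings from the two configuration steps above, a check like the following can be run against it. This is an added example, not part of the original guide: the function names and the sample config are constructed for illustration, and it assumes the last uncommented assignment of an option is the effective one.

```shell
# Added example (not from the original guide): audit a vsftpd.conf against
# the settings the guide requires. All names below are made up for this example.
REQUIRED='anonymous_enable=NO local_enable=YES chroot_local_user=YES
ssl_enable=YES allow_anon_ssl=NO force_local_logins_ssl=YES
force_local_data_ssl=YES ssl_sslv2=NO ssl_sslv3=NO'

# Print the value of option $2 in file $1. vsftpd permits no spaces around
# "=" and treats "#" lines as comments, so only exact "KEY=" line starts
# count; the last assignment is taken as effective (assumption).
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r'
}

# Print one FAIL line per deviation; return 1 if any was found. A missing
# option is reported too, because the guide sets each one explicitly.
audit_vsftpd() {
    status=0
    for want in $REQUIRED; do
        key=${want%%=*}
        actual=$(conf_value "$1" "$key")
        if [ "$actual" != "${want#*=}" ]; then
            echo "FAIL $key: want ${want#*=}, found ${actual:-unset}"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample: base settings applied, TLS section only half done.
sample_conf() {
    cat <<'EOF'
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
ssl_enable=YES
#force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_sslv2=NO
ssl_sslv3=YES
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
audit_vsftpd "$tmp" || echo "audit failed for $tmp"
rm -f "$tmp"
```

On the server itself, run audit_vsftpd /etc/vsftpd.conf after each edit and before restarting the service.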

Set Up User and Group Disk Quota

If you’re going to have a number of different users and you want to limit the storage capacity of each user, read on. This isn’t only related to FTP; it can be used for any purpose on the server that requires a user to have limited storage capacity.

Install the quota service

apt-get install quota

Modify /etc/fstab and add the keywords usrquota and grpquota to the corresponding filesystem that you would like to monitor. I strongly suggest you take a backup of the server before proceeding with this change, as it could make your server inaccessible if you modify this file incorrectly.

Below is an example with the two keywords added. It’s likely your setup won’t be exactly the same; the important thing is to add ,usrquota,grpquota to the end of the options field of the entry.

before:

LABEL=DOROOT  / ext4  errors=remount-ro  0 1

after:

LABEL=DOROOT  / ext4  errors=remount-ro,usrquota,grpquota  0 1

Reboot the server after saving the above:

reboot

Now run the command:

quotacheck -avugfm

The above command will create an aquota file for user and group under the filesystem directory.

Assign a disk quota to a user

Now we’re ready to assign a quota to a user account. Let’s modify foobar that we created earlier (or whatever user name you created in the FTP user creation stage). We do this using the edquota command:

edquota foobar

This will open an editor view that looks a little like the below:

Disk quotas for user foobar (uid 100):
  Filesystem           blocks       soft       hard     inodes     soft     hard
  /dev/sda4                 8      10000      10240       2        0        0

The text editor shows 7 different columns:

  1. Indicates the name of the file system that has a quota enabled
  2. Indicates the amount of blocks currently used by the user
  3. Indicates the soft block limit for the user on the file system
  4. Indicates the hard block limit for the user on the file system
  5. Indicates the amount of inodes currently used by the user
  6. Indicates the soft inode limit for the user on the file system
  7. Indicates the hard inode limit for the user on the file system

The blocks refer to the amount of disk space, while the inodes refer to the number of files/folders that can be used. Most of the time the block amount will be used in the quota.

The hard block limit is the absolute maximum amount of disk space that a user or group can use. Once this limit is reached, no further disk space can be used. The soft block limit defines the maximum amount of disk space that can be used. However, unlike the hard limit, the soft limit can be exceeded for a certain amount of time. This time is known as the grace period.

In the example above, a soft limit of 10000Kb and hard limit of 10240Kb are used. To see the quota in action, an FTP/SFTP transfer can be started where multiple files are uploaded with a total size of 12 Mb, for example (as long as it’s larger than the hard limit). The FTP/SFTP client will indicate a transfer error, meaning that the user will be unable to upload any more files.

You’ll probably want a higher limit than 10Mb. If you want 10Gb, for example, insert 10000000 as the soft limit value and 10485760 as the hard value.

If you want to check the quota for a particular user you can use the command:

quota foobar

If you want to check the quota allocations and usage for all users you can use the command:

repquota -a

If you wish to edit the grace period, use the command:

edquota -t

Congratulations, if you’ve followed to the end of the guide you should now have your own FTP server with an SSL connection and per-user quota limits.

Just leave a comment if you have any problems and I’ll see if I can point you in the right direction. If you do anything differently or have suggestions, let me know.
