Onionized Hidden FTP Server

Tor Hidden FTP server :-

File Transfer Protocol (FTP) is one of the standard ways to transfer files from Client-Server and vice versa. FTP servers run on two modes Active and Passive. But some firewall/NAT blocks the Data port (20) from the FTP server. And the Passive mode of the FTP solved this by Client connecting to a random port on the server which can penetrate the firewall/NAT device.

Issue with Passive FTP mode as a Tor Hidden Service :-

This works fine for clearnet, but this is a huge problem if you want to Onionize your FTP service. Because, Tor expects you to know the know the ports for which requests might come. Since client connects to an PASV FTP, Its impossiable for Tor to predict the port used for Data channel.

Fix to Data port issue on Tor :-

One way of fixing this issue is limiting the port usage of the PASV FTP server config. Something like 5000-5019 (20 ports) would be ideal and map all the 20 ports on the Tor config file as a HiddenServicePort. I have shown complete steps below.


  • Step 1 :-

Install vsFTPd on your machine

root@host:~# apt-get install vsftpd 
  • Step 2 :-

Open the /etc/vsftpd.conf file and add the following lines (At the bottom)

root@host:~# systemctl restart vsftpd.service
  • The first line will make sure that PASV mode is enabled on your FTP server
  • The secound line will set a MIN port number for the Data channel
  • The third line will will set a MAX port number. The Min-Max range can be of any value unprivileged port range, 1024–65535
  • Step 3 :-

Now, open /etc/tor/torrc file and add the following lines

			   HiddenServiceDir /var/lib/tor/ftp_service/
		     	   HiddenServicePort 21
			   HiddenServicePort 5000
			   HiddenServicePort 5001
			   HiddenServicePort 5018
			   HiddenServicePort 5019
  • Make sure you add all the 20 ports ranging from 5000-5019 as a HiddenServicePort
  • After this is done, Restart Tor process and you will be be seeing hostname, key pair and other files under the /var/lib/tor/ftp_service/ (If you are not seeing those, You might be doing something wrong so Check the Tor logs or journalctl)

It is really important to lockdown/jail the FTP user into their home directory. Following are some really important security measures


  • Always create new user for FTP
  • It's important to create a new user which is only used for the PASV FTP login
    root@host:~# adduser FTP_USER
    Now, essential important step is to revoke SSH access to this FTP_USER (Very important, Never skip) To revoke/deny SSH access to a particular user, In our case FTP_USER, add the following to /etc/ssh/sshd_config file DenyUsers FTP_USER

It's also good idea to only allow root to login via SSH. To do so, add the following to /etc/ssh/sshd_config file AllowUsers root

  • Chroot Jail the FTP user

Chroot Jailing is a way of isolating applications (FTP) from the rest of your computer, by putting them in a jail. This is an important security measures for out PASV FTP Onion Service. To do so, add the following to your /etc/vsftpd.conf file

root@host:~# systemctl restart vsftpd.service

And ofcourse, we can do much more things for security purposes (Like Writable, File Permission and etc) but the above are the main or essential ones.

Advantages of using Tor Hidden FTP Service :

  1. It's End to End Encrypted
    • The payload or your FTP Packet is insecure by design but on top of Onion Encryption, It becomes End to End encrypted since the Layered encryption will only unpeel at the Hidden Service Endpoint.

An example of this is in Clearnet is If a web server or httpd listener supported HTTP only. A reverse proxy server can perform a TLS/SSL Handshake and acts as an SSL Offloading Proxy and routes the plain-text HTTP packet internally/through Private network into the listening backend server

  1. The Server remains Anonymous (Biggest Gain)
    • It's Tor Hidden Service and your traffic Never Exits the Tor network/overlay so the servers remain anonymous.
  1. FTP is capable of Larger File Transfers
    • Infact, FTP services can easily facilitate larger transfers and It also allows Multiple files/directories to be transfered at once.
  1. Transfers can be resumed under connection losts.

How to configure your Client to connect to the Onion v3 PASV FTP Hidden Service ?

If your running a Tor daemon locally, port 9050 is your Tor SOCKS5 or if your using Tor browser 9150 will be your SOCKS5 port. So, You will need to goto Proxy settings on your FTP client and insert and 9050 or 9150 on SOCKS5 Proxy configurations.

Last modified 5 months ago Last modified on May 27, 2020, 4:17:39 AM