Introduction
Before we discuss how to set up an FTP server with VSFTPD on CentOS, let's briefly understand what an FTP server is.
An FTP (File Transfer Protocol) server is a software application that allows the transfer of files between computers on a network. It provides a convenient and secure way to upload, download, and manage files remotely. FTP servers are commonly used by businesses, web developers, and individuals to share files over the internet.
With an FTP server, users can access files using an FTP client software or a web browser. The server maintains user accounts and permissions, ensuring secure file transfers. FTP servers are essential for efficient file sharing and collaboration in today's digital world.
In this tutorial, we will set up an FTP server with VSFTPD on CentOS 7. It is a reliable, safe, and efficient FTP server. Additionally, we will demonstrate how to set up vsftpd to limit users to their home directory and encrypt all data transfers using SSL/TLS.
Use SCP or SFTP for faster and more secure data transfers.
Advantages of FTP Server
- Efficient file transfer: FTP servers allow fast and reliable transfer of large files, making it ideal for businesses and individuals dealing with substantial data.
- Remote access: With FTP servers, users can access and manage files from anywhere, providing convenience and flexibility for remote work.
- User-friendly interface: FTP servers offer intuitive interfaces, making it easy for users to navigate, upload, and download files without technical expertise.
- Secure data transfer: FTP servers employ encryption and user authentication mechanisms to ensure the confidentiality and integrity of files during transfer.
- Collaboration and sharing: FTP servers enable multiple users to access and collaborate on files simultaneously, enhancing teamwork and productivity.
Prerequisites to Setup FTP Server with VSFTPD on CentOS 7
Make sure you are logged in as a user with sudo privileges before proceeding with this tutorial.
Installing vsftpd on CentOS 7
In the default CentOS repositories, the vsftpd package is available. Use the following command to install it:
sudo yum install vsftpd
Start the vsftpd daemon once the package has been installed, then set it to launch automatically when the system boots:
sudo systemctl start vsftpd
sudo systemctl enable vsftpd
By printing the status of the vsftpd service, you can confirm that it is active:
sudo systemctl status vsftpd
The output will appear similar to the one below, demonstrating that the vsftpd service is operational and running:
Output
● vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2018-11-22 09:42:37 UTC; 6s ago
Main PID: 29612 (vsftpd)
CGroup: /system.slice/vsftpd.service
└─29612 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
Configuring vsftpd
Configuring the vsftpd service requires editing the /etc/vsftpd/vsftpd.conf configuration file. Most of the settings are documented in detail inside the configuration file itself. Visit the official vsftpd page to see all the available options.
In the coming sections, we will go over some crucial configuration settings needed to set up a secure vsftpd installation.
Open the vsftpd configuration file first:
sudo nano /etc/vsftpd/vsftpd.conf
1. FTP Access
Only local users will be permitted access to the FTP server. Locate the anonymous_enable and local_enable directives, and confirm that your configuration matches the lines below:
anonymous_enable=NO
local_enable=YES
2. Enabling uploads
To enable filesystem modifications like uploading and deleting files, uncomment the write_enable setting.
write_enable=YES
3. Chroot Jail
Uncomment the chroot directive to prevent FTP users from accessing any files outside their home directories.
chroot_local_user=YES
When chroot is enabled, by default, vsftpd will not permit file uploads if the directory that the users are locked in is writable. This is done to avoid a security vulnerability.
To allow uploads when chroot is enabled, use one of the methods described below.
- Method 1 – It is advised to keep chroot enabled and set up FTP directories in order to allow upload. In this tutorial, we will make a writable uploads directory for uploading files, as well as an ftp directory inside the user home that will act as the chroot.
user_sub_token=$USER
local_root=/home/$USER/ftp
- Method 2 – An alternative is to add the below directive in the vsftpd configuration file. Use this option if you need to give your user writable access to its home directory.
allow_writeable_chroot=YES
4. Passive FTP Connections
Any port can be used by vsftpd for passive FTP connections. We will specify the minimum and maximum of the port range and later open that range in our firewall.
The configuration file should include the following lines:
pasv_min_port=30000
pasv_max_port=31000
5. Limiting User Login
Add the following lines after the userlist_enable=YES line to allow only specific users to log in to the FTP server:
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
When you enable this option, you must explicitly state which users can log in by adding their names to the /etc/vsftpd/user_list file (one user per line).
6. Securing Transmissions with SSL/TLS
To encrypt the FTP transmissions with SSL/TLS, you need an SSL certificate and must configure the FTP server to use it.
You can create a self-signed certificate or use an SSL certificate that has already been issued and is signed by a recognized Certificate Authority.
Furthermore, you can easily create a free Let's Encrypt SSL certificate if your domain or subdomain points to the IP address of the FTP server.
In this tutorial, we will use the openssl command to create a self-signed SSL certificate.
The following command will generate a self-signed certificate with a 2048-bit private key that is valid for 10 years. The certificate and the private key will both be saved in the same file:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Open the vsftpd configuration file after the SSL certificate has been generated:
sudo nano /etc/vsftpd/vsftpd.conf
Locate the rsa_cert_file and rsa_private_key_file directives, change their values to the pem file location, and set the ssl_enable directive to YES:
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES
The FTP server will only make secure connections using TLS unless otherwise specified.
Restart the vsftpd Service
After you have finished editing, the vsftpd configuration file (without comments) should look like this:
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
tcp_wrappers=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES
Save the file, then restart the vsftpd service to make changes take effect:
sudo systemctl restart vsftpd
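A way to confirm that the file on disk really carries the settings chosen above, written as an added example that is not part of the original tutorial. The helper names conf_get, expect and audit_vsftpd_conf are hypothetical, and the sample file is constructed; on the server, pass /etc/vsftpd/vsftpd.conf instead.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a vsftpd.conf against this page's settings.

conf_get() {    # conf_get FILE KEY -> value of the last uncommented KEY= line
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

expect() {      # expect FILE KEY WANT -> report and count a mismatch
    got=$(conf_get "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FAIL $2=${got:-<unset>} (tutorial uses $3)"
    fails=$((fails + 1))
}

audit_vsftpd_conf() {   # returns the number of failed checks (0 = matches the tutorial)
    fails=0
    # Every value below differs from vsftpd's built-in default, so "unset" fails too.
    expect "$1" anonymous_enable NO
    expect "$1" local_enable YES
    expect "$1" chroot_local_user YES
    expect "$1" userlist_enable YES
    expect "$1" userlist_deny NO
    expect "$1" ssl_enable YES
    # The passive range must be pinned, otherwise the firewall rule cannot match it.
    lo=$(conf_get "$1" pasv_min_port); hi=$(conf_get "$1" pasv_max_port)
    if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ]; then
        echo "FAIL passive port range ${lo:-<unset>}-${hi:-<unset>}"
        fails=$((fails + 1))
    fi
    # Method 2 makes the chroot top directory writable: flag it, but do not fail.
    [ "$(conf_get "$1" allow_writeable_chroot)" = "YES" ] &&
        echo "WARN allow_writeable_chroot=YES (chroot top directory is writable)"
    return "$fails"
}

# Constructed sample: anonymous access left on, chroot commented out, TLS missing.
weak=$(mktemp)
cat > "$weak" <<'EOF'
anonymous_enable=YES
local_enable=YES
#chroot_local_user=YES
userlist_enable=YES
pasv_min_port=30000
pasv_max_port=31000
allow_writeable_chroot=YES
EOF
audit_vsftpd_conf "$weak" || echo "$? check(s) failed"
```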
Opening the Firewall
You must permit FTP traffic if you are running a firewall.
The following commands should be used to open ports 21 (FTP command port), 20 (FTP data port), and 30000-31000 (Passive ports range):
sudo firewall-cmd --permanent --add-port=20-21/tcp
sudo firewall-cmd --permanent --add-port=30000-31000/tcp
Type the following to reload the firewall rules:
sudo firewall-cmd --reload
Creating an FTP User
We will create a new user to test our FTP server.
- Skip the first step if you already have a user to whom you want to grant FTP access.
- Skip the third step if you set allow_writeable_chroot=YES in your configuration file.
1) Add a new user with the name newftpuser:
sudo adduser newftpuser
After that, set the user password:
sudo passwd newftpuser
2) Add the user to the list of allowed FTP users:
echo "newftpuser" | sudo tee -a /etc/vsftpd/user_list
3) Set the proper permissions and create the FTP directory tree:
sudo mkdir -p /home/newftpuser/ftp/upload
sudo chmod 550 /home/newftpuser/ftp
sudo chmod 750 /home/newftpuser/ftp/upload
sudo chown -R newftpuser: /home/newftpuser/ftp
As previously discussed, the user will be able to upload files to the ftp/upload directory.
Your FTP server should now be completely operational, and you can connect to your server using any FTP client that can be set up to use TLS encryption, such as FileZilla.
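The directory modes from step 3 can be checked before the account is handed over. The script below is an added example, not part of the original tutorial; check_ftp_tree and has_perm are hypothetical helper names, and it looks only at mode bits, run here against a constructed tree in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the tutorial): check the mode bits of a chroot tree laid out as in step 3.

has_perm() {    # has_perm PATH MODE -> true if all bits of octal MODE are set on PATH itself
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

check_ftp_tree() {  # check_ftp_tree CHROOT_DIR -> returns the number of problems found
    root=$1; up=$1/upload; bad=0
    problem() { echo "FAIL $1"; bad=$((bad + 1)); }
    [ -d "$root" ] || { problem "$root is missing"; return "$bad"; }
    # The chroot top directory must not be writable (see the Chroot Jail step).
    for bit in 200 020 002; do
        has_perm "$root" "$bit" && problem "$root has write bit $bit set (tutorial uses 550)"
    done
    # Uploads go to the subdirectory: owner-writable, never world-writable.
    if [ ! -d "$up" ]; then
        problem "$up is missing"
    else
        has_perm "$up" 200 || problem "$up is not writable by its owner"
        has_perm "$up" 002 && problem "$up is world-writable"
    fi
    return "$bad"
}

# Constructed demo tree; on the server pass /home/newftpuser/ftp instead.
demo=$(mktemp -d)
mkdir -p "$demo/ftp/upload"
chmod 750 "$demo/ftp/upload"
chmod 750 "$demo/ftp"       # deliberately wrong: the owner can write to the chroot top
check_ftp_tree "$demo/ftp" || echo "$? problem(s) found"
chmod 550 "$demo/ftp"       # the mode the tutorial sets
check_ftp_tree "$demo/ftp" && echo "OK: modes match the tutorial"
```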
Disabling Shell Access
When creating a user, unless otherwise specified, the user will have SSH access to the server by default.
We will create a new shell to disable shell access, which will just produce a message informing the user that their account is limited to only FTP access.
The /bin/ftponly shell can be created and made executable by using the following commands:
echo -e '#!/bin/sh\necho "This account is limited to FTP access only."' | sudo tee -a /bin/ftponly
sudo chmod a+x /bin/ftponly
Simply add the new shell to the list of authorized shells in the /etc/shells file:
echo "/bin/ftponly" | sudo tee -a /etc/shells
Change the user's shell to /bin/ftponly:
sudo usermod newftpuser -s /bin/ftponly
Change the shell for any other users who should only have FTP access using the same command.
FAQs to Setup FTP Server with VSFTPD on CentOS 7
How do I start and stop the VSFTPD service?
To start the VSFTPD service, use the command sudo systemctl start vsftpd. To stop the service, use sudo systemctl stop vsftpd.
Where can I find the configuration file for VSFTPD?
The configuration file for VSFTPD is located at /etc/vsftpd/vsftpd.conf.
How do I configure VSFTPD to allow anonymous FTP access?
Open the configuration file, uncomment the line anonymous_enable=YES, and save the changes. Then, restart the VSFTPD service.
How can I create FTP user accounts with VSFTPD?
You can create FTP user accounts by using the command sudo adduser <username>. The user will be able to log in via FTP.
How do I restrict FTP access to specific directories for users?
You can use the chroot_local_user=YES option in the VSFTPD configuration file to restrict FTP access to the user's home directory.
How can I limit the maximum number of simultaneous connections to my VSFTPD server?
Set the max_clients and max_per_ip options in the VSFTPD configuration file to limit the total connections and connections per IP respectively.
How do I enable logging for VSFTPD?
In the VSFTPD configuration file, uncomment the line xferlog_file=/var/log/xferlog to enable logging. You can then view the logs in the specified file.
Conclusion
We hope this tutorial helped you understand how to install and configure a safe and efficient FTP server on your CentOS 7 system.
If you have any queries, please leave a comment below, and we’ll be happy to respond to them.