How to Set Up an FTP Server with VSFTPD on CentOS 7


Introduction

Before we discuss how to set up an FTP server with VSFTPD on CentOS, let's briefly cover what an FTP server is.

An FTP (File Transfer Protocol) server is a software application that allows the transfer of files between computers on a network. It provides a convenient and secure way to upload, download, and manage files remotely. FTP servers are commonly used by businesses, web developers, and individuals to share files over the internet.

With an FTP server, users can access files using an FTP client software or a web browser. The server maintains user accounts and permissions, ensuring secure file transfers. FTP servers are essential for efficient file sharing and collaboration in today's digital world.

In this tutorial, we will set up an FTP server with vsftpd on CentOS 7. It is a reliable, safe, and efficient FTP server. Additionally, we will demonstrate how to set up vsftpd to limit users to their home directory and encrypt all data transfers using SSL/TLS.

Use SCP or SFTP for faster and more secure data transfers.

Advantages of FTP Server

  1. Efficient file transfer: FTP servers allow fast and reliable transfer of large files, making it ideal for businesses and individuals dealing with substantial data.
  2. Remote access: With FTP servers, users can access and manage files from anywhere, providing convenience and flexibility for remote work.
  3. User-friendly interface: FTP servers offer intuitive interfaces, making it easy for users to navigate, upload, and download files without technical expertise.
  4. Secure data transfer: When SSL/TLS is enabled, as configured in this tutorial, FTP servers use encryption and user authentication to protect the confidentiality and integrity of files during transfer.
  5. Collaboration and sharing: FTP servers enable multiple users to access and collaborate on files simultaneously, enhancing teamwork and productivity.

Prerequisites to Set Up an FTP Server with VSFTPD on CentOS 7

Make sure you are logged in as a user with sudo privileges before proceeding with this tutorial.

Installing vsftpd on CentOS 7

In the default CentOS repositories, the vsftpd package is available. Use the following command to install it:

sudo yum install vsftpd

Start the vsftpd daemon once the package has been installed, then set it to launch automatically when the system boots:

sudo systemctl start vsftpd
sudo systemctl enable vsftpd

By printing the status of the vsftpd service, you can confirm that it is active:

sudo systemctl status vsftpd

The output will appear similar to the one below, demonstrating that the vsftpd service is operational and running:

Output

● vsftpd.service - Vsftpd ftp daemon
   Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2018-11-22 09:42:37 UTC; 6s ago
 Main PID: 29612 (vsftpd)
   CGroup: /system.slice/vsftpd.service
           └─29612 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

Configuring vsftpd

Editing the /etc/vsftpd/vsftpd.conf configuration file is required to configure the vsftpd service. The configuration file contains detailed information on most of the settings. Visit the official vsftpd page to see all the available options.

In the coming sections, we will go over some crucial configuration settings needed to set up a secure vsftpd installation.

Open the vsftpd configuration file first:

sudo nano /etc/vsftpd/vsftpd.conf

1. FTP Access

Only local users will be permitted access to the FTP server. Locate the anonymous_enable and local_enable directives, and confirm that your configuration matches the lines below:

anonymous_enable=NO
local_enable=YES

2. Enabling uploads

To enable filesystem modifications like uploading and deleting files, uncomment the write_enable setting.

write_enable=YES

3. Chroot Jail

Uncomment the chroot directive to prevent FTP users from accessing any files outside their home directories.

chroot_local_user=YES

When chroot is enabled, by default, vsftpd will not permit file uploads if the directory that the users are locked in is writable. This is done to avoid a security vulnerability.

To allow uploads when chroot is enabled, use one of the methods described below.

  • Method 1 – It is advised to keep chroot enabled and set up FTP directories in order to allow uploads. In this tutorial, we will make a writable uploads directory for uploading files, as well as an ftp directory inside the user home that will act as the chroot.

    user_sub_token=$USER
    local_root=/home/$USER/ftp

  • Method 2 – An alternative is to add the directive below to the vsftpd configuration file. Use this option if you need to give your user writable access to its home directory.

    allow_writeable_chroot=YES

4. Passive FTP Connections

By default, vsftpd can use any port for passive FTP connections. We will specify a minimum and maximum port for the passive range and later open that range in our firewall.

The configuration file should include the following lines:

pasv_min_port=30000
pasv_max_port=31000

5. Limiting User Login

Add the following lines after the userlist_enable=YES line to allow only specific users to login into the FTP server:

userlist_file=/etc/vsftpd/user_list
userlist_deny=NO

When you enable this option, you must explicitly state which users can log in by adding their names to the /etc/vsftpd/user_list file (one user per line).

6. Securing Transmissions with SSL/TLS

You need to have an SSL certificate and set up the FTP server in order to use SSL/TLS to encrypt the FTP transmissions.

You can create a self-signed certificate or use an SSL certificate that has already been issued and is signed by a recognized Certificate Authority.

Furthermore, you can easily create a free Let's Encrypt SSL certificate if your domain or subdomain points to the IP address of the FTP server.

In this tutorial, we will use the openssl command to create a self-signed SSL certificate.

The following command will generate a self-signed certificate with a 2048-bit private key that is valid for 10 years. The certificate and the private key will both be saved in the same file:

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

Open the vsftpd configuration file after the SSL certificate has been generated:

sudo nano /etc/vsftpd/vsftpd.conf

Locate the rsa_cert_file and rsa_private_key_file directives, change their values to the pem file location, and set the ssl_enable directive to YES:

rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES

The FTP server will only make secure connections using TLS unless otherwise specified.

Restart the vsftpd Service

After you have finished editing, the vsftpd configuration file (without comments) should look like this:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
tcp_wrappers=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES

Save the file, then restart the vsftpd service to make changes take effect:

sudo systemctl restart vsftpd
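
The settings from the sections above can be checked mechanically, before or after the restart. The following is an added example, not part of the original tutorial: the function names are hypothetical, the sample config is constructed, and the default values passed to expect are the vsftpd built-in defaults that apply when a directive is absent or commented out. It reports Method 2 (allow_writeable_chroot=YES) as a finding because the tutorial advises Method 1.

```bash
# Added example (not from the tutorial): audit vsftpd.conf against the settings above.
# get_opt, expect and audit_vsftpd_conf are hypothetical helper names.

# Effective value of a directive: the last uncommented "key=value" line, if any.
get_opt() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# expect FILE KEY WANT DEFAULT; DEFAULT is vsftpd's built-in value when KEY is absent.
expect() {
    local got
    got=$(get_opt "$1" "$2")
    [ -n "$got" ] || got=$4
    [ "$got" = "$3" ] && return 0
    echo "FAIL: $2=$got, expected $3"
    return 1
}

audit_vsftpd_conf() {
    local conf=$1 bad=0 min max
    expect "$conf" anonymous_enable NO YES        || bad=1
    expect "$conf" local_enable YES NO            || bad=1
    expect "$conf" chroot_local_user YES NO       || bad=1
    expect "$conf" allow_writeable_chroot NO NO   || bad=1  # Method 2 is reported
    expect "$conf" userlist_enable YES NO         || bad=1
    expect "$conf" userlist_deny NO YES           || bad=1
    expect "$conf" ssl_enable YES NO              || bad=1
    expect "$conf" force_local_logins_ssl YES YES || bad=1
    expect "$conf" force_local_data_ssl YES YES   || bad=1
    min=$(get_opt "$conf" pasv_min_port); max=$(get_opt "$conf" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ] || [ "$min" -gt "$max" ]; then
        echo "FAIL: passive range '${min}-${max}' is unset or inverted"
        bad=1
    fi
    return "$bad"
}

# Constructed sample: a config that has drifted from the tutorial's settings.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
userlist_enable=YES
ssl_enable=YES
force_local_logins_ssl=NO
pasv_min_port=30000
pasv_max_port=31000
EOF
audit_vsftpd_conf "$sample" || echo "audit found problems in $sample"
```

On a real server, call audit_vsftpd_conf /etc/vsftpd/vsftpd.conf instead of the sample file.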

Opening the Firewall

You must permit FTP traffic if you are running a firewall.

The following commands should be used to open ports 21 (FTP command port), 20 (FTP data port), and 30000-31000 (Passive ports range):

sudo firewall-cmd --permanent --add-port=20-21/tcp
sudo firewall-cmd --permanent --add-port=30000-31000/tcp

Type the following to reload the firewall rules:

sudo firewall-cmd --reload

Creating an FTP User

We will create a new user to test our FTP server.

  • Skip the first step if you already have a user to whom you want to grant FTP access.
  • Skip the third step if you set allow_writeable_chroot=YES in your configuration file.

1) Add a new user with the name newftpuser:

sudo adduser newftpuser

After that, set the user password:

sudo passwd newftpuser

2) Add the user to the list of allowed FTP users:

echo "newftpuser" | sudo tee -a /etc/vsftpd/user_list

3) Set the proper permissions and create the FTP directory tree:

sudo mkdir -p /home/newftpuser/ftp/upload
sudo chmod 550 /home/newftpuser/ftp
sudo chmod 750 /home/newftpuser/ftp/upload
sudo chown -R newftpuser: /home/newftpuser/ftp

As previously discussed, the user will be able to upload files to the ftp/upload directory.

Your FTP server should now be completely operational, and you can connect to your server using any FTP client that can be set up to use TLS encryption, such as FileZilla.
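
The directory layout from step 3 matters because vsftpd rejects a writable chroot directory, so it is worth verifying after any permission change. The following is an added example, not part of the original tutorial: check_ftp_tree and has_write_bit are hypothetical helpers, the demo tree is constructed in a temporary directory, and GNU stat (as shipped with CentOS) is assumed.

```bash
# Added example (not from the tutorial): verify the Method 1 directory layout.
# check_ftp_tree and has_write_bit are hypothetical helpers; GNU stat is assumed.
# Mode bits are read with stat rather than tested with -w, so the result is the
# same whether the check runs as root or as an ordinary user.

# True when the octal mode in $1 has any write bit (owner, group or other) set.
has_write_bit() { [ $(( 0$1 & 0222 )) -ne 0 ]; }

check_ftp_tree() {   # usage: check_ftp_tree CHROOT_DIR UPLOAD_DIR
    local root=$1 upload=$2 rc=0 mode
    mode=$(stat -c '%a' "$root") || return 2
    if has_write_bit "$mode"; then
        echo "FAIL: chroot $root is writable (mode $mode); the tutorial uses 550"
        rc=1
    fi
    mode=$(stat -c '%a' "$upload") || return 2
    if [ $(( 0$mode & 0200 )) -eq 0 ]; then
        echo "FAIL: $upload is not owner-writable (mode $mode); the tutorial uses 750"
        rc=1
    fi
    if [ $(( 0$mode & 0002 )) -ne 0 ]; then
        echo "FAIL: $upload is world-writable (mode $mode); the tutorial uses 750"
        rc=1
    fi
    if [ "$(stat -c '%U' "$root")" != "$(stat -c '%U' "$upload")" ]; then
        echo "FAIL: $root and $upload have different owners"
        rc=1
    fi
    return "$rc"
}

# Constructed demo tree mirroring step 3, built in a temp dir instead of /home.
demo=$(mktemp -d)
mkdir -p "$demo/ftp/upload"
chmod 750 "$demo/ftp/upload"
chmod 550 "$demo/ftp"
check_ftp_tree "$demo/ftp" "$demo/ftp/upload" && echo "layout OK"
```

For the user created above, run check_ftp_tree /home/newftpuser/ftp /home/newftpuser/ftp/upload with sudo.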

Disabling Shell Access

When creating a user, unless otherwise specified, the user will have SSH access to the server by default.

We will create a new shell to disable shell access, which will just produce a message informing the user that their account is limited to only FTP access.

The /bin/ftponly shell can be created and made executable by using the following commands:

echo -e '#!/bin/sh\necho "This account is limited to FTP access only."' | sudo tee -a /bin/ftponly
sudo chmod a+x /bin/ftponly

Simply add the new shell to the list of authorized shells in the /etc/shells file:

echo "/bin/ftponly" | sudo tee -a /etc/shells

Change the user's shell to /bin/ftponly:

sudo usermod newftpuser -s /bin/ftponly

Change the shell for any other users who should only have FTP access using the same command.

FAQs to Set Up an FTP Server with VSFTPD on CentOS 7

How do I start and stop the VSFTPD service?

To start the VSFTPD service, use the command sudo systemctl start vsftpd. To stop the service, use sudo systemctl stop vsftpd.

Where can I find the configuration file for VSFTPD?

The configuration file for VSFTPD is located at /etc/vsftpd/vsftpd.conf.

How do I configure VSFTPD to allow anonymous FTP access?

Open the configuration file, uncomment the line anonymous_enable=YES, and save the changes. Then, restart the VSFTPD service.

How can I create FTP user accounts with VSFTPD?

You can create FTP user accounts by using the command sudo adduser <username>. With userlist_deny=NO set as in this tutorial, the user must also be listed in /etc/vsftpd/user_list before they can log in via FTP.

How do I restrict FTP access to specific directories for users?

You can use the chroot_local_user=YES option in the VSFTPD configuration file to restrict FTP access to the user's home directory.

How can I limit the maximum number of simultaneous connections to my VSFTPD server?

Set the max_clients and max_per_ip options in the VSFTPD configuration file to limit the total connections and connections per IP respectively.

How do I enable logging for VSFTPD?

In the VSFTPD configuration file, uncomment the line xferlog_file=/var/log/xferlog to enable logging. You can then view the logs in the specified file.

Conclusion

We hope this tutorial helped you understand how to install and configure a safe and efficient FTP server on your CentOS 7 system.

If you have any queries, please leave a comment below, and we’ll be happy to respond to them.