Read in 6 minutes
How to Setup FTP Server with VSFTPD on CentOS 7
FTP (File Transfer Protocol) is a standard client-server network protocol that allows users ro transfer files to and from a remote network.
In this tutorial we’ll be installing vsftpd (Very Secure Ftp Daemon) on CentOS 7. It is a stable, secure and fast FTP server. We will also show you how to configure vsftpd to restrict users to their home directory and encrypt the entire transmission with SSL/TLS.
Before continuing with this tutorial, make sure you are logged in as a user with sudo privileges.
Installing vsftpd on CentOS 7
The vsftpd package is available in the default CentOS repositories. To install it, issue the following command:
sudo yum install vsftpd
Once the package is installed, start the vsftpd daemon and enable it to automatically start at boot time:
sudo systemctl start vsftpd sudo systemctl enable vsftpd
You can verify the vsftpd service is running by printing its status:
sudo systemctl status vsftpd
The output will look something like below, showing that the vsftpd service is active and running:
● vsftpd.service - Vsftpd ftp daemon Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; vendor preset: disabled) Active: active (running) since Thu 2018-11-22 09:42:37 UTC; 6s ago Main PID: 29612 (vsftpd) CGroup: /system.slice/vsftpd.service └─29612 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf
Configuring the vsftpd service involves editing the
/etc/vsftpd/vsftpd.conf configuration file. Most of the settings are well documented inside the configuration file. For all available options visit the official vsftpd page.
In the following sections we will go over some important settings required to configure a secure vsftpd installation.
Start by opening the vsftpd configuration file:
sudo nano /etc/vsftpd/vsftpd.conf
1. FTP Access
We’ll allow access to the FTP server only the local users, find the
local_enable directives and verify your configuration match to lines below:
2. Enabling uploads
write_enable setting to allow changes to the filesystem such as uploading and deleting files.
3. Chroot Jail
Prevent the FTP users to access any files outside of their home directories by uncomment the
By default, when chroot is enabled vsftp will refuse to upload files if the directory that users are locked in is writable. This is to prevent a security vulnerability.
Use one of the methods below to allow uploads when chroot is enabled.
Method 1. - The recommended method to allow upload is to keep chroot enabled, and configure FTP directories. In this tutorial we will create an
ftpdirectory inside the user home which will serve as the chroot and a writable
uploadsdirectory for uploading files./etc/vsftpd/vsftpd.conf
Method 2. - Another option is to add the following directive in the vsftpd configuration file. Use this option if you must to grant writable access to your user to its home directory./etc/vsftpd/vsftpd.conf
4. Passive FTP Connections
vsftpd can use any port for passive FTP connections. We’ll specify the minimum and maximum range of ports and later open the range in our firewall.
Add the following lines to the configuration file:
5. Limiting User Login
To allow only certain users to login to the FTP server add the following lines after the
When this option is enabled you need to explicitly specify which users are able to login by adding the user names to the
/etc/vsftpd/user_list file (one user per line).
6. Securing Transmissions with SSL/TLS
In order to encrypt the FTP transmissions with SSL/TLS, you’ll need to have an SSL certificate and configure the FTP server to use it.
You can use an existing SSL certificate signed by a trusted Certificate Authority or create a self signed certificate.
If you have a domain or subdomain pointing to the FTP server’s IP address you can easily generate a free Let’s Encrypt SSL certificate.
In this tutorial we will generate a self signed SSL certificate using the
The following command will create a 2048-bit private key and self signed certificate valid for 10 years. Both the private key and the certificate will be saved in a same file:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Now that the SSL certificate is created open the vsftpd configuration file:
sudo nano /etc/vsftpd/vsftpd.conf
rsa_private_key_file directives, change their values to the
pam file path and set the
ssl_enable directive to
rsa_cert_file=/etc/vsftpd/vsftpd.pem rsa_private_key_file=/etc/vsftpd/vsftpd.pem ssl_enable=YES
If not specified otherwise, the FTP server will use only TLS to make secure connections.
Restart the vsftpd Service
Once you are done editing, the vsftpd configuration file (excluding comments) should look something like this:
anonymous_enable=NO local_enable=YES write_enable=YES local_umask=022 dirmessage_enable=YES xferlog_enable=YES connect_from_port_20=YES xferlog_std_format=YES chroot_local_user=YES listen=NO listen_ipv6=YES pam_service_name=vsftpd userlist_enable=YES userlist_file=/etc/vsftpd/user_list userlist_deny=NO tcp_wrappers=YES user_sub_token=$USER local_root=/home/$USER/ftp pasv_min_port=30000 pasv_max_port=31000 rsa_cert_file=/etc/vsftpd/vsftpd.pem rsa_private_key_file=/etc/vsftpd/vsftpd.pem ssl_enable=YES
Save the file and restart the vsftpd service for changes to take effect:
sudo systemctl restart vsftpd
Opening the Firewall
If you are running an firewall you’ll need to allow FTP traffic.
To open port
21 (FTP command port), port
20 (FTP data port) and
30000-31000 (Passive ports range), issue the following commands:
sudo firewall-cmd --permanent --add-port=20-21/tcp sudo firewall-cmd --permanent --add-port=30000-31000/tcp
Reload the firewall rules by typing:
Creating an FTP User
To test our FTP server we will create a new user.
- If you already have a user which you want to grant FTP access skip the 1st step.
- If you set
allow_writeable_chroot=YESin your configuration file skip the 3rd step.
Create a new user named
sudo adduser newftpuser
Next, you’ll need to set the user password:
sudo passwd newftpuser
Add the user to the allowed FTP users list:
echo "newftpuser" | sudo tee -a /etc/vsftpd/user_list
Create the FTP directory tree and set the correct permissions:
sudo mkdir -p /home/newftpuser/ftp/upload sudo chmod 550 /home/newftpuser/ftp sudo chmod 750 /home/newftpuser/ftp/upload sudo chown -R newftpuser: /home/newftpuser/ftp
As discussed in the previous section the user will be able to upload its files to the
At this point your FTP server is fully functional and you should be able to connect to your server with any FTP client that can be configured to use TLS encryption such as FileZilla.
Disabling Shell Access
By default, when creating a user, if not explicitly specified the user will have SSH access to the server.
To disable shell access, we will create a new shell which will simply print a message telling the user that their account is limited to FTP access only.
Run the following commands to create the
/bin/ftponly shell and make it executable:
echo -e '#!/bin/sh\necho "This account account is limited to FTP access only."' | sudo tee -a /bin/ftponly sudo chmod a+x /bin/ftponly
Append the new shell to the list of valid shells in the
echo "/bin/ftponly" | sudo tee -a /etc/shells
Change the user shell to
sudo usermod newftpuser -s /bin/ftponly
Use the same command to change the shell for other users you want to give only FTP access.
In this tutorial, you learned how to install and configure a secure and fast FTP server on your CentOS 7 system.