Red Hat / CentOS VSFTPD FTP Server Configuration

by Vivek Gite · 18 comments

This entry is part 1 of 5 in the series CentOS / RHEL FTP Server

vsftpd (Very Secure FTP Daemon) is an FTP server for UNIX-like systems, including CentOS / RHEL / Fedora and other Linux distributions. It supports IPv6, SSL, locking users to their home directories and many other advanced features.

In this guide you will learn:

  1. Set up vsftpd to provide FTP service.
  2. Configure vsftpd.
  3. Configure firewalls to protect the FTP server.
  4. Configure vsftpd with SSL/TLS.
  5. Set up vsftpd as a download-only anonymous Internet server.
  6. Set up vsftpd with virtual users, and much more.


vsftpd offers security, performance and stability over other FTP servers. A quick list of vsftpd features:

  1. Virtual IP configurations
  2. Virtual users
  3. Run as standalone or inetd / xinetd operation
  4. Per-user configuration
  5. Bandwidth throttling
  6. Per-source-IP configurability
  7. Per-source-IP limits
  8. IPv6 ready
  9. Encryption support through SSL integration
  10. And much more.

Install Vsftpd FTP Server

Install the vsftpd package via yum command:
# yum install vsftpd

Vsftpd Defaults

  1. Default ports: TCP 21 (control connection) and TCP 20 (data connection in active mode; in passive mode the server picks an unprivileged port). FTP does not use UDP.
  2. The main configuration file: /etc/vsftpd/vsftpd.conf
  3. Users that are not allowed to log in via FTP (enforced through PAM's pam_listfile module): /etc/vsftpd/ftpusers

Configure Vsftpd Server

Open the configuration file, type:
# vi /etc/vsftpd/vsftpd.conf
Turn off the standard ftpd xferlog log format:

xferlog_std_format=NO

Turn on the verbose vsftpd log format, which records every FTP command and response. With xferlog_std_format=NO the log goes to /var/log/vsftpd.log by default:

log_ftp_protocol=YES

The above two directives enable logging of all FTP transactions. Lock local users into their home directories so they cannot browse the rest of the file system:

chroot_local_user=YES

Note that vsftpd 2.3.5 and later refuse the login when the chroot root (normally the user's home directory) is writable by that user, failing with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". Keep the home directory owned by root and not writable, and give the user a writable subdirectory for uploads, rather than disabling the check with allow_writeable_chroot=YES (vsftpd 3.x), which weakens the containment.

Show a warning banner to all FTP users before they log in:

banner_file=/etc/vsftpd/issue

Create the /etc/vsftpd/issue file with a message that complies with local site policy, or a legal disclaimer:

NOTICE TO USERS

Use of this system constitutes consent to security monitoring and testing.
All activity is logged with your host name and IP address.
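The directives above are easy to set and just as easy to lose on the next package update or copy-paste. The script below is an added example (not part of the original article) that audits a vsftpd.conf against this section's checklist: it reads each directive the way vsftpd does (comment lines ignored, no spaces around "=", and when a directive appears more than once the last assignment wins), substitutes the daemon's built-in default from man 5 vsftpd.conf when a directive is absent, and counts the deviations. It goes one step beyond the section by also flagging anonymous_enable=YES, which the stock RHEL file sets and which only an intentional anonymous mirror needs. The two sample configuration files are constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the article): audit a vsftpd.conf against the
# hardening directives this section sets. The two sample configs below are
# constructed; the built-in defaults used for unset keys follow man 5 vsftpd.conf.

# Effective value of KEY in FILE. vsftpd parses top to bottom and the last
# assignment wins; comment lines start with '#'; there are no spaces around '='.
vsftpd_get() {
    grep -E "^$1=" "$2" | tail -n 1 | cut -d= -f2-
}

# vsftpd_check FILE KEY WANTED BUILTIN_DEFAULT
# Writes a FAIL line to stderr and returns 1 when the effective value
# (explicit, or the daemon's built-in default if unset) is not WANTED.
vsftpd_check() {
    v=$(vsftpd_get "$2" "$1")
    [ -n "$v" ] || v="$4"
    if [ "$v" != "$3" ]; then
        echo "FAIL: $2=$v (want $3)" >&2
        return 1
    fi
}

# vsftpd_audit FILE -> prints the number of failing checks (0 = hardened).
vsftpd_audit() {
    n=0
    # stock RHEL file turns anonymous access on; only an anonymous mirror needs it
    vsftpd_check "$1" anonymous_enable   NO  YES || n=$((n+1))
    vsftpd_check "$1" chroot_local_user  YES NO  || n=$((n+1))
    vsftpd_check "$1" xferlog_std_format NO  NO  || n=$((n+1))
    vsftpd_check "$1" log_ftp_protocol   YES NO  || n=$((n+1))
    vsftpd_check "$1" ls_recurse_enable  NO  NO  || n=$((n+1))
    if [ -z "$(vsftpd_get banner_file "$1")" ]; then
        echo "FAIL: banner_file unset (no login warning banner)" >&2
        n=$((n+1))
    fi
    echo "$n"
}

# Write two constructed configs; sets WEAK and HARD to their paths.
write_samples() {
    WEAK=$(mktemp) && HARD=$(mktemp) || return 1
    cat > "$WEAK" <<'EOF'
# constructed: resembles the stock /etc/vsftpd/vsftpd.conf before this guide
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
xferlog_enable=YES
xferlog_std_format=YES
listen=YES
pam_service_name=vsftpd
EOF
    cat > "$HARD" <<'EOF'
# constructed: the same file after applying this section
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
xferlog_enable=YES
xferlog_std_format=YES
log_ftp_protocol=YES
chroot_local_user=YES
banner_file=/etc/vsftpd/issue
listen=YES
pam_service_name=vsftpd
# a directive given twice: vsftpd keeps the last value, so this one counts
xferlog_std_format=NO
EOF
}

# Usage: sh vsftpd-audit.sh /etc/vsftpd/vsftpd.conf
# With no argument, audit the two constructed samples instead.
if [ -n "$1" ]; then
    vsftpd_audit "$1"
else
    write_samples
    echo "weak sample: $(vsftpd_audit "$WEAK") failing checks"
    echo "hardened sample: $(vsftpd_audit "$HARD") failing checks"
    rm -f "$WEAK" "$HARD"
fi
```

Run it against the live file after every edit; a non-zero count with the FAIL lines on stderr tells you exactly which directive drifted. The last-assignment-wins rule is worth remembering when reading other people's configs: a duplicated directive further down the file silently overrides the one you were looking at.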

Turn On Vsftpd Service

Turn on vsftpd on boot:
# chkconfig vsftpd on
Start the service:
# service vsftpd start
# netstat -tulpn | grep :21

Configure Iptables To Protect The FTP Server

Open file /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables
Add the following line, making sure it appears before the final REJECT (or LOG and DROP) rule of the RH-Firewall-1-INPUT chain; a rule placed after that is never reached:

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

Open file /etc/sysconfig/iptables-config, enter:
# vi /etc/sysconfig/iptables-config
Ensure that the space-separated list of modules contains the FTP connection tracking helper (ip_conntrack_ftp on RHEL/CentOS 5; on RHEL/CentOS 6 and later the module is named nf_conntrack_ftp). The helper watches the PORT and PASV exchange on the control connection and marks the resulting data connection as RELATED, so the existing RELATED,ESTABLISHED rule accepts it and neither port 20 nor the passive port range needs to be opened explicitly:

IPTABLES_MODULES="ip_conntrack_ftp"

Save and close the file. Restart firewall:
# service iptables restart
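The conntrack helper is convenient, but some sites prefer not to run a kernel module that parses an unauthenticated protocol. The alternative is to pin vsftpd's passive range with pasv_min_port and pasv_max_port and open exactly that range. The script below is an added example (not part of the original article) that reads the range from a vsftpd.conf, refuses ranges that are missing, non-numeric, inverted, below 1024 or beyond 65535, and emits the two RH-Firewall-1-INPUT rules to add before the chain's final REJECT. The sample configuration is constructed. If the server sits behind NAT you also need pasv_address set to the public IP, which this script does not check.

```shell
#!/bin/sh
# Added example (not from the article): generate the RH-Firewall-1-INPUT rules
# for a vsftpd server that pins its passive data ports instead of relying on
# the ip_conntrack_ftp helper. The sample config below is constructed.

# Effective value of KEY in FILE (last assignment wins, as vsftpd parses it).
vsftpd_get() {
    grep -E "^$1=" "$2" | tail -n 1 | cut -d= -f2-
}

# pasv_rules CONF -> prints the iptables rules for the control port and the
# passive range; prints an error to stderr and returns 1 if the range is unusable.
pasv_rules() {
    lo=$(vsftpd_get pasv_min_port "$1")
    hi=$(vsftpd_get pasv_max_port "$1")
    case "$lo$hi" in
        ''|*[!0-9]*)
            echo "error: pasv_min_port/pasv_max_port missing or not numeric in $1;" \
                 "use the FTP conntrack helper instead" >&2
            return 1 ;;
    esac
    # refuse privileged ports, ports outside the TCP range, and inverted ranges
    if [ "$lo" -lt 1024 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo "error: passive range $lo-$hi is invalid" >&2
        return 1
    fi
    echo "-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT"
    echo "-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport ${lo}:${hi} -j ACCEPT"
}

# Write a constructed config with a pinned passive range; sets CONF to its path.
write_sample_conf() {
    CONF=$(mktemp) || return 1
    cat > "$CONF" <<'EOF'
# constructed sample vsftpd.conf fragment
listen=YES
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60100
EOF
}

# Usage: sh pasv-rules.sh /etc/vsftpd/vsftpd.conf   (no argument: demo on the sample)
if [ -n "$1" ]; then
    pasv_rules "$1"
else
    write_sample_conf && pasv_rules "$CONF"
    rm -f "$CONF"
fi
```

Paste the printed rules into /etc/sysconfig/iptables above the final REJECT line and restart iptables as shown above. A range of about a hundred ports is plenty for a small server, since each simultaneous transfer uses one port.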

Tip: View FTP Log File

Type the following command:
# tail -f /var/log/vsftpd.log
Sample output:

Thu May 21 11:40:31 2009 [pid 42298] FTP response: Client "10.1.3.108", "530 Please login with USER and PASS."
Thu May 21 11:40:36 2009 [pid 42298] FTP command: Client "10.1.3.108", "USER vivekda"
Thu May 21 11:40:36 2009 [pid 42298] [vivek] FTP response: Client "10.1.3.108", "331 Please specify the password."
Thu May 21 11:40:38 2009 [pid 42298] [vivek] FTP command: Client "10.1.3.108", "PASS "
Thu May 21 11:40:38 2009 [pid 42297] [vivek] OK LOGIN: Client "10.1.3.108"
Thu May 21 11:40:38 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "230 Login successful."
Thu May 21 11:40:38 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "SYST"
Thu May 21 11:40:38 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "215 UNIX Type: L8"
Thu May 21 11:40:39 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "PORT 10,1,3,108,162,253"
Thu May 21 11:40:39 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "200 PORT command successful. Consider using PASV."
Thu May 21 11:41:05 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "150 Ok to send data."
Thu May 21 11:41:06 2009 [pid 42299] [vivek] OK UPLOAD: Client "10.1.3.108", "/windows-7-too-many-programs.png", 8957 bytes, 6.70Kbyte/sec
Thu May 21 11:41:06 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "226 File receive OK."
Thu May 21 11:41:10 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "TYPE A"
Thu May 21 11:41:10 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "200 Switching to ASCII mode."
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "PORT 10,1,3,108,217,96"
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "200 PORT command successful. Consider using PASV."
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP command: Client "10.1.3.108", "LIST"
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "150 Here comes the directory listing."
Thu May 21 11:41:11 2009 [pid 42299] [vivek] FTP response: Client "10.1.3.108", "226 Directory send OK."
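With log_ftp_protocol=YES the log above is also the place to catch password guessing and to review what has been uploaded. The script below is an added example (not part of the original article) with two small detections over that format: one counts "FAIL LOGIN" entries per client address and reports any client over a threshold, the other extracts user, client, path and size from every "OK UPLOAD" entry so new files can be reviewed or handed to a scanner. The sample log lines are constructed to match the format shown above; they are not from a real server.

```shell
#!/bin/sh
# Added example (not from the article): detection logic over /var/log/vsftpd.log
# in the log_ftp_protocol=YES format. The sample lines below are constructed.

# vsftpd_failed_logins LOG THRESHOLD -> "client count" for every client with at
# least THRESHOLD "FAIL LOGIN" entries (password guessing / brute force).
vsftpd_failed_logins() {
    grep 'FAIL LOGIN: Client' "$1" \
      | sed -n 's/.*Client "\([^"]*\)".*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$2" '$1 >= t { print $2, $1 }'
}

# vsftpd_uploads LOG -> "user client path bytes" for every completed upload.
vsftpd_uploads() {
    sed -n 's/.*\[\([^]]*\)] OK UPLOAD: Client "\([^"]*\)", "\([^"]*\)", \([0-9]*\) bytes.*/\1 \2 \3 \4/p' "$1"
}

# Write a constructed sample log to the given path.
write_sample_log() {
    cat > "$1" <<'EOF'
Thu May 21 11:40:31 2009 [pid 42298] FTP response: Client "10.1.3.108", "530 Please login with USER and PASS."
Thu May 21 11:40:38 2009 [pid 42297] [vivek] OK LOGIN: Client "10.1.3.108"
Thu May 21 11:41:06 2009 [pid 42299] [vivek] OK UPLOAD: Client "10.1.3.108", "/report.png", 8957 bytes, 6.70Kbyte/sec
Thu May 21 11:42:01 2009 [pid 42301] [admin] FAIL LOGIN: Client "10.1.3.200"
Thu May 21 11:42:03 2009 [pid 42302] [root] FAIL LOGIN: Client "10.1.3.200"
Thu May 21 11:42:05 2009 [pid 42303] [test] FAIL LOGIN: Client "10.1.3.200"
Thu May 21 11:42:07 2009 [pid 42304] [ftp] FAIL LOGIN: Client "10.1.3.200"
Thu May 21 11:43:00 2009 [pid 42305] [vivek] FAIL LOGIN: Client "10.1.3.108"
EOF
}

# Usage: sh vsftpd-detect.sh /var/log/vsftpd.log   (no argument: run on the sample)
if [ -n "$1" ]; then
    echo "clients with >= 5 failed logins:"; vsftpd_failed_logins "$1" 5
    echo "uploads:"; vsftpd_uploads "$1"
else
    LOG=$(mktemp); write_sample_log "$LOG"
    echo "clients with >= 3 failed logins:"; vsftpd_failed_logins "$LOG" 3
    echo "uploads:"; vsftpd_uploads "$LOG"
    rm -f "$LOG"
fi
```

Run from cron against the live log, the first function gives you a list of addresses to feed into an iptables DROP rule or a tool such as fail2ban; the second gives a daily manifest of what arrived over FTP.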

Tip: Restrict Access to Anonymous User Only

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following, so that only the anonymous account can log in (anonymous_enable=YES must remain set):

local_enable=NO

Tip: Disable FTP Uploads

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following; it refuses every command that changes the file system (STOR, APPE, DELE, RNFR/RNTO, MKD, RMD) for anonymous and local users alike:

write_enable=NO

Security Tip: Place the FTP Directory on its Own Partition

Keeping operating system files separate from FTP users' files gives a more robust and secure system, and it lets you cap the growth of the FTP file system. For example, use a dedicated /ftp partition for all FTP home directories and mount it with the nosuid, nodev and noexec options, so that nothing uploaded there can be executed, used as a device node, or used to gain privileges. A sample /etc/fstab entry:

/dev/sda5  /ftp          ext3    defaults,nosuid,nodev,noexec,usrquota 1 2

Disk quotas must be enabled so that users cannot fill the disk through FTP uploads; the usrquota mount option above turns on per-user quota accounting, after which quotas are initialised and activated with quotacheck and quotaon. Then edit the vsftpd configuration file and add or correct the following option, which names the directory vsftpd changes into after an anonymous login:
anon_root=/ftp/ftp/pub


Comments

1 Emil CHERICHEȘ 05.22.09 at 5:19 am

ip_conntrack_ftp is used for ftp tracking when used through NAT.
I don't believe it's necessary here.

2 Vivek Gite 05.22.09 at 10:15 am

The ip conntrack ftp module is used by iptables to listen to traffic and allow connections to the data ports (20). This allows an FTP server to operate on a machine which is running a firewall. Without this option passive ftp will not work.

Another option is just skip this module assign min and max pass ranges in vsftpd and open those ports (see “Vsftpd Set Download Only Anonymous Internet Server”).

3 Damian Myerscough 05.22.09 at 11:04 am

Hello Vivek,

I noticed a mount argument you put, noexe

/dev/sda5 /ftp ext3 defaults,nosuid,nodev,noexe,usrquota 1 2

This should be modified to noexec

/dev/sda5 /ftp ext3 defaults,nosuid,nodev,noexec,usrquota 1 2

Nice guide though :)

4 Vivek Gite 05.22.09 at 12:28 pm

Thanks for the heads-up!

5 chika 05.23.09 at 7:52 am

proftpd LoL

6 Usman 05.28.09 at 9:51 am

Nice tutorial, but you didn't talk about the point "Setup vsftpd With Virtual Users and Much More" in the above tutorial!

7 Vivek Gite 05.28.09 at 11:18 am

Vsftpd virtual user tutorial is covered here.

8 fabian 06.06.09 at 12:28 pm

Can you mention the difference between vsftpd and pure-ftp? Which is better?

9 Vivek Gite 06.06.09 at 1:50 pm

It is hard to say as we don’t know anything about your setup. vsftpd is in base RHEL system and there is no need to compile pure-ftp or 3rd party rpms. I will stick to vsftpd as it is part of os itself and updated and patched by Red Hat as and when required.

10 Amritesh 06.08.09 at 12:28 pm

I have followed the process. I am able to log in via ftp but I am not able to run any command like ls, get, put etc. Please guide me.
The error is as follows:

[root@localhost ~]# ftp 10.100.100.200
Connected to 10.100.100.200.
220 Welcome to AmritesH's FTP service.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (10.100.100.200:root): amritesh
331 Please specify the password.
Password:
230 Login successful.
ftp> ls
550 Permission denied.
Passive mode refused. Turning off passive mode.
550 Permission denied.
ftp: bind: Address already in use

11 Vivek Gite 06.08.09 at 1:50 pm

a) Do you have firewall configured? If so make sure it is working correctly.

b) What about file permissions?

12 Amritesh 06.10.09 at 10:31 am

Thanks Vivek, I am giving you the firewall and vsftpd.config file details.

I have set the permission to 777.
My iptables file is:

# Generated by iptables-save v1.3.5 on Wed Jun 10 21:13:16 2009
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [423:45748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

and
vsftpd.config is

# Example vsftpd config file
#
# See man 5 vsftpd.conf for more information.
#
# $Header: /var/cvsroot/gentoo-x86/net-ftp/vsftpd/files/vsftpd.conf,v 1.6 2005/08/03 09:38:31 uberlord Exp $

# Enable vsftpd to run as a standalone daemon
# Comment these two out to run under inetd or xinetd
#background=YES
listen=YES

# Allow anonymous FTP?
#anonymous_enable=YES

# Uncomment this to allow local users to log in.
local_enable=YES

# Uncomment this to enable any form of FTP write command.
write_enable=YES

# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022

# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES

# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES

# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES

# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES

# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
chown_uploads=YES
chown_username=ftp
# Activate logging of uploads/downloads.
#xferlog_enable=YES

# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES

# You may override where the log file goes if you like.
xferlog_file=/var/log/vsftpd.log

# You may change the default value for timing out an idle session.
#idle_session_timeout=600

# You may change the default value for timing out a data connection.
#data_connection_timeout=120

# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=nobody

# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES

# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES

# You may fully customise the login banner string:
ftpd_banner=Welcome to AmritesH's FTP service.

# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/banned_emails

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list

# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES

cmds_allowed=ls,pwd,dir,mkdir,rmdir,put,get,mget,prompt,cd ..,cd ~,ls -ltr
pam_service_name=vsftpd
tcp_wrappers=YES
#userlist_deny=NO
userlist_enable=NO
#userlist_file=/etc/vsftpd.user_list
#chmod_enable=YES
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd.chroot_list
#local_root=/root/
#dirlist_enable=YES
#download_enable=YES
#chown_uploads=YES
#ftp_data_port=20
#port_enable=YES
pasv_enable=YES
#pasv_max_port=64000
#pasv_min_port=60000
#pasv_promiscuous=NO
cmds_allowed=PASV,RETR,QUIT,ls,dir

13 satrio 09.27.09 at 9:58 am

Do you know how to configure it for IP version 6? Can you show me the configuration? Thank you in advance :)

14 Vamsi 10.16.09 at 7:42 am

Hi !
How to add users ?
please :D

15 vorf 12.28.09 at 12:48 pm

mmm..interesting..

16 Prakash 01.08.10 at 10:08 am

Very clearly you have explained configuration setup,
Thanks

17 Vishal 03.11.10 at 11:04 am

I have installed RHEL5 and installed vsftpd. It is running fine in Linux, but when I try this FTP site from a Windows PC the error "530 Permission denied" occurs. With anonymous access it is working. I want authentication when using FTP on both Windows and Linux; I have disabled anonymous access.

18 Daniel 03.18.10 at 2:19 pm

Thanks man!!
There are pretty guides on the internet, but this works perfectly.
