Manage your Network!

Installing & Configuring VSFTPD FTP Server for Redhat Enterprise Linux, CentOS & Fedora

Vsftpd is a popular FTP server for Unix/Linux systems. For thoes unaware of the vsftpd ftp server, note that this is not just another ftp server, but a mature product that has been around for over 12 years in the Unix world. While Vsftpd it is found as an installation option on many Linux distributions, it is not often Linux system administrators are seeking for installation and configuration instructions for it, which is the reason we decide to cover it on Firewall.cx.

This article focuses on the installation and setup of the Vsftpd service on Linux Redhat Enterprise, Fedora and CentOS, however it is applicable to almost all other Linux distributions. We'll also take a look at a number of great tips which include setting quotas, restricting access to anonymous users, disabling uploads, setting a dedicated partition for the FTP service, configuring the system's IPTable firewall and much more.

VSFTPD Features

Following is a list of vsftpd's features which confirms this small FTP package is capable of delivering a lot more than most FTP servers out there:

Virtual IP configurations
Virtual users
Standalone or inetd operation
Powerful per-user configurability
Bandwidth throttling
Per-source-IP configurability
Per-source-IP limits
IPv6
Encryption support through SSL integration
and much more....!

Installing The VSFTPD Linux Server

To initiate the installation of the vsftpd package, simply open your CLI prompt and use the yum command (you need root privileges) as shown below:

# yum install vsftpd

Yum will automatically locate, download and install the latest vsftpd version.

Configure VSFTPD Server

To open the configuration file, type:

# vi /etc/vsftpd/vsftpd.conf

Turn off standard ftpd xferlog log format and turn on verbose vsftpd log format by making the following changes in the vsftpd.conf file:

xferlog_std_format=NO
log_ftp_protocol=YES

Note: the default vsftpd log file is /var/log/vsftpd.log.

Above two directives will enable logging of all FTP transactions.

To lock down users to their home directories:

chroot_local_user=YES

You can create warning banners for all FTP users, by defining the path:

banner_file=/etc/vsftpd/issue

Now you can create the /etc/vsftpd/issue file with a message compliant with the local site policy or a legal disclaimer:

“NOTICE TO USERS - Use of this system constitutes consent to security monitoring and testing. All activity is logged with your host name and IP address”.

Turn On VFSTPD Service

Turn on vsftpd on boot:

# systemctl enable vsftpd@.service

Start the service:

# systemctl start This email address is being protected from spambots. You need JavaScript enabled to view it.

You can verify the service is running and listening on the correct port using the following command:

# netstat -tulpn | grep :21

Here's the expected output:

tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN LISTEN 9734/vsftpd

Configure IPtables To Protect The FTP Server

In case IPTables are configured on the system, it will be necessary to edit the iptables file and open the ports used by FTP to ensure the service's operation.

To open file /etc/sysconfig/iptables, enter:

# vi /etc/sysconfig/iptables

Add the following lines, ensuring that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT:

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

Next, open file /etc/sysconfig/iptables-config, and enter:

# vi /etc/sysconfig/iptables-config

Ensure that the space-separated list of modules contains the FTP connection-tracking module:

IPTABLES_MODULES="ip_conntrack_ftp"

Save and close the file and finally restart the firewall using the following commands:

# systemctl restart iptables.service
# systemctl restart ip6tables.service

Tip: View FTP Log File

Type the following command:

# tail -f /var/log/vsftpd.log

Tip: Restricting Access to Anonymous User Only

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

local_enable=NO

Tip: To Disable FTP Uploads

Edit the vsftpd configuration file /etc/vsftpd/vsftpd.conf and add the following:

write_enable=NO

Tip: To Enable Disk Quota

Disk quota must be enabled to prevent users from filling a disk used by FTP upload services. Edit the vsftpd configuration file. Add or correct the following configuration options to represents a directory which vsftpd will try to change into after an anonymous login:

anon_root=/ftp/ftp/pub

The ftp users are the same users as those on the hosting machine.

You could have a separate group for ftp users, to help keep their privileges down (for example 'anonftpusers'). Knowing that, your script should do:

useradd -d /www/htdocs/hosted/bob -g anonftpusers -s /sbin/nologin bob

echo bobspassword | passwd --stdin bob

echo bob >> /etc/vsftpd/user_list

Be extremely careful with your scripts, as they will have to be run as root.

However, for this to work you will have to have the following options enabled in /etc/vsftpd/vsftpd.conf:

userlist_enable=YES
userlist_deny=NO

Security Tip: Place The FTP Directory On Its Own Partition

Separation of the operating system files from FTP users files may result into a better and secure system. Restricting the growth of certain file systems is possible using various techniques. For example, use /ftp partition to store all ftp home directories and mount ftp with nosuid, nodev and noexec options. A sample /etc/fstab entry:

/dev/sda5 /ftp ext3 defaults,nosuid,nodev,noexec,usrquota 1 2

Example File For vsftpd.conf

Following is an example for vsftpd.conf. It allows the users listed in the user_list file to log in, no anonymous users, and quite tight restrictions on what users can do:

# Allow anonymous FTP?

anonymous_enable=NO

# Allow local users to log in?

local_enable=YES

# Allow any form of FTP write command.

write_enable=YES

# To make files uploaded by your users writable by only

# themselves, but readable by everyone and if, through some

# misconfiguration, an anonymous user manages to upload a file, # the file will have no read, write or execute permission. Just to be # safe.

local_umask=0000

file_open_mode=0644

anon_umask=0777

# Allow the anonymous FTP user to upload files?

anon_upload_enable=NO

# Activate directory messages - messages given to remote users when they

# go into a certain directory.

dirmessage_enable=NO

# Activate logging of uploads/downloads?

xferlog_enable=YES

# Make sure PORT transfer connections originate from port 20 (ftp-data)?

connect_from_port_20=YES

# Log file in standard ftpd xferlog format?

xferlog_std_format=NO

# User for vsftpd to run as?

nopriv_user=vsftpd

# Login banner string:

ftpd_banner= NOTICE TO USERS - Use of this system constitutes consent to security monitoring and testing. All activity is logged with your host name and IP address.

# chroot local users (only allow users to see their directory)?

chroot_local_user=YES

# PAM service name?

pam_service_name=vsftpd

# Enable user_list (see next option)?

userlist_enable=YES

# Should the user_list file specify users to deny(=YES) or to allow(=NO)

userlist_deny=NO

# Standalone (not run through xinetd) listen mode?

listen=YES

tcp_wrappers=NO

# Log all ftp actions (not just transfers)?

log_ftp_protocol=YES

# Initially YES for trouble shooting, later change to NO

# Show file ownership as ftp:ftp instead of real users?

hide_ids=YES

# Allow ftp users to change permissions of files?

chmod_enable=NO

# Use local time?

use_localtime=YES

# List of raw FTP commands, which are allowed (some commands may be a security hazard):

cmds_allowed=ABOR,QUIT,LIST,PASV,RETR,CWD,STOR,TYPE,PWD,SIZE,NLST,PORT,SYST,PRET,MDTM,DEL,MKD,RMD

With this config, uploaded files are not readable or executable by anyone, so the server is acting as a 'dropbox'. Change the file_open_modeoption to change that.

Lastly, it is also advised to have a look at 'man vsftpd.conf' for a full list and description of all options.