How to configure FTP server with Vsftpd on CentOS 8

FTP (File Transfer Protocol) is a client-server network protocol that allows users to transfer files between a local client and a remote server.

There are many open source FTP servers available on Linux. The most popular and frequently used servers include PureFTPd, ProFTPD, and vsftpd.

In this guide, we will install vsftpd (Very Secure FTP Daemon) on CentOS 8. It is a stable, secure, and fast FTP server. We will show you how to configure vsftpd to restrict users to their home directories and use SSL/TLS to encrypt data transmission.

1. Install vsftpd on CentOS 8

The vsftpd package is available in the default CentOS repositories. To install it, run the following command as root or another user with sudo privileges:

sudo dnf install vsftpd

Once the package is installed, start the vsftpd daemon and enable automatic startup on boot:

sudo systemctl enable vsftpd --now

Verify server status:

sudo systemctl status vsftpd

The output will look like the following, showing that the vsftpd service is activated and running:

● vsftpd.service - Vsftpd ftp daemon
   Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-03-30 15:16:51 EDT; 10s ago
  Process: 2880 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
...

2. Configure vsftpd

The vsftpd settings are stored in the /etc/vsftpd/vsftpd.conf configuration file. Most of the settings in the file are detailed in the documentation. To see all available options, visit the official vsftpd website.

In the following sections, we will take a look at some important settings related to configuring vsftpd security.

Open the vsftpd configuration file:

sudo nano /etc/vsftpd/vsftpd.conf

2.1 FTP Access

We will allow only local users to access the FTP server. Find the anonymous_enable and local_enable directives, and make sure your configuration looks like this:

anonymous_enable=NO
local_enable=YES

2.2 Allow upload

Uncomment write_enable to allow modification of the file system, such as uploading or deleting files.

write_enable=YES

2.3 Chroot Jail

Uncommenting the chroot directive prevents FTP users from accessing any files outside of their home directories.

chroot_local_user=YES

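By default, when chroot is enabled, vsftpd refuses to serve a user whose chroot directory is writable by that user. This is to prevent security issues.

When chroot is enabled, use one of the following methods to allow uploading.

Method 1 (the one used in the rest of this guide): keep the chroot directory non-writable, point it at a dedicated ftp directory, and upload into a writable subdirectory:

user_sub_token=$USER
local_root=/home/$USER/ftp

Method 2: allow a writable chroot directory:

allow_writeable_chroot=YES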

2.4 FTP passive mode

vsftpd can use any port for passive FTP connections. We will specify a minimum and a maximum port, and later open this port range in the firewall.

Add the following lines to the configuration file:

pasv_min_port=30000
pasv_max_port=31000

2.5 Restrict user login

To allow only specified users to log in to the FTP server, add the following configuration below the line userlist_enable=YES:

userlist_file=/etc/vsftpd/user_list
userlist_deny=NO

When this option is enabled, you need to explicitly specify which users can log in by adding the username to /etc/vsftpd/user_list (one user per line).

2.6 Use SSL/TLS encrypted transmission

To use SSL/TLS encrypted FTP transfers, you need an SSL certificate and must configure the FTP server to use it.

You can use an SSL certificate issued by a trusted certificate authority or create a self-signed certificate.

If you have a domain name or subdomain pointing to the public IP address of the FTP server, you can easily generate a free Let's Encrypt SSL certificate.

In this guide, we will use openssl to generate a self-signed SSL certificate.

The following command will create a 2048-bit private key and a self-signed certificate with a 10-year validity period. Both the private key and the certificate are saved in the same file:

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

Once the SSL certificate is created, open the vsftpd configuration file:

sudo nano /etc/vsftpd/vsftpd.conf

Find the rsa_cert_file and rsa_private_key_file directives, change their values to the pem file path, and set the ssl_enable directive to YES:

rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES

Unless otherwise specified, the FTP server will only use TLS for secure connections.

2.7 Restart the vsftpd service

Once you have finished editing, the vsftpd configuration file /etc/vsftpd/vsftpd.conf (excluding comments) should look like this:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
tcp_wrappers=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES

Save the file and restart the vsftpd service to make the changes take effect:

sudo systemctl restart vsftpd
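
The settings above can be checked mechanically before each restart. The following script is an added example, not part of the original guide; the function names conf_get and audit_vsftpd_conf and the sample file are constructed for illustration, and it assumes the last uncommented occurrence of a directive is the effective one.

```bash
#!/bin/bash
# Added example: audit a vsftpd.conf against the settings used in this guide.

# Print the value of directive $2 in file $1 (last uncommented occurrence is
# taken as effective, an assumption of this sketch); prints nothing if unset.
conf_get() {
    # vsftpd does not accept spaces around "=", so match "key=" literally.
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one line per finding; the return status is the number of FAIL lines.
audit_vsftpd_conf() {
    conf="$1"; fails=0
    # directive=expected pairs taken from the guide's final configuration
    for pair in anonymous_enable=NO local_enable=YES chroot_local_user=YES \
                userlist_enable=YES userlist_deny=NO ssl_enable=YES; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(conf_get "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: expected $want, found ${got:-unset}"
            fails=$((fails + 1))
        fi
    done
    # Not counted as a failure: the guide lists this as an alternative method.
    if [ "$(conf_get "$conf" allow_writeable_chroot)" = "YES" ]; then
        echo "WARN allow_writeable_chroot=YES: writable chroot root is permitted"
    fi
    # Both ends of the passive range must be set so the firewall rule matches.
    min=$(conf_get "$conf" pasv_min_port); max=$(conf_get "$conf" pasv_max_port)
    if ! [ "${min:-0}" -gt 0 ] 2>/dev/null || ! [ "${max:-0}" -ge "${min:-0}" ] 2>/dev/null; then
        echo "FAIL passive range: pasv_min_port/pasv_max_port unset or invalid"
        fails=$((fails + 1))
    else
        echo "INFO open ${min}-${max}/tcp in the firewall"
    fi
    return "$fails"
}

# Constructed sample (not a real server's file): userlist_deny left at YES,
# which turns /etc/vsftpd/user_list into a deny list instead of an allow list.
sample=$(mktemp)
printf '%s\n' anonymous_enable=NO local_enable=YES chroot_local_user=YES \
    userlist_enable=YES userlist_deny=YES ssl_enable=YES \
    pasv_min_port=30000 pasv_max_port=31000 > "$sample"
audit_vsftpd_conf "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

On a real server, run audit_vsftpd_conf /etc/vsftpd/vsftpd.conf and restart the service only when it returns 0.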

3. Open the firewall

If you are running an FTP server, you need to allow FTP traffic through the firewall.

To open port 21 (FTP command port), port 20 (FTP data port), and 30000-31000 (passive mode port range) in your firewall, enter the following commands:

sudo firewall-cmd --permanent --add-port=20-21/tcp
sudo firewall-cmd --permanent --add-port=30000-31000/tcp

Enter the following command to reload the firewall rules:

sudo firewall-cmd --reload

4. Create an FTP user

To test the FTP server, you need to create a new user.

  1. Create a new user with the name newftpuser:

sudo adduser newftpuser

Next, you need to set the user password:

sudo passwd newftpuser

  2. Add the user to the list of allowed FTP users:

echo "newftpuser" | sudo tee -a /etc/vsftpd/user_list

  3. Create an FTP directory tree and set the correct permissions:

sudo mkdir -p /home/newftpuser/ftp/upload
sudo chmod 550 /home/newftpuser/ftp
sudo chmod 750 /home/newftpuser/ftp/upload
sudo chown -R newftpuser: /home/newftpuser/ftp

As discussed earlier, users will be allowed to upload their files to the ftp/upload directory.
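
The permissions matter because the chroot directory must stay non-writable while the upload subdirectory stays writable only by its owner. The check below is an added example, not part of the original guide; the function name check_ftp_tree and the temporary demo tree are constructed for illustration, and it assumes GNU stat as shipped with CentOS.

```bash
#!/bin/bash
# Added example: verify the directory layout created in step 3.
# check_ftp_tree FTP_ROOT   (e.g. /home/newftpuser/ftp)
# Prints one line per finding; the return status is the number of findings.
check_ftp_tree() {
    root="$1"; up="$1/upload"; fails=0
    for d in "$root" "$up"; do
        [ -d "$d" ] || { echo "FAIL $d: missing"; return 1; }
    done
    root_mode=$(stat -c %a "$root"); up_mode=$(stat -c %a "$up")
    # chroot root: no write bits at all (the guide sets 550)
    if [ $(( 0$root_mode & 0222 )) -ne 0 ]; then
        echo "FAIL $root: mode $root_mode has write bits set (guide uses 550)"
        fails=$((fails + 1))
    fi
    # upload directory: writable by its owner only (the guide sets 750)
    if [ $(( 0$up_mode & 0200 )) -eq 0 ]; then
        echo "FAIL $up: mode $up_mode, owner cannot write"
        fails=$((fails + 1))
    fi
    if [ $(( 0$up_mode & 0022 )) -ne 0 ]; then
        echo "FAIL $up: mode $up_mode, group or others can write"
        fails=$((fails + 1))
    fi
    # chown -R should have given both directories the same owner
    if [ "$(stat -c %u "$root")" != "$(stat -c %u "$up")" ]; then
        echo "FAIL $up: owner differs from owner of $root"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed demo tree standing in for /home/newftpuser/ftp.
demo=$(mktemp -d)
mkdir -p "$demo/ftp/upload"
chmod 750 "$demo/ftp/upload"; chmod 550 "$demo/ftp"
check_ftp_tree "$demo/ftp" && echo "layout OK"
chmod 750 "$demo/ftp"    # the mistake that chmod 550 avoids
check_ftp_tree "$demo/ftp" || echo "$? finding(s)"
chmod -R u+w "$demo"; rm -rf "$demo"
```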

At this point, your FTP server is fully functional, and you can connect to it with any FTP client that supports TLS encryption, such as FileZilla.

5. Disable shell access

By default, unless explicitly specified otherwise when the user is created, the user will be able to access the server via SSH.

To disable shell access, we will create a new shell, which will simply print a message telling the user that they are only allowed to access FTP.

Run the following command to create the /bin/ftponly shell and make it executable:

echo -e '#!/bin/sh\necho "This account is limited to FTP access only."' | sudo tee -a /bin/ftponly
sudo chmod a+x /bin/ftponly

Append this new shell to the /etc/shells file:

echo "/bin/ftponly" | sudo tee -a /etc/shells

Change the user's shell to /bin/ftponly:

sudo usermod newftpuser -s /bin/ftponly

Use the same command to modify the shells of other users, restricting them to only access via FTP.

6. Summary

We have shown you how to install and configure a secure and fast FTP server on CentOS 8.

For more secure and faster data transfer, you should use SCP or SFTP.
