1. Home
  2. Tutorials
  3. Linux VsFTP Server Configuration
Yolinux.com Tutorial

Linux VsFTP Server Configuration Tutorial

How to enable file transfer for a Linux website server

An VsFTP (Very Secure FTP) server configuration allows users to access their home directory and to upload and download files with their account. The user will be denied access to the rest of the system as they will be chrooted to the user home directory.

Note that the FTP file transfer protocol is used and is unencrypted, thus relying on the security of your network. While ubiquitous at one time, this is no longer prefered. See out tutorial for encrypted file transfer using an sFTP chroot configuration.

VsFTPd:

Many FTP programs exist. This example covers the once popular vsftpd (once the default for Red Hat, Fedora Core, Suse). There are other FTP programs including proFtpd (supports LDAP authentication, Apache like directives), wu-ftpd, bftpd, pure-ftpd (once the default on free BSD and optional on Suse), etc ...

For hostile environments set up a chrooted environment for an sftp encrypted connection and the rssh restricted shell for OpenSSH. See the YoLinux.com internet security tutorial for Linux sftp and rssh configuration

Also see the preferred chrooted sftp configuration for OpenSSH 4.9+

FTPd and SELinux: To allow FTPd daemon access and FTP access to users home directories:

  • setsebool -P allow_ftpd_full_access=1
    Other wise you will get an error in /var/log/messages:
    SELinux is preventing the ftp daemon from writing files outside the home directory (./public_html).
  • setsebool -P ftp_home_dir 1

Follow with the command service vsftpd restart

vsFTPd and FTP user account configuration:

The vsFTPd ftp server was first made available in Red Hat 9.0. It has been adopted by Suse and OpenBSD as well. This is currently the recommended FTP daemon for use on FTP servers.

Enable vsftpd:

  • Red Hat/Fedora Core/CentOS: VsFTPd is a stand alone service and by the default Fedora Core installation, not controlled by xinetd as is the wu-ftpd default installation.
    Thus start service: service vsftpd start (or: /etc/init.d/vsftpd start)
    Configure vsftpd to start upon system boot: chkconfig --add vsftpd

  • SuSE: By default, the vsftpd is an xinetd controlled service. To enable FTP server services edit the file /etc/xinetd.d/vsftpd and change:
    disable = yes
    to:
    disable = no
    Restart the xinetd daemon: /etc/init.d/xinetd restart
    Note: vsftpd can also be run as a stand-alone service to achieve a faster response time.

  • Ubuntu (dapper/hardy/natty) / Debian:
    • Install: apt-get install vsftpd
    • VsFTPd is a stand alone service.
      • Start: /etc/init.d/vsftpd start
      • Stop: /etc/init.d/vsftpd stop
      • Restart: /etc/init.d/vsftpd restart
        (Use this command after making configuration file changes)

For more on starting/stopping/configuring Linux services, see the YoLinux tutorial on the Linux init process and service activation.

Configuration files:

  • vsFTPd configuration file:
    • Fedora Core / Red Hat: /etc/vsftpd/vsftpd.conf
    • S.u.S.e. / Ubuntu (dapper/hardy/natty) / Debian: /etc/vsftpd.conf
    Default for Fedora Core 3:
    anonymous_enable=YES            - Anonymous FTP allowed by default if you comment this out. 
                                      Default directory used: /var/ftp
    
    local_enable=YES                - Un-comment this to allow local users to log in with FTP.
                                      Must also set SELinux boolean: setsebool -P ftp_home_dir 1
    
    write_enable=YES                - Un-comment this to enable any form of FTP write or upload command.
    
    local_umask=022                 - Default is 077. Umask 022 is used by most other ftpd's.
    
    #anon_upload_enable=YES         - Un-comment to allow the anonymous FTP user to upload files. 
                                      Requires the above global write enabled. Directory must also be writable by user.
    #anon_mkdir_write_enable=YES    - Un-comment this to allow the anonymous FTP user to be able to create new directories.
    
    dirmessage_enable=YES           - Activate directory messages. 
                                      Messages given to remote users when they enter certain directories
    xferlog_enable=YES              - Activate logging of uploads/downloads.
    
    connect_from_port_20=YES        - PORT transfer connections originate from port 20 (ftp-data)
    
    #chown_uploads=YES              - Uploaded anonymous files set to a specified owner. (not root)
    #chown_username=whoever
    
    #xferlog_file=/var/log/vsftpd.log - Specify logfile explicitly. Default is /var/log/vsftpd.log
    
    xferlog_std_format=YES          - Output to log file in standard ftpd xferlog format
    
    #idle_session_timeout=600       - Set timing out for an idle session.
    
    #data_connection_timeout=120    - Set timing out for an idle data connection. Port 20
    
    #nopriv_user=ftpsecure          - Run ftp server as an isolated and unprivileged user.
    
    # Enable this and the server will recognize asynchronous ABOR requests. Not
    # recommended for security (the code is non-trivial). Not enabling it, may confuse older FTP clients.
    #async_abor_enable=YES
    
    #ascii_upload_enable=YES        - Improve performance by disabling ASCII mode. 
                                      Disables command "ascii" and "SIZE /big/file".
    #ascii_download_enable=YES
    
    #ftpd_banner=Welcome to YoLinux - Customize the login banner string.
    
    #deny_email_enable=YES          - Disallow specified anonymous e-mail addresses. Used to combat certain DDoS attacks.
    #banned_email_file=/etc/vsftpd.banned_emails  (Ubuntu default. Red Hat: /etc/vsftpd/banned_emails)
    
    #chroot_list_enable=YES         - List users chroot()'d to their home directory. If "NO", list users not chroot()'d.
    #chroot_list_file=/etc/vsftpd.chroot_list     (Ubuntu default. Red Hat: /etc/vsftpd/chroot_list)
    
    ls_recurse_enable=YES           - Allow "ls -R" recursive directory list. Default is disabled.
    
    pam_service_name=vsftpd
    
    userlist_enable=YES             - (Ubuntu Default) Deny users specified in file /etc/vsftpd.user_list
                                      If "userlist_enable=NO" then allow specified users.
                                      Red Hat: /etc/vsftpd/user_list
    #deny_email_enable=YES          - Disallow specified anonymous e-mail addresses. Used to combat certain DDoS attacks.
    
    listen=YES                      - Enable for standalone mode as opposed to an xinetd service.
                                      Must set SELinux boolean: setsebool -P ftpd_is_daemon 1
    tcp_wrappers=YES
        
    Restart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d/vsftpd restart)

    [Potential Pitfall]: vsftp does NOT support comments on the same line as a directive. i.e.:

    directive=XXX    # comment
          

    vsftp.conf man page

  • Specify list of local users chrooted to their home directories:
    • Red Hat: /etc/vsftpd/vsftpd/chroot_list
    • Ubuntu: /etc/vsftpd/vsftpd.chroot_list
    (Requires: chroot_list_enable=NO)
        user1
    user2
    ...
    user-n
    If userlist_enable=YES, then specify users not to be chroot'd..

  • Specify list of users:
    • Red Hat: /etc/vsftpd/user_list
    • Ubuntu: /etc/vsftpd.user_list
    (Deny list of users requires: userlist_enable=YES)
    Also see PAM configuration below.
    root
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    ...
    If userlist_enable=NO, then specify valid users.

  • PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd
    #%PAM-1.0
    auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_shells.so
    account    required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
        
    This causes PAM to check /etc/vsftpd.ftpusers for users who are denied. This duplicates /etc/vsftpd.user_list. Speciy user in both files as PAM is independent of vsftpd configuration.

    PAM authentication configuration file: ftpusers
    • Red Hat: /etc/vsftpd/ftpusers
    • Ubuntu: /etc/vsftpd.ftpusers
    root
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    ...
    ...
    ...
    user6     - Users to deny
    user8
    ...
    ...
        

  • Logrotate configuration file: /etc/logrotate.d/vsftpd.log
    /var/log/xferlog {
        # ftpd doesn't handle SIGHUP properly
        nocompress
        missingok
    }
        

Sample vsFTPd configurations:

  • Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf
    # Access rights
    anonymous_enable=YES          - Turn on anonymous FTP
    chown_uploads=YES             - Uploaded files owned by an assigned user
    chown_username=ftp            - Uploaded files owned by this assigned user
    local_enable=NO
    write_enable=NO               - No upload of files system changes allowed
    anon_upload_enable=NO
    anon_mkdir_write_enable=NO
    anon_other_write_enable=NO
    # Security
    anon_world_readable_only=YES
    connect_from_port_20=YES
    force_dot_files=NO
    guest_enable=NO
    hide_ids=YES
    pasv_min_port=50000
    pasv_max_port=60000
    # Features
    xferlog_enable=YES
    ls_recurse_enable=NO
    ascii_download_enable=NO
    async_abor_enable=YES
    # Performance
    one_process_model=NO
    idle_session_timeout=120
    data_connection_timeout=300
    accept_timeout=60
    connect_timeout=60
    max_per_ip=4
    anon_max_rate=50000
    
    pam_service_name=vsftpd
    userlist_enable=YES
    #enable for standalone mode
    listen=YES
    tcp_wrappers=YES
    

    Anonymous logins use the login name "anonymous" and then the user supplies their email address as a password. Any password will be accepted. Used to allow the public to download files from an ftp server. Generally, no upload is permitted.

  • Web hosting configuration: /etc/vsftpd/vsftpd.conf
    # Access rights
    anonymous_enable=NO
    local_enable=YES                              - Allow users to ftp to their home directories
    write_enable=YES                              - Allow users to STOR,  DELE, RNFR, RNTO, MKD, RMD, APPE and SITE
    local_umask=022
    # Security
    connect_from_port_20=YES
    force_dot_files=NO
    guest_enable=NO                               - Don't remap user name
    ftpd_banner=Welcome to Super Duper Hosting    - Customize the login banner string.
    chroot_local_user=YES                         - Limit user to browse their own directory only
    chroot_list_enable=YES                        - Enable list of system / power users
    chroot_list_file=/etc/vsftpd.chroot_list      - Actual list of system / power users
    hide_ids=YES
    pasv_min_port=50000
    pasv_max_port=60000
    # Features
    xferlog_enable=YES
    ls_recurse_enable=NO
    ascii_download_enable=NO
    async_abor_enable=YES
    dirmessage_enable=YES                         - Message greeting held in file .message or specify with message_file=...
    # Performance
    one_process_model=NO
    idle_session_timeout=120
    data_connection_timeout=300
    accept_timeout=60
    connect_timeout=60
    max_per_ip=4
    #
    pam_service_name=vsftpd
    userlist_enable=YES
    #enable for standalone mode
    listen=YES
    tcp_wrappers=YES
    

    Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list
    Ubuntu typically: /etc/vsftpd.chroot_list
    (Requires: chroot_list_enable=NO)

    user1
    user2
    ...
    user-n
    If userlist_enable=YES, then specify users not to be chroot'd..

[Potential Pitfall]: Misspelling a directive will cause vsftpd to fail with little warning.

File: .message

A NOTE TO USERS UPLOADING FILES:
   File names may consist of letters (a-z, A-Z), numbers (0-9),
   an under score ("_"), dash ("-") or period (".") only.
   The file name may not begin with a period or dash.

Test if vsftp is listening: netstat -a | grep ftp

[root]# netstat -a | grep ftp
tcp 0 0 *:ftp *:* LISTEN

Links:

FTP Pitfalls:

If you get the following ftp client user error:

ftp> ls
227 Entering Passive Mode (208,188,34,109,208,89)
ftp: connect: No route to host

This means you have firewall issues most probably on the FTP server itself. Start by removing the firewall "iptables" rules: iptables -F Add rules until you discover what is causing the problem.

Passive mode:

Passive mode can also help one past the rules:
ftp> passive
Passive mode on.
This toggles passive mode on and off. When on, FTP will be limited to ports specified in the vsftpd configuration file: vsftpd.conf with the parameters pasv_min_port and pasv_max_port

Firewall connection tracking module:

# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
IPTABLES_MODULES="ip_conntrack_ftp"

NAT firewall modules:

You can also try adding ip_nat_ftp to the list of auto-loaded modules: (This will also load the dependency: ip_conntrack_ftp.)
# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
IPTABLES_MODULES="ip_nat_ftp"
Then restart the firewall: /etc/init.d/iptables condrestart

FTP will change ports during use. The ip_conntrack_ftp module will consider each connection "RELATED". If iptables allows RELATED and ESTABLISHED connections then FTP will work. i.e. rule: /etc/sysconfig/iptables

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

FTP fails because it can not change to the users home directory:

Error:
[user1@nodex ~]$ ftp node.domain.com
Connected to XXX.XXX.XXX.XXX.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (XXX.XXX.XXX.XXX:user1):
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/user1
Login failed.
ftp> bye

This is often a result of SELinux preventing the vsftpd process from accessing the user's home directory. As root, grant access with the following command:
setsebool -P ftp_home_dir 1
Followed by: service vsftpd restart

Test your vsftpd SELinux settings: getsebool -a | grep ftp

allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_tftp_anon_write --> off
ftp_home_dir --> on
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off

FTPd SELinux man page

FTP Linux clients:

  • FileZilla: FTP/sFTP client GUI
  • gftp: GUI GTK+ Multi-threaded client. File transfer directory browsing and compare. Multiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS, SSH and FSP protocols. Proxy support. Comes with Red Hat / Fedora Core.
  • KFTPgrabber: GUI KDE based client.simultaneous FTP sessions in separate tabs. Ability to limit upload and download speed.
  • kbear: GUI KDE based client. Connect to multiple servers, transfer files, directory browsing, file content browsing. Comes with S.U.S.e. Linux.
  • ftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM package FC3: krb5-workstation)

Basic user security:

When hosting web sites, there is no need to grant a shell account which only allows the server to have more potential security holes. Current systems can specify the user to have only FTP access with no shell by granting them the "shell" /sbin/nologin provided with the system or the "ftponly" shell described below. The shell can be specified in the file /etc/passwd of when creating a user with the command adduser -s /sbin/nologin user-id

Note that VsFTP is unencrypted, by definition unsecure and is reliant on a secure network to provide security.

[Potential Pitfall]: Ubuntu - Setting the shell to the pre-configured shell /bin/false will NOT allow vsftp access. One must create the shell "ftponly" as defined below to allow vsftp access with no shell.

  1. Disable remote telnet login access allowing FTP access only:

    Change the shell for the user in /etc/passwd from /bin/bash to be /opt/bin/ftponly.

    ...
    user1:x:502:503::/home/user1:/opt/bin/ftponly
    ...
        

    Create file: /opt/bin/ftponly.
    Protection set to -rwxr-xr-x 1 root root
    with the command: chmod ugo+x /opt/bin/ftponly
    Contents of file:

    #!/bin/sh
    #
    # ftponly shell
    #
    trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15
    #
    Admin=root@your-domain.com
    #System=`/bin/hostname`@`/bin/domainname`
    #
    /bin/echo
    /bin/echo "********************************************************************"
    /bin/echo "    You are NOT allowed interactive access."
    /bin/echo
    /bin/echo "     User accounts are restricted to ftp and web access."
    /bin/echo
    /bin/echo "  Direct questions concerning this policy to $Admin."
    /bin/echo "********************************************************************"
    /bin/echo
    #
    # C'ya
    #
    exit 0
        

    The last step is to add this to the list of valid shells on the system.
    Add the line /opt/bin/ftponly to /etc/shells.

    Sample file contents: /etc/shells

    /bin/bash
    /bin/bash1
    /bin/tcsh
    /bin/csh
    /opt/bin/ftponly
        
    See man page on /etc/shells.

    An alternative would be to assign the shell /bin/false or /sbin/nologin which became available in later releases of Red Hat, Debian and Ubuntu. In this case the shell /bin/false or /sbin/nologin would have to be added to /etc/shells to allow them to be used as a valid shell for FTP while disabling ssh or telnet access.

  2. Set file quotas to limit user account.

For more on Linux security see the: YoLinux.com Internet web site Linux server security tutorial

technical book image Books:

Amazon book image "Ubuntu Unleashed 2017 edition:"
Covering 16.10 and 17.04, 17.10 (12th Edition)
by Matthew Helmke, Andrew Hudson and Paul Hudson
Sams Publishing, ISBN# 0134511182

Amazon.com
Amazon book image "Ubuntu Unleashed 2013 edition:"
Covering 12.10 and 13.04 (8th Edition)
by Matthew Helmke, Andrew Hudson and Paul Hudson
Sams Publishing, ISBN# 0672336243
(Dec 15, 2012)

Amazon.com
Amazon book image "Ubuntu Unleashed 2012 edition:"
Covering 11.10 and 12.04 (7th Edition)
by Matthew Helmke, Andrew Hudson and Paul Hudson
Sams Publishing, ISBN# 0672335786
(Jan 16, 2012)

Amazon.com
Amazon book image "Red Hat Enterprise Linux 7: Desktops and Administration"
by Richard Petersen
Surfing Turtle Press, ISBN# 1936280620
(Jan 13, 2017)

Amazon.com
Amazon book image "Fedora 18 Desktop Handbook"
by Richard Petersen
Surfing Turtle Press, ISBN# 1936280639
(Mar 6, 2013)

Amazon.com
Amazon book image "Fedora 18 Networking and Servers"
by Richard Petersen
Surfing Turtle Press, ISBN# 1936280698
(March 29, 2013)

Amazon.com
Amazon book image "Fedora 14 Desktop Handbook"
by Richard Petersen
Surfing Turtle Press, ISBN# 1936280167
(Nov 30, 2010)

Amazon.com
Amazon book image "Fedora 14 Administration and Security"
by Richard Petersen
Surfing Turtle Press, ISBN# 1936280221
(Jan 6, 2011)

Amazon.com
Amazon book image "Fedora 14 Networking and Servers"
by Richard Petersen
Surfing Turtle Press, ISBN# 1936280191
(Dec 26, 2010)

Amazon.com
Amazon book image "Practical Guide to Ubuntu Linux (Versions 8.10 and 8.04)"
by Mark Sobell
Prentice Hall PTR, ISBN# 0137003889
2 edition (January 9, 2009)

Amazon.com
Amazon book image "Fedora 10 and Red Hat Enterprise Linux Bible"
by Christopher Negus
Wiley, ISBN# 0470413395

Amazon.com
Amazon book image "Red Hat Fedora 6 and Enterprise Linux Bible"
by Christopher Negus
Sams, ISBN# 047008278X

Amazon.com
Amazon book image "Fedora 7 & Red Hat Enterprise Linux: The Complete Reference"
by Richard Petersen
Sams, ISBN# 0071486429

Amazon.com
Amazon book image "Red Hat Fedora Core 6 Unleashed"
by Paul Hudson, Andrew Hudson
Sams, ISBN# 0672329298

Amazon.com
Amazon book image "Red Hat Linux Fedora 3 Unleashed"
by Bill Ball, Hoyt Duff
Sams, ISBN# 0672327082

Amazon.com
Amazon book image "Red Hat Linux 9 Unleashed"
by Bill Ball, Hoyt Duff
Sams, ISBN# 0672325888
May 8, 2003

I have the Red Hat 6 version and I have found it to be very helpful. I have found it to be way more complete than the other Linux books. It is the most complete general Linux book in publication. While other books in the "Unleashed" series have dissapointed me, this book is the best out there.

Amazon.com
Amazon book image "Apache Server Bible 2"
by Mohammed J. Kabir
ISBN # 0764548212, Hungry Minds

This book is very complete covering all aspects in detail. It is not your basic reprint of the apache.org documents like so many others.

Amazon.com
Amazon book image "Pro DNS and Bind"
by Ronald Aitchison
Apress, ISBN# 1590594940
Amazon.com