Installing and configuring the FTP service on CentOS

While there are several modern and very secure network file sharing technologies, the good old File Transfer Protocol (FTP) remains one of the most widely used and popular protocols to share and transfer files between computers. There are a number of different FTP servers available in the Linux world. In this process, you will learn how to install and configure the Very Secure FTP Daemon (vsftpd), a well-known FTP server solution that supports a wide range of features and enables you to upload and distribute large files across a local network and the Internet. Here, we will show how to install the vsftpd daemon and provide some basic settings, with the main goal being to increase the security of the daemon.

Note

After working on this process, you are advised to use SSL/TLS encryption to further strengthen your FTP server. 

To Start With: What Do You Need?

To complete this process, you will require a working installation of the CentOS 7 operating system with root privileges, a console-based text editor of your choice, and a connection to the Internet in order to facilitate the downloading of additional packages. It is expected that your server will be using a static IP address and that it maintains one or more system user accounts.

The Process

vsftpd is not installed by default. For this reason, we must begin this process by installing the relevant packages and associated dependencies:

  1. To do this, log in as root and type the following command:
    yum install vsftpd
  2. Create a backup copy of the main configuration file, and then open it in your favorite text editor as follows:
    cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.BAK
    vi /etc/vsftpd/vsftpd.conf
  3. To disable anonymous users, scroll down and find the following line: anonymous_enable=YES, and then change this as follows:
    anonymous_enable=NO
  4. Uncomment (remove # at beginning of the line) the following lines to enable the chroot environment for more security:
    chroot_local_user=YES
    chroot_list_enable=YES
  5. Next, scroll down to the bottom of the file and add the following line:
    use_localtime=YES
  6. Finally, add the following line to enable local users to write to their home directories:
    allow_writeable_chroot=YES
  7. Save and close the file. Then create the following empty file:
    touch /etc/vsftpd/chroot_list
  8. Next, configure the firewall to allow incoming FTP connections to the server on port 21:
    firewall-cmd --permanent --add-service=ftp
    firewall-cmd --reload
  9. Now, we allow SELinux to use the FTP home directory feature:
    setsebool -P ftp_home_dir on
  10. Enable vsftpd at boot:
    systemctl enable vsftpd
  11. To complete this process, type the following command to start the FTP service:
    systemctl start vsftpd
  12. Now, we can test the connection from any client computer in the same network as our FTP server. This computer needs an FTP client installed (if it's a CentOS computer, install one using yum install ftp). Log in to this computer with any account and type the following command, replacing <IPADDRESS> with the IP address of the server running your vsftpd service:
    ftp <IPADDRESS>
  13. On successful connection to the server, the FTP client program will ask you for a username and password. Here, enter a known system user (other than root) from the FTP server. If the login was successful, you will get a 230 login successful message and an ftp> prompt. Now, to end our test, type the following FTP commands to show all the files in your current FTP directory and check whether you have write access on the remote server:
    ls
    mkdir test-dir
    rmdir test-dir
  14. Type the following command to end your FTP session:
    exit

How Does It Work?

vsftpd is widely recognized as a fast, lightweight, and reliable FTP server. The purpose of this process was to show you how to build a basic FTP service that is optimized to provide excellent performance for any number of valid system users.

So what did we learn from this experience?

We began the process by installing the necessary YUM package called vsftpd. We then opened the main configuration file located at /etc/vsftpd/vsftpd.conf, after we made a backup copy of it. Next, we disabled anonymous FTP access and thereby secured our FTP service against unknown users. We then restricted users to their home directory by enabling a chroot jail.

Note

The chroot jail represents an essential security feature; once it is enabled, all users are restricted to accessing only the files in their own home directory.

We then required vsftpd to use local time for our server. Afterwards, we fixed the write permissions for our chrooted FTP users by enabling the allow_writeable_chroot option. Having saved our work, we created a new empty /etc/vsftpd/chroot_list file, which will hold all the user names that can leave their chroot jails. We have to create this file; otherwise, vsftpd will not let us log in to the system. However, you should remember that you must leave it empty all the time because chroot jails are an important protection mechanism for your FTP server.

Next, we added the standard FTP protocol’s port 21 to our firewall configuration to allow incoming connections. Then, we reloaded the firewall to apply these changes. After this, we activated our FTP home directories by setting the appropriate SELinux boolean variable ftp_home_dir to true. This will make the directories valid for SELinux. Please read Working with SELinux to learn more about SELinux. Next, we enabled vsftpd on boot and started the service within systemd. At this point, vsftpd is operational and can be tested with any regular FTP-based desktop software. Users can log in using a valid system username and password by connecting to the server’s name, domain, or IP address (depending on the server’s configuration).

The purpose of this process was to show you that vsftpd is not a difficult package to install and configure. There is always more to do but, by following this simple introduction, we have quickly enabled our server to run a standard FTP service.
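
As an added example (not part of the original guide), the following POSIX shell audit checks a vsftpd.conf for the settings the steps above harden: anonymous logins off, local users chrooted, and the chroot list present and empty. The function names, the sample files and the user name alice are constructed for illustration; the option defaults passed to is_on are vsftpd's built-in ones.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the settings hardened in this guide.

# Effective value of KEY in FILE: the last uncommented KEY=value line wins,
# otherwise DEFAULT (vsftpd's built-in default for that option).
conf_get() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r')
    printf '%s\n' "${val:-$3}"
}

# Succeeds when the boolean option KEY is enabled (vsftpd accepts YES, TRUE, 1).
is_on() {
    case $(conf_get "$1" "$2" "$3" | tr 'a-z' 'A-Z') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

flag() { findings=$((findings + 1)); printf 'FINDING: %s\n' "$1"; }

# audit_vsftpd CONF CHROOT_LIST: prints findings, returns 0 only when clean.
audit_vsftpd() {
    conf=$1; list=$2; findings=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    if is_on "$conf" anonymous_enable YES; then
        flag "anonymous_enable is on: logins without an account are accepted"
    fi
    if ! is_on "$conf" chroot_local_user NO; then
        flag "chroot_local_user is off: local users are not jailed"
    elif is_on "$conf" chroot_list_enable NO; then
        if [ ! -e "$list" ]; then
            flag "$list is missing: vsftpd will refuse logins"
        elif grep -q '[^[:space:]]' "$list"; then
            flag "$list is not empty: listed users leave the chroot jail"
        fi
    fi
    if is_on "$conf" allow_writeable_chroot NO; then
        echo "NOTE: allow_writeable_chroot is on: jail root may be user-writable"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample (made-up user alice): the guide's settings, list not empty.
demo=$(mktemp -d)
printf '%s\n' '#anonymous_enable=YES' 'anonymous_enable=NO' \
    'chroot_local_user=YES' 'chroot_list_enable=YES' \
    'allow_writeable_chroot=YES' > "$demo/vsftpd.conf"
echo 'alice' > "$demo/chroot_list"
audit_vsftpd "$demo/vsftpd.conf" "$demo/chroot_list" || true
```

On the server itself, call audit_vsftpd /etc/vsftpd/vsftpd.conf /etc/vsftpd/chroot_list after any configuration change; a non-zero exit status means at least one FINDING line was printed.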

There's more…

Having installed and configured a basic FTP service, you may wonder how to direct users to a specific folder within their home directory. To do this, open the main configuration file, /etc/vsftpd/vsftpd.conf, in an editor of your choice.

Scroll down to the bottom of the file and add the following line by replacing the <users_local_folder_name> value with something more applicable to your own needs:
    local_root=<users_local_folder_name>

For example, if this FTP server is mainly for accessing and uploading content for a user’s private web pages hosted on the same server, you may configure Apache to use the user’s home directories in a folder called /home/<username>/public_html. For this reason, you may add the following reference at the bottom of your vsftpd configuration file:
    local_root=public_html

When finished, save and close the configuration file before restarting the vsftpd service. When testing this new feature, make sure that the local_root location exists in the home directory of the user you want to log in as (for example, ~/public_html).

 
