Linux VsFTP Server Configuration Tutorial

VsFTPd:

Many FTP programs exist. This example covers the once popular vsftpd (once the default for Red Hat, Fedora Core, Suse). There are other FTP programs including proFtpd (supports LDAP authentication, Apache like directives), wu-ftpd, bftpd, pure-ftpd (once the default on free BSD and optional on Suse), etc ...

For hostile environments set up a chrooted environment for an sftp encrypted connection and the rssh restricted shell for OpenSSH. See the YoLinux.com internet security tutorial for Linux sftp and rssh configuration

Also see the preferred chrooted sftp configuration for OpenSSH 4.9+

FTPd and SELinux: To allow FTPd daemon access and FTP access to users home directories:

setsebool -P allow_ftpd_full_access=1
Other wise you will get an error in /var/log/messages:

SELinux is preventing the ftp daemon from writing files outside the home directory (./public_html).

setsebool -P ftp_home_dir 1

Follow with the command service vsftpd restart

vsFTPd and FTP user account configuration:

The vsFTPd ftp server was first made available in Red Hat 9.0. It has been adopted by Suse and OpenBSD as well. This is currently the recommended FTP daemon for use on FTP servers.

Enable vsftpd:

Red Hat/Fedora Core/CentOS: VsFTPd is a stand alone service and by the default Fedora Core installation, not controlled by xinetd as is the wu-ftpd default installation.
Thus start service: service vsftpd start (or: /etc/init.d/vsftpd start)
Configure vsftpd to start upon system boot: chkconfig --add vsftpd
SuSE: By default, the vsftpd is an xinetd controlled service. To enable FTP server services edit the file /etc/xinetd.d/vsftpd and change:
disable = yes
to:
disable = no
Restart the xinetd daemon: /etc/init.d/xinetd restart
Note: vsftpd can also be run as a stand-alone service to achieve a faster response time.
Ubuntu (dapper/hardy/natty) / Debian:
- Install: apt-get install vsftpd
- VsFTPd is a stand alone service.
  - Start: /etc/init.d/vsftpd start
  - Stop: /etc/init.d/vsftpd stop
  - Restart: /etc/init.d/vsftpd restart
    (Use this command after making configuration file changes)

For more on starting/stopping/configuring Linux services, see the YoLinux tutorial on the Linux init process and service activation.

Configuration files:

vsFTPd configuration file:

Fedora Core / Red Hat: /etc/vsftpd/vsftpd.conf
S.u.S.e. / Ubuntu (dapper/hardy/natty) / Debian: /etc/vsftpd.conf

Default for Fedora Core 3:

anonymous_enable=YES - Anonymous FTP allowed by default if you comment this out.
Default directory used: /var/ftp

local_enable=YES - Un-comment this to allow local users to log in with FTP.
Must also set SELinux boolean: setsebool -P ftp_home_dir 1

write_enable=YES - Un-comment this to enable any form of FTP write or upload command.

local_umask=022 - Default is 077. Umask 022 is used by most other ftpd's.

#anon_upload_enable=YES - Un-comment to allow the anonymous FTP user to upload files.
Requires the above global write enabled. Directory must also be writable by user.
#anon_mkdir_write_enable=YES - Un-comment this to allow the anonymous FTP user to be able to create new directories.

dirmessage_enable=YES - Activate directory messages.
Messages given to remote users when they enter certain directories
xferlog_enable=YES - Activate logging of uploads/downloads.

connect_from_port_20=YES - PORT transfer connections originate from port 20 (ftp-data)

#chown_uploads=YES - Uploaded anonymous files set to a specified owner. (not root)
#chown_username=whoever

#xferlog_file=/var/log/vsftpd.log - Specify logfile explicitly. Default is /var/log/vsftpd.log

xferlog_std_format=YES - Output to log file in standard ftpd xferlog format

#idle_session_timeout=600 - Set timing out for an idle session.

#data_connection_timeout=120 - Set timing out for an idle data connection. Port 20

#nopriv_user=ftpsecure - Run ftp server as an isolated and unprivileged user.

# Enable this and the server will recognize asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it, may confuse older FTP clients.
#async_abor_enable=YES

#ascii_upload_enable=YES - Improve performance by disabling ASCII mode.
Disables command "ascii" and "SIZE /big/file".
#ascii_download_enable=YES

#ftpd_banner=Welcome to YoLinux - Customize the login banner string.

#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DDoS attacks.
#banned_email_file=/etc/vsftpd.banned_emails (Ubuntu default. Red Hat: /etc/vsftpd/banned_emails)

#chroot_list_enable=YES - List users chroot()'d to their home directory. If "NO", list users not chroot()'d.
#chroot_list_file=/etc/vsftpd.chroot_list (Ubuntu default. Red Hat: /etc/vsftpd/chroot_list)

ls_recurse_enable=YES - Allow "ls -R" recursive directory list. Default is disabled.

pam_service_name=vsftpd

userlist_enable=YES - (Ubuntu Default) Deny users specified in file /etc/vsftpd.user_list
If "userlist_enable=NO" then allow specified users.
Red Hat: /etc/vsftpd/user_list
#deny_email_enable=YES - Disallow specified anonymous e-mail addresses. Used to combat certain DDoS attacks.

listen=YES - Enable for standalone mode as opposed to an xinetd service.
Must set SELinux boolean: setsebool -P ftpd_is_daemon 1
tcp_wrappers=YES

Restart the FTP service if the config file is changed: service vsftpd restart (or: /etc/init.d/vsftpd restart)

[Potential Pitfall]: vsftp does NOT support comments on the same line as a directive. i.e.:

directive=XXX    # comment

vsftp.conf man page

Specify list of local users chrooted to their home directories:
- Red Hat: /etc/vsftpd/vsftpd/chroot_list
- Ubuntu: /etc/vsftpd/vsftpd.chroot_list
(Requires: chroot_list_enable=NO)
```
    user1
user2
...
user-n
    
```
If userlist_enable=YES, then specify users not to be chroot'd..
Specify list of users:
- Red Hat: /etc/vsftpd/user_list
- Ubuntu: /etc/vsftpd.user_list
(Deny list of users requires: userlist_enable=YES)
Also see PAM configuration below.
```
root
bin
daemon
adm
lp
sync
shutdown
halt
...
```
If userlist_enable=NO, then specify valid users.

PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd

#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

This causes PAM to check /etc/vsftpd.ftpusers for users who are denied. This duplicates /etc/vsftpd.user_list. Speciy user in both files as PAM is independent of vsftpd configuration.

PAM authentication configuration file: ftpusers

Red Hat: /etc/vsftpd/ftpusers
Ubuntu: /etc/vsftpd.ftpusers

root
bin
daemon
adm
lp
sync
shutdown
halt
...
...
...
user6     - Users to deny
user8
...
...

Logrotate configuration file: /etc/logrotate.d/vsftpd.log

/var/log/xferlog {
    # ftpd doesn't handle SIGHUP properly
    nocompress
    missingok
}

Sample vsFTPd configurations:

Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf

# Access rights
anonymous_enable=YES          - Turn on anonymous FTP
chown_uploads=YES             - Uploaded files owned by an assigned user
chown_username=ftp            - Uploaded files owned by this assigned user
local_enable=NO
write_enable=NO               - No upload of files system changes allowed
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# Security
anon_world_readable_only=YES
connect_from_port_20=YES
force_dot_files=NO
guest_enable=NO
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
max_per_ip=4
anon_max_rate=50000

pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES

Anonymous logins use the login name "anonymous" and then the user supplies their email address as a password. Any password will be accepted. Used to allow the public to download files from an ftp server. Generally, no upload is permitted.

Web hosting configuration: /etc/vsftpd/vsftpd.conf

# Access rights
anonymous_enable=NO
local_enable=YES                              - Allow users to ftp to their home directories
write_enable=YES                              - Allow users to STOR,  DELE, RNFR, RNTO, MKD, RMD, APPE and SITE
local_umask=022
# Security
connect_from_port_20=YES
force_dot_files=NO
guest_enable=NO                               - Don't remap user name
ftpd_banner=Welcome to Super Duper Hosting    - Customize the login banner string.
chroot_local_user=YES                         - Limit user to browse their own directory only
chroot_list_enable=YES                        - Enable list of system / power users
chroot_list_file=/etc/vsftpd.chroot_list      - Actual list of system / power users
hide_ids=YES
pasv_min_port=50000
pasv_max_port=60000
# Features
xferlog_enable=YES
ls_recurse_enable=NO
ascii_download_enable=NO
async_abor_enable=YES
dirmessage_enable=YES                         - Message greeting held in file .message or specify with message_file=...
# Performance
one_process_model=NO
idle_session_timeout=120
data_connection_timeout=300
accept_timeout=60
connect_timeout=60
max_per_ip=4
#
pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES

Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list
Ubuntu typically: /etc/vsftpd.chroot_list
(Requires: chroot_list_enable=NO)

user1
user2
...
user-n

If userlist_enable=YES, then specify users not to be chroot'd..

[Potential Pitfall]: Misspelling a directive will cause vsftpd to fail with little warning.

File: .message

A NOTE TO USERS UPLOADING FILES:
   File names may consist of letters (a-z, A-Z), numbers (0-9),
   an under score ("_"), dash ("-") or period (".") only.
   The file name may not begin with a period or dash.

Test if vsftp is listening: netstat -a | grep ftp

[root]# netstat -a | grep ftp
tcp        0      0 *:ftp                       *:*                         LISTEN

Links:

FTP Pitfalls:

If you get the following ftp client user error:

ftp> ls
227 Entering Passive Mode (208,188,34,109,208,89)
ftp: connect: No route to host

This means you have firewall issues most probably on the FTP server itself. Start by removing the firewall "iptables" rules: iptables -F Add rules until you discover what is causing the problem.

Passive mode:

Passive mode can also help one past the rules:

ftp> passive
Passive mode on.

This toggles passive mode on and off. When on, FTP will be limited to ports specified in the vsftpd configuration file: vsftpd.conf with the parameters pasv_min_port and pasv_max_port

Firewall connection tracking module:

# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
IPTABLES_MODULES="ip_conntrack_ftp"

NAT firewall modules:

You can also try adding ip_nat_ftp to the list of auto-loaded modules: (This will also load the dependency: ip_conntrack_ftp.)

# cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
IPTABLES_MODULES="ip_nat_ftp"

Then restart the firewall: /etc/init.d/iptables condrestart

FTP will change ports during use. The ip_conntrack_ftp module will consider each connection "RELATED". If iptables allows RELATED and ESTABLISHED connections then FTP will work. i.e. rule: /etc/sysconfig/iptables

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

FTP fails because it can not change to the users home directory:

Error:

[user1@nodex ~]$ ftp node.domain.com
Connected to XXX.XXX.XXX.XXX.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (XXX.XXX.XXX.XXX:user1):
331 Please specify the password.
Password:
500 OOPS: cannot change directory:/home/user1
Login failed.
ftp> bye

This is often a result of SELinux preventing the vsftpd process from accessing the user's home directory. As root, grant access with the following command:
setsebool -P ftp_home_dir 1
Followed by: service vsftpd restart

Test your vsftpd SELinux settings: getsebool -a | grep ftp

allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_tftp_anon_write --> off
ftp_home_dir --> on
ftpd_disable_trans --> off
ftpd_is_daemon --> on
httpd_enable_ftp_server --> off
tftpd_disable_trans --> off

FTPd SELinux man page

FTP Linux clients:

FileZilla: FTP/sFTP client GUI
gftp: GUI GTK+ Multi-threaded client. File transfer directory browsing and compare. Multiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS, SSH and FSP protocols. Proxy support. Comes with Red Hat / Fedora Core.
KFTPgrabber: GUI KDE based client.simultaneous FTP sessions in separate tabs. Ability to limit upload and download speed.
kbear: GUI KDE based client. Connect to multiple servers, transfer files, directory browsing, file content browsing. Comes with S.U.S.e. Linux.
ftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM package FC3: krb5-workstation)

Basic user security:

When hosting web sites, there is no need to grant a shell account which only allows the server to have more potential security holes. Current systems can specify the user to have only FTP access with no shell by granting them the "shell" /sbin/nologin provided with the system or the "ftponly" shell described below. The shell can be specified in the file /etc/passwd of when creating a user with the command adduser -s /sbin/nologin user-id

Note that VsFTP is unencrypted, by definition unsecure and is reliant on a secure network to provide security.

[Potential Pitfall]: Ubuntu - Setting the shell to the pre-configured shell /bin/false will NOT allow vsftp access. One must create the shell "ftponly" as defined below to allow vsftp access with no shell.

Disable remote telnet login access allowing FTP access only:
Change the shell for the user in /etc/passwd from /bin/bash to be /opt/bin/ftponly.
```
...
user1:x:502:503::/home/user1:/opt/bin/ftponly
...
    
```
Create file: /opt/bin/ftponly.
Protection set to -rwxr-xr-x 1 root root
with the command: chmod ugo+x /opt/bin/ftponly
Contents of file:
```
#!/bin/sh
#
# ftponly shell
#
trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15
#
Admin=root@your-domain.com
#System=`/bin/hostname`@`/bin/domainname`
#
/bin/echo
/bin/echo "********************************************************************"
/bin/echo "    You are NOT allowed interactive access."
/bin/echo
/bin/echo "     User accounts are restricted to ftp and web access."
/bin/echo
/bin/echo "  Direct questions concerning this policy to $Admin."
/bin/echo "********************************************************************"
/bin/echo
#
# C'ya
#
exit 0
    
```
The last step is to add this to the list of valid shells on the system.
Add the line /opt/bin/ftponly to /etc/shells.

Sample file contents: /etc/shells
```
/bin/bash
/bin/bash1
/bin/tcsh
/bin/csh
/opt/bin/ftponly
    
```
See man page on /etc/shells.
An alternative would be to assign the shell /bin/false or /sbin/nologin which became available in later releases of Red Hat, Debian and Ubuntu. In this case the shell /bin/false or /sbin/nologin would have to be added to /etc/shells to allow them to be used as a valid shell for FTP while disabling ssh or telnet access.
Set file quotas to limit user account.

For more on Linux security see the: YoLinux.com Internet web site Linux server security tutorial

Books:

	"Ubuntu Unleashed 2017 edition:" Covering 16.10 and 17.04, 17.10 (12th Edition) by Matthew Helmke, Andrew Hudson and Paul Hudson Sams Publishing, ISBN# 0134511182
	"Ubuntu Unleashed 2013 edition:" Covering 12.10 and 13.04 (8th Edition) by Matthew Helmke, Andrew Hudson and Paul Hudson Sams Publishing, ISBN# 0672336243 (Dec 15, 2012)
	"Ubuntu Unleashed 2012 edition:" Covering 11.10 and 12.04 (7th Edition) by Matthew Helmke, Andrew Hudson and Paul Hudson Sams Publishing, ISBN# 0672335786 (Jan 16, 2012)
	"Red Hat Enterprise Linux 7: Desktops and Administration" by Richard Petersen Surfing Turtle Press, ISBN# 1936280620 (Jan 13, 2017)
	"Fedora 18 Desktop Handbook" by Richard Petersen Surfing Turtle Press, ISBN# 1936280639 (Mar 6, 2013)
	"Fedora 18 Networking and Servers" by Richard Petersen Surfing Turtle Press, ISBN# 1936280698 (March 29, 2013)
	"Fedora 14 Desktop Handbook" by Richard Petersen Surfing Turtle Press, ISBN# 1936280167 (Nov 30, 2010)
	"Fedora 14 Administration and Security" by Richard Petersen Surfing Turtle Press, ISBN# 1936280221 (Jan 6, 2011)
	"Fedora 14 Networking and Servers" by Richard Petersen Surfing Turtle Press, ISBN# 1936280191 (Dec 26, 2010)
	"Practical Guide to Ubuntu Linux (Versions 8.10 and 8.04)" by Mark Sobell Prentice Hall PTR, ISBN# 0137003889 2 edition (January 9, 2009)
	"Fedora 10 and Red Hat Enterprise Linux Bible" by Christopher Negus Wiley, ISBN# 0470413395
	"Red Hat Fedora 6 and Enterprise Linux Bible" by Christopher Negus Sams, ISBN# 047008278X
	"Fedora 7 & Red Hat Enterprise Linux: The Complete Reference" by Richard Petersen Sams, ISBN# 0071486429
	"Red Hat Fedora Core 6 Unleashed" by Paul Hudson, Andrew Hudson Sams, ISBN# 0672329298
	"Red Hat Linux Fedora 3 Unleashed" by Bill Ball, Hoyt Duff Sams, ISBN# 0672327082
	"Red Hat Linux 9 Unleashed" by Bill Ball, Hoyt Duff Sams, ISBN# 0672325888 May 8, 2003 I have the Red Hat 6 version and I have found it to be very helpful. I have found it to be way more complete than the other Linux books. It is the most complete general Linux book in publication. While other books in the "Unleashed" series have dissapointed me, this book is the best out there.
	"Apache Server Bible 2" by Mohammed J. Kabir ISBN # 0764548212, Hungry Minds This book is very complete covering all aspects in detail. It is not your basic reprint of the apache.org documents like so many others.
	"Pro DNS and Bind" by Ronald Aitchison Apress, ISBN# 1590594940