How to Install vsftpd on CentOS 8 for FTP With Security

Disclaimer: It is strongly recommended that you use SSH and SFTP (SSH File Transfer Protocol) instead of FTPS (FTP with Security). FTPS is now obsolete. SFTP is installed by default on Unix, Linux and Mac systems and is supported by almost all free and commercial file transfer tools (for example FileZilla and Cyberduck). If for some reason you still need to set up FTPS, you can follow this guide.

FTP is a protocol that facilitates the transfer of files between a client system and a remote server. For a long time, FTP was widely used as a reliable means of file transfer, but no longer. FTP is prone to security issues. FTP should only be used if you are not able to use SSH, SFTP, SCP, or rsync and even then, only with encryption enabled (FTPS).

vsftpd (Very Secure FTP Daemon) is the default FTP server for Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL Linux. This tutorial will focus on how you can set up a vsftpd server for FTPS connections. Let's begin.

install vsftpd

To start, fire up CentOS 8 and log in. After logging in, open a terminal window and execute the following command to install the vsftpd daemon.

$ sudo dnf install vsftpd

You can verify that the vsftpd package is installed by invoking the command:

$ rpm -qi vsftpd

The '-i' flag prints additional package information, as shown below.


vsftpd is a daemon, and we need to confirm whether it is running or not. By default, the vsftpd daemon is disabled or stopped, as shown below.

$ sudo systemctl status vsftpd


If it is marked 'disabled', we need to set it to 'enabled' so that it can act as an FTP server. To enable and then start the vsftpd daemon, execute the commands:

$ sudo systemctl enable vsftpd
$ sudo systemctl start vsftpd

Again, we can verify its status:

$ sudo systemctl status vsftpd

create an ftp user

After successfully installing the vsftpd daemon, the next step we need to take is to create an ftp user. This is the user who will have login rights to the server. In this guide, we will create a user named user_vsftpd, as shown below.

$ sudo adduser user_vsftpd

Next, assign the user a password. When prompted, provide your preferred password and re-enter to confirm it.

$ sudo passwd user_vsftpd

Create and configure FTP directory

It is important that we create and configure an FTP directory that will serve as a repository for uploading and downloading files. We will create a directory called ftp_dir in the home directory of the newly created user using the mkdir command with the '-p' option.

$ sudo mkdir -p /home/user_vsftpd/ftp_dir
$ sudo chmod -R 755 /home/user_vsftpd/ftp_dir
$ sudo chown -R user_vsftpd /home/user_vsftpd/ftp_dir

Next, add the user to the user list file to give them access to the server. Edit /etc/vsftpd/user_list with your favorite text editor and add user_vsftpd to the file.

configure vsftpd

Before we start using our vsftpd server, a few more changes are needed. We need to configure some options in the vsftpd.conf file, whose path is /etc/vsftpd/vsftpd.conf. Open that file using your favorite text editor.

Make sure you have set the directive below to prevent unknown users from logging into the server:

anonymous_enable=NO

At the same time, grant access to the server to local users in the system:

local_enable=YES


Next, allow users to execute FTP commands that allow them to upload or download files to and from the server:

write_enable=YES

To restrict users to their own home directories and prevent them from accessing other users' directories, make sure the option below is set and not commented out:

chroot_local_user=YES

Additionally, since each user's home directory is now their chroot and must remain writable for uploads, allow a writable chroot as shown:

allow_writeable_chroot=YES

We also need to allow passive connections to the server by specifying the port range passive data connections will use, as shown below:

pasv_min_port=30000
pasv_max_port=31000

Next, we will instruct the vsftpd server to grant access only to the users listed in the user list file and deny everyone else, using the directives shown below:

userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list

Once you are sure that these parameters are defined correctly, save the configuration and exit the file. Then restart your vsftpd server to apply these changes.

$ sudo systemctl restart vsftpd

encrypt vsftpd with TLS

There are two main ways you can secure your server by using SSL/TLS. If you have a domain with an IP that points to it, you can secure the server by using a premium SSL certificate or a Let’s Encrypt SSL Certificate, which is a free and trusted SSL certificate. Alternatively, you can generate a self-signed certificate as shown:

$ sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

The above command generates a 2048-bit private key as well as an SSL certificate, which is valid for a period of up to 10 years. This command will ask you to provide details like your country, city and company name.

Next, open the configuration file /etc/vsftpd/vsftpd.conf again, define the path where the certificate and private key are saved, and enable SSL.

rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES

The first two directives specify the location of the certificate and the RSA private key (both stored in the same PEM file here), while the last option enables SSL/TLS on the FTP server. Again, restart the vsftpd server and verify that it is running. The vsftpd server is now secured using SSL/TLS.
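As an added check that is not part of the original guide, the POSIX shell script below compares a vsftpd.conf against the directives set in the configuration and TLS sections above and reports anything missing or still at a weak value (for example anonymous logins left enabled). The embedded configuration is a constructed sample, not a file from any real host; point the functions at /etc/vsftpd/vsftpd.conf to check a live server.

```shell
#!/bin/sh
# Constructed sample of /etc/vsftpd/vsftpd.conf; anonymous_enable is left at YES on purpose
SAMPLE_CONF='# vsftpd configuration (constructed sample)
anonymous_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
pasv_min_port=30000
pasv_max_port=31000
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES
'

# conf_value FILE KEY: print the last uncommented value of KEY (empty if unset)
conf_value() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# check_conf FILE: print one WEAK line per directive missing or not at the expected value
check_conf() {
    for _pair in anonymous_enable=NO local_enable=YES write_enable=YES \
                 chroot_local_user=YES allow_writeable_chroot=YES \
                 userlist_enable=YES userlist_deny=NO ssl_enable=YES; do
        _key=${_pair%%=*}; _want=${_pair#*=}
        _got=$(conf_value "$1" "$_key")
        [ "$_got" = "$_want" ] || echo "WEAK: $_key=${_got:-<unset>} (expected $_want)"
    done
    # the passive range must exist and be ordered so the firewall rule can match it
    _lo=$(conf_value "$1" pasv_min_port); _hi=$(conf_value "$1" pasv_max_port)
    if [ -z "$_lo" ] || [ -z "$_hi" ] || [ "$_lo" -gt "$_hi" ]; then
        echo "WEAK: passive port range (pasv_min_port/pasv_max_port) unset or inverted"
    fi
}

# count_problems FILE: number of WEAK lines; 0 means every directive is as expected
count_problems() {
    check_conf "$1" | wc -l | tr -d ' '
}

# Run the check against the constructed sample
TMP_CONF=$(mktemp)
printf '%s' "$SAMPLE_CONF" > "$TMP_CONF"
check_conf "$TMP_CONF"
echo "problems found: $(count_problems "$TMP_CONF")"
rm -f "$TMP_CONF"
```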

configure firewall

To allow remote users to access the server, we need to open some ports: port 21 for the FTPS control connection, port 20 for the data connection in active mode, and the port range used for passive connections.

$ sudo firewall-cmd --permanent --add-port=20-21/tcp
$ sudo firewall-cmd --permanent --add-port=30000-31000/tcp

Then finally, reload the firewall for the changes made to take effect:

$ sudo firewall-cmd --reload

You can verify the status of the firewall and open ports by calling:

$ sudo firewall-cmd --list-ports

Your vsftpd server is now fully configured, and you can access it over FTPS, which is a secure option as opposed to legacy plain FTP.

Disabling SSH Access

Finally, remember that when creating a new user, that user will be allowed SSH access to the server unless it is explicitly disabled. To disable SSH access for accounts that should only use FTPS, create a file named ftponly in the /bin directory:

$ sudo nano /bin/ftponly

Add a message to the user explaining why they can’t log in:

#!/bin/sh
echo "SSH access is not allowed for this user."

After editing that file, change the permissions to make the file executable:

$ sudo chmod +x /bin/ftponly

Next, open /etc/shells and add the following line at the bottom:

/bin/ftponly

Update the vsftpd user’s shell with the following command:

$ sudo usermod user_vsftpd -s /bin/ftponly

From now on, if that user tries to log in via SSH, they will not get a shell. Instead, they will see the ftponly message we set above:

SSH access is not allowed for this user.
