Disclaimer: it is strongly recommended that you use SSH and SFTP (SSH File Transfer Protocol) instead of FTPS (FTP over SSL/TLS); FTPS is now obsolete. SFTP is installed by default on Unix, Linux and Mac systems, and it is packaged and supported by almost all free and commercial file transfer tools (for example FileZilla and Cyberduck). If for some reason you still need to set up FTPS, you can follow this guide.
FTP is a protocol that facilitates the transfer of files between a client system and a remote server. For a long time FTP was widely used as a reliable means of file transfer, but that is no longer the case: FTP is prone to security issues. FTP should only be used if you are not able to use SSH, SFTP, SCP or rsync, and even then only with encryption enabled (FTPS).
vsftpd (Very Secure FTP Daemon) is the default FTP server for Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL Linux. This tutorial will focus on how to set up a vsftpd server for FTPS connections. Let’s begin.
To start, fire up CentOS 8 and log in. After logging in, open a terminal window and execute the following command to install the vsftpd daemon.
$ sudo dnf install vsftpd
You can verify the existence of the vsftpd package by invoking the command:
$ rpm -qi vsftpd
The ‘-i’ flag prints additional information about the installed package, as shown below.
vsftpd is a daemon, so we need to confirm whether it is running. By default, the vsftpd daemon is disabled and not running, as shown below.
$ sudo systemctl status vsftpd
If it is marked as ‘disabled’, we need to enable it so that it can act as an FTP server. To enable and then start the vsftpd daemon, execute the commands:
$ sudo systemctl enable vsftpd
$ sudo systemctl start vsftpd
Again, we can verify its status:
$ sudo systemctl status vsftpd
Create an FTP user
After successfully installing the vsftpd daemon, the next step is to create an FTP user. This is the user who will have login rights to the server. In this guide, we will create a user named user_vsftpd, as shown below.
$ sudo adduser user_vsftpd
Next, assign the user a password. When prompted, provide your preferred password and re-enter to confirm it.
$ sudo passwd user_vsftpd
Create and configure FTP directory
It is important that we create and configure an FTP directory that will serve as the repository for uploaded and downloaded files. We will create a directory called ftp_dir in the home directory of the newly created user using the mkdir command with the ‘-p’ option, then set its permissions and ownership.
$ sudo mkdir -p /home/user_vsftpd/ftp_dir
$ sudo chmod -R 755 /home/user_vsftpd/ftp_dir
$ sudo chown -R user_vsftpd /home/user_vsftpd/ftp_dir
Next, add the user to the user list file to give them access to the server. Edit /etc/vsftpd/user_list with your favorite text editor and add user_vsftpd to the file.
Before we start using our vsftpd server, a few more changes are needed. We need to configure some options in the vsftpd.conf file, whose path is /etc/vsftpd/vsftpd.conf. Open that file using your favorite text editor.
Make sure you have set the directive below to prevent anonymous (unknown) users from logging into the server:
At the same time, grant access to the server to local users in the system:
Next, allow users to execute FTP commands that allow them to upload or download files to and from the server:
To limit users to their own home directories and prevent them from accessing other users’ directories, for security’s sake make sure the option below is not commented out:
Additionally, allow local users to access their respective home directories as shown:
We also need to allow passive connections to the server by specifying the required port range, as shown below:
Next, we will instruct the vsftpd server to grant access to the users defined in the user list file and deny it to everyone else, using the directives shown below:
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
Once you are sure that these parameters are defined correctly, save the configuration and exit the file. Then restart the vsftpd server to apply the changes.
$ sudo systemctl restart vsftpd
encrypt vsftpd with TLS
There are two main ways to secure your server with SSL/TLS. If you have a domain name that points to the server’s IP address, you can secure the server with a commercial SSL certificate or a Let’s Encrypt certificate, which is free and trusted. Alternatively, you can generate a self-signed certificate as shown:
$ sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
The above command generates a 2048-bit RSA private key and a self-signed certificate valid for 3650 days (about 10 years), writing both into /etc/vsftpd/vsftpd.pem. It will ask you for details such as your country, city and company name.
Next, open the configuration file /etc/vsftpd/vsftpd.conf again, define the path where the certificate and private key are saved, and enable SSL.
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES
The first two directives point to the certificate and the RSA private key (both stored in vsftpd.pem here), while the last one enables SSL/TLS on the FTP server. Again, restart the vsftpd server and verify that it is running. The vsftpd server is now secured with SSL/TLS.
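The configuration steps above describe most directives only in prose, and the TLS section enables encryption without forcing clients to use it. The script below is an added example (not from the guide, and not part of the vsftpd project) that writes the settings described in both sections into a vsftpd.conf and then audits the file for the ones that matter most. The directive names the guide does not print (anonymous_enable, local_enable, write_enable, chroot_local_user, allow_writeable_chroot, pasv_enable, pasv_min_port, pasv_max_port) and the extra hardening directives (force_local_logins_ssl, force_local_data_ssl, ssl_sslv3) are the standard vsftpd.conf names, assumed here to match the guide’s descriptions; the helper functions (set_directive, get_directive, apply_vsftpd_config, audit_vsftpd_config) and the sample config are ours.

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the vsftpd.conf directives
# the guide describes and audit the result. Directive names the guide only describes
# in prose (anonymous_enable, local_enable, write_enable, chroot_local_user,
# allow_writeable_chroot, pasv_*) and the extra hardening ones (force_local_logins_ssl,
# force_local_data_ssl, ssl_sslv3) are the standard vsftpd names, assumed rather than
# taken from the guide.

# set_directive FILE KEY VALUE: remove every active or commented-out copy of KEY and
# append exactly one KEY=VALUE line, so the file cannot carry two conflicting values.
set_directive() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    grep -v "^#*[[:space:]]*${key}=" "$file" > "$tmp" || true
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# get_directive FILE KEY: print the active value of KEY (last one wins), or nothing if unset.
get_directive() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# apply_vsftpd_config FILE: write the settings described in the guide.
apply_vsftpd_config() {
    f=$1
    # access control: no anonymous logins; local users may log in and transfer files
    set_directive "$f" anonymous_enable NO
    set_directive "$f" local_enable YES
    set_directive "$f" write_enable YES
    # jail each user in their own home directory
    set_directive "$f" chroot_local_user YES
    set_directive "$f" allow_writeable_chroot YES
    # passive-mode data ports, matching the firewall range opened later in the guide
    set_directive "$f" pasv_enable YES
    set_directive "$f" pasv_min_port 30000
    set_directive "$f" pasv_max_port 31000
    # user_list acts as an allow-list (directives shown in the guide)
    set_directive "$f" userlist_enable YES
    set_directive "$f" userlist_deny NO
    set_directive "$f" userlist_file /etc/vsftpd/user_list
    # TLS (directives shown in the guide) plus enforcement so plaintext logins are refused
    set_directive "$f" ssl_enable YES
    set_directive "$f" rsa_cert_file /etc/vsftpd/vsftpd.pem
    set_directive "$f" rsa_private_key_file /etc/vsftpd/vsftpd.pem
    set_directive "$f" force_local_logins_ssl YES
    set_directive "$f" force_local_data_ssl YES
    set_directive "$f" ssl_sslv3 NO
}

# audit_vsftpd_config FILE: print one WEAK line per checked directive that is unset or
# wrong; returns 0 only when every checked directive is explicitly set as expected.
audit_vsftpd_config() {
    f=$1; rc=0
    while read -r key want; do
        got=$(get_directive "$f" "$key")
        if [ "$got" != "$want" ]; then
            echo "WEAK: $key=${got:-<unset>} (want $want)"
            rc=1
        fi
    done <<EOF
anonymous_enable NO
chroot_local_user YES
userlist_enable YES
userlist_deny NO
ssl_enable YES
force_local_logins_ssl YES
force_local_data_ssl YES
ssl_sslv3 NO
EOF
    return $rc
}

# Constructed sample resembling a stock config (not a real file): anonymous logins on,
# chroot commented out, no TLS at all.
SAMPLE_CONF='# constructed sample vsftpd.conf
anonymous_enable=YES
#chroot_local_user=YES
local_enable=YES
listen=NO
listen_ipv6=YES'

# demo: audit the sample, harden a temporary copy of it, audit again.
demo() {
    t=$(mktemp)
    printf '%s\n' "$SAMPLE_CONF" > "$t"
    echo "== before =="; audit_vsftpd_config "$t" || true
    apply_vsftpd_config "$t"
    echo "== after =="; audit_vsftpd_config "$t" && echo "OK: all checked directives are set"
    rm -f "$t"
}
demo
```

On a real host, back up /etc/vsftpd/vsftpd.conf, run apply_vsftpd_config against it as root, restart vsftpd, and confirm the STARTTLS handshake with openssl s_client -starttls ftp -connect 127.0.0.1:21. With force_local_logins_ssl=YES a client that does not negotiate TLS is rejected before it can send a password, which is the property the audit function insists on.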
To allow remote users to access the server, we need to open some ports in the firewall: port 21 for the FTPS control connection, port 20 for data connections in active mode, and the port range reserved for passive connections.
$ sudo firewall-cmd --permanent --add-port=20-21/tcp
$ sudo firewall-cmd --permanent --add-port=30000-31000/tcp
Then finally, reload the firewall for the changes to take effect. You can verify the status of the firewall and the open ports by calling:
$ sudo firewall-cmd --list-ports
Your vsftpd server is now fully configured, and you can access it over FTPS, which is a secure option as opposed to legacy plaintext FTP.
Disabling SSH Access
Finally, remember that a newly created user is allowed SSH access to the server unless it is explicitly disabled. To disable SSH access for an account that exists only for FTPS, create a file named ftponly in the /bin directory:
$ sudo nano /bin/ftponly
Add a message to the user explaining why they can’t log in:
#!/bin/sh
echo "SSH access is not allowed for this user."
After editing that file, change the permissions to make the file executable:
$ sudo chmod +x /bin/ftponly
Next, open /etc/shells and add /bin/ftponly at the bottom, so that it is accepted as a valid login shell.
Update the vsftpd user’s shell with the following command:
$ sudo usermod user_vsftpd -s /bin/ftponly
Now, if that user tries to log in via SSH, they will be refused and will instead see the ftponly message we set above:
SSH access is not allowed for this user.
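The mistake this section guards against is easy to repeat for the next FTP account, so a periodic check is worth more than a one-off fix. The script below is an added example (not from the guide) that reads a vsftpd user_list and a passwd-format file and reports every listed user whose shell still permits an interactive SSH session, plus entries with no account at all; it also checks that /bin/ftponly is registered in an /etc/shells-style file, as the guide requires. The three sample files are constructed, and the function names (shell_of, is_restricted_shell, shell_registered, ssh_capable_ftp_users) are ours; on a real host pass /etc/vsftpd/user_list, /etc/passwd and /etc/shells.

```shell
#!/bin/sh
# Added example, not part of the original guide: list every account in vsftpd's
# user_list whose login shell still permits an interactive SSH session. Inputs are
# passed as file paths so the check runs against the constructed samples below;
# on a real host use /etc/vsftpd/user_list, /etc/passwd and /etc/shells.

# Constructed samples (not from a real system). 'deploy' is the mistake the guide
# warns about: listed for FTP but still on /bin/bash. 'stale' is listed but has no account.
SAMPLE_USER_LIST='# vsftpd user_list (constructed)
user_vsftpd
deploy
archive
stale'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
user_vsftpd:x:1001:1001::/home/user_vsftpd:/bin/ftponly
deploy:x:1002:1002::/home/deploy:/bin/bash
archive:x:1003:1003::/home/archive:/sbin/nologin'

SAMPLE_SHELLS='/bin/sh
/bin/bash
/bin/ftponly'

# shell_of PASSWD_FILE USER: print the login shell (7th field) of USER, or nothing.
shell_of() {
    awk -F: -v u="$2" '$1 == u { print $7; exit }' "$1"
}

# is_restricted_shell SHELL: succeeds when SHELL cannot give an interactive session.
is_restricted_shell() {
    case "$1" in
        /bin/ftponly|/sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# shell_registered SHELLS_FILE SHELL: succeeds when SHELL is a whole line of the file,
# which is what the guide's /etc/shells step provides for usermod -s.
shell_registered() {
    grep -qx "$2" "$1"
}

# ssh_capable_ftp_users USER_LIST PASSWD_FILE: print "user shell" for each FTP user
# that still has a real login shell, and "user <no passwd entry>" for stale entries.
ssh_capable_ftp_users() {
    # skip comment and blank lines in user_list
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" | while read -r u; do
        s=$(shell_of "$2" "$u")
        if [ -z "$s" ]; then
            echo "$u <no passwd entry>"
        elif ! is_restricted_shell "$s"; then
            echo "$u $s"
        fi
    done
}

# demo: write the samples to temp files and report.
demo() {
    ul=$(mktemp); pw=$(mktemp); shf=$(mktemp)
    printf '%s\n' "$SAMPLE_USER_LIST" > "$ul"
    printf '%s\n' "$SAMPLE_PASSWD" > "$pw"
    printf '%s\n' "$SAMPLE_SHELLS" > "$shf"
    echo "FTP users that can still open an SSH session:"
    ssh_capable_ftp_users "$ul" "$pw"
    shell_registered "$shf" /bin/ftponly && echo "/bin/ftponly is registered in the shells file"
    rm -f "$ul" "$pw" "$shf"
}
demo
```

An empty report means every user_list entry is either on /bin/ftponly (or another non-interactive shell) or absent from passwd; stale entries are worth removing from user_list so the allow-list matches the accounts that actually exist.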