The Very Secure FTP Daemon (VSFTP) is a well-known FTP server solution that supports a wide range of features and enables you to upload and distribute large files across a local network and the internet.
It is the preferred solution for the security-conscious, and we look at why VSFTP represents the first choice for administrators running a CentOS server.
You should be using a static IP address with one or more system user accounts.
It is tested here using the CentOS Live CD as my usual minimal Fluxbox version is still out of action.
If you are running a firewall, you will need to confirm that the firewall has been disabled, removed, or the appropriate ports are open. If you are running SELinux, then you should confirm that it has been disabled or it is now running in permissive mode.
First we need to install the relevant dependencies in order to set up VSFTPD
# yum -y install vsftpd ftp
Open the main configuration file in your favourite text editor
# vi /etc/vsftpd/vsftpd.conf
First disable anonymous users, by scrolling down and finding the following line
anonymous_enable=YES
Change it to read
anonymous_enable=NO
Now find the following line
xferlog_std_format=YES
To enable an independent log file change this line to read
xferlog_std_format=NO
Now scroll down to locate the following
#ascii_upload_enable=YES
#ascii_download_enable=YES
Enable ASCII mode, which is useful when transferring single-byte character based text files. Uncomment the lines as follows
ascii_upload_enable=YES
ascii_download_enable=YES
Now scroll down to find the following for chroot
#chroot_local_user=YES
#chroot_list_enable=YES
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
Uncomment these lines to enable the chroot environment
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
Finally, scroll down to the bottom of the file and add the following line
use_localtime=YES
Save and exit the configuration file and then create a new file to manage the chroot settings and restrict user access to their home directories.
# vi /etc/vsftpd/chroot_list
Now add your local user(s) in the following way
username1
username2
username3
username4
Save and exit the chroot_list file, and enable VSFTPD at boot.
# chkconfig vsftpd on
Finally type the following command to start the FTP service
# service vsftpd start
At this point VSFTP will now be functional and it can be tested with any FTP-based desktop software. Log in using a valid system username and password by connecting to your server's name, domain, or IP address.
Check the status of your FTP service by typing
# service vsftpd status
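As documented in vsftpd.conf(5), setting chroot_local_user=YES together with chroot_list_enable=YES turns chroot_list into a list of users who are NOT placed in the jail. The following check is an added example, not part of the original article; the function names and the sample files are constructed for illustration, and it assumes upper-case YES/NO values as used on this page.

```shell
#!/bin/sh
# Added example: report the effective chroot state of a user for a given
# vsftpd.conf and chroot list. Assumes KEY=VALUE lines without spaces and
# upper-case YES/NO values, as in the settings shown on this page.

# conf_get FILE KEY DEFAULT: last uncommented KEY=value in FILE, else DEFAULT
conf_get() {
    _v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${_v:-$3}"
}

# chroot_state CONF USER LISTFILE: prints "jailed" or "not-jailed"
chroot_state() {
    _all=$(conf_get "$1" chroot_local_user NO)
    _use_list=$(conf_get "$1" chroot_list_enable NO)
    _listed=NO
    if [ "$_use_list" = YES ] && [ -r "$3" ] && grep -qxF -- "$2" "$3"; then
        _listed=YES
    fi
    # With chroot_local_user=YES the list holds exemptions; with NO it holds
    # the users to jail. A user is jailed when exactly one of the two is YES.
    if [ "$_all" != "$_listed" ]; then echo jailed; else echo not-jailed; fi
}

# Constructed sample files mirroring the settings and user list shown above
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'anonymous_enable=NO' 'chroot_local_user=YES' \
    'chroot_list_enable=YES' > "$demo_dir/both.conf"
printf '%s\n' '#chroot_local_user=YES' 'chroot_list_enable=YES' \
    > "$demo_dir/list_only.conf"
printf '%s\n' 'chroot_local_user=YES' '#chroot_list_enable=YES' \
    > "$demo_dir/all.conf"
printf '%s\n' username1 username2 > "$demo_dir/chroot_list"

for conf in both list_only all; do
    for user in username1 otheruser; do
        printf '%-10s %-10s %s\n' "$conf" "$user" \
            "$(chroot_state "$demo_dir/$conf.conf" "$user" "$demo_dir/chroot_list")"
    done
done
```

To jail every local user, keep chroot_local_user=YES and leave chroot_list_enable commented out; to jail only the listed users, do the opposite.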
So VSFTP is not a difficult package to install and configure, but you can expand upon the above with a few extra tasks.
After installing and configuring a basic FTP service you may wonder how to direct users to a specific folder.
First ensure it exists or create a new directory with
# mkdir ftpdir
Open up the config file again
# vi /etc/vsftpd/vsftpd.conf
Scroll down to the bottom of the file and add the following line, substituting <users_local_folder_name> with something more suited to your own needs.
local_root=<users_local_folder_name>
For example
local_root=/home/centoslive/ftpdir
Save and exit the configuration file and restart the server.
# service vsftpd restart
Changing the default time-out
When dealing with a large number of users you may want to change the values for a default time-out in order to improve efficiency. To do this, again open the main configuration file in your favorite text editor
# vi /etc/vsftpd/vsftpd.conf
Now scroll down and find the following
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
Uncomment the idle_session and data_connection lines and substitute the numeric values as required
# You may change the default value for timing out an idle session.
idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
data_connection_timeout=120
Remember to restart the server
# service vsftpd restart
Banning a user from the FTP service
By enabling a chroot jail you will be restricting a user's access to the home folder, but if you wanted to ban a specific user from using the FTP service as a whole, you can add the user's name to /etc/vsftpd/ftpusers.
Log in as root and type the following command
# echo username >> /etc/vsftpd/ftpusers
Remember to replace username with a more appropriate value.
If you ever need to re-enable the user at any time, simply reverse the previous process by removing the user concerned from /etc/vsftpd/ftpusers.
Customizing the banner
The default banner values will suit most purposes but sometimes you may want to consider customizing it.
To do this, open the main configuration file in your favorite text editor.
# vi /etc/vsftpd/vsftpd.conf
Now scroll down and find the following line
#ftpd_banner=Welcome to blah FTP service
Uncomment this line and alter the message as required. For example, you could use
ftpd_banner=Welcome to the new FTP server
Having done this, close any active connection and restart the VSFTPD service by typing
# service vsftpd restart
On the next successful login your users should see the following message
Welcome to the new FTP server
If you happen to encounter the 500 error then you must either disable SELinux or set the appropriate SELinux permissions.