Vsftpd

In this tutorial, we will learn how to install, configure and use the vsFTPd Service on the CentOS Linux.

About vsFTPd and more details :
vsftpd, which stands for “Very Secure FTP Daemon”, is an FTP server for Unix-like systems, including Linux. It is licensed under the GNU General Public License. It supports IPv6 and SSL. vsftpd supports explicit (since 2.0.0) and implicit (since 2.1.0) FTPS. vsftpd is the default FTP server in the Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL Linux distributions.

Additionnaly, vsftpd is one of the few FTP Service which can be chroot jail.

Topology used in this scenario:

1 Ethernet card (eth0) connected to a router, which :
 -  forward port 21 / TCP to 192.168.0.2
 -  forward port 2000 to 2050 TCP to 192.168.0.2
Internet IP : 1.2.3.4
Internal IP : 192.168.0.2
Existing Subnet: 192.168.0.0/24

User(s) that will be given right to FTP:
user1, user2 and user4

Installation :

To install vsftpd on your CentOS server, simply type the following command as root, accept and install vsftpd:

yum install vsftpd

Configuration : 

By default, the vsftpd configuration file is not very well suited for a “private” ftp. This is why we will edit this configuration file with our favorite text editor such as `nano` or `vi` :

nano /etc/vsftpd/vsftpd.conf

The file should look like this :

# General Options
ftpd_banner=Private FTP Service
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES

# Connections Options
connect_from_port_20=YES
max_clients=50
max_per_ip=3
tcp_wrappers=YES
listen=YES

# Passive transfer options
pasv_enable=YES
pasv_min_port=2000
pasv_max_port=2050
pasv_address=1.2.3.4

# User controls
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list

# Security Options
chroot_list_enable=YES
chroot_local_user=YES
chroot_list_file=/etc/vsftpd/chroot_list

# Misc options
xferlog_std_format=YES
pam_service_name=vsftpd

Security Options

This configuration will by default chroot all local users so that users are lock to their home directory, except if you add their username in the file /etc/vsftpd/chroot_list which is not recommended and only suggested if you know what you are doing.

User(s) Control :

Since we specify in the configuration that we want to explicitly say which user(s) are allowed to use the FTP service, we need to edit the following file /etc/vsftpd/user_list and add the user1, user2, user4 using your favorite text editor such as `nano` or `vi` :

nano /etc/vsftpd/user_list

Then, if there something in the file, delete everything, and make it look like :

user1
user2
user4

Please take note that all other user(s), regardless of who they are, will not be allowed if they aren’t mentioned in this file.

Service Configuration :

Type the following command to make sure that vsftpd start at boot time :

chkconfig --level 345 vsftpd on

Firewall Configuration :

Assuming that you did correctly forward the port from your router to your CentOS server as required in the Topology, you will probably need to add some iptables firewall rules to allow the connections to come in and out.

Run the following commands to add the necessary rules :

/sbin/iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m multiport --dports 2000:2050 -j ACCEPT
/sbin/service iptables save
/sbin/service iptables restart

Running the vsftpd Service and trying it :

Type the following command to start the service :

/sbin/service vsftpd start

To stop the vsftpd service, type this :

/sbin/service vsftpd stop

To test to see if the vsftpd work and listen, type the following command :

telnet localhost 21

This should output something similair to this :

Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 Private FTP Service

Additionnaly, if tested from outside (the Internet, outside our network), we should have a similar result when trying to telnet into our Internet IP on port 21 :

Trying 1.2.3.4...
Connected to server.hostname (1.2.3.4).
Escape character is '^]'.
220 Private FTP Service

Finally and important, if you use SELinux, run these commands to allow ftp activities on the server :

setsebool -P allow_ftpd_full_access 1
setsebool -P ftp_home_dir 1