Very secure FTP daemon (vsftpd) is a lightweight, safe, and easy-to-use FTP server software for Linux. This topic describes how to install and configure vsftpd on a Linux-based simple application server and how to test the connectivity to the FTP server.

Prerequisites

A Linux-based simple application server is created. For more information, see Create a simple application server by using the WordPress application image.

Background information

FTP is a protocol used to transfer files. It is based on a client-server model and uses two TCP connections: a control connection (port 21 by default) for commands and replies, and a separate data connection for each directory listing or file transfer. FTP supports the following working modes for setting up the data connection:
  • Active mode: The client tells the server, in a PORT command, which address and port it is listening on, and the server connects back to that port. This fails when the client sits behind NAT or a firewall that blocks inbound connections, which is why clients such as FileZilla default to passive mode.
  • Passive mode: The FTP server opens a port, sends its address and the port number to the client in a 227 reply, and the client initiates the connection to that port. The server must therefore advertise an address that the client can reach, and the server firewall must allow the whole passive port range. This is the mode configured in this topic.
Plain FTP carries usernames, passwords, and file contents unencrypted, so treat any FTP account as exposed to everyone who can observe the network path.
FTP supports the following authentication modes:
  • Anonymous user mode: Clients log on with the username anonymous (vsftpd also accepts ftp) and no real password. This is the least secure mode: everything in the anonymous directory is readable by anyone who can reach port 21, and with uploads enabled anyone can write there. In most cases, this mode is used to serve unimportant public files. We recommend that you do not use this mode in a production environment.
  • Local user mode: Logon is authenticated against the local Linux accounts on the server (through PAM), and the session runs with that user's file permissions. This mode is more secure than anonymous user mode, but because FTP is a cleartext protocol the account password is exposed on the network path, so use a dedicated account that has no other privileges on the server.
  • Virtual user mode: Authentication uses a separate database of virtual users, which are mapped to one unprivileged local account. Virtual users have access only to the FTP service and to no other resource of the system. Virtual user mode is more secure than anonymous and local user modes. If you have high security requirements for server data, we recommend that you configure virtual user mode under the guidance of professionals.

This topic focuses on the easy-to-configure anonymous user mode and the more secure local user mode.
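The passive-mode handshake described above is where most FTP connectivity problems show up, so here is an added example (not part of the original topic) that decodes the server's 227 reply the way a client does and checks that the advertised endpoint is usable: the address must be the server's public IP and the port must fall inside the passive range that the firewall allows. The reply lines, the public IP 121.43.10.20 and the range 50000 to 50010 are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original topic: decode an FTP "227 Entering
# Passive Mode" reply and check that the advertised data endpoint is usable.
# The reply lines, the public IP and the port range below are constructed.

# pasv_endpoint "<227 reply>"  ->  prints "ip port" (nothing if unparseable)
pasv_endpoint() {
    # The reply carries six comma-separated numbers h1,h2,h3,h4,p1,p2;
    # the data port is p1*256 + p2 (RFC 959 PASV reply format).
    printf '%s\n' "$1" |
        sed -n 's/.*(\([0-9,]*\)).*/\1/p' |
        awk -F, 'NF == 6 { printf "%s.%s.%s.%s %d\n", $1, $2, $3, $4, $5 * 256 + $6 }'
}

# pasv_check "<227 reply>" <public_ip> <pasv_min_port> <pasv_max_port>
# Returns 0 when a client can use the endpoint, 1 otherwise, printing why.
pasv_check() {
    reply=$1; want_ip=$2; lo=$3; hi=$4
    set -- $(pasv_endpoint "$reply")
    [ $# -eq 2 ] || { echo "unparseable PASV reply: $reply"; return 1; }
    ip=$1; port=$2
    if [ "$ip" != "$want_ip" ]; then
        # Typical symptom of a missing pasv_address behind NAT: the server
        # advertises the private address of its own network interface.
        echo "server advertised $ip, expected $want_ip (check pasv_address)"
        return 1
    fi
    if [ "$port" -lt "$lo" ] || [ "$port" -gt "$hi" ]; then
        echo "data port $port is outside $lo-$hi (check pasv_min_port/pasv_max_port and the firewall)"
        return 1
    fi
    echo "data connection $ip:$port is inside the allowed range"
}

# Constructed replies: one from a correctly configured server, one from a
# server behind NAT whose pasv_address was never set.
GOOD_REPLY='227 Entering Passive Mode (121,43,10,20,195,80)'
NAT_REPLY='227 Entering Passive Mode (172,16,0,5,195,80)'

# Stand-alone run: pasv_check "$GOOD_REPLY" 121.43.10.20 50000 50010
```

The 195,80 pair decodes to port 50000, the low end of the range used later in this topic. Some clients can be told to ignore a wrong advertised address (curl has --ftp-skip-pasv-ip), but fixing pasv_address on the server is the proper remedy.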

Step 1: Make preparations

FileZilla is an FTP client tool. In the example, FileZilla is used to connect to the FTP server. You must perform the following operations:
  1. Download and install FileZilla on your computer.

    To download FileZilla, visit FileZilla download center.

  2. Reset the password of the root user for the Linux server.

    For more information, see Reset the logon password of a simple application server.

Step 2: Install and configure vsftpd

  1. Connect to the Linux server.
    For more information, see Connect to a Linux server. In this example, the Simple Application Server console is used to connect to the Linux server and the root user is used to perform subsequent operations.
    Note When you connect to the Linux server by using the Simple Application Server console, you are connected as a regular user. If you do not switch to the root user, you may receive the message "Error: This command has to be run under the root user." when you run specific commands.
    1. After you are connected to the Linux server, run the following command to switch to the root user:
      sudo su root
    2. Run the following command to return to the root directory of the root user:
      cd
      Note After you switch to the root user by using the preceding command, you can run the exit command to switch back to the regular user.
  2. Run the following command to install vsftpd:
    yum install -y vsftpd
    When the command finishes without errors and the output lists the vsftpd package, vsftpd is installed.
  3. Run the following command to enable the FTP service to automatically start on system startup:
    systemctl enable vsftpd.service
  4. Run the following command to start the FTP service:
    systemctl start vsftpd.service
  5. Run the following command to query the port of the FTP service:
    netstat -antup | grep ftp
    The command lists listening sockets together with their owning process; grep ftp matches the vsftpd process name. If the output shows vsftpd listening on TCP port 21 (0.0.0.0:21), FTP is started. netstat is provided by the net-tools package and may be absent from minimal images.

Step 3: Configure the access mode of the FTP server

You can configure anonymous or local user mode for the FTP server. We recommend that you use the more secure local user mode.

  • Anonymous user mode:
    1. Run the following command to modify the /etc/vsftpd/vsftpd.conf configuration file.
      If you have installed vsftpd by running the apt install vsftpd command, the path of the configuration file is /etc/vsftpd.conf.
      vim /etc/vsftpd/vsftpd.conf
    2. Press the I key to enter the edit mode.
    3. Find the anonymous_enable and anon_upload_enable parameters. anonymous_enable specifies whether anonymous logons are accepted, and anon_upload_enable specifies whether anonymous users may upload files. anon_upload_enable takes effect only if write_enable is also YES, which is the default in the CentOS configuration file. Verify that both parameters are set to YES and are not commented out.
      The default settings in the configuration file differ between operating system versions; anon_upload_enable in particular is usually commented out and defaults to NO. Make sure that the values of both parameters are YES after you modify them. Bear in mind that with these settings anyone who can reach port 21 can upload files to the server.
      anonymous_enable=YES
      anon_upload_enable=YES
    4. Add the following parameters to the end of the file.
      Notice Copy the following parameters and paste them into the configuration file on the Linux server. Make sure that the parameters are not commented out with a number sign (#) and that every line has the exact key=value form. vsftpd rejects the whole file and fails to restart if, for example, a line contains a space before or after the equal sign or a trailing space after the value.
      #Enables passive mode. 
      pasv_enable=YES
      #Specifies the minimum and maximum port numbers of the range used for data connections in passive mode. 
      #Choose a narrow range of high, otherwise unused ports, such as 50000 to 50010, so that the firewall rule in Step 4 can be kept equally narrow. Each concurrent transfer uses one port from this range. 
      pasv_min_port=<port number>
      pasv_max_port=<port number>
    5. Press the Esc key to exit the edit mode. Enter :wq and press the Enter key to save and close the file.
    6. Run the following command to make the /var/ftp/pub directory writable so that anonymous users can upload files to it:
      /var/ftp/pub is the default upload directory of the FTP service. Anonymous sessions run as the local ftp user (the ftp_username parameter, default ftp), so transferring ownership of the directory to that user is a tighter alternative to chmod o+w, which makes the directory writable by every local account. Do not make /var/ftp itself writable: vsftpd refuses anonymous logons when the chroot root directory is writable.
      chmod o+w /var/ftp/pub/
    7. Run the following command to restart the FTP service:
      systemctl restart vsftpd.service
  • Local user mode:
    1. Run the following command to create a Linux user for the FTP service.
      In this example, the ftptest username is used.
      adduser ftptest
    2. Run the following command to modify the password of the ftptest user:
      passwd ftptest
      Follow the command line instructions to modify the password of the user.
    3. Run the following command to create a file directory for the FTP service:
      mkdir /var/ftp/test
    4. Run the following command to change the owner of the /var/ftp/test directory to ftptest:
      chown -R ftptest:ftptest /var/ftp/test
    5. Modify the vsftpd.conf configuration file.
      1. Run the following command to modify the /etc/vsftpd/vsftpd.conf configuration file.
        If you have installed vsftpd by running the apt install vsftpd command, the path of the configuration file is /etc/vsftpd.conf.
        vim /etc/vsftpd/vsftpd.conf
      2. Press the I key to enter the edit mode.
      3. Enable passive mode for the FTP server.
        Configure the following parameters:
        Notice Copy the following parameters and paste them into the configuration file on the Linux server. Make sure that the parameters are not commented out with a number sign (#) and that every line has the exact key=value form. vsftpd rejects the whole file and fails to restart if, for example, a line contains a space before or after the equal sign or a trailing space after the value.
        #Use the default values for all parameters except the following parameters: 
        
        #Modify the values of the following parameters:
        #Prohibits anonymous users from logging on to the FTP server. 
        anonymous_enable=NO
        #Allows local users to log on to the FTP server. 
        local_enable=YES
        #Listens on IPv4 sockets. 
        listen=YES
        
        #Add a number sign (#) to the beginning of the line to comment out the following parameter. vsftpd refuses to start if both listen and listen_ipv6 are set to YES.
        #Disables listening on IPv6 sockets. 
        #listen_ipv6=YES
        
        #Add the following parameters to the end of the configuration file:
        #Specifies the directory to which local users are directed when they log on. 
        local_root=/var/ftp/test
        #Confines all local users to that directory (chroot) after they log on. 
        chroot_local_user=YES
        #Uses a list to specify exception users. Exception users are not confined to the directory after they log on. 
        chroot_list_enable=YES
        #Specifies the file that contains the list of exception users. 
        chroot_list_file=/etc/vsftpd/chroot_list
        #Enables passive mode. 
        pasv_enable=YES
        #Permits the chroot root directory to be writable. /var/ftp/test is owned by ftptest, so without this setting vsftpd rejects the logon with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". A stricter layout keeps the chroot root owned by root and not writable, and gives the user a writable subdirectory instead. 
        allow_writeable_chroot=YES
        #Specifies the address that the server advertises to clients for passive-mode data connections. Cloud instances typically carry a private address on their network interface with the public address mapped by NAT, so set this to the public IP address of the Linux server; otherwise clients on the internet receive the private address and the data connection fails. 
        pasv_address=<The public IP address of the Linux server>
        #Specifies the minimum and maximum port numbers of the range used for data connections in passive mode. 
        #Choose a narrow range of high, otherwise unused ports, such as 50000 to 50010, so that the firewall rule in Step 4 can be kept equally narrow. Each concurrent transfer uses one port from this range. 
        pasv_min_port=<port number>
        pasv_max_port=<port number>
        For information about more parameters, see vsftpd configuration file and parameters.
      4. Press the Esc key to exit the edit mode. Enter :wq and press the Enter key to save and close the file.
    6. Create the chroot_list file, and write the list of exception users to the file.
      1. Run the following command to create the chroot_list file:
        vim /etc/vsftpd/chroot_list
      2. Press the I key to enter the edit mode.
      3. Enter the list of exception users, one username per line. Exception users are not confined to the local_root directory and can browse any directory that their Linux permissions allow, so keep this list empty unless a user really needs it.
        Notice You must create the chroot_list file even if no exception users exist. The file can be empty, but if it is missing, local-user logons fail with a 500 OOPS error.
      4. Press the Esc key to exit the edit mode. Enter :wq and press the Enter key to save and close the file.
    7. Run the following command to restart the FTP service:
      systemctl restart vsftpd.service

Step 4: Configure the firewall of the Linux server

After the FTP server is built, you must add rules in the firewall of the Linux server to allow traffic on the ports listed in the following table. For more information, see Add a firewall rule.

In passive mode, you must allow inbound TCP traffic on port 21 (the control connection) and on every port in the range specified by pasv_min_port and pasv_max_port in the /etc/vsftpd/vsftpd.conf configuration file (the data connections). The range in the firewall rule must be the same one written in the configuration file; a mismatch is the most common cause of a logon that succeeds but cannot list or transfer files. The following table describes the rules.
Application type   Protocol   Port range
FTP                TCP        21
Custom             TCP        pasv_min_port to pasv_max_port, for example 50000/50010
After the firewall rules are added, they appear on the Firewall page.
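Before restarting the service in Step 3 and adding the rules in Step 4, it is worth checking the configuration file for the pitfalls the Notice describes. The following added example (not part of the original topic and not vsftpd's own tooling) is a small POSIX shell linter for a vsftpd.conf: it rejects lines that are not strict key=value, the listen/listen_ipv6 conflict, an unset or inverted passive range and a missing chroot_list file, warns when anonymous upload is enabled, and prints the TCP ports that the firewall must allow. Paths and values are whatever the caller passes; nothing here edits the file.

```shell
#!/bin/sh
# Added example, not from the original topic: lint a vsftpd.conf for the
# mistakes Step 3 warns about before restarting the service, and derive
# the TCP ports that Step 4 must open. File paths and values used by a
# caller are assumptions; vsftpd_lint never modifies the file.

# conf_get <file> <key>  ->  value of the last uncommented "key=value" line
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# vsftpd_lint <file>  ->  exit 0 if clean, else 1 with one problem per line
vsftpd_lint() {
    f=$1; rc=0

    # vsftpd parses every non-blank, non-comment line as key=value and
    # refuses to start with a 500 OOPS error on anything else. A pasted
    # prose line, "key = value" with spaces around the sign, or a trailing
    # space after the value all fail this regex.
    bad=$(grep -nEv '^[[:space:]]*(#|$)' "$f" |
          grep -Ev '^[0-9]+:[A-Za-z_]+=([^[:space:]](.*[^[:space:]])?)?$' || true)
    [ -z "$bad" ] || { echo "malformed line(s):"; echo "$bad"; rc=1; }

    # listen (IPv4) and listen_ipv6 are mutually exclusive.
    if [ "$(conf_get "$f" listen)" = YES ] && [ "$(conf_get "$f" listen_ipv6)" = YES ]; then
        echo "listen=YES and listen_ipv6=YES cannot both be set"; rc=1
    fi

    # The passive range must exist and be ordered, or data ports are random.
    lo=$(conf_get "$f" pasv_min_port); hi=$(conf_get "$f" pasv_max_port)
    if [ -z "$lo" ] || [ -z "$hi" ]; then
        echo "pasv_min_port/pasv_max_port not set: passive data ports will be random"; rc=1
    elif [ "$lo" -gt "$hi" ]; then
        echo "pasv_min_port ($lo) is greater than pasv_max_port ($hi)"; rc=1
    fi

    # The exception list must exist even if empty, or local logons fail.
    if [ "$(conf_get "$f" chroot_list_enable)" = YES ]; then
        cl=$(conf_get "$f" chroot_list_file)
        [ -r "${cl:-/etc/vsftpd/chroot_list}" ] ||
            { echo "chroot_list_enable=YES but the list file is missing"; rc=1; }
    fi

    # Anonymous upload turns the server into a public drop box: warn only.
    if [ "$(conf_get "$f" anonymous_enable)" = YES ] &&
       [ "$(conf_get "$f" anon_upload_enable)" = YES ]; then
        echo "warning: anonymous uploads are enabled"
    fi
    return $rc
}

# firewall_ports <file>  ->  "21 <pasv_min_port> <pasv_max_port>"
firewall_ports() {
    echo "21 $(conf_get "$1" pasv_min_port) $(conf_get "$1" pasv_max_port)"
}
```

Run vsftpd_lint /etc/vsftpd/vsftpd.conf (or /etc/vsftpd.conf on Debian-based systems) and restart vsftpd only when it exits 0; firewall_ports prints the control port and the passive range that the rules on the Firewall page must cover.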

Step 5: Check whether you can access the FTP server from the FTP client

  1. Open the FileZilla client.
  2. In the top navigation bar, choose File > Site Manager.
  3. In the lower-left corner of the Site Manager dialog box, click New site.
  4. Enter a name for the new site and configure the new site.
    The following list describes the parameters:
    • Name: a custom site name. Example, test-01.
    • Protocol: FTP.
    • Host: the public IP address of the FTP server. In this topic, the value is the public IP address of the Linux instance. For example, 121.43.XX.XX.
    • Port: 21.
    • Logon Type: Anonymous for anonymous user mode. For local user mode, set the logon type to Normal and enter the username and password of the Linux user (ftptest in this topic).

      In this example, the client connects to the FTP server in anonymous mode.

  5. Click Connect.
    After the connection is established, you can upload, download, and delete files. The FileZilla window is divided into the following sections:
    • Message log at the top: the commands sent, the replies and connection status of the FTP server, and the result of each operation. A logon that succeeds but then fails to retrieve the directory listing usually means that the passive port range is not open in the firewall or that pasv_address is wrong.
    • Local site: the directory tree and files of your computer.
    • Remote site: the directory tree and files of the FTP server. In anonymous mode, the default directory is /pub.
    • Transfer queue at the bottom: the queued, failed, and successful transfers.

vsftpd configuration file and parameters

The following section describes the files under the /etc/vsftpd directory:
  • /etc/vsftpd/vsftpd.conf is the core configuration file of vsftpd.
  • /etc/vsftpd/ftpusers is a deny list checked by PAM. Users specified in this file (root and other system accounts by default) cannot log on to the FTP server.
  • /etc/vsftpd/user_list is consulted when userlist_enable=YES (the default in the CentOS configuration). With the default userlist_deny=YES it is a second deny list: listed users are rejected before a password is requested. Only if you set userlist_deny=NO does it become an allow list that admits the listed users and rejects everyone else.
The following section describes the parameters in the vsftpd.conf configuration file.
  • The following table describes the parameters for logon control.
    Parameter setting          Description
    anonymous_enable=YES       Accepts anonymous users.
    no_anon_password=YES       Anonymous users are not asked for a password.
    anon_root=(none)           Specifies the home directory of anonymous users (the home directory of the ftp user, /var/ftp, if unset).
    local_enable=YES           Accepts local users.
    local_root=(none)          Specifies the directory to which local users are directed after logon (their own home directory if unset).
  • The following table describes the parameters that control write access.
    Parameter setting              Description
    write_enable=YES               Enables FTP commands that modify the file system (upload, delete, rename, mkdir). Must be YES for any kind of upload, including anonymous upload.
    local_umask=022                umask applied to files created by local users; 022 yields mode 644 for uploaded files.
    file_open_mode=0666            Permission bits that uploaded files are created with before the umask is applied.
    anon_upload_enable=NO          When YES, allows anonymous users to upload files; requires write_enable=YES and a directory writable by the ftp user.
    anon_mkdir_write_enable=NO     When YES, allows anonymous users to create directories.
    anon_other_write_enable=NO     When YES, allows anonymous users to delete and rename files. Leave NO.
    chown_username=lightwiter      User that becomes the owner of files uploaded by anonymous users; takes effect only when chown_uploads=YES.