vsftpd (very secure FTP daemon) is a lightweight, security-focused and easy-to-use File Transfer Protocol (FTP) server for Linux. This topic describes how to install vsftpd on a Linux ECS instance and how to configure it for anonymous or local users in active or passive mode.

Prerequisites

Background information

FTP is a protocol used for transferring files. It is built on a client-server model and uses a separate data connection for each directory listing or transfer. That data connection can be set up in one of the following two modes:

  • Active mode: The client tells the server which port it is listening on (the PORT command), and the server opens the data connection to that port.
  • Passive mode: The server opens a port and tells the client which one in its reply to the PASV command. The client connects to that port, and the server accepts the connection.
Note Most FTP clients sit in local area networks (LANs) behind NAT and firewalls and have no public IP address of their own, so an active-mode server cannot reach back to the port the client announces. We therefore recommend that you run the FTP server in passive mode unless there are special requirements.

FTP supports the following three authentication modes:

  • Anonymous user mode: Anyone can log on to the FTP server without password verification. This is the least secure mode. We recommend that you use it to save only unimportant public files, but not files in a production environment.
  • Local user mode: This authentication mode requires users to have Linux local accounts. This mode is more secure compared with the anonymous user mode.
  • Virtual user mode: Virtual users are dedicated users of the FTP server. Virtual users can access only the FTP service provided by the Linux system and cannot access other resources of the system. This way, the security of the FTP server is further enhanced.
The following table lists the configurations covered in this topic.

    Working mode   Anonymous user                                                 Local user
    Active mode    Allow anonymous users to upload files in active mode.          Allow local users to access the FTP server in active mode.
    Passive mode   None (not covered in this topic).                              Allow local users to access the FTP server in passive mode.

Limits

Procedures in this topic are applicable to the following software versions:
  • Operating system: the CentOS 7.2 64-bit public image
  • vsftpd: 3.0.2
  • Internet Explorer: 11

The commands and parameters used in this topic may vary based on your software version.

Procedure

Step 1: install vsftpd

  1. Connect to the target Linux instance.
    For more information, see Methods to connect to a Linux instance.
  2. Run the following command to install vsftpd.
    yum install -y vsftpd
    If yum finishes with Complete!, the installation succeeded.
  3. Run the following command to enable the FTP service to run at boot time:
    systemctl enable vsftpd.service
  4. Run the following command to start the FTP service:
    systemctl start vsftpd.service
  5. Run the following command to view the listening port of the FTP service:
    netstat -antup | grep ftp
    If netstat is not available (the net-tools package is not part of the CentOS 7 minimal image), run ss -tlnp | grep vsftpd instead. A line that shows port 21 in the LISTEN state indicates that the FTP service is running and listening on port 21. Anonymous access is enabled in the packaged configuration: you can log on to the FTP server without a username and password, but you cannot modify or upload files.

Step 2: configure vsftpd (anonymous user mode)

This step and the local user mode variant that follows it are alternatives: perform only the one that matches the authentication mode you chose. To allow anonymous users to upload files in active mode, perform the following steps:

  1. Modify the configuration file /etc/vsftpd/vsftpd.conf.
    1. Run the vim /etc/vsftpd/vsftpd.conf command to open the configuration file.
    2. Press I to enter the edit mode.
    3. Set write_enable=YES.
    4. Set anon_upload_enable=YES.
    5. Press Esc to exit the edit mode. Enter :wq and press Enter to save and close the file.
    (Figure: the modified configuration file, showing write_enable=YES and anon_upload_enable=YES.)
  2. Run the following command to change the permissions of the /var/ftp/pub directory and grant write permissions to FTP users:
    chmod o+w /var/ftp/pub/
    Note This makes /var/ftp/pub writable by every account on the instance, not only by the anonymous FTP session. vsftpd runs anonymous sessions as the local user ftp (the default of ftp_username), so a narrower alternative is chown ftp:ftp /var/ftp/pub with the mode left at 755. Do not make /var/ftp itself writable: anonymous sessions are chrooted into it, and vsftpd 3.x rejects a login whose chroot root is writable with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()".
  3. Run the following command to restart vsftpd so that the new configuration takes effect:
    systemctl restart vsftpd.service
    (Figure: an anonymous session after the change, with upload permission on /var/ftp/pub.)

Step 2: configure vsftpd (local user mode)

To configure the permission for local users to access the FTP server, perform the following steps:

  1. Run the following command to create a Linux user for the FTP service. In this example, the username is ftptest.
    useradd ftptest
  2. Run the following command to modify the password of the ftptest user:
    passwd ftptest
  3. Run the following command to create a file directory for the FTP service:
    mkdir /var/ftp/test
  4. Run the following command to change the owner of the /var/ftp/test directory to ftptest:
    chown -R ftptest:ftptest /var/ftp/test
  5. Modify the vsftpd.conf configuration file.
    1. Run the vim /etc/vsftpd/vsftpd.conf command to open the configuration file.
    2. Press I to enter the edit mode.
    3. Enable the active or passive mode for the FTP server as needed.
      • To enable the active mode for the FTP server, you need to set the following parameters:
        #Use the default values for all parameters except for the following parameters:
        
        #Modify the values of the following parameters:
        anonymous_enable=NO      #Disallows anonymous users from logging on to the FTP server.
        local_enable=YES         #Allows local users to log on to the FTP server.
        listen=YES               #Listens on an IPv4 socket.
        
        #Add # to the beginning of the row to comment out the following parameter (listen and listen_ipv6 cannot both be YES):
        #listen_ipv6=YES          #Disables the IPv6 dual-stack socket that the packaged configuration listens on.
        
        #Add the following parameters:
        chroot_local_user=YES    #Confines every local user to their FTP root directory (chroot).
        chroot_list_enable=YES   #Uses a list to specify the users who are exempt from the chroot.
        chroot_list_file=/etc/vsftpd/chroot_list  #The list file that contains the users exempt from the chroot.
        allow_writeable_chroot=YES  #Lets users log on although their chroot root (local_root, owned by ftptest above) is writable; without it vsftpd 3.x rejects the login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()".
        local_root=/var/ftp/test #The directory where local users are placed after they log on.
        Note A writable chroot root weakens the chroot, which is why vsftpd refuses it by default. A safer layout is to keep /var/ftp/test owned by root with mode 755, create a subdirectory such as /var/ftp/test/upload owned by ftptest for uploads, and leave allow_writeable_chroot out.
      • To enable the passive mode for the FTP server, you need to set the following parameters:
        #Use the default values for all parameters except for the following parameters:
        
        #Modify the values of the following parameters:
        anonymous_enable=NO          #Disallows anonymous users from logging on to the FTP server.
        local_enable=YES             #Allows local users to log on to the FTP server.
        listen=YES                   #Listens on an IPv4 socket.
        #Add # to the beginning of the row to comment out the following parameter (listen and listen_ipv6 cannot both be YES):
        #listen_ipv6=YES             #Disables the IPv6 dual-stack socket that the packaged configuration listens on.
        
        #Add the following parameters:
        local_root=/var/ftp/test     #The directory where local users are placed after they log on.
        chroot_local_user=YES        #Confines every local user to their FTP root directory (chroot).
        chroot_list_enable=YES       #Uses a list to specify the users who are exempt from the chroot.
        chroot_list_file=/etc/vsftpd/chroot_list  #The list file that contains the users exempt from the chroot.
        allow_writeable_chroot=YES   #Lets users log on although their chroot root is writable; see the note on this parameter in the active mode section.
        pasv_enable=YES                    #Enables the passive mode.
        pasv_address=<The public IP address of the FTP server>  #The address advertised to clients in PASV replies. This topic uses the public IP address of the Linux instance: on an ECS instance that address is mapped by NAT and is not configured on the network interface, so without this setting vsftpd advertises the private address, which clients outside the VPC cannot reach.
        pasv_min_port=<port number>          #Lower bound of the port range used for passive-mode data connections.
        pasv_max_port=<port number>          #Upper bound of the port range used for passive-mode data connections.
        Note Use a small range of high ports, such as 50000 to 50010. The whole range has to be opened in the security group, so a narrow range keeps the exposed surface small, and high ports avoid colliding with other services. Each concurrent data connection occupies one port, so a range of 10 ports serves roughly 10 simultaneous transfers.

      For more information about the parameters, see vsftpd configuration file and parameters.

    4. Press Esc to exit the edit mode. Enter :wq and press Enter to save and close the file.
  6. Create the chroot_list file, and write the exception user list to the file.
    1. Run the vim /etc/vsftpd/chroot_list command to create the chroot_list file.
    2. Press I to enter the edit mode.
    3. Enter the names of exception users. These users are not limited to the home directory and can access other directories.
    4. Press Esc to exit the edit mode. Enter :wq and press Enter to save and close the file.
    Note Even if no exception users exist, you must also create the chroot_list file. The file can be empty.
  7. Run the following command to restart vsftpd.
    systemctl restart vsftpd.service
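The procedure above edits vsftpd.conf by hand in vim. The following script is an added example, not code from the page or from the vsftpd project: it writes an equivalent passive-mode, local-user configuration non-interactively and then audits any vsftpd.conf for the weak settings discussed in the anonymous and local user sections (anonymous logins and uploads, no chroot, a writable chroot root, an unbounded passive port range). Assumptions that are not from the page: the chroot root /var/ftp/test stays owned by root and non-writable with uploads going to a writable subdirectory, so allow_writeable_chroot is omitted; user_list is used as an allow list (userlist_deny=NO); and the 100-port width limit in the audit is a chosen threshold, not a vsftpd limit. The audit treats missing keys as vsftpd's built-in defaults (anonymous_enable=YES, pasv_enable=YES, pasv_min_port=0).

```shell
#!/bin/sh
# Added example: render a passive-mode local-user vsftpd.conf and audit it for weak settings.
# Not the page's or vsftpd's own code. Paths and values are constructed for the demo.

# write_vsftpd_conf PATH PUBLIC_IP PASV_MIN PASV_MAX
write_vsftpd_conf() {
    cat > "$1" <<EOF
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
listen=YES
# listen_ipv6 is deliberately absent: it defaults to NO and may not be YES together with listen=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
# assumed layout: /var/ftp/test is root-owned and read-only, uploads go to /var/ftp/test/upload
local_root=/var/ftp/test
pasv_enable=YES
pasv_address=$2
pasv_min_port=$3
pasv_max_port=$4
# assumed policy: user_list as an allow list, only listed names may log on
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
xferlog_enable=YES
EOF
}

# conf_get PATH KEY -> value of KEY (last occurrence wins, as in vsftpd); empty if unset
conf_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# audit_vsftpd_conf PATH -> prints one line per weak setting; returns 1 if any were found
audit_vsftpd_conf() {
    findings=0
    anon=$(conf_get "$1" anonymous_enable); [ -z "$anon" ] && anon=YES   # vsftpd built-in default
    if [ "$anon" = "YES" ]; then
        echo "anonymous_enable=YES: unauthenticated logins are accepted"; findings=1
    fi
    if [ "$(conf_get "$1" anon_upload_enable)" = "YES" ]; then
        echo "anon_upload_enable=YES: unauthenticated uploads are accepted"; findings=1
    fi
    if [ "$(conf_get "$1" local_enable)" = "YES" ] && [ "$(conf_get "$1" chroot_local_user)" != "YES" ]; then
        echo "chroot_local_user is not YES: local users can browse the whole file system"; findings=1
    fi
    if [ "$(conf_get "$1" allow_writeable_chroot)" = "YES" ]; then
        echo "allow_writeable_chroot=YES: the chroot root is writable"; findings=1
    fi
    pasv=$(conf_get "$1" pasv_enable); [ -z "$pasv" ] && pasv=YES         # vsftpd built-in default
    if [ "$pasv" = "YES" ]; then
        min=$(conf_get "$1" pasv_min_port); max=$(conf_get "$1" pasv_max_port)
        if [ -z "$min" ] || [ -z "$max" ] || [ "$min" = 0 ] || [ "$max" = 0 ]; then
            echo "pasv_min_port/pasv_max_port unset: any high port may be used, so the security group cannot be kept narrow"; findings=1
        elif [ $((max - min)) -gt 100 ]; then
            echo "passive range $min-$max is wider than 100 ports (assumed threshold)"; findings=1
        fi
    fi
    return $findings
}

# Stand-alone demo with constructed values: render to a temporary file and audit it
demo=$(mktemp)
write_vsftpd_conf "$demo" 39.10.0.28 50000 50010
if audit_vsftpd_conf "$demo"; then echo "no weak settings found in $demo"; fi
rm -f "$demo"
```

On the instance you would back up /etc/vsftpd/vsftpd.conf, call write_vsftpd_conf with that path and the instance's public IP address as root, create /var/ftp/test (root, 755) and /var/ftp/test/upload (ftptest), add ftptest to /etc/vsftpd/user_list, and restart vsftpd. Running audit_vsftpd_conf on the packaged CentOS 7 configuration reports the anonymous login and the unbounded passive range, which is the state the service is in right after installation. The audit does not cover transport security: FTP sends credentials and data in cleartext unless you also enable TLS (ssl_enable and the certificate settings), which the security enhancement topic referenced at the end covers.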

Step 3: Set security groups

After building the FTP site, add inbound security group rules to the instance security group to allow the FTP ports listed below. For more information, see Add security group rules.
Note Most clients are located within LANs and reach the Internet through NAT, so the address shown by ipconfig or ifconfig on the client is usually not the public IP address that the FTP server sees. If a client cannot log on to the FTP server, verify which public IP address the client actually uses (for example, with a "what is my IP" service) and authorize that one. Authorizing 0.0.0.0/0 exposes a cleartext login service to the whole Internet; list the client CIDR blocks instead wherever possible.
  • When the FTP server is in the active mode: allow port 21. The server itself opens the data connection to the client, so the client side (its firewall or NAT) must accept that inbound connection, which is the usual reason active mode fails. The following table lists the configuration details:

    Rule direction  Authorization policy  Protocol    Port range  Authorization type  Authorization object
    Inbound         Allow                 Custom TCP  21/21       IPv4 CIDR block     The CIDR blocks that contain the public IP addresses of all clients that need to access the FTP server. Separate multiple CIDR blocks with commas (,). To allow all clients to access the FTP server, authorize 0.0.0.0/0.

  • When the FTP server is in the passive mode: allow port 21 and every port between pasv_min_port and pasv_max_port as set in /etc/vsftpd/vsftpd.conf. The following table lists the configuration details:

    Rule direction  Authorization policy  Protocol    Port range                   Authorization type  Authorization object
    Inbound         Allow                 Custom TCP  21/21                        IPv4 CIDR block     The CIDR blocks that contain the public IP addresses of all clients that need to access the FTP server. Separate multiple CIDR blocks with commas (,). To allow all clients to access the FTP server, authorize 0.0.0.0/0.
    Inbound         Allow                 Custom TCP  pasv_min_port/pasv_max_port  IPv4 CIDR block     The same CIDR blocks as for port 21; the data connection comes from the same client that opened the control connection.

Step 4: Test the client

FTP clients, Windows command-line tools, or browsers can be used to test FTP servers. This topic uses the Internet Explorer browser that comes with Windows as an example of access in active and passive modes. Current versions of Chrome, Edge and Firefox no longer support ftp:// URLs, so on those systems use a dedicated FTP client or a command-line tool such as curl instead.
Note If an error occurs when you use a browser to access the FTP server, clear the browser cache and try again.
  • When the FTP server runs in the active mode
    1. Open the IE browser of the client.
    2. Set the browser to the active access mode: choose Settings > Internet Options > Advanced, select Enable FTP Folder View, and clear Use Passive FTP.
    3. In the address bar, enter ftp://<public IP address of the FTP server>:<FTP port>. In this topic, enter the public IP address of the Linux instance. For example: ftp://39.0.0.1:21.
    4. In the dialog box that appears, enter the username and password to access the FTP site and perform operations on the FTP files.
      Note These steps apply only to local users. Anonymous users can log on to the FTP server without entering a username and password.
  • When the FTP server runs in the passive mode
    1. Open the IE browser of the client.
    2. Set the browser to the passive access mode: choose Settings > Internet Options > Advanced, then select Enable FTP Folder View and Use Passive FTP.
    3. In the address bar, enter ftp://<public IP address of the FTP server>:<FTP port>. In this topic, enter the public IP address of the Linux instance. For example: ftp://39.10.0.28:21.
    4. In the dialog box that appears, enter the username and password to access the FTP site and perform operations on the FTP files.
      Note These steps apply only to local users. Anonymous users can log on to the FTP server without entering a username and password.
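The most common reason a passive-mode test fails after Step 3 is not the security group but the PASV reply itself: the server advertises its private address because pasv_address was not set, or a data port outside the range that was opened. The following script is an added example, not code from the page or from vsftpd: it parses a 227 reply line as captured from a client (curl -v ftp://<server>/ --user ftptest prints it as "< 227 Entering Passive Mode (...)"), decodes the advertised address and port, and checks them against the public IP address and the pasv_min_port/pasv_max_port range you configured. The reply lines, the address 39.10.0.28 and the range 50000-50010 below are constructed values.

```shell
#!/bin/sh
# Added example: client-side check of a vsftpd PASV (227) reply. Not from the page or vsftpd.

# parse_pasv "227 Entering Passive Mode (a,b,c,d,p1,p2)." -> prints "a.b.c.d PORT" where PORT = p1*256 + p2
parse_pasv() {
    set -- $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\1 \2 \3 \4 \5 \6/p')
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# is_private_ip A.B.C.D -> 0 for RFC 1918 or loopback addresses: an advertised private address
# means pasv_address was not set to the public IP and the client will try to reach an unroutable host
is_private_ip() {
    case "$1" in
        10.*|192.168.*|127.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# in_range PORT MIN MAX -> 0 if the data port lies inside the range opened in the security group
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# check_pasv REPLY EXPECTED_PUBLIC_IP MIN MAX -> prints a verdict; returns 0 only if every check passes
check_pasv() {
    out=$(parse_pasv "$1") || { echo "unparseable PASV reply: $1"; return 1; }
    ip=${out% *}
    port=${out#* }
    status=0
    if [ "$ip" != "$2" ]; then
        if is_private_ip "$ip"; then
            echo "server advertised private address $ip: set pasv_address=$2 in vsftpd.conf"
        else
            echo "server advertised $ip, expected $2"
        fi
        status=1
    fi
    if ! in_range "$port" "$3" "$4"; then
        echo "data port $port is outside $3-$4: the security group will block the data connection"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "PASV OK: data connection to $ip:$port"
    return $status
}

# Stand-alone demo on constructed reply lines (expected public IP 39.10.0.28, range 50000-50010)
check_pasv '227 Entering Passive Mode (39,10,0,28,195,81).' 39.10.0.28 50000 50010    # 195*256+81 = 50001, OK
check_pasv '227 Entering Passive Mode (172,16,5,7,195,81).' 39.10.0.28 50000 50010    # pasv_address missing
check_pasv '227 Entering Passive Mode (39,10,0,28,196,0).' 39.10.0.28 50000 50010     # port 50176, outside range
```

Run it against the real reply from your own session and the verdict tells you whether to fix vsftpd.conf (pasv_address or the pasv_* range) or the security group. A reply that passes these checks but still hangs at the directory listing usually means the range was opened in a different security group than the one attached to the instance.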

vsftpd configuration file and parameters

The files under the /etc/vsftpd directory:
  • /etc/vsftpd/vsftpd.conf is the core configuration file of vsftpd.
  • /etc/vsftpd/ftpusers is a deny list enforced through PAM (pam_listfile in /etc/pam.d/vsftpd). Users in this file are never allowed to log on to the FTP server; the packaged file lists root and the system accounts.
  • /etc/vsftpd/user_list is consulted when userlist_enable=YES, which the packaged configuration sets. With the default userlist_deny=YES it is a second deny list: users in this file are refused before they are even asked for a password. It becomes an allow list, in which only the listed users may log on, only if you set userlist_deny=NO.
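Because the meaning of user_list flips with userlist_deny, it is easy to lock out the account you just created or, worse, to leave a list you believed was an allow list acting as a deny list. The following function is an added example, not code from the page or from vsftpd: it reproduces the ftpusers and user_list decision for a given vsftpd.conf so that you can check which names would get past the list checks before restarting the service (the password check that follows is not modelled). The configuration, list files and user names in the demo are constructed; the ftpusers behaviour assumes the CentOS 7 PAM setup described above.

```shell
#!/bin/sh
# Added example: evaluate vsftpd's ftpusers / user_list rules for a login name. Not from the page.

# conf_get PATH KEY -> value of KEY (last occurrence wins); empty if unset
conf_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# in_list FILE NAME -> 0 if NAME is a whole line of FILE (a missing file matches nothing)
in_list() {
    grep -qxF -- "$2" "$1" 2>/dev/null
}

# ftp_login_allowed CONF FTPUSERS USER_LIST NAME -> prints the decision; returns 0 if the lists admit NAME
ftp_login_allowed() {
    conf=$1; ftpusers=$2; userlist=$3; name=$4
    # ftpusers is a pam_listfile deny list (assumed CentOS 7 PAM setup): a match always refuses the login
    if in_list "$ftpusers" "$name"; then
        echo "$name: denied by ftpusers"; return 1
    fi
    if [ "$(conf_get "$conf" userlist_enable)" = "YES" ]; then
        deny=$(conf_get "$conf" userlist_deny)
        [ -z "$deny" ] && deny=YES                      # vsftpd built-in default
        if [ "$deny" = "YES" ]; then
            # packaged semantics: user_list is a deny list
            if in_list "$userlist" "$name"; then
                echo "$name: denied by user_list (userlist_deny=YES)"; return 1
            fi
        else
            # userlist_deny=NO: user_list is an allow list
            if ! in_list "$userlist" "$name"; then
                echo "$name: not in user_list, refused (userlist_deny=NO)"; return 1
            fi
        fi
    fi
    echo "$name: passes the list checks"; return 0
}

# Stand-alone demo with constructed files that mirror the packaged CentOS 7 defaults
d=$(mktemp -d)
printf 'userlist_enable=YES\nuserlist_deny=YES\n' > "$d/vsftpd.conf"
printf 'root\nbin\ndaemon\n' > "$d/ftpusers"
printf 'root\nbin\nftptest\n' > "$d/user_list"
ftp_login_allowed "$d/vsftpd.conf" "$d/ftpusers" "$d/user_list" ftptest   # denied: listed in user_list
ftp_login_allowed "$d/vsftpd.conf" "$d/ftpusers" "$d/user_list" alice     # passes: in neither list
printf 'userlist_enable=YES\nuserlist_deny=NO\n' > "$d/vsftpd.conf"
ftp_login_allowed "$d/vsftpd.conf" "$d/ftpusers" "$d/user_list" ftptest   # passes: user_list is now an allow list
ftp_login_allowed "$d/vsftpd.conf" "$d/ftpusers" "$d/user_list" alice     # refused: not listed
rm -rf "$d"
```

Point the function at the real /etc/vsftpd/vsftpd.conf, /etc/vsftpd/ftpusers and /etc/vsftpd/user_list to check the ftptest account from Step 2 before restarting vsftpd; the packaged configuration with userlist_deny=YES is the case where adding a user to user_list silently locks that user out.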
The vsftpd.conf configuration file:
  • The following table describes the parameters for logon control.

    Parameter setting      Description
    anonymous_enable=YES   Accepts anonymous users (this is also vsftpd's built-in default when the key is absent).
    no_anon_password=YES   Does not ask anonymous users for a password; by default any string, conventionally an e-mail address, is accepted.
    anon_root=(none)       The directory anonymous users are placed in after logon; when unset, the home directory of the ftp user (/var/ftp).
    local_enable=YES       Accepts local users.
    local_root=(none)      The directory local users are placed in after logon; when unset, their own home directory.
  • The following table describes the parameters used to control the permissions of users.

    Parameter setting            Description
    write_enable=YES             Allows any command that changes the file system, such as STOR, DELE, RNFR/RNTO, MKD and RMD (global switch; the anon_* settings below have no effect without it).
    local_umask=022              The umask applied to files created by local users; with the default file_open_mode it yields mode 644 files.
    file_open_mode=0666          The permission bits that uploaded files are created with before the umask is applied.
    anon_upload_enable=YES       Allows anonymous users to upload files (requires write_enable=YES and a directory writable by the ftp user).
    anon_mkdir_write_enable=YES  Allows anonymous users to create directories.
    anon_other_write_enable=YES  Allows anonymous users to perform write operations other than upload and mkdir, such as renaming and deleting files.
    chown_username=lightwiter    The user that is given ownership of anonymously uploaded files (lightwiter is an example name); takes effect only together with chown_uploads=YES.

What to do next

Enhance the security of the FTP service. For more information, see Security enhancement solution.