Elastic Compute Service: Build an FTP site on a CentOS 7 instance

Last Updated: Jul 21, 2023

Very secure FTP daemon (vsftpd) is a lightweight, safe, and easy-to-use FTP server software for Linux. This topic describes how to install and configure vsftpd on an Elastic Compute Service (ECS) instance that runs CentOS 7.x.

Background information

FTP is a protocol that is used to transfer files. FTP is based on a client-server architecture and supports the following work modes:

  • Active mode: The client sends port information to the FTP server, and the server establishes a connection to the port.

  • Passive mode: The FTP server enables a port and sends the port information to the client. The client initiates a connection to the port, and the server accepts the connection.

Note

Most FTP clients are located in LANs, have no independent public IP addresses, and are protected by firewalls. As a result, FTP servers in active mode cannot easily establish connections to the clients. If you do not have special requirements, we recommend that you use passive mode for the FTP server.

FTP supports the following authentication modes:

  • Anonymous user mode: In this mode, users can log on to the FTP server without a username or password. This is the least secure authentication mode. In most cases, it is used to serve unimportant public files. We recommend that you do not use this mode to store files in a production environment.

  • Local user mode: In this mode, users must have local Linux accounts. This mode is more secure than the anonymous user mode.

  • Virtual user mode: Virtual users are dedicated users of the FTP server. Virtual users can access only the FTP service that the Linux system provides and cannot access other resources of the system. This enhances the security of the FTP server.

In this topic, vsftpd is configured in passive and local user modes. For information about how to configure an FTP server to allow anonymous users to access the FTP server and how to use third-party FTP client tools, see the "FAQ" section of this topic.

Preparations

When you build an FTP site on an existing instance manually or by using the quick deployment method, the instance must meet the following requirements:

  • The instance has a public IP address assigned or an elastic IP address (EIP) bound.

  • The instance runs CentOS 7.x.

Procedure

Quick deployment

  1. Go to the Use New Resources (Standard) page in the Resource Orchestration Service (ROS) console.

  2. In the upper-left corner of the top navigation bar, select a region.

  3. On the Use New Resources (Standard) page, enter a stack name, select Use Existing ECS Instance or Create ECS Instance, and then enter the username and password that are used to access the FTP service.

    If you select Create ECS Instance, you must configure the Available Zone ID, Instance Type, System Disk Category, and Instance Password parameters.

    Important

    If you select Create ECS Instance, a pay-as-you-go CentOS 7.x instance and a pay-as-you-go EIP are created. For information about how ECS instances and EIPs are billed, see ECS billing overview and EIP billing overview.

  4. Click Create.

    On the Stack Information tab, check the value of the Status parameter. If the value is changed from Creating to Created, the FTP site is deployed.

  5. Click the Outputs tab and copy the link on the right side of FtpServerAddress.

  6. On your on-premises Windows client, enter the link copied in Step 5 in the address bar.

  7. In the Log on as dialog box, enter the FTP username and password that you configured, and then click Logon.

    After you log on to the FTP server, you can view the files in the specified directory on the FTP server. For example, you can view the test file named testfile.txt.

Manual deployment

Step 1: Install vsftpd

  1. Connect to a Linux instance.

    For more information, see Connection methods.

  2. Run the following command to install vsftpd:

    yum install -y vsftpd

    Command output that reports a successful installation indicates that vsftpd is installed.

  3. Run the following command to enable the FTP service to automatically start on system startup:

    systemctl enable vsftpd.service

  4. Run the following command to start the FTP service:

    systemctl start vsftpd.service

    Note

    If the system returns the Job for vsftpd.service failed because the control process exited with error code error message when the preceding command is run, check whether the following problems exist and troubleshoot them.

    • If the network environment does not support IPv6 addresses, change the value of listen_ipv6 in the /etc/vsftpd/vsftpd.conf configuration file from YES to NO.

    • If the MAC address that is specified in the /etc/sysconfig/network-scripts/ifcfg-xxx configuration file does not match the actual MAC address, run the ifconfig command to query the actual MAC address. Then, set HWADDR=<The actual MAC address> in the configuration file, adding the HWADDR line if it does not exist.

  5. Run the following command to query the listening port of the FTP service:

    netstat -antup | grep ftp

    If the command output shows a vsftpd process in the LISTEN state on port 21, the FTP service is started. By default, anonymous access is enabled in vsftpd. You can log on to the FTP server without a username or password, but you do not have the permissions to modify or upload files.

Step 2: Configure vsftpd

In this example, vsftpd is configured in passive and local user modes to ensure data security.

  1. Run the following command to create a Linux user for the FTP service.

    In this example, the ftptest user is created.

    adduser ftptest

  2. Run the following command to set the password of the ftptest user:

    passwd ftptest

    Follow the command line instructions to set the password of the user.

  3. Run the following command to create a file directory for the FTP service:

    mkdir /var/ftp/test

  4. Run the following command to create a test file.

    The test file is used when the FTP client accesses the FTP server.

    touch /var/ftp/test/testfile.txt

  5. Run the following command to change the owner of the /var/ftp/test directory to ftptest:

    chown -R ftptest:ftptest /var/ftp/test

  6. Modify the vsftpd.conf configuration file.

    1. Run the following command to open the configuration file of vsftpd.

      If vsftpd is installed by running the apt install vsftpd command, the path of the configuration file is /etc/vsftpd.conf.

      vim /etc/vsftpd/vsftpd.conf

    2. Press the I key to enter the Insert mode.

    3. Enable passive mode for the FTP server.

      Configure the following parameters:

      Important

      When you modify or add information in the configuration file, take note of the format. For example, an extra space may cause the service to fail to restart.

      #Use the default values for parameters other than the following parameters:

      #Modify the values of the following parameters:
      #Disable anonymous users from logging on to the FTP server.
      anonymous_enable=NO
      #Allow local users to log on to the FTP server.
      local_enable=YES
      #Listen on IPv4 sockets.
      listen=YES

      #Add a number sign (#) to the beginning of the line to comment out the following parameter:
      #Disable listening on IPv6 sockets.
      #listen_ipv6=YES

      #Add the following parameters to the end of the configuration file:
      #Specify the directory of a local user after the local user logs on.
      local_root=/var/ftp/test
      #Limit all users to the home directory after the users log on.
      chroot_local_user=YES
      #Use a list to specify exception users. Exception users are not limited to the home directory after they log on.
      chroot_list_enable=YES
      #Specify a file to store the list of exception users.
      chroot_list_file=/etc/vsftpd/chroot_list
      #Enable passive mode.
      pasv_enable=YES
      #Allow the chroot directory (local_root) to be writable. Without this parameter, vsftpd refuses logons when the root of the chroot is writable.
      allow_writeable_chroot=YES
      #Enter the public IP address of the Linux instance that is used in this topic.
      pasv_address=<Public IP address of the FTP server>
      #Specify the lowest possible port that is sent to the FTP clients for passive mode connections.
      #We recommend that you use ports in a high range, such as 50000 to 50010. These ports provide more secure access to the FTP server.
      pasv_min_port=<port number>
      #Specify the highest possible port that is sent to the FTP clients for passive mode connections.
      pasv_max_port=<port number>

      For information about more parameters, see the vsftpd configuration file and parameters section in this topic.

    4. Press the Esc key, enter :wq, and then press the Enter key to save and close the configuration file.

  7. Create the chroot_list file and write the list of exception users to the file.

    1. Run the following command to create the chroot_list file:

      vim /etc/vsftpd/chroot_list

    2. Press the I key to enter Insert mode.

    3. Enter the usernames of the exception users, one username per line. Exception users are not limited to the home directory and can access other directories.

    4. Press the Esc key, enter :wq, and then press the Enter key to save and close the configuration file.

    Important

    If exception users do not exist, you must still create the chroot_list file. The file can be empty.

  8. Run the following command to restart vsftpd:

    systemctl restart vsftpd.service
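The following script is added here as an example; it is not code from the original topic or from the vsftpd project. It applies the Step 2 settings to a vsftpd.conf file with a small set_opt helper, comments out listen_ipv6, and lints the result for the format problem the Important note above warns about (spaces around "=" or at the end of a line) and for anonymous logon left enabled together with anonymous write access. The seeded default lines, the placeholder public address 203.0.113.10 and the 50000 to 50010 passive range are constructed for the example; CONF, PASV_ADDRESS, seed_conf, set_opt, comment_opt, get_opt, lint_conf and apply_step2 are names chosen here. It needs only POSIX sh, grep and sed.

```shell
#!/bin/sh
# Added example, not code from the original topic or from vsftpd: apply the
# Step 2 settings to vsftpd.conf with a small helper and lint the result
# before restarting the service. Requires only POSIX sh, grep and sed.
set -eu

# seed_conf FILE: constructed stand-in for the stock CentOS 7 vsftpd.conf
# lines that Step 2 touches; used only when CONF is not set by the caller.
seed_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
listen=NO
listen_ipv6=YES
EOF
}

# set_opt FILE KEY VALUE: rewrite an existing "KEY=..." line (even one that is
# commented out), otherwise append it. No spaces are written around "=",
# because vsftpd rejects "KEY = VALUE" and values with trailing blanks.
set_opt() {
    file=$1; key=$2; value=$3
    if grep -q "^#\{0,1\}${key}=" "$file"; then
        sed "s|^#\{0,1\}${key}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# comment_opt FILE KEY: comment out every active "KEY=..." line.
comment_opt() {
    sed "s|^\($2=.*\)|#\1|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_opt FILE KEY: print the active value of KEY (empty if unset or commented).
get_opt() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# lint_conf FILE: print one finding per problem and return 1 if any were found.
# Flags the format mistakes the topic warns about (spaces around "=" or at the
# end of a line) and anonymous logon combined with anonymous write access.
lint_conf() {
    file=$1; rc=0
    if grep -nE '^[^#].*( =|= |[[:blank:]]$)' "$file"; then
        echo "lint: spaces around '=' or trailing blanks break vsftpd parsing"; rc=1
    fi
    if [ "$(get_opt "$file" anonymous_enable)" = "YES" ] &&
       grep -qE '^anon_(upload_enable|mkdir_write_enable|other_write_enable)=YES' "$file"; then
        echo "lint: anonymous users would be able to write to the server"; rc=1
    fi
    return $rc
}

# apply_step2 FILE: the edits from Step 2 of the topic. PASV_ADDRESS is the
# server's public IP; 203.0.113.10 is a documentation placeholder.
apply_step2() {
    file=$1
    set_opt "$file" anonymous_enable NO
    set_opt "$file" local_enable YES
    set_opt "$file" listen YES
    comment_opt "$file" listen_ipv6
    set_opt "$file" local_root /var/ftp/test
    set_opt "$file" chroot_local_user YES
    set_opt "$file" chroot_list_enable YES
    set_opt "$file" chroot_list_file /etc/vsftpd/chroot_list
    set_opt "$file" pasv_enable YES
    set_opt "$file" allow_writeable_chroot YES
    set_opt "$file" pasv_address "${PASV_ADDRESS:-203.0.113.10}"
    set_opt "$file" pasv_min_port 50000
    set_opt "$file" pasv_max_port 50010
}

# Rehearse on a temporary copy unless the caller points CONF at the real file.
if [ -z "${CONF:-}" ]; then
    CONF=$(mktemp)
    seed_conf "$CONF"
fi
apply_step2 "$CONF"
lint_conf "$CONF" && echo "vsftpd.conf OK: $CONF"
# On the server: touch /etc/vsftpd/chroot_list, then systemctl restart vsftpd.service
```

Run it without arguments to rehearse on a temporary copy, or as root with CONF=/etc/vsftpd/vsftpd.conf and PASV_ADDRESS set to the instance's public IP address to edit the live file. Running lint_conf before systemctl restart vsftpd.service catches a malformed line before it takes the service down.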

Step 3: Configure security groups

After you build the FTP site, add inbound rules to the security groups of the instance to allow traffic on the following FTP ports. For more information, see Add a security group rule.

Note

Most clients are located in LANs and can map private IP addresses to public IP addresses to communicate with external resources. Therefore, the IP addresses that are returned by the ipconfig or ifconfig command may not be the actual public IP addresses of the clients. If you cannot log on to the FTP server from a client, check the public IP address of the client.

In passive mode, you must allow traffic on port 21 and all ports in the port range that is specified by pasv_min_port and pasv_max_port in the /etc/vsftpd/vsftpd.conf configuration file. Configure the following inbound security group rules:

  • Rule for the control connection
    Rule direction: Inbound
    Action: Allow
    Protocol type: Custom TCP
    Port range: 21/21
    Authorization object: the public IP addresses of all clients that want to access the FTP server. Separate the IP addresses with commas (,). To allow all clients to access the FTP server, specify 0.0.0.0/0 as the authorization object.

  • Rule for passive mode data connections
    Rule direction: Inbound
    Action: Allow
    Protocol type: Custom TCP
    Port range: pasv_min_port/pasv_max_port. Example: 50000/50010.
    Authorization object: the public IP addresses of all clients that want to access the FTP server. Separate the IP addresses with commas (,). To allow all clients to access the FTP server, specify 0.0.0.0/0 as the authorization object.
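The following script is added here as an example; it is not code from the original topic or from Alibaba Cloud tooling. It reads pasv_min_port and pasv_max_port from vsftpd.conf, prints the two inbound rules in the form shown above, and decodes the 227 reply that a passive-mode server sends (this is the port information described in the Background information section) so that the advertised data port can be checked against the allowed range. A reply outside that range is the usual cause of a client that authenticates on port 21 and then hangs on the directory listing, because the security group drops the data connection. The sample config, the 203.0.113.10 server address, the 198.51.100.0/24 client range and both 227 replies are constructed; get_opt, inbound_rules, pasv_port, pasv_addr and pasv_ok are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the original topic: derive the inbound security
# group rules from the passive port range in vsftpd.conf and check that a
# "227 Entering Passive Mode" reply advertises a port those rules allow.
set -eu

# get_opt FILE KEY: active value of KEY in a vsftpd.conf-style file.
get_opt() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# inbound_rules FILE [SOURCE]: print the two Custom TCP rules from the list
# above, one per line as "PROTO PORT_RANGE AUTHORIZATION_OBJECT".
inbound_rules() {
    file=$1; source=${2:-0.0.0.0/0}
    lo=$(get_opt "$file" pasv_min_port); hi=$(get_opt "$file" pasv_max_port)
    printf 'Custom TCP 21/21 %s\n' "$source"
    printf 'Custom TCP %s/%s %s\n' "$lo" "$hi" "$source"
}

# pasv_port REPLY: data port from "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)";
# the server encodes the port as p1*256+p2.
pasv_port() {
    fields=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    p1=$(printf '%s\n' "$fields" | cut -d, -f5)
    p2=$(printf '%s\n' "$fields" | cut -d, -f6)
    echo $((p1 * 256 + p2))
}

# pasv_addr REPLY: the IPv4 address advertised in the same reply (h1.h2.h3.h4).
pasv_addr() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),.*/\1.\2.\3.\4/p'
}

# pasv_ok FILE REPLY: return 0 if the reply advertises pasv_address and a port
# inside [pasv_min_port, pasv_max_port], else 1. A port outside the range means
# the security group rule will drop the client's data connection.
pasv_ok() {
    file=$1; reply=$2
    port=$(pasv_port "$reply")
    [ "$(pasv_addr "$reply")" = "$(get_opt "$file" pasv_address)" ] || return 1
    [ "$port" -ge "$(get_opt "$file" pasv_min_port)" ] && [ "$port" -le "$(get_opt "$file" pasv_max_port)" ]
}

# Constructed sample config and server replies (not captured from a real host).
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
pasv_enable=YES
pasv_address=203.0.113.10
pasv_min_port=50000
pasv_max_port=50010
EOF
GOOD_REPLY='227 Entering Passive Mode (203,0,113,10,195,80)'   # 195*256+80 = 50000
BAD_REPLY='227 Entering Passive Mode (203,0,113,10,234,100)'   # 234*256+100 = 60004

inbound_rules "$CONF" 198.51.100.0/24
pasv_ok "$CONF" "$GOOD_REPLY" && echo "good reply: port is inside the allowed range"
pasv_ok "$CONF" "$BAD_REPLY" || echo "bad reply: port is outside the allowed range"
```

To use this against a live server, copy the 227 line from the client's log (FileZilla prints it in the message log) into pasv_ok together with the server's vsftpd.conf; a mismatch in either the address or the port range points at pasv_address or the security group rule rather than at the credentials.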

Step 4: Check whether you can access the FTP server from the client

You can use FTP clients, Windows command-line tools, or browsers to check whether the FTP server is reachable. In this example, an on-premises host that runs a Windows Server 2012 R2 64-bit operating system is used as an FTP client to show how to access the FTP server.

  1. On the on-premises host, open This Computer.

  2. In the address bar, enter ftp://<Public IP address of the FTP server>:<FTP port>. In this example, the public IP address of the Linux instance is used. Example: ftp://121.43.XX.XX:21.

  3. In the Log on as dialog box, enter the FTP username and password that you configured and then click Logon.

    After you log on to the FTP server, you can view the files in the specified directory on the FTP server. For example, you can view the test file named testfile.txt.

vsftpd configuration file and parameters

The following section describes the files in the /etc/vsftpd directory:

  • /etc/vsftpd/vsftpd.conf is the core configuration file of vsftpd.

  • /etc/vsftpd/ftpusers is the blacklist file. Users specified in this file are not allowed to access the FTP server.

  • /etc/vsftpd/user_list is the whitelist file. Users specified in this file are allowed to access the FTP server.

The following lists describe the parameters that are used in the vsftpd.conf configuration file. Each parameter is shown with an example value.

  • Parameters for logon control:

    • anonymous_enable=YES: accepts anonymous users.

    • no_anon_password=YES: anonymous users do not need a password to log on to the FTP server.

    • anon_root=(none): specifies the home directory of anonymous users.

    • local_enable=YES: accepts local users.

    • local_root=(none): specifies the home directory of local users.

  • Parameters that manage the permissions of users:

    • write_enable=YES: allows all users to upload files.

    • local_umask=022: grants local users permissions to upload files.

    • file_open_mode=0666: uses umask to grant permissions to upload files.

    • anon_upload_enable=NO: controls whether anonymous users can upload files.

    • anon_mkdir_write_enable=NO: controls whether anonymous users can create directories.

    • anon_other_write_enable=NO: controls whether anonymous users can modify and delete files.

    • chown_username=lightwiter: specifies the ownership of files that are uploaded by anonymous users.

FAQ

  • Q1: What do I do if I am unable to download files from the FTP server when the on-premises host runs a Windows operating system?

    A: Perform the following operations to enable the download permission in Internet Explorer:

    1. Open Internet Explorer on your on-premises host.

    2. Click the gear icon in the upper-right corner of the browser, and then click Internet Options.

    3. In the upper part of the Internet Options dialog box, click the Security tab.

    4. In the Select a zone to view or change security settings section, click Internet, and then click Custom level... in the Security level for this zone section.

    5. Choose Download > File Download > Enable, and then click OK.

    6. Click Apply and then click OK.

  • Q2: What do I do if an error is reported when I use a command-line tool or a browser to connect to an FTP server on Windows?

    A: You can troubleshoot the problem based on the error message that is related to the FTP server. If the problem is difficult to troubleshoot, we recommend that you use a third-party FTP client tool such as FileZilla, which you can download from the FileZilla website. In this example, FileZilla is used to connect to an FTP server in anonymous mode.

    1. On the FTP server on Linux, install vsftpd.

      For more information, see the "Step 1: Install vsftpd" section of this topic. If vsftpd is installed, skip this step.

    2. Configure vsftpd in anonymous mode.

      1. Run the following command to open the /etc/vsftpd/vsftpd.conf configuration file.

        If you installed vsftpd by running the apt install vsftpd command, the path of the configuration file is /etc/vsftpd.conf.

        vim /etc/vsftpd/vsftpd.conf

      2. Press the I key to enter the Insert mode.

      3. Set anon_upload_enable=YES to allow anonymous users to upload files. If the parameter is commented out, remove the number sign (#) at the beginning of the line.

      4. Press the Esc key to exit the Insert mode. Enter :wq and press the Enter key to save and close the file.

      5. Run the following command to change the permissions of the /var/ftp/pub directory and grant write permissions to FTP users.

        /var/ftp/pub is the default file directory of the FTP service.

        chmod o+w /var/ftp/pub/

      6. Run the following command to reload the configuration file:

        systemctl restart vsftpd.service
    3. Download and install FileZilla.

    4. Use FileZilla to connect to the FTP server in anonymous mode.

      1. Open the FileZilla client.

      2. In the top navigation bar, choose File > Site Manager.

      3. In the lower-left corner of the Site Manager dialog box, click New site (N).

      4. Enter a name for the new site and configure the new site.

        Note

        In this example, FileZilla 3.64.0 is used. The actual interface may vary based on your FileZilla version.

        The following list describes the parameters:

        • Name: a custom site name. Example: test-01.

        • Protocol: FTP.

        • Host: the public IP address of the FTP server. In this topic, the value is the public IP address of the Linux instance. Example: 121.43.XX.XX.

        • Port: 21.

        • Logon Type: Anonymous.

          In this example, an FTP client is used to connect to the FTP server in anonymous mode. If you want to manage access to the FTP server, set the logon type to Normal and configure the username and password.

      5. Click Connect.

        After you connect to the FTP server, you can upload, download, and delete files. The FileZilla interface consists of the following sections:

        1. The section that shows the commands that are sent, the connection status of the FTP server, and task execution results.

        2. The section that displays information about the on-premises host, including the directory information of the host.

        3. The section that displays information about the remote server, including the directory information of the FTP server. In anonymous mode, the default directory is /pub.

        4. The section that displays records, including the queues and logs of the FTP task.