All Products
Search

This Product

    Simple Application Server:Set up an FTP server (Linux)

    Document Center

    Simple Application Server:Set up an FTP server (Linux)

    Last Updated:Apr 01, 2026

    Very Secure FTP Daemon (vsftpd) is a lightweight FTP server for Linux. This topic walks you through installing and configuring vsftpd on a Linux-based Simple Application Server, then verifying the connection using FileZilla.

    Note

    FTP transmits data—including credentials—in plaintext. For production workloads that require encryption, consider SFTP or FTPS instead. This guide covers vsftpd for use cases where FTP is a specific requirement.

    Prerequisites

    Before you begin, ensure that you have:

    FTP connection and authentication modes

    FTP operates in two connection modes:

    • Active mode: The client sends its port information to the server, and the server initiates the data connection.

    • Passive mode: The server opens a port and sends the port information to the client, which then initiates the connection. This guide configures passive mode, which works better through firewalls and NAT.

    FTP supports three authentication modes:

    ModeSecurityDescription
    Anonymous user modeLowestNo username or password required. Suitable only for public file transfers. Avoid in production.
    Local user modeMediumAuthenticates against local Linux users. Covered in this guide.
    Virtual user modeHighestUses virtual users isolated from the system. Requires professional configuration.

    This guide covers local user mode (recommended) and anonymous user mode.

    Step 1: Install vsftpd

    1. Connect to your Linux server.

    2. Check whether vsftpd is already installed. Some servers deployed with application images include vsftpd pre-installed—reinstalling it may cause conflicts.

      vsftpd -v

      If the output shows a version number, vsftpd is already installed:

      vsftpd: version 3.0.2

      If vsftpd is already installed, get the FTP credentials from your application image documentation, then skip to Step 3: Open firewall ports.

    3. Install vsftpd. This example uses CentOS 7. For other distributions, see Build an FTP site on an ECS instance.

      sudo yum install -y vsftpd

      A success message confirms the installation.

    4. Enable vsftpd to start automatically on boot:

      sudo systemctl enable vsftpd.service

    5. Start vsftpd:

      sudo systemctl start vsftpd.service
      Note

      If the service fails to start with the error Job for vsftpd.service failed because the control process exited with error code, port 21 may already be in use. Run lsof -i:21 to identify the process, then run kill -9 <PID> to stop it before restarting vsftpd.

    6. Verify vsftpd is running:

      sudo netstat -antup | grep ftp

      If the FTP service port appears in the output, vsftpd is running.

    Step 2: Configure the access mode

    Choose one of the following modes. Local user mode is recommended for better security.

    Local user mode (recommended)

    1. Create a dedicated Linux user for FTP access. This example uses ftptest.

      sudo adduser ftptest

    2. Set a password for the user:

      sudo passwd ftptest

      Follow the prompts to enter and confirm the password.

    3. Create the FTP directory:

      sudo mkdir /var/ftp/test

    4. Assign ownership of the directory to ftptest:

      sudo chown -R ftptest:ftptest /var/ftp/test

    5. Back up the vsftpd configuration file before editing:

      sudo cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak

    6. Open the configuration file for editing:

      Note

      If you installed vsftpd with apt install vsftpd, the configuration file is at /etc/vsftpd.conf instead.

      sudo vim /etc/vsftpd/vsftpd.conf

      Press i to enter edit mode.

    7. Update the following parameters. Make sure none of these lines are commented out with #, and avoid trailing spaces—extra spaces cause vsftpd to fail on restart. /etc/vsftpd/vsftpd.conf

      # Disable anonymous login
anonymous_enable=NO
# Allow local users to log in
local_enable=YES
# Listen on IPv4
listen=YES

      Comment out the IPv6 listener by adding # at the start of the line:

      #listen_ipv6=YES

    8. Add the following parameters at the end of the file. Replace 39.105.xx.xx with your server's public IP address. /etc/vsftpd/vsftpd.conf

      # Set the home directory for local users after login
local_root=/var/ftp/test
# Restrict users to their home directory
chroot_local_user=YES
# Enable a list of users exempt from the chroot restriction
chroot_list_enable=YES
# Path to the exemption list file
chroot_list_file=/etc/vsftpd/chroot_list
# Enable passive mode
pasv_enable=YES
allow_writeable_chroot=YES
# Public IP address of the server
pasv_address=39.105.xx.xx
# Passive mode port range (high-numbered ports reduce exposure)
pasv_min_port=50000
pasv_max_port=50010

      Press Esc, then type :wq and press Enter to save and close.

    9. Create the chroot exemption list file. Users listed here are not confined to the home directory. The file is required even if it is empty.

      sudo vim /etc/vsftpd/chroot_list

      Press i to enter edit mode. Add any exempt usernames, one per line (leave the file blank if no exemptions are needed). Press Esc, then type :wq and press Enter to save and close.

    10. Stop the system firewall. vsftpd manages port access through the Simple Application Server firewall configured in Step 3.

       sudo systemctl stop firewalld

    11. Enable password authentication in the SSH configuration:

       sudo vi /etc/ssh/sshd_config

      Find PasswordAuthentication at the end of the file and set it to yes. Press Esc, then type :wq! and press Enter to save and close.

    12. Restart vsftpd to apply all changes:

       sudo systemctl restart vsftpd.service

    Anonymous user mode

    Important

    Anonymous mode allows anyone to connect without a password. Use this only for public file transfers in non-production environments.

    1. Open the vsftpd configuration file:

      Note

      If you installed vsftpd with apt install vsftpd, the configuration file is at /etc/vsftpd.conf instead.

      sudo vim /etc/vsftpd/vsftpd.conf

      Press i to enter edit mode.

    2. Set the following parameters. The exact defaults vary by Linux distribution—verify that both values are YES after editing. Make sure none of these lines are commented out with #, and avoid trailing spaces. /etc/vsftpd/vsftpd.conf

      anonymous_enable=YES
anon_upload_enable=YES
listen=YES
listen_ipv6=NO

    3. Add the following parameters at the end of the file. Replace 39.105.xx.xx with your server's public IP address. /etc/vsftpd/vsftpd.conf

      # Enable passive mode
pasv_enable=YES
# Passive mode port range
pasv_min_port=50000
pasv_max_port=50010
# Public IP address of the server
pasv_address=39.105.xx.xx

      Press Esc, then type :wq and press Enter to save and close.

    4. Grant write permissions on the default FTP directory (/var/ftp/pub):

      sudo chmod o+w /var/ftp/pub/

    5. Restart vsftpd:

      sudo systemctl restart vsftpd.service

    Step 3: Open firewall ports

    Add inbound rules in the Simple Application Server firewall to allow FTP traffic. Passive mode requires port 21 and the passive port range. See Manage a firewall for instructions.

    Application typeProtocolPort range
    FTPTCP21
    CustomTCPpasv_min_portpasv_max_port (example: 50000/50010)

    After adding the rules, they appear on the Firewall page:

    image.png

    Step 4: Verify the FTP connection

    Use FileZilla to confirm the FTP server is accessible.

    Note

    This example uses FileZilla 3.64.0. The interface may differ in other versions.

    1. Open FileZilla.

    2. Go to File > Site Manager.

    3. Click New site (N) in the lower-left corner of the Site Manager dialog.

    4. Enter a name for the new site and configure the connection:

      filezilla

      ParameterValue
      NameA custom site name. Example: test-01.
      ProtocolFTP
      HostPublic IP address of the server (example: 121.43.XX.XX)
      Port21
      Logon typeAnonymous (for anonymous mode) or Normal (for local user mode)

      For local user mode, set Logon type to Normal and enter the FTP username and password.

    5. Click Connect.

    After connecting, use FileZilla to upload, download, or delete files. The interface is divided into four sections:

    filezilla
    SectionDescription
    Connection status, commands, and task results
    Local machine: directory and file listing
    Remote server: FTP directory listing. In anonymous mode, the default directory is /pub.
    Transfer queue and task logs

    vsftpd configuration reference

    The /etc/vsftpd directory contains three key files:

    • /etc/vsftpd/vsftpd.conf: the main configuration file

    • /etc/vsftpd/ftpusers: users in this file are denied FTP access (blacklist)

    • /etc/vsftpd/user_list: users in this file are allowed FTP access (whitelist)

    Login control parameters

    ParameterDescription
    anonymous_enable=YESAccept anonymous users
    no_anon_password=YESSkip password prompt for anonymous users
    anon_root=Home directory for anonymous users
    local_enable=YESAccept local users
    local_root=Home directory for local users

    Permission parameters

    ParameterDescription
    write_enable=YESAllow all users to upload files
    local_umask=022File permission mask for local user uploads
    file_open_mode=0666Apply umask to uploaded file permissions
    anon_upload_enable=NOAllow anonymous users to upload files
    anon_mkdir_write_enable=NOAllow anonymous users to create directories
    anon_other_write_enable=NOAllow anonymous users to modify or delete files
    chown_username=lightwiterOwner assigned to files uploaded by anonymous users