vsftpd install on CentOS 7

1. using yum
yum -y install vsftpd db4-utils

2. config
vi /etc/vsftpd/vsftpd.conf

We need to adjust some basic parameters in this file to increase security and establish our connection options.

The first thing we will do is disable anonymous users. While this option may make sense for a large, public facing file dump (like public software repositories), for a personal FTP server, this is almost never a good idea.
Since we are disabling anonymous users, we need to provide a way for our system to authenticate our users. We will allow local users, meaning that vsftpd will use our Linux system users and authentication to determine who can sign in.

To enable this, make sure that this option is set:
We will also allow them write access, so that they can upload material and modify content:
We also want to confine our users to their respective home directories. The option for that is:
This is enough for a basic (non-SSL) FTP configuration. We will add the SSL functionality later.

Save and close the file.

This file contains many directives that help strengthen the security of the FTP server; the following are the important directives already present in the file.

In vsftpd.conf



Controls whether anonymous logins are permitted or not. If enabled, both the usernames ftp and anonymous are recognised as anonymous logins.


Controls whether local logins are permitted or not. If enabled, normal user accounts in /etc/passwd (or wherever your PAM config references) may be used to log in. This must be enabled for any non-anonymous login to work, including virtual users.


This controls whether any FTP commands which change the file system are allowed or not. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE.


The value that the umask for file creation is set to for local




It is commented out in the file; uncomment it.

If set to YES, anonymous users will be permitted to upload files under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on the desired upload locations. This setting is also required for virtual users to upload; by default, virtual users are treated with anonymous (i.e. maximally restricted) privilege.



It is commented out in the file; uncomment it.

If set to YES, anonymous users will be permitted to create new directories under certain conditions. For this to work, the option write_enable must be activated, and the anonymous ftp user must have write permission on the parent directory.


If enabled, vsftpd will run in standalone mode. This means that vsftpd must not be run from an inetd of some kind. Instead, the vsftpd executable is run once directly. vsftpd itself will then take care of listening for and handling incoming connections.

The following are some other options you can add to the file for more security.




If enabled, vsftpd will load a list of usernames, from the file name given by userlist_file. If a user tries to log in using a name in this file, they will be denied before they are asked for a password. This may be useful in preventing cleartext passwords being transmitted. See also userlist_deny.


If set to YES, local users will be (by default) placed in a chroot() jail in their home directory after login. Warning: this option has security implications, especially if the users have upload permission or shell access. Only enable it if you know what you are doing. Note that these security implications are not vsftpd specific; they apply to all FTP daemons which offer to put local users in chroot() jails.

In kb



The maximum data transfer rate permitted, in bytes per second, for local authenticated users. Default: 0 (unlimited)

in kb



The maximum data transfer rate permitted, in bytes per second, for anonymous clients. Default: 0 (unlimited)


When enabled, this prevents vsftpd from asking for an anonymous password – the anonymous user will log straight

Create an FTP User


We have selected to use local users and to confine them to their home directories with a chroot environment.

Create a new user with this command:
sudo adduser ftpuser
Assign a password to the new user by typing:
sudo passwd ftpuser
The version of vsftpd in CentOS 6.4 is older, so this portion of the setup is easier than some newer versions.


Configure SSL with vsftpd


The first step towards getting vsftpd to operate with SSL is to create our SSL certificate. We will actually be using TLS, which is a protocol that is a successor to SSL and more secure.

We will create a subdirectory within the SSL directory to store our files:
sudo mkdir /etc/ssl/private
To create the certificate and the key in a single file, we can use this command:
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
Fill out the questions that it asks. The most important being the “Common Name” of your server, which will be the IP address or domain name that you will use to connect.

Add the SSL Details to the vsftpd Configuration File


Now, we need to alter our configuration to point to the new keys and configure the secure connection.

Open the vsftpd configuration file as root again:
sudo nano /etc/vsftpd/vsftpd.conf
Scroll to the bottom of the file. We will add our SSL/TLS information here.

We need to specify the location of our certificate and key files. We actually combined both pieces of information into a single file, so we will point both options to the same file:
Next, we need to enable the use of these files and disable anonymous users. We should also force the use of SSL for both data transfer and login routines. This makes the encryption mandatory:
Next, we will restrict the type of connection to TLS, which is more secure than SSL. We will do this by explicitly allowing TLS and denying the use of SSL:
We’ll add a few more configuration options before finishing:
Save and close the file.

We need to restart vsftpd to enable our changes:
sudo /etc/init.d/vsftpd restart
We will also configure it to start automatically with every reboot:
sudo chkconfig vsftpd on
** If login still fails after everything is configured, in particular when the user's shell was set to /sbin/nologin at useradd time,
the login fails.
The reason is that the shell in /etc/passwd is checked during the user check.
To prevent this,
use the option.
(Be sure to use /sbin/nologin; other shells will not be able to log in.)


1. On the router, forward only two ports, TCP 20 and 21, to the server

2. Open the vsftpd.conf file in an editor and add the passive-mode settings below

This option makes vsftpd use passive ports 50000 through 50005. If the server does not have many concurrent FTP users, a range of this size is enough. The recommended range for passive ports is said to be the 50000s through the 60000s.

3. In the iptables firewall, open the port range configured as passive ports above
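As an added example that is not part of the original page: a small POSIX shell audit that reads a vsftpd.conf and reports which of the settings walked through above (anonymous and local logins, chroot, the SSL/TLS directives, and the passive port range from the notes at the end) are missing or weak. The directive names are vsftpd's own; the two sample configuration files are constructed here for the demonstration, and the function names vsftpd_get and vsftpd_audit are my own.

```shell
# Added example (not from the original page): audit a vsftpd.conf against the
# settings recommended above; directive names are vsftpd's own, samples are constructed.
# Effective value of a directive (last uncommented "key=value" line wins).
vsftpd_get() {  # $1 = config file, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print one line per weak or missing setting; exit status = number of findings.
vsftpd_audit() {  # $1 = config file
    conf=$1; n=0
    for want in anonymous_enable=NO local_enable=YES chroot_local_user=YES \
                ssl_enable=YES force_local_logins_ssl=YES force_local_data_ssl=YES \
                ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO; do
        key=${want%%=*}; val=${want#*=}; got=$(vsftpd_get "$conf" "$key")
        if [ "$got" != "$val" ]; then
            echo "$key=${got:-<unset>} (expected $val)"; n=$((n + 1))
        fi
    done
    # Passive mode needs an explicit range above 1023 so the firewall can open it.
    lo=$(vsftpd_get "$conf" pasv_min_port); hi=$(vsftpd_get "$conf" pasv_max_port)
    if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -lt 1024 ] || [ "$lo" -gt "$hi" ]; then
        echo "pasv_min_port/pasv_max_port=${lo:-<unset>}/${hi:-<unset>} (expected e.g. 50000/50005)"
        n=$((n + 1))
    fi
    return "$n"
}

WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
# constructed sample: anonymous login allowed, no TLS, no passive range
anonymous_enable=YES
local_enable=YES
EOF
cat >"$HARD_CONF" <<'EOF'
# constructed sample: the settings this page walks through
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
pasv_min_port=50000
pasv_max_port=50005
EOF
# Audit the file given as $1 (e.g. /etc/vsftpd/vsftpd.conf), else the weak sample.
vsftpd_audit "${1:-$WEAK_CONF}" && echo "findings: 0" || echo "findings: $?"
```

Run it against the real file after editing (`sh audit.sh /etc/vsftpd/vsftpd.conf`); a non-zero finding count means one of the settings above is still at its weak value.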