
    How to setup vsftpd FTP server on CentOS 6

    This tutorial will guide you through the process of setting up vsftpd to allow a user to upload files to his or her home directory using FTP.


    All commands in this guide are to be performed by a user with root privileges. To elevate privileges use:

    sudo su -

    Check the values of the SELinux policy booleans related to FTP:

    getsebool -a | egrep 'ftp_home_dir|passive|ftpd_full_access'

    If the values are 'off':

    allow_ftpd_full_access --> off
    ftp_home_dir --> off
    ftpd_use_passive_mode --> off

    Set them to 'on' (the -P flag writes the change to the policy store so it survives a reboot):

    setsebool -P allow_ftpd_full_access on
    setsebool -P ftp_home_dir on
    setsebool -P ftpd_use_passive_mode on

    ftp_home_dir is the boolean this setup actually needs: it lets vsftpd read and write the users' home directories. allow_ftpd_full_access is much broader, letting vsftpd access any file on the system regardless of its SELinux label, and is only the blunt way to make an upload directory outside /home writable. Leave it 'off' if the home directories you create below carry the normal home-directory label.

    Edit the iptables config (/etc/sysconfig/iptables) to open the FTP-specific TCP ports. The rules below are written for the server side: new inbound connections to port 21 are accepted, and the data connections are matched through connection tracking. Insert them in the INPUT chain before the final REJECT rule of the stock CentOS 6 ruleset, otherwise they are never reached:

    /etc/sysconfig/iptables
    # Allow FTP control connections @ port 21
    -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
    # Allow Active FTP connections (data channel opened by the server from port 20)
    -A OUTPUT -p tcp --sport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
    # Allow Passive FTP connections (data channel opened by the client to a high port)
    -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT

    The RELATED match on the passive rule only works when the FTP connection-tracking helper is loaded; on CentOS 6 add IPTABLES_MODULES="nf_conntrack_ftp" to /etc/sysconfig/iptables-config. Without the helper the client's first packet to the data port is NEW and is rejected, so you would instead have to pin the passive range with pasv_min_port and pasv_max_port in vsftpd.conf and accept NEW connections to that range only. The OUTPUT rules are only needed if you have changed the OUTPUT chain's default ACCEPT policy.

    Apply changes:

    iptables-restore < /etc/sysconfig/iptables

    or restart the service, which reloads the same file and also loads the modules listed in /etc/sysconfig/iptables-config:

    service iptables restart

    Installation of vsftpd

    Install vsftpd from the standard CentOS repo:

    yum install vsftpd -y

    Configuration of vsftpd

    After installation, edit /etc/vsftpd/vsftpd.conf according to your needs. We recommend the following changes. The stock CentOS 6 file also sets tcp_wrappers=YES; keep that line, because the /etc/hosts.allow filtering described below depends on it.

    /etc/vsftpd/vsftpd.conf
    # Controls whether anonymous logins are permitted or not. If enabled, both the
    # usernames ftp and anonymous are recognised as anonymous logins.
    anonymous_enable=NO
    # Controls whether local logins are permitted or not. If enabled, normal user
    # accounts in /etc/passwd (or wherever your PAM config references) may be used
    # to log in. This must be enabled for any non-anonymous login to work,
    # including virtual users.
    local_enable=YES
    # This controls whether any FTP commands which change the filesystem are
    # allowed or not. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE
    # and SITE.
    write_enable=YES
    # If set to YES, local users will be (by default) placed in a chroot() jail in
    # their home directory after login. The vsftpd 2.2.x shipped with CentOS 6
    # accepts a writable jail root; vsftpd 3.0 and later refuse to start a session
    # in one unless allow_writeable_chroot=YES is also set.
    chroot_local_user=YES
    # The value that the umask for file creation is set to for local users.
    local_umask=022
    # If activated, files and directories starting with . will be shown in
    # directory listings even if the "a" flag was not used by the client.
    force_dot_files=YES
    # If enabled, vsftpd will load a list of usernames from the file given by
    # userlist_file.
    userlist_enable=YES
    # This option is examined if userlist_enable is activated. If set to NO, users
    # will be denied login unless they are explicitly listed in the file specified
    # by userlist_file, i.e. the list is a whitelist. The denial is issued before
    # the user is asked for a password.
    userlist_deny=NO
    # The name of the file loaded when the userlist_enable option is active. The
    # CentOS package defaults to /etc/vsftpd/user_list, so set it explicitly to
    # the file the user-addition step appends to.
    userlist_file=/etc/vsftpd.userlist

    Enable the vsftpd service and start it:

    chkconfig vsftpd on
    service vsftpd start

    To allow access to vsftpd only from specific IPs, edit /etc/hosts.allow (vsftpd consults it because tcp_wrappers=YES is set in the stock configuration). Put the client address or network between the two colons of each allow line; the last line rejects everybody else:

    /etc/hosts.allow
    vsftpd : : allow
    vsftpd : : allow
    vsftpd : ALL : deny

    Use 'ALL' to allow access from any IP:

    vsftpd : ALL : allow

    User addition

    Add a local user with a disabled login shell and the home directory set. Use /sbin/nologin rather than /bin/false: /etc/pam.d/vsftpd includes pam_shells, which rejects any shell not listed in /etc/shells, and /sbin/nologin is listed there on CentOS 6 by default (verify with a look at /etc/shells if logins fail with no obvious reason).

    useradd user_name --shell /sbin/nologin --home-dir /path_to_directory

    Set password:

    passwd user_name

    Add the same user to vsftpd's user list. With userlist_deny=NO the file is a whitelist, so a user missing from it is rejected before the password prompt:

    echo "user_name" | tee -a /etc/vsftpd.userlist

    To create a user with the same UID and GID as an existing user, use the command below. The new account is then indistinguishable from the existing one at the filesystem level: everything it uploads is owned by that UID, and it can read and modify whatever the existing user can, so use this only when that is the intent:

    useradd user_name -o -u UID_client -g GID_client --shell /sbin/nologin --home-dir /path_to_directory

    You can find UID and GID of an existing user by running:

    id user_name
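    The configuration and user-addition steps above have two failure modes that give no useful error at the FTP prompt: a key left at its stock value (for example anonymous_enable=YES or userlist_deny=YES, which turns the whitelist into a blacklist) and an account whose shell is not in /etc/shells or whose name is not in the userlist. The script below is an added example, not part of this page or of vsftpd, that audits both after the setup. The function names, the --live switch, and the sample config, passwd, shells and userlist files it writes are constructed for illustration; the expected values are the ones recommended above plus tcp_wrappers=YES.

```bash
#!/bin/bash
# Added example for this guide (not part of the original page or of vsftpd):
# two post-setup checks for the configuration described above. The function
# names, the sample files and the sample account names are constructed for
# illustration; the expected values are the ones the guide recommends, plus
# tcp_wrappers=YES, which the /etc/hosts.allow filtering relies on.

# check_vsftpd_conf CONF
#   For each recommended key, take the effective value in CONF (the last
#   uncommented occurrence, which is how vsftpd resolves duplicates) and
#   compare it with the expected value. Prints one line per deviation and
#   returns 1 if there was any, 0 if the file matches the recommendation.
check_vsftpd_conf() {
    local conf="$1" rc=0 key want got
    while IFS='=' read -r key want; do
        got=$(sed -n -e 's/[[:space:]]*$//' \
                     -e "s/^[[:space:]]*${key}=//p" "$conf" | tail -n 1)
        if [ -z "$got" ]; then
            echo "MISSING ${key} (want ${want})"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "BAD ${key}=${got} (want ${want})"; rc=1
        fi
    done <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES
EOF
    return "$rc"
}

# check_ftp_user NAME PASSWD SHELLS USERLIST
#   Checks that an FTP-only account will actually be let in: it must exist
#   in PASSWD, its login shell must be listed in SHELLS (CentOS's
#   /etc/pam.d/vsftpd uses pam_shells, so an unlisted shell fails the login
#   with no hint in the FTP reply), and, because userlist_deny=NO turns the
#   userlist into a whitelist, NAME must appear in USERLIST. The file paths
#   are parameters so the check can also run against copies of the live files.
check_ftp_user() {
    local name="$1" passwd="$2" shells="$3" userlist="$4" rc=0 entry shell
    entry=$(awk -F: -v u="$name" '$1 == u { print; exit }' "$passwd")
    if [ -z "$entry" ]; then
        echo "NOUSER ${name} not in ${passwd}"; return 1
    fi
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    if ! grep -qxF -- "$shell" "$shells"; then
        echo "BADSHELL ${name}: ${shell} is not listed in ${shells}"; rc=1
    fi
    if ! grep -qxF -- "$name" "$userlist"; then
        echo "NOTLISTED ${name} is not in ${userlist}"; rc=1
    fi
    return "$rc"
}

# write_samples DIR
#   Writes constructed sample files into DIR: a hardened vsftpd.conf, a weak
#   one that still looks like the stock file (anonymous on, no chroot,
#   userlist used as a blacklist), and passwd/shells/userlist snippets.
#   Sample data only, not taken from a real host.
write_samples() {
    local dir="$1"
    mkdir -p "$dir"
    cat > "$dir/vsftpd-good.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
local_umask=022
force_dot_files=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.userlist
tcp_wrappers=YES
EOF
    cat > "$dir/vsftpd-weak.conf" <<'EOF'
# anonymous_enable=NO   (commented out, so it does not count)
anonymous_enable=YES
local_enable=YES
write_enable=YES
userlist_enable=YES
userlist_deny=YES
tcp_wrappers=YES
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ftpuser:x:1001:1001::/srv/ftp/ftpuser:/sbin/nologin
badshell:x:1002:1002::/srv/ftp/badshell:/usr/sbin/nologin
EOF
    printf '/bin/sh\n/bin/bash\n/sbin/nologin\n' > "$dir/shells"
    printf 'ftpuser\n' > "$dir/vsftpd.userlist"
}

# Run with "--live user_name" on the server (as root) to audit the real files.
if [ "${1:-}" = "--live" ]; then
    check_vsftpd_conf /etc/vsftpd/vsftpd.conf
    check_ftp_user "${2:?user name required}" /etc/passwd /etc/shells /etc/vsftpd.userlist
fi
```

    On the weak sample the audit reports anonymous_enable, the missing chroot_local_user and the inverted userlist_deny; on the badshell account it reports both the unlisted shell and the missing whitelist entry. A clean run of check_vsftpd_conf does not prove the server is reachable: the SELinux booleans and the iptables rules from the earlier sections are separate checks.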