
How to set up a vsftpd FTP server on CentOS 6

This tutorial will guide you through the process of setting up vsftpd to allow a user to upload files to his or her home directory using FTP.

Prerequisites

All commands in this guide are to be performed by a user with root privileges. To elevate privileges use:

sudo su -

Check values of the SELinux policy booleans related to FTP:

getsebool -a | egrep 'ftp_home_dir|passive|ftpd_full_access'

If the values are 'off':

allow_ftpd_full_access --> off
ftp_home_dir --> off
ftpd_use_passive_mode --> off

Set them to 'on' persistently (-P survives a reboot) by executing:

setsebool -P allow_ftpd_full_access on
setsebool -P ftp_home_dir on
setsebool -P ftpd_use_passive_mode on

Edit the iptables config (/etc/sysconfig/iptables) to open the FTP-specific TCP ports. Insert the rules before the final REJECT rule of the INPUT chain, since iptables stops at the first matching rule:

/etc/sysconfig/iptables
# Allow FTP control connections to port 21
-A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# Allow Active FTP data connections (the server connects back to the client from port 20)
-A OUTPUT -p tcp --sport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# Allow Passive FTP data connections (the client connects to a high port on the server;
# RELATED matching needs the nf_conntrack_ftp helper, loaded via IPTABLES_MODULES in /etc/sysconfig/iptables-config)
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT

Apply changes:

iptables-restore /etc/sysconfig/iptables

Installation of vsftpd

Install vsftpd from the standard CentOS repo:

yum install vsftpd -y

Configuration of vsftpd

After installation, edit /etc/vsftpd/vsftpd.conf according to your needs. We recommend the following settings:

/etc/vsftpd/vsftpd.conf
# Controls whether anonymous logins are permitted or not. If enabled,
# both the usernames ftp and anonymous are recognised as anonymous logins.
anonymous_enable=NO
# Controls whether local logins are permitted or not. If enabled, normal user
# accounts in /etc/passwd (or wherever your PAM config references) may be used
# to log in. This must be enabled for any non-anonymous login to work,
# including virtual users.
local_enable=YES
# This controls whether any FTP commands which change the filesystem are
# allowed or not. These commands are: STOR, DELE, RNFR, RNTO, MKD, RMD, APPE
# and SITE.
write_enable=YES
# If set to YES, local users will be (by default) placed in a chroot() jail in
# their home directory after login.
chroot_local_user=YES
# The value that the umask for file creation is set to for local users.
local_umask=022
# If activated, files and directories starting with . will be shown in
# directory listings even if the "a" flag was not used by the client.
force_dot_files=YES
# If enabled, vsftpd will load a list of usernames from the filename given by
# userlist_file.
userlist_enable=YES
# This option is examined if userlist_enable is activated. If you set this
# setting to NO, then users will be denied login unless they are explicitly
# listed in the file specified by userlist_file. When login is denied, the
# denial is issued before the user is asked for a password.
userlist_deny=NO
# This option is the name of the file loaded when the userlist_enable option
# is active.
userlist_file=/etc/vsftpd.userlist
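As an added check that is not part of the original guide, the following POSIX shell function audits a vsftpd.conf against the settings recommended above. It resolves each key the way vsftpd does (last uncommented key=value line wins, otherwise the built-in default from vsftpd.conf(5)), so a file that merely omits chroot_local_user or userlist_deny is reported as non-compliant rather than silently passing.

```shell
#!/bin/sh
# Audit a vsftpd.conf against the settings recommended in this guide.
# Usage: check_vsftpd_conf /etc/vsftpd/vsftpd.conf
# Prints one line per deviating setting; the return code is the number of
# deviations (0 = compliant).

# Effective value of key $2 in file $1: the last uncommented "key=value" line
# wins, otherwise the vsftpd default given as $3 (defaults per vsftpd.conf(5)).
vsftpd_get() {
    _val=$(sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    if [ -n "$_val" ]; then
        printf '%s\n' "$_val"
    else
        printf '%s\n' "$3"
    fi
}

check_vsftpd_conf() {
    conf=$1
    bad=0
    # Each entry: key, value this guide recommends, vsftpd's own default when
    # the key is absent. Only the YES/NO spelling used in this guide is
    # recognised (vsftpd itself also accepts yes/true/1).
    for spec in \
        "anonymous_enable NO YES" \
        "local_enable YES NO" \
        "chroot_local_user YES NO" \
        "userlist_enable YES NO" \
        "userlist_deny NO YES" \
        "local_umask 022 077"; do
        set -- $spec
        actual=$(vsftpd_get "$conf" "$1" "$3")
        if [ "$actual" != "$2" ]; then
            echo "$1=$actual (expected $2)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```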

Enable the vsftpd service and start it:

chkconfig vsftpd on
service vsftpd start

To allow access to vsftpd only from specific IPs, edit /etc/hosts.allow (tcp_wrappers uses the first matching line, so the deny rule goes last):

/etc/hosts.allow
vsftpd : 127.0.0.1 : allow
vsftpd : 10.0.0.0/8 : allow
vsftpd : ALL : deny

Use 'ALL' to allow access from any IP:

vsftpd : ALL : allow

User addition

Add a local user with a disabled shell and an explicit home directory (/sbin/nologin is listed in /etc/shells, which the vsftpd PAM configuration requires of the login shell):

useradd user_name --shell /sbin/nologin --home-dir /path_to_directory

Set the user's password:

passwd user_name

Add the same user to vsftpd's user list:

echo "user_name" | tee -a /etc/vsftpd.userlist

To create a user with the same UID and GID as an existing user, use:

useradd user_name -o -u UID_client -g GID_client --shell /sbin/nologin --home-dir /path_to_directory

You can find the UID and GID of an existing user by running:

id user_name