## 1. Introduction
vsftpd (Very Secure FTP Daemon) is a lightweight, high-performance FTP server for Linux/Unix systems, renowned for its security features (e.g., chroot jail, SSL/TLS support) and stability. It is the default FTP server for many distributions (e.g., Ubuntu, CentOS).
## 2. Installation
Installation varies by distribution. Use your package manager to install vsftpd:
```bash
# Debian/Ubuntu
sudo apt update && sudo apt install vsftpd
# CentOS/RHEL
sudo yum install vsftpd
```
After installation, start the service and enable it to launch at boot:
```bash
sudo systemctl start vsftpd
sudo systemctl enable vsftpd
```
Verify status with:
```bash
sudo systemctl status vsftpd
```
## 3. Basic Configuration
The main configuration file is `/etc/vsftpd.conf` (`/etc/vsftpd/vsftpd.conf` on CentOS/RHEL). Edit it with a text editor (e.g., `nano`):
```bash
sudo nano /etc/vsftpd.conf
```
Key parameters to configure. vsftpd does not accept a comment on the same line as a setting (`key=YES # note` is a parse error and the daemon refuses to start), so keep comments on their own lines:
```ini
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
# Required if chroot is enabled and the chroot root itself is writable by the user
# (as with the home directories created in Section 4). This weakens the jail, so keep
# uploads in a subdirectory rather than making the whole root writable.
allow_writeable_chroot=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
# Replace with your server’s public IP
pasv_address=YOUR_PUBLIC_IP
```
Save changes and restart vsftpd:
```bash
sudo systemctl restart vsftpd
```
## 4. User Management
### 4.1 Create FTP Users
Create dedicated FTP users (no shell access) to limit system privileges:
```bash
# No login shell: the account can only be used for FTP
sudo useradd -m -d /home/ftpuser -s /sbin/nologin ftpuser
# Set a strong password
sudo passwd ftpuser
# Debian/Ubuntu: /etc/pam.d/vsftpd runs pam_shells, which rejects any shell not listed in
# /etc/shells (login fails with 530). If that happens, add the exact path used above:
#   echo /sbin/nologin | sudo tee -a /etc/shells
```
Set directory permissions (750 for home, 770 for upload folders):
```bash
sudo chown ftpuser:ftpuser /home/ftpuser
sudo chmod 750 /home/ftpuser
sudo mkdir /home/ftpuser/upload
sudo chown ftpuser:ftpuser /home/ftpuser/upload
sudo chmod 770 /home/ftpuser/upload
```
### 4.2 Virtual Users (Advanced)
Virtual users are not tied to system accounts, offering better security. Steps:
1. **Create User Database** (`db_load` is provided by the `db-util` package on Debian/Ubuntu and `libdb-utils` on CentOS):
```bash
sudo mkdir -p /etc/vsftpd
# One username per line, each followed by its password on the next line
sudo bash -c 'echo -e "ftp_vuser1\npassword123\nftp_vuser2\nsecurepass" > /etc/vsftpd/virtual_users.txt'
sudo db_load -T -t hash -f /etc/vsftpd/virtual_users.txt /etc/vsftpd/virtual_users.db
# The text file holds plaintext passwords: keep both files readable by root only
sudo chmod 600 /etc/vsftpd/virtual_users.*
```
2. **Configure PAM**: edit `/etc/pam.d/vsftpd` and replace all content with:
```
auth required pam_userdb.so db=/etc/vsftpd/virtual_users
account required pam_userdb.so db=/etc/vsftpd/virtual_users
```
3. **Create the guest account and user directories**:
```bash
# System account that every virtual user is mapped to (must match guest_username below)
sudo useradd -M -d /var/ftp/virtual_users -s /sbin/nologin virtual
sudo mkdir -p /var/ftp/virtual_users/ftp_vuser1
# Virtual users do not exist in /etc/passwd, so the directory is owned by the guest account
sudo chown virtual:virtual /var/ftp/virtual_users/ftp_vuser1
```
4. **Enable virtual users** in `/etc/vsftpd.conf`:
```ini
guest_enable=YES
guest_username=virtual
virtual_use_local_privs=YES
user_config_dir=/etc/vsftpd/user_configs
```
5. **Per-user settings**: create `/etc/vsftpd/user_configs/ftp_vuser1` (the file name is the virtual username) with:
```ini
local_root=/var/ftp/virtual_users/ftp_vuser1
write_enable=YES
```
Restart vsftpd after changes.
## 5. Enable SSL/TLS
Generate a self-signed certificate (or use Let’s Encrypt for a trusted one):
```bash
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem
```
Edit `/etc/vsftpd.conf`:
```ini
ssl_enable=YES
allow_anon_ssl=NO
# Refuse plaintext logins and data transfers from local users
force_local_data_ssl=YES
force_local_logins_ssl=YES
# TLS 1.0 is legacy; newer vsftpd releases also offer ssl_tlsv1_1 and ssl_tlsv1_2
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
```
Restart vsftpd.
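As an added check that is not part of this tutorial or of vsftpd itself, the script below audits an existing `vsftpd.conf` against the settings from Sections 3 and 5: it reads each key the way vsftpd does (last assignment wins, no trimming, no inline comments) and reports missing hardening, an unreplaced `pasv_address` placeholder, and inline comments that would stop the daemon from starting. The baseline list and the function names `vsftpd_get`/`vsftpd_audit` are my own.

```shell
#!/usr/bin/env bash
# Added example: audit a vsftpd.conf against this tutorial's hardened settings.
# The baseline below is an assumption of what to check, not vsftpd's own tooling.

# Effective value of a key: the last uncommented "key=value" line wins, read exactly
# as vsftpd reads it (no trimming, no inline comments). Prints nothing if unset.
vsftpd_get() {  # $1 = config file, $2 = key
  awk -F= -v k="$2" '
    /^[[:space:]]*#/ { next }                                   # full-line comment
    NF >= 2 && $1 == k { v = substr($0, index($0, "=") + 1) }  # later line overrides
    END { print v }' "$1"
}

# Prints one line per finding; returns 0 only when the file matches the baseline.
vsftpd_audit() {  # $1 = config file
  local conf="$1" findings=0 pair key want got bad
  # Expected values, taken from Sections 3 and 5 of this tutorial.
  local baseline="anonymous_enable=NO chroot_local_user=YES pasv_enable=YES ssl_enable=YES
    allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES ssl_sslv2=NO ssl_sslv3=NO"
  for pair in $baseline; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(vsftpd_get "$conf" "$key")
    if [ "$got" != "$want" ]; then
      printf '%s: %s is "%s", expected %s\n' "$conf" "$key" "${got:-unset}" "$want"
      findings=$((findings + 1))
    fi
  done
  # The placeholder must have been replaced, or passive transfers fail behind NAT.
  got=$(vsftpd_get "$conf" pasv_address)
  case "$got" in
    ""|YOUR_PUBLIC_IP*)
      printf '%s: pasv_address is "%s", set it to the public IP\n' "$conf" "${got:-unset}"
      findings=$((findings + 1)) ;;
  esac
  # vsftpd has no inline comments: "key=YES # note" is a parse error and the daemon
  # refuses to start, so flag any value containing whitespace or a hash.
  bad=$(grep -E '^[^#][^=]*=.*[[:space:]#]' "$conf" || true)
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad" | sed "s|^|$conf: inline comment or stray whitespace (vsftpd rejects this): |"
    findings=$((findings + $(printf '%s\n' "$bad" | wc -l)))
  fi
  [ "$findings" -eq 0 ]
}
```

Run it as `vsftpd_audit /etc/vsftpd.conf` after sourcing the file; a non-zero exit status means at least one finding was printed.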
## 6. Firewall Configuration and Testing
Allow FTP ports (21 for control, passive mode range for data) using `ufw` (Ubuntu) or `firewalld` (CentOS):
```bash
# Ubuntu (ufw)
sudo ufw allow 21/tcp
# Passive mode ports
sudo ufw allow 40000:50000/tcp
# Allow SSH first (sudo ufw allow OpenSSH) if you administer the host remotely,
# otherwise enabling the firewall can lock you out
sudo ufw enable
# CentOS (firewalld)
sudo firewall-cmd --permanent --add-service=ftp
sudo firewall-cmd --permanent --add-port=40000-50000/tcp
sudo firewall-cmd --reload
```
Use a client like FileZilla (GUI) or command line:
```bash
ftp YOUR_SERVER_IP
```
Enter credentials to verify login and file transfer. Note that the classic `ftp` client has no TLS support, so once `force_local_logins_ssl=YES` from Section 5 is active, use FileZilla (Explicit FTP over TLS) or a TLS-capable command-line client such as `lftp`.
Check active connections:
```bash
sudo netstat -tulnp | grep ftp
# On systems without net-tools: sudo ss -tlnp | grep vsftpd
```
View vsftpd logs (default: `/var/log/vsftpd.log`):
```bash
sudo tail -f /var/log/vsftpd.log
```
## 7. Troubleshooting Common Issues
- **Cannot Connect**: Verify vsftpd is running (`systemctl status vsftpd`) and firewall allows port 21.
- **Permission Denied**: Ensure the user’s home directory has correct permissions (750) and `chroot` is configured properly.
- **Passive Mode Fails**: Confirm `pasv_address` is set to the server’s public IP and passive ports are open in the firewall.