Back to main index

vsftpd

Very Secure FTP Daemon - a lightweight, stable and secure FTP server for UNIX-like systems.

Install the server with:

yum install vsftpd

Before configuring this FTP service, understand the difference between:

(1) Active FTP and (2) Passive FTP

In active mode the server opens the data connection itself, from its port 20 to a port the client announced. In passive mode the client opens the data connection to a port the server announces in its PASV reply. A firewall in front of the server can only match passive data connections if vsftpd is pinned to a known port range, which is what the configuration below does.

The following configuration explicitly enables passive FTP and includes the matching iptables rules on the server.

Configuration for anonymous-only access (inspired by the Gentoo example), plus the passive-mode parameters that match the iptables rules below, which open ports 40000 to 40099 (100 ports).

cat /etc/vsftpd/vsftpd.conf

anonymous_enable=YES
no_anon_password=YES
anon_root=/srv/ftp

local_enable=NO
write_enable=NO
local_umask=022
anon_upload_enable=NO
anon_mkdir_write_enable=NO
dirlist_enable=YES
dirmessage_enable=YES
chown_uploads=NO
xferlog_enable=YES
connect_from_port_20=YES
idle_session_timeout=600
data_connection_timeout=120
ascii_upload_enable=NO
ascii_download_enable=NO
ftpd_banner=--[ftp service]--
chroot_local_user=NO
chroot_list_enable=NO
# (default follows)
#chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
background=YES
# standalone IPv4 listener; set it only once: vsftpd keeps the last value of a
# repeated option, and a later listen=NO (with listen_ipv6 unset) would make
# vsftpd expect to be started from inetd, so systemctl start would fail
listen=YES
ls_recurse_enable=NO
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES


# passive FTP (PASV command)
pasv_enable=YES
port_enable=YES
ftp_data_port=20
listen_port=21
max_clients=100
max_per_ip=100
max_login_fails=3
pasv_min_port=40000
pasv_max_port=40099

Before starting, make sure the anonymous root /srv/ftp exists, is owned by root and is not writable by the ftp user (vsftpd 3.x refuses to run with a writable anonymous root). On a host with SELinux enforcing, /srv/ftp also needs the public_content_t label that the default /var/ftp already carries: semanage fcontext -a -t public_content_t "/srv/ftp(/.*)?" followed by restorecon -Rv /srv/ftp. Then start the server; if it does not come up, systemctl status vsftpd.service shows the error vsftpd reports about /etc/vsftpd/vsftpd.conf (a misspelled option, or a stray space after a YES/NO value, is enough to stop it).

systemctl  start  vsftpd.service
systemctl  enable vsftpd.service

Configure the iptables firewall rules (TCP here is a user-defined chain that the INPUT chain jumps to for all TCP traffic; if you do not have such a chain, use INPUT instead):

# no inbound rule for port 20: in active mode the server itself opens the data
# connection from source port 20, so an inbound --dport 20 rule matches nothing
#iptables -A TCP -p tcp --dport 20 -j ACCEPT
iptables -A TCP -p tcp --dport 21 -j ACCEPT
iptables -A TCP -p tcp --dport 40000:40099 -j ACCEPT

FTP uses TCP only, so no UDP rules are needed.

Check that the server is running and reachable from a client. If the server sits behind a DSL/NAT router, forward ports 21 and 40000-40099 to it and set pasv_address to the router's public address; otherwise the PASV reply announces the server's private IP and passive data connections from outside fail.

You can use the FTP service to transfer files between two computers on the same trusted network. You simply need to allow the existing users in /etc/passwd to connect to the FTP service. Authentication is by username and password, and after login the client lands in the user's own $HOME directory. This is not a chroot: without chroot_local_user=YES a user can change into any directory the account can read. Credentials and data are also sent in cleartext, since no ssl_enable/TLS settings are configured. !!!Do not use this configuration on servers facing the Internet!!!

cat /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

# passive FTP (PASV command)
pasv_enable=YES
port_enable=YES
ftp_data_port=20
listen_port=21
max_clients=100
max_per_ip=100
max_login_fails=3
pasv_min_port=40000
pasv_max_port=40099
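As an added example that is not part of the original page or of the vsftpd project, the following POSIX shell script checks a vsftpd.conf (either of the two above, or any other) for the mistakes that keep vsftpd from starting or weaken the local-user setup, and derives the matching iptables rules from pasv_min_port/pasv_max_port. The function names, the embedded sample config and the vsftpd defaults assumed in its header comment are mine, not vsftpd's.

```sh
#!/bin/sh
# Added example, not code from this page or from the vsftpd project: a POSIX sh
# + awk checker that reads a vsftpd.conf the way vsftpd does (one key=value per
# line, a later line overrides an earlier one, no whitespace trimming) and then
# prints the iptables rules implied by the passive port range.
# Assumed vsftpd 3.x defaults (check the vsftpd.conf man page for your build):
# listen=YES, listen_ipv6=NO, ssl_enable=NO, chroot_local_user=NO.

# Effective settings after last-wins resolution, one key=value per line.
effective_settings() {
  awk -F= '
    /^[[:space:]]*(#|$)/ { next }            # comments and blank lines
    { key=$1; sub(/^[^=]*=/, "", $0)         # the value may itself contain "="
      if (!(key in val)) order[++n]=key
      val[key]=$0 }
    END { for (i=1; i<=n; i++) printf "%s=%s\n", order[i], val[order[i]] }
  ' "$1"
}

# Lint: prints one finding per line and returns 1 if anything would stop vsftpd
# from starting under systemd or makes the config unsafe for local users.
lint_conf() {
  awk -F= '
    /^[[:space:]]*(#|$)/ { next }
    /^[[:space:]]|[[:space:]]$/ { printf "line %d: leading/trailing whitespace in \"%s\" (vsftpd does not trim; YES followed by a space is a bad bool value)\n", NR, $0; bad++ }
    !/=/ { printf "line %d: no \"=\" in \"%s\"\n", NR, $0; bad++; next }
    { key=$1; sub(/^[^=]*=/, "", $0)
      if (key in val) { printf "line %d: %s already set to %s, now %s (last one wins)\n", NR, key, val[key], $0; bad++ }
      val[key]=$0 }
    END {
      listen  = ("listen"      in val) ? val["listen"]      : "YES"
      listen6 = ("listen_ipv6" in val) ? val["listen_ipv6"] : "NO"
      if (listen == "NO" && listen6 == "NO")
        { print "listen and listen_ipv6 both NO: vsftpd waits for inetd, systemd start fails"; bad++ }
      if (listen == "YES" && listen6 == "YES")
        { print "listen and listen_ipv6 both YES: vsftpd refuses to start"; bad++ }
      if (val["local_enable"] == "YES" && val["ssl_enable"] != "YES")
        { print "local_enable=YES without ssl_enable=YES: passwords cross the network in cleartext"; bad++ }
      if (val["local_enable"] == "YES" && val["chroot_local_user"] != "YES")
        { print "local users are not chrooted: they can browse every directory the account can read"; bad++ }
      if (val["pasv_enable"] == "YES" && !(("pasv_min_port" in val) && ("pasv_max_port" in val)))
        { print "pasv_enable=YES without pasv_min_port/pasv_max_port: the firewall cannot match data connections"; bad++ }
      if (bad) exit 1 }
  ' "$1"
}

# iptables rules for the control port and the passive range. Deliberately no
# rule for port 20: in active mode the server *opens* the data connection from
# source port 20, so only established/related return traffic needs accepting.
passive_rules() {
  conf=$1; chain=${2:-INPUT}
  set -- $(effective_settings "$conf" | awk -F= '
    $1=="listen_port" {p=$2} $1=="pasv_min_port" {lo=$2} $1=="pasv_max_port" {hi=$2}
    END { printf "%s %s %s", (p ? p : 21), lo, hi }')
  port=$1; lo=$2; hi=$3
  if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ]; then
    echo "pasv_min_port/pasv_max_port missing or inverted" >&2; return 1
  fi
  printf 'iptables -A %s -p tcp --dport %s -j ACCEPT\n' "$chain" "$port"
  printf 'iptables -A %s -p tcp --dport %s:%s -j ACCEPT\n' "$chain" "$lo" "$hi"
}

# Demo on a constructed config (not a real file from any host) that repeats a
# common slip: listen set twice, the second time to NO, which together with the
# default listen_ipv6=NO leaves vsftpd waiting for inetd.
demo=$(mktemp)
cat > "$demo" <<'EOF'
anonymous_enable=YES
local_enable=NO
listen=YES
listen=NO
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40099
EOF
lint_conf "$demo" || echo "fix the config before running: systemctl start vsftpd.service"
passive_rules "$demo" TCP
rm -f "$demo"
```

Run lint_conf /etc/vsftpd/vsftpd.conf before systemctl start; passive_rules /etc/vsftpd/vsftpd.conf TCP prints the rules for the TCP chain used above (pass INPUT, or nothing, if you have no such chain). The awk comparisons accept only the literal YES; vsftpd itself also accepts true/1 and false/0 for booleans, so a config using those spellings will be reported as if the option were unset.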
