How to Set Up VSFTP, Samba, NFS, and iSCSI File Sharing on Linux
This guide walks through configuring four common Linux file‑sharing services—VSFTP, Samba, NFS, and iSCSI—including installation, key parameters, security options, client mounting procedures, and useful command‑line examples for both anonymous and authenticated access.
VSFTPD File Transfer
VSFTPD is a hardened FTP server for Linux that runs under a non‑privileged user, supports chroot isolation and provides built‑in FTP commands, making it more secure than the classic FTP daemon.
Key Features
Runs as a normal user, reducing process privileges.
High‑privilege commands require explicit permission.
All essential FTP commands are built‑in, avoiding external dependencies.
Supports chroot to restrict users to their home directories.
Connection Types
Control connection (TCP 21) carries FTP commands; data connection (TCP 20) transfers file payloads.
Active vs Passive Mode
Passive mode (client initiates the data connection) is required when firewalls block inbound connections. Active mode (server connects back to the client) may fail for clients behind NAT because the server cannot reach the client’s high‑port data socket.
Anonymous FTP Server Configuration
# Anonymous configuration parameters
# vsftpd reads everything after "=" as the value, so each comment sits on its own line
# enable anonymous access
anonymous_enable=YES
# permission mask for uploaded files
anon_umask=022
# FTP root for anonymous users
anon_root=/var/ftp
# allow uploads
anon_upload_enable=YES
# allow directory creation
anon_mkdir_write_enable=YES
# allow other write operations
anon_other_write_enable=YES
# no bandwidth limit
anon_max_rate=0
# enable passive mode
pasv_enable=YES
# passive mode port range (start and end)
pasv_min_port=10000
pasv_max_port=15000
Install VSFTPD: yum install -y vsftpd
Edit /etc/vsftpd/vsftpd.conf and add the parameters above (remove any leading #).
Open the passive port range in the firewall if needed:
firewall-cmd --add-port=10000-15000/tcp --permanent
firewall-cmd --reload
Start and enable the service:
systemctl start vsftpd && systemctl enable vsftpd
Local‑User FTP Server Configuration
# Local‑user configuration parameters
# enable local system users
local_enable=YES
# permission mask for uploads
local_umask=022
# FTP root for local users
local_root=/var/ftp
# jail users to their home directory
chroot_local_user=YES
# no bandwidth limit
local_max_rate=0
ftpd_banner=Welcome to FTP service
userlist_enable=YES
# deny users listed in /etc/vsftpd/user_list
userlist_deny=YES
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=15000
Install VSFTPD (same command as above).
Create a system user, e.g.:
useradd -s /sbin/nologin -d /ghost/lyshark lyshark && passwd lyshark
Restart and enable the service:
systemctl restart vsftpd && systemctl enable vsftpd
Mixed Anonymous and Local FTP
Combine the anonymous and local sections in vsftpd.conf so that anonymous users can browse a public share while authenticated users have private home directories.
Virtual‑User FTP Server
# Virtual‑user configuration parameters
anon_world_readable_only=NO
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
Install libdb-utils and vsftpd.
Create a plain‑text login file (e.g. /etc/vsftpd/vlogin) with alternating username and password lines.
Convert it to a Berkeley DB file:
db_load -T -t hash -f /etc/vsftpd/vlogin /etc/vsftpd/vlogin.db
Set restrictive permissions: chmod 600 /etc/vsftpd/{vlogin,vlogin.db}
Configure PAM to use the DB by editing /etc/pam.d/vsftpd.pam:
auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vlogin
account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vlogin
Create a system user that will own the virtual sessions, e.g. useradd -s /sbin/nologin -d /home/ftp virtual.
Update vsftpd.conf to enable guest_enable=YES, set guest_username=virtual, and map the virtual user directory via user_config_dir=/etc/vsftpd_user_conf.
Restart and enable the service.
FTPS (SSL/TLS) Encryption
Verify OpenSSL is installed: rpm -q openssl.
Generate a self‑signed certificate:
openssl req -new -x509 -nodes -out /etc/ssl/certs/vsftpd.pem -keyout /etc/ssl/certs/vsftpd.pem
Restrict permissions: chmod 500 /etc/ssl/certs/vsftpd.pem.
Add the following to vsftpd.conf:
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
allow_anon_ssl=YES
force_anon_logins_ssl=YES
force_anon_data_ssl=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
Restart and enable the service.
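A check worth running before restarting vsftpd, as an added example that is not part of the original article: the function reads a vsftpd.conf and reports text left after a value (vsftpd reads the rest of the line as the value), SSLv2/SSLv3 being enabled, and anonymous write options. The sample input is constructed from settings shown above, and the function names are assumptions of this example.

```shell
# Added example (not from the article): flag risky settings in a vsftpd.conf.
# Reads the file named in $1, or standard input when no file is given.
audit_vsftpd_conf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comment and blank lines
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        if (val ~ /[ \t]/) {                 # vsftpd reads the rest of the line as the value
            printf "SYNTAX line %d: %s value has whitespace or a trailing comment\n", NR, key
            sub(/[ \t].*/, "", val)
        }
        cfg[key] = toupper(val)
    }
    END {
        # anonymous write options only take effect together with write_enable=YES
        w = (cfg["write_enable"] == "YES") ? "active" : "inactive until write_enable=YES"
        if (cfg["ssl_enable"] != "YES")
            print "TLS ssl_enable is not YES: control and data channels are cleartext"
        if (cfg["ssl_sslv2"] == "YES") print "TLS ssl_sslv2=YES permits the obsolete SSLv2 protocol"
        if (cfg["ssl_sslv3"] == "YES") print "TLS ssl_sslv3=YES permits the obsolete SSLv3 protocol"
        if (cfg["anonymous_enable"] == "YES") {
            if (cfg["anon_upload_enable"] == "YES")
                print "ANON anon_upload_enable=YES: anonymous upload (" w ")"
            if (cfg["anon_other_write_enable"] == "YES")
                print "ANON anon_other_write_enable=YES: anonymous rename and delete (" w ")"
        }
        if (cfg["local_enable"] == "YES" && cfg["chroot_local_user"] != "YES")
            print "LOCAL chroot_local_user is not YES: local users can leave their home directory"
    }' "$@"
}

# Constructed sample built from settings shown in this article.
sample_vsftpd_conf() {
    cat <<'EOF'
# constructed sample, not a real server configuration
anonymous_enable=YES # enable anonymous access
anon_upload_enable=YES
anon_other_write_enable=YES
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
EOF
}

sample_vsftpd_conf | audit_vsftpd_conf
```

Against a live server, pass the file path instead: audit_vsftpd_conf /etc/vsftpd/vsftpd.conf.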
Samba File Sharing
Samba implements the SMB/CIFS protocol, enabling Windows, macOS and Linux clients to share files and printers across the network.
Differences to FTP
Samba allows in‑place editing of files without downloading.
Linux‑to‑Linux sharing typically uses NFS; Windows‑to‑Windows uses NetBIOS; mixed environments use SMB/CIFS.
Anonymous Share Configuration (Server)
# /etc/samba/smb.conf (global section)
[global]
workgroup = SAMBA
security = user
# enable guest access without a password
map to guest = Bad User
# Share definition
[smb_file]
comment = hello guest
path = /smb_file
browseable = yes
guest ok = yes
writable = yes
public = yes
Install Samba: yum install -y samba samba-client.
Create the share directory and set permissions: mkdir -p /smb_file && chmod 755 /smb_file.
Edit /etc/samba/smb.conf with the snippet above.
Restart and enable the SMB service: systemctl restart smb && systemctl enable smb.
Linux Client Access
# Install client tools
yum install -y samba-client
# List shares on a server
smbclient -L //SERVER_IP
# Access a share
smbclient //SERVER_IP/smb_file
Windows Client Access
Open the Run dialog (Win+R) and enter \\SERVER_IP\smb_file. Use net use * /delete to clear cached connections if needed.
Password‑Protected Share
# /etc/samba/smb.conf (additional share)
[smb_file]
comment = hello admin
path = /smb_file
browseable = yes
guest ok = no
writable = yes
Create a system user: useradd -M -s /sbin/nologin admin.
Add the user to Samba: smbpasswd -a admin.
Restart and enable the SMB service.
Mounting Samba Shares on Linux
# Mount a share to /mnt
mount -t cifs //192.168.1.20/smb_file /mnt -o username=admin,password=123123
# Verify with df -h
NFS File Sharing
NFS (Network File System) enables Unix‑like systems to share directories over the network.
Daemons
rpcbind – maps RPC program numbers to ports (port 111).
nfsd – core NFS service.
mountd – handles mount requests.
Export Syntax
# Example entries in /etc/exports
/nfs 192.168.1.1(rw) localhost(rw) *(ro,sync)
/nfs 192.168.1.0/24(rw) localhost(rw) *(ro,sync)
/nfs 192.168.1.1(rw) 192.168.1.2(ro) 192.168.1.3(ro,sync)
NFS Server Configuration
Open firewall ports:
firewall-cmd --add-service=nfs --permanent
firewall-cmd --add-service=mountd --permanent
firewall-cmd --add-service=rpc-bind --permanent
firewall-cmd --reload
Install required packages: yum install -y rpcbind nfs-utils.
Create the export directory and set SELinux context:
mkdir -p /public
chmod o+rw /public
chcon -R -t public_content_t /public
Edit /etc/exports and add a line such as: /public 192.168.1.0/24(rw,sync)
Restart services and enable them at boot:
systemctl restart nfs rpcbind
systemctl enable nfs rpcbind
systemctl restart nfs-server
systemctl enable nfs-server
NFS Client Configuration
Install client utilities: yum install -y rpcbind nfs-utils.
Create a mount point and set SELinux type:
mkdir -p /mnt/nfsmount
chcon -R -t public_content_t /mnt/nfsmount
Mount manually:
mount -t nfs -o rw,sync 192.168.1.5:/public /mnt/nfsmount
Optional: add to /etc/fstab for automatic mounting:
192.168.1.5:/public /mnt/nfsmount nfs defaults,_netdev 0 0
Useful NFS utilities: nfsstat, rpcinfo, showmount, exportfs.
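A review of /etc/exports entries in the syntax shown above, as an added example that is not part of the original article: it reports exports open to every host (*), an option list separated from its client by a blank (which makes the options apply to all hosts), and no_root_squash. The /data and /backup lines and the function names are constructed for this example; no_root_squash is a standard exports option the article does not use.

```shell
# Added example (not from the article): review /etc/exports entries.
# Reads the file named in $1, or standard input when no file is given.
audit_exports() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comment and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) { client = substr($i, 1, p - 1); opts = substr($i, p + 1) }
            sub(/\)$/, "", opts)
            opts = "," opts ","                  # so ",rw," matches whole option names only
            if (p == 1) {                        # "(opts)" stood alone: blank before "("
                printf "DETACHED %s: options %s stand alone and apply to all hosts\n", path, $i
                client = "*"
            }
            if (client == "*" && opts ~ /,rw,/)
                printf "WORLD-RW %s: any host may mount read-write\n", path
            else if (client == "*")
                printf "WORLD-RO %s: any host may mount read-only\n", path
            if (opts ~ /,no_root_squash,/)
                printf "ROOT %s: %s keeps uid 0 on the export (no_root_squash)\n", path, client
        }
    }' "$@"
}

# Constructed sample; the first two entries follow the article, the last two are made up.
sample_exports() {
    cat <<'EOF'
# constructed sample, not a real server configuration
/nfs 192.168.1.1(rw) localhost(rw) *(ro,sync)
/public 192.168.1.0/24(rw,sync)
/data 192.168.1.7 (rw,sync)
/backup 192.168.1.9(rw,sync,no_root_squash)
EOF
}

sample_exports | audit_exports
```

On the server, compare the result with what is actually exported: audit_exports /etc/exports alongside exportfs -v.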
iSCSI Disk Sharing
iSCSI transports SCSI commands over TCP/IP, providing block‑level storage that appears as a local disk on the initiator.
Target (Server) Configuration
Install target packages: yum install -y targetd targetcli.
Start and enable the target daemon: systemctl restart targetd && systemctl enable targetd.
Enter the interactive targetcli shell and create a block backstore:
/backstores/block> create disk0 /dev/sdb
Create a target and associate the backstore:
/iscsi> create
/iscsi/iqn.2003-01.org.linux-iscsi.localhost.x8664:sn.8c7dcc63aea8> cd tpg1/luns
/iscsi/.../tpg1/luns> create /backstores/block/disk0
Define an ACL for the initiator:
/iscsi/.../tpg1/acls> create iqn.2003-01.org.linux-iscsi.localhost.x8664:sn.8c7dcc63aea8:client
Set the portal to the server’s IP (replace the default 0.0.0.0):
/iscsi/.../tpg1/portals> delete 0.0.0.0 3260
/iscsi/.../tpg1/portals> create 192.168.1.20
Save the configuration and exit the shell:
exit
Restart the target daemon to apply changes.
Initiator (Linux) Configuration
Install initiator utilities (usually pre‑installed on RHEL/CentOS):
yum install -y iscsi-initiator-utils iscsi-initiator-utils-iscsiuio
Set the initiator name to match the server ACL:
echo "InitiatorName=iqn.2003-01.org.linux-iscsi.localhost.x8664:sn.8c7dcc63aea8:client" > /etc/iscsi/initiatorname.iscsi
Restart and enable the iSCSI daemon: systemctl restart iscsid && systemctl enable iscsid.
Discover targets on the server: iscsiadm -m discovery -t st -p 192.168.1.20
Log in to the discovered target:
iscsiadm -m node -T iqn.2003-01.org.linux-iscsi.localhost.x8664:sn.8c7dcc63aea8 -p 192.168.1.20 --login
After login a new block device appears (e.g., /dev/sdb). Format and mount it:
mkfs.xfs /dev/sdb
mkdir /network-disk
mount /dev/sdb /network-disk
Add an entry to /etc/fstab for automatic mounting (include _netdev):
UUID=ff233cc4-2255-4973-a686-9d394384faf6 /network-disk xfs defaults,_netdev 0 0
Initiator (Windows) Configuration
Open Control Panel → Administrative Tools → iSCSI Initiator.
In the Targets tab, enter the server IP and click “Quick Connect”.
On the Configuration tab, edit the target name to append :client (matching the server ACL).
Click “Connect” on the Targets tab.
Open Disk Management, initialize the new disk, create a partition, format it, and assign a drive letter.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)