
Master FTP: Configure, Secure, and Manage Linux File Transfers

This guide explains the FTP protocol, active and passive modes, authentication options, and step‑by‑step Linux vsftpd configuration—including local, anonymous, and virtual user setups, permission tweaks, chroot jail rules, and file download/upload commands.

Liangxu Linux

FTP Protocol Overview

FTP (File Transfer Protocol) is a client-server protocol that supports uploading and downloading files. It uses TCP port 20 for data transfer and TCP port 21 for command exchange.

Operation Modes

Active mode: the client contacts the server on port 21, then the server opens a data connection from its port 20 to the client.

Passive mode: the client asks the server to open a random high-numbered port, then connects to that port for data transfer.

# Example netstat output showing the FTP service listening on port 21 and an established data connection
tcp6       0      0 :::21                   :::*                    LISTEN      4946/vsftpd
tcp6       0      0 192.168.5.101:21        192.168.5.8:62972       ESTABLISHED 7208/vsftpd   # command port
tcp6       0      0 192.168.5.101:18502    192.168.5.102:52025    TIME_WAIT   -       # data port

FTP supports three authentication modes: anonymous users, local Linux system users, and virtual users defined in vsftpd.

Downloading Files with wget

wget ftp://user1:[email protected]/1.txt

Local User Mode Setup

Install and start the vsftpd service:

systemctl restart vsftpd.service

Create a Linux user:

useradd user1

Set a password for the new user.

From a client, connect with lftp 192.168.5.101 and use commands such as ls, pwd, put /etc/passwd, and get passwd to upload and download files.

Anonymous Login

Enable anonymous access in /etc/vsftpd/vsftpd.conf by setting anonymous_enable=YES. After connecting with ftp 192.168.5.101, the default anonymous directory is /var/ftp/pub.

Allowing Anonymous Upload

Set anon_upload_enable=YES in the configuration file.

Adjust directory permissions, e.g., chmod 777 /var/ftp/pub.

From the client, change to the pub directory and upload with put.

Anonymous Delete Permissions

To permit deletion of files, add the following lines to vsftpd.conf:

anon_mkdir_write_enable=YES
anon_other_write_enable=YES

After reloading vsftpd, the anonymous user can create directories, delete files, and perform other write operations.
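The combined effect of the anonymous options above can be computed from the configuration text, as in this added example (not code from the original page). It assumes the defaults documented in vsftpd.conf(5) and uses write_enable, a real vsftpd option the page does not mention: the anon_* write options have no effect unless it is YES.

```python
# Added example, not from the original page. Both sample configs are constructed.
# Defaults are the ones documented in vsftpd.conf(5).
DEFAULTS = {"anonymous_enable": "YES", "write_enable": "NO",
            "anon_upload_enable": "NO", "anon_mkdir_write_enable": "NO",
            "anon_other_write_enable": "NO"}

def parse_conf(text):
    # vsftpd.conf lines are strictly option=value; '#' starts a comment line.
    rows = (l.split("=", 1) for l in text.splitlines() if "=" in l and l[0] != "#")
    return {k: v.strip() for k, v in rows}

def anon_capabilities(text):
    """Return what an anonymous session may do under this configuration."""
    conf = {**DEFAULTS, **parse_conf(text)}
    on = lambda key: conf[key].upper() in ("YES", "TRUE", "1")
    if not on("anonymous_enable"):
        return set()
    caps = {"login"}
    if on("write_enable"):  # without it, every anon_* write option is inert
        caps |= {name for name, key in (("upload", "anon_upload_enable"),
                                        ("mkdir", "anon_mkdir_write_enable"),
                                        ("delete/rename", "anon_other_write_enable"))
                 if on(key)}
    return caps

def findings(text, upload_dir_mode):
    """Flag risky combinations; upload_dir_mode is the directory's permission bits."""
    caps, out = anon_capabilities(text), []
    if {"upload", "delete/rename"} <= caps:
        out.append("anonymous users can delete or rename each other's uploads")
    if "upload" in caps and upload_dir_mode & 0o002:
        out.append("upload directory is world-writable, not just writable by the ftp user")
    return out

PAGE_CONF = """anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
"""
# Drop-box variant: uploads allowed, no delete/rename, directory not world-writable.
DROPBOX_CONF = "anonymous_enable=YES\nwrite_enable=YES\nanon_upload_enable=YES\n"

if __name__ == "__main__":
    print(sorted(anon_capabilities(PAGE_CONF)), findings(PAGE_CONF, 0o777))
    print(sorted(anon_capabilities(DROPBOX_CONF)), findings(DROPBOX_CONF, 0o730))
```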

Changing Roots for Local and Anonymous Users

Define separate root directories for both user types:

anon_root=/mnt
local_root=/mnt

Set appropriate permissions, for example chmod 777 /mnt/data/, so that users can read and write within the designated area.

Downloading Files Uploaded by Anonymous Users

Configure the umask to allow the anonymous user to retrieve files they have uploaded:

anon_umask=022

Then use lftp to navigate to the upload directory and run get filename.

Restricting Login to a Single User

Enable user‑list checking:

userlist_enable=YES
userlist_deny=NO

List allowed usernames in /etc/vsftpd/user_list, for example adding user1. Only users present in this file will be permitted to log in.

Chroot Configuration (Jailing Users)

Prevent all users from leaving their FTP root by setting:

chroot_local_user=YES

If certain users should be allowed to escape the jail, enable the chroot list:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

List those users (e.g., user1) in chroot_list.
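The user_list and chroot_list files both change meaning depending on a second option, which is easy to get backwards. This added example (not code from the original page) evaluates the two rules for a local user, assuming the defaults documented in vsftpd.conf(5); the list contents are constructed.

```python
# Added example, not from the original page; user names and lists are constructed.
# Defaults are the ones documented in vsftpd.conf(5).
DEFAULTS = {"userlist_enable": "NO", "userlist_deny": "YES",
            "chroot_local_user": "NO", "chroot_list_enable": "NO"}

def decide(conf_text, user, user_list=(), chroot_list=()):
    """Return (login_allowed, jailed) for a local user."""
    conf = dict(DEFAULTS)
    for line in conf_text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conf[key] = value.strip()
    on = lambda key: conf[key].upper() in ("YES", "TRUE", "1")

    allowed = True
    if on("userlist_enable"):
        listed = user in user_list
        # userlist_deny=YES: the file is a deny list. NO: it is an allow list.
        allowed = not listed if on("userlist_deny") else listed

    # chroot_list_file inverts its meaning depending on chroot_local_user:
    #   chroot_local_user=YES -> listed users are NOT jailed
    #   chroot_local_user=NO  -> listed users ARE jailed
    jailed = on("chroot_local_user")
    if on("chroot_list_enable") and user in chroot_list:
        jailed = not jailed
    return allowed, jailed

PAGE_CONF = """userlist_enable=YES
userlist_deny=NO
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
"""

if __name__ == "__main__":
    # With user1 in both files, as the page's examples suggest, the only
    # account that may log in is also the only one outside the jail.
    print(decide(PAGE_CONF, "user1", ["user1"], ["user1"]))
    print(decide(PAGE_CONF, "user2", ["user1"], ["user1"]))
```

Dropping the userlist_deny=NO line while keeping userlist_enable=YES turns the same file into a deny list, so user1 would be the one account refused.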

Virtual Users with vsftpd

Configure virtual users by adding the following to vsftpd.conf:

guest_enable=YES
guest_username=vuser666
allow_writeable_chroot=YES

Create a plain‑text password file, for example /etc/vsftpd/logins.txt, containing username‑password pairs. Build a Berkeley DB file with:

db_load -T -t hash -f /etc/vsftpd/logins.txt /etc/vsftpd/user.db

Adjust PAM configuration (/etc/pam.d/vsftpd) to use the DB:

auth required pam_userdb.so db=/etc/vsftpd/user
account required pam_userdb.so db=/etc/vsftpd/user

After restarting vsftpd, virtual users can log in, change directories, upload, and download files within their designated home directories.
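Before running db_load, the plain-text login file can be checked for the mistakes that silently produce wrong accounts. This added example (not code from the original page) validates the paired-line layout that db_load -T expects and the file's permissions; the sample content and function names are constructed for illustration.

```python
# Added example, not from the original page; SAMPLE is constructed.
import os
import stat

def check_logins(text):
    """Validate the flat file fed to `db_load -T -t hash`.

    In -T mode the input is paired lines: a key line (the username) followed
    by its data line (the password). Returns (usernames, problems).
    """
    lines, users, problems = text.splitlines(), [], []
    if len(lines) % 2:
        problems.append(f"odd line count ({len(lines)}): a username has no "
                        "password line, so pairs may be misaligned")
    for i in range(0, len(lines) - 1, 2):
        for offset, label in ((0, "username"), (1, "password")):
            value = lines[i + offset]
            if not value.strip():
                problems.append(f"line {i + offset + 1}: blank {label}")
            elif value != value.strip():
                problems.append(f"line {i + offset + 1}: {label} has surrounding whitespace")
        if lines[i] in users:
            problems.append(f"line {i + 1}: duplicate username {lines[i]!r}")
        users.append(lines[i])
    return users, problems

def mode_problems(path):
    """The flat file holds plaintext passwords, so only its owner should read it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return [f"{path}: mode {mode:o} lets group/other access it; use 600"]
    return []

# Constructed sample: 'alice' appears twice and the last username has no password.
SAMPLE = ("alice\nconstructed-pass-1\nbob\nconstructed-pass-2\n"
          "alice\nconstructed-pass-3\ncarol\n")

if __name__ == "__main__":
    users, problems = check_logins(SAMPLE)
    print(users)
    for p in problems:
        print("PROBLEM:", p)  # messages never echo password lines
```

The same mode check applies to the generated user.db, since the PAM lines above set no crypt option and the database therefore holds the passwords as written in the text file.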

Source: https://www.cnblogs.com/cloudwangsa/p/18563731