Master FTP Server Setup: vsftpd Configuration, Modes, and User Management

This guide explains the FTP protocol, its dual‑channel architecture, active and passive modes, and provides step‑by‑step instructions for installing vsftpd on Linux, configuring ports, time, chroot, logging, user restrictions, anonymous, local, and virtual user setups, plus common client tools.

Open Source Linux

FTP Introduction

FTP (File Transfer Protocol) is an application‑layer protocol based on a client‑server model used to transfer files between two computers over a network.

It uses TCP and operates with two separate channels: a command channel (fixed to port 21) for control messages and a data channel (dynamic port) for actual file transfer.

Command channel handles instructions between client and server.

Data channel carries uploaded or downloaded files.

The dual‑channel design isolates control traffic from data traffic, improving efficiency and allowing different security measures for each channel.

FTP supports two connection modes:

Active mode – the server opens a data connection from port 20 to a random client port.

Passive mode – the client initiates a data connection to a random server port.

Passive mode is preferred in modern clients because it works better with firewalls.

vsftpd Installation

On Linux, install the vsftpd package (e.g., sudo apt install vsftpd -y). The main configuration file is typically /etc/vsftpd.conf or /etc/vsftpd/vsftpd.conf. Per‑user configuration files can be placed in the directory named by user_config_dir (e.g., /etc/vsftpd.d).

Key Configuration Items

listen_port – changes the command‑channel listening port (default 21).

connect_from_port_20 – enables/disables the use of port 20 for active mode.

ftp_data_port – sets a custom data‑channel port for active mode.

pasv_min_port and pasv_max_port – define the port range for passive mode.

use_localtime – set to YES to use local time in logs.

chroot_local_user – restricts users to their home directory.

allow_writeable_chroot – permits write access inside a chrooted directory (effective for non‑anonymous users).

Logging

xferlog_file – custom log file path (default /var/log/vsftpd.log).

xferlog_enable – enable file‑transfer logging.

xferlog_std_format – set to NO for detailed logs.

log_ftp_protocol – logs full FTP session dialogue.

Connection Settings

pasv_promiscuous – when YES, disables the check that the data connection comes from the same IP as the command connection, so the two channels may originate from different IPs (useful behind load balancers).

pasv_address – specifies the external IP address for passive mode when the server is behind NAT.

Access Control

Blacklists deny listed users; whitelists allow only listed users. Relevant options:

userlist_enable – enable user list checking.

userlist_file – path to the file containing usernames.

userlist_deny – YES denies listed users, NO allows only listed users.

Anonymous User Configuration

Enable anonymous access with anonymous_enable=YES and no_anon_password=YES. Typical permissions:

write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_world_readable_only=YES

Set the anonymous root directory with anon_root and enforce chroot with chroot_local_user=YES. Since anonymous users cannot write to the chrooted home, create a subdirectory with write permission if needed.
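A quick audit for the riskier settings covered so far, as an added example that is not part of the original article. The function names and finding codes are this example's own, and it assumes that when an option is repeated the last assignment takes effect.

```shell
# conf_get FILE KEY: print the last value assigned to KEY ("option=value", no
# spaces, "#" starts a comment). Assumption: the last assignment takes effect.
conf_get() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# is_yes FILE KEY: true when KEY is explicitly enabled (YES, TRUE or 1, any case).
is_yes() {
    case "$(conf_get "$1" "$2" | tr 'a-z' 'A-Z')" in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_vsftpd FILE: print one finding code per line (codes are this example's own).
audit_vsftpd() {
    f=$1
    # Anonymous logins that can also modify the server's file tree.
    if is_yes "$f" anonymous_enable && is_yes "$f" write_enable; then
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if is_yes "$f" "$k"; then echo "ANON_WRITE:$k"; fi
        done
    fi
    # Data connections accepted from an IP other than the command channel's.
    if is_yes "$f" pasv_promiscuous; then echo "PASV_PROMISCUOUS"; fi
    # Writable chroot root for local users.
    if is_yes "$f" chroot_local_user && is_yes "$f" allow_writeable_chroot; then
        echo "WRITABLE_CHROOT"
    fi
    # Without a fixed passive range the firewall cannot be scoped to known ports.
    min=$(conf_get "$f" pasv_min_port); max=$(conf_get "$f" pasv_max_port)
    if [ "${min:-0}" -eq 0 ] || [ "${max:-0}" -eq 0 ]; then echo "PASV_RANGE_UNSET"; fi
    # No transfer log means uploads and downloads leave no audit trail.
    if ! is_yes "$f" xferlog_enable; then echo "NO_XFERLOG"; fi
    return 0
}

# Constructed sample configuration (not from a real server).
sample=$(mktemp)
printf '%s\n' anonymous_enable=YES write_enable=YES anon_upload_enable=YES \
    pasv_promiscuous=YES > "$sample"
audit_vsftpd "$sample"
rm -f "$sample"
```

The audit only looks at options that are set explicitly, so options left at their built-in defaults are not reported.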

Local System User Configuration

Enable system users with local_enable=YES. Permissions are controlled mainly by write_enable. Set the home directory via local_root and enforce chroot as above.

Virtual User Configuration

Virtual users are defined in a Berkeley DB file (e.g., /etc/vsftpd/vusers.db) created from a plain‑text file of username/password pairs using db_load -T -t hash -f ~/vusers /etc/vsftpd/vusers.db. PAM authentication is configured in /etc/pam.d/vsftpd with:

auth    required        pam_userdb.so   db=/etc/vsftpd/vusers
account required        pam_userdb.so   db=/etc/vsftpd/vusers

Map virtual users to a local system account using guest_enable=YES and guest_username=ftpuser. Permissions can be:

Same as system users – set virtual_use_local_privs=YES.

Same as anonymous users – default virtual_use_local_privs=NO.

Per‑user custom permissions – define a user_config_dir and create files named after each virtual user with specific options.
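The plain-text source for the virtual user database holds clear-text passwords and is easy to get wrong, so it is worth checking before it is loaded. The following is an added example, not part of the original article; check_vusers and build_vusers_db are names chosen here, and the sample usernames and passwords are constructed.

```shell
# check_vusers FILE: validate the plain-text input for "db_load -T -t hash".
# Format: a username on each odd line, that user's password on the next line.
# Prints one problem per line; prints nothing when the file is acceptable.
check_vusers() {
    awk '
        NR % 2 == 1 {
            user = $0
            if (user == "")   print "line " NR ": empty username"
            if (user in seen) print "line " NR ": duplicate username " user
            seen[user] = 1
            next
        }
        $0 == "" { print "line " NR ": empty password for " user }
        END { if (NR % 2 == 1) print "line " NR ": username " user " has no password line" }
    ' "$1"
    # The file holds clear-text passwords: group/other permission bits must be off.
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) ;;
        *) echo "mode: file is accessible to group or others" ;;
    esac
}

# build_vusers_db SRC DB: load SRC only if it passes the checks, then restrict DB.
# Uses the db_load invocation from the article; DB is e.g. /etc/vsftpd/vusers.db.
build_vusers_db() {
    problems=$(check_vusers "$1")
    if [ -n "$problems" ]; then echo "$problems" >&2; return 1; fi
    db_load -T -t hash -f "$1" "$2" && chmod 600 "$2"
}

# Constructed sample input: "bob" has no password line.
demo=$(mktemp)
printf '%s\n' alice 'constructed-pw-1' bob > "$demo"
check_vusers "$demo"
rm -f "$demo"
```

Once the database is built, remove the plain-text source or keep it readable by root only.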

Client Tools

Linux Command‑Line

Use the built‑in ftp client (default port 21) or wget for simple downloads. Common FTP commands include ls, cd, get, put, mkdir, delete, binary, ascii, passive, etc.

Windows GUI

Popular graphical clients: FileZilla (supports FTP, FTPS, SFTP) and WinSCP (supports SFTP, SCP, FTP).
