Master FTP Server Setup with vsftpd: From Basics to Advanced Configurations
This guide explains the FTP protocol, its dual‑channel architecture, active and passive modes, and provides step‑by‑step instructions for installing vsftpd on Linux, configuring ports, user isolation, logging, anonymous, local, and virtual user setups, plus client tool usage.
FTP Overview
FTP (File Transfer Protocol) is an application‑layer protocol based on a client‑server (CS) model that transfers files between two computers over a network. It uses TCP and operates with two separate channels: a command channel (default port 21) for control messages and a data channel for the actual file transfer, which may use varying ports.
Why Dual Channels?
Isolation: Separates control information from data, ensuring efficient command transmission even during large data transfers.
Security: Allows different security measures to be applied to each channel.
Active vs Passive Modes
In active mode the server opens a data connection from its port 20 to a random client port; firewalls on the client side can block this. In passive mode the client initiates the data connection to a random server port, which works better with most firewalls, so modern clients default to passive mode.
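Added example, not part of the original article: in passive mode the server's 227 reply carries the address and port the client must reach, so it is the first thing to check when data connections fail. The function below decodes a reply and compares it with the pasv_min_port, pasv_max_port and pasv_address settings covered under Key Configuration Options; the function name, the 40000-40100 range and the 203.0.113.10 address are assumptions for illustration.

```shell
#!/bin/sh
# check_pasv_reply REPLY MIN MAX EXPECTED_IP
# Decodes "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (RFC 959) and checks
# the advertised endpoint against pasv_min_port/pasv_max_port and pasv_address.
# Returns 0 if consistent, 1 on a mismatch, 2 if the reply cannot be parsed.
check_pasv_reply() {
    printf '%s\n' "$1" | awk -v min="$2" -v max="$3" -v want="$4" '
    {
        lp = index($0, "("); rp = index($0, ")")
        if ($1 != "227" || lp == 0 || rp < lp) { print "ERROR not a 227 reply"; exit 2 }
        if (split(substr($0, lp + 1, rp - lp - 1), f, ",") != 6) {
            print "ERROR expected six comma-separated numbers"; exit 2
        }
        for (i = 1; i <= 6; i++)
            if (f[i] !~ /^[0-9]+$/ || f[i] + 0 > 255) {
                print "ERROR field out of range: " f[i]; exit 2
            }
        ip = (f[1] + 0) "." (f[2] + 0) "." (f[3] + 0) "." (f[4] + 0)
        port = f[5] * 256 + f[6]          # data port = p1 * 256 + p2
        rc = 0
        if (port < min + 0 || port > max + 0) {
            print "FAIL port " port " is outside " min "-" max; rc = 1
        }
        if (ip != want) {
            print "FAIL server advertised " ip ", clients expect " want; rc = 1
        }
        if (rc == 0) print "OK " ip ":" port
        exit rc
    }'
}

# Constructed replies (documentation addresses, not captured traffic).
check_pasv_reply "227 Entering Passive Mode (203,0,113,10,156,64)." 40000 40100 203.0.113.10
# NAT case: a private address is advertised and the port is outside the firewall range.
check_pasv_reply "227 Entering Passive Mode (10,0,0,5,195,80)." 40000 40100 203.0.113.10 || true
```

The second call shows the two symptoms that pasv_address and the passive port range exist to fix.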
Installing vsftpd
sudo apt install vsftpd -y
vsftpd is a fast, stable FTP daemon that can handle thousands of concurrent connections.
vsftpd Configuration File
The main configuration file is typically /etc/vsftpd.conf or /etc/vsftpd/vsftpd.conf. Per-user override files, each named after the user it applies to, can be placed in the directory specified by user_config_dir (e.g., /etc/vsftpd.d).
Key Configuration Options
listen_port : Change the command‑channel listening port (default 21).
connect_from_port_20 / ftp_data_port : Control the port used by the server in active mode.
pasv_min_port / pasv_max_port : Define the port range for passive mode data connections.
use_localtime : Set to YES to use the server’s local time instead of GMT.
chroot_local_user : YES confines a user to their home directory.
allow_writeable_chroot : YES permits write access inside a chrooted directory (effective for non‑anonymous users).
xferlog_enable , xferlog_file , log_ftp_protocol : Enable detailed logging of FTP sessions.
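pasv_promiscuous : YES disables the check that the data connection comes from the same IP address as the command connection (useful behind load balancers). That check is what prevents a third party from connecting to the passive port ahead of the real client, so leave it at NO unless the deployment needs it.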
pasv_address : Specify the external IP address for passive connections when the server is behind NAT.
userlist_enable , userlist_file , userlist_deny : Configure whitelist/blacklist of allowed users.
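Added example, not part of the original article or of vsftpd itself: a small audit that reads a vsftpd.conf and reports the risky combinations of the options listed above, together with the anonymous write switches used in the next section. The function names are hypothetical, the defaults passed in are the compiled-in defaults from vsftpd.conf(5), and "last assignment wins" is an assumption about duplicate keys.

```shell
#!/bin/sh
# conf_get FILE KEY DEFAULT: effective value of KEY, upper-cased.
# Assumptions: the last assignment in the file wins, and DEFAULT is the
# compiled-in default from vsftpd.conf(5).
conf_get() {
    awk -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }
        index($0, k "=") == 1 { d = substr($0, length(k) + 2) }
        END { sub(/[ \t\r]+$/, "", d); print toupper(d) }' "$1"
}
is_yes() { [ "$(conf_get "$1" "$2" "$3")" = YES ]; }
risk() { echo "RISK: $1"; n=$((n + 1)); }

# audit_vsftpd FILE: prints one line per finding, returns 0 only if clean.
audit_vsftpd() {
    f=$1; n=0
    if is_yes "$f" anonymous_enable YES && is_yes "$f" write_enable NO; then
        for o in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if is_yes "$f" "$o" NO; then risk "anonymous users get $o"; fi
        done
    fi
    if is_yes "$f" pasv_promiscuous NO; then
        risk "pasv_promiscuous turns off the PASV source-address check"
    fi
    if [ "$(conf_get "$f" pasv_min_port 0)" = 0 ] ||
       [ "$(conf_get "$f" pasv_max_port 0)" = 0 ]; then
        risk "pasv_min_port/pasv_max_port unset, firewall cannot be scoped"
    fi
    if is_yes "$f" chroot_local_user NO && is_yes "$f" allow_writeable_chroot NO; then
        risk "allow_writeable_chroot lets jailed users write to the chroot root"
    fi
    if ! is_yes "$f" xferlog_enable NO; then
        risk "xferlog_enable is off, uploads and downloads are not logged"
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample using the anonymous settings shown on this page.
sample=$(mktemp)
printf '%s\n' anonymous_enable=YES write_enable=YES anon_upload_enable=YES \
    anon_mkdir_write_enable=YES anon_other_write_enable=YES \
    chroot_local_user=YES allow_writeable_chroot=YES pasv_promiscuous=YES \
    xferlog_enable=YES > "$sample"
audit_vsftpd "$sample" || true
rm -f "$sample"
```

Because the function returns non-zero when anything is flagged, it can gate a configuration change before vsftpd is restarted.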
Anonymous User Configuration
Enable anonymous access:
anonymous_enable=YES
no_anon_password=YES
write_enable=YES
anon_upload_enable=YES
anon_umask=022
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_world_readable_only=YES
anon_root=/ftp_data
chroot_local_user=YES
allow_writeable_chroot=YES
pasv_promiscuous=YES
pasv_address=47.104.130.81
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
Because anonymous users cannot write to their home directory, create a subdirectory (e.g., /ftp_data/anon_data) with appropriate permissions for uploads.
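Added example, not part of the original article: with anonymous uploads and logging enabled as above, the log is where abuse shows up first. This function summarises repeated failed logins per client and every anonymous upload; the sample lines are constructed and modelled on vsftpd's native log format (xferlog_std_format=NO), and the function name, the threshold and the assumption that anonymous sessions are logged as user "ftp" are mine.

```shell
#!/bin/sh
# triage_vsftpd_log FILE THRESHOLD
# Prints "BRUTEFORCE <client> <count>" for clients with at least THRESHOLD
# failed logins and "ANON_UPLOAD <client> <path> <bytes>" for each upload
# by the anonymous account (logged as user "ftp", an assumption here).
triage_vsftpd_log() {
    awk -v thr="$2" '
        function client(   c) {
            if (!match($0, /Client "[^"]+"/)) return "?"
            c = substr($0, RSTART + 8, RLENGTH - 9)
            sub(/^::ffff:/, "", c)       # IPv4-mapped form on IPv6 listeners
            return c
        }
        / FAIL LOGIN: Client "/ { fails[client()]++ }
        / \[ftp\] OK UPLOAD: Client "/ {
            split($0, q, "\"")           # q[2] = client, q[4] = path
            split(q[5], b, " ")          # q[5] = ", <n> bytes, <rate>"
            print "ANON_UPLOAD " client() " " q[4] " " b[2]
        }
        END { for (c in fails) if (fails[c] >= thr + 0) print "BRUTEFORCE " c " " fails[c] }
    ' "$1" | sort
}

# Constructed sample log (documentation addresses, not real traffic).
log=$(mktemp)
cat > "$log" <<'EOF'
Mon Mar  3 10:15:01 2025 [pid 2101] CONNECT: Client "198.51.100.7"
Mon Mar  3 10:15:03 2025 [pid 2100] [tom] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  3 10:15:05 2025 [pid 2100] [bob] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  3 10:15:07 2025 [pid 2100] [alice] FAIL LOGIN: Client "198.51.100.7"
Mon Mar  3 10:16:10 2025 [pid 2130] [tom] FAIL LOGIN: Client "::ffff:192.0.2.44"
Mon Mar  3 10:16:40 2025 [pid 2140] [ftp] OK LOGIN: Client "203.0.113.50", anon password "?"
Mon Mar  3 10:16:52 2025 [pid 2142] [ftp] OK UPLOAD: Client "203.0.113.50", "/anon_data/x.bin", 1048576 bytes, 512.00Kbyte/sec
EOF
triage_vsftpd_log "$log" 3
rm -f "$log"
```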
Local System User Configuration
Enable local users to log in and set a custom data directory:
local_enable=YES
write_enable=YES
local_root=/data
chroot_local_user=YES
allow_writeable_chroot=YES
xferlog_enable=YES
log_ftp_protocol=YES
pasv_promiscuous=YES
pasv_address=47.104.130.81
Create the system user with a restricted shell for security:
useradd -m -s /usr/bin/rbash -d /data/ ftpadmin
passwd ftpadmin
Virtual User Configuration
Virtual users are defined in a Berkeley DB file. Create a plain‑text file with alternating username and password lines, then generate the DB:
# Create user list file
sudo vim ~/vusers
# Example content
tom
Abc123
bob
123456
alice
redhat
# Generate DB file
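sudo db_load -T -t hash -f ~/vusers /etc/vsftpd/vusers.db
The list file and the generated DB both hold the passwords in plaintext, so keep them readable by root only and delete the list file once the DB is built.
Configure PAM to use this DB: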
sudo vim /etc/pam.d/vsftpd
auth required pam_userdb.so db=/etc/vsftpd/vusers
account required pam_userdb.so db=/etc/vsftpd/vusers
Enable virtual‑user mode in the main config:
local_enable=YES
guest_enable=YES
guest_username=ftpuser
user_config_dir=/etc/vsftpd.d
pam_service_name=vsftpd
Three permission strategies are possible:
Match system‑user privileges: set virtual_use_local_privs=YES and configure write_enable=YES, local_umask=022, etc.
Match anonymous‑user privileges: leave virtual_use_local_privs at its default NO and use the same options as for anonymous users.
Per‑user custom permissions: place individual config files in /etc/vsftpd.d named after each virtual user (e.g., tom) and specify options such as write_enable=YES, local_root=/ftp_data, chroot_local_user=YES, etc.
FTP Client Tools
Linux Command‑Line Clients
The built‑in ftp client (installed with vsftpd) supports basic commands. Example to connect:
ftp server_host [port]
Common commands include ls, cd, get, put, mget, mput, binary, ascii, quit, and passive to switch to passive mode.
For scripted downloads, wget can fetch FTP resources:
wget ftp://user:password@server_host/file.zip
Windows Graphical Clients
Popular GUI clients include FileZilla (supports FTP, FTPS, SFTP) and WinSCP (supports SFTP, SCP, FTP). Both provide intuitive interfaces for managing connections, transfers, and permissions.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
