Master FTP Server Setup with vsftpd: From Basics to Advanced Configurations

FTP Overview

FTP (File Transfer Protocol) is an application‑layer client‑server protocol that transfers files over TCP. It uses two separate channels: a command channel (default port 21) for control messages and a data channel (dynamic ports) for the actual file transfer.

Active and Passive Modes

In active mode the server opens a data connection from its port 20 to a random client port, which can be blocked by client‑side firewalls. In passive mode the client initiates the data connection to a random server port, making it compatible with most firewalls; modern clients default to passive mode.

Installing vsftpd

sudo apt install vsftpd -y

vsftpd Main Configuration

Configuration File

The primary configuration file is /etc/vsftpd.conf or /etc/vsftpd/vsftpd.conf. Edit this file to enable the desired features.

Port Settings

listen_port

– command channel port (default 21). connect_from_port_20=NO and ftp_data_port – change the active‑mode data port (default 20). pasv_min_port and pasv_max_port – define the passive‑mode port range.

Time Configuration

Use local time in logs with use_localtime=YES.

User Confinement (Chroot)

Enable chroot_local_user=YES to jail users to their home directory. Allow write access inside the chroot with allow_writeable_chroot=YES (effective for non‑anonymous users).

Data Directories

Set the default directory for local users with local_root and for anonymous users with anon_root.

local_root=/data
anon_root=/data

Logging

xferlog_file

– custom log file path (default /var/log/vsftpd.log). xferlog_enable=YES – enable transfer logging. xferlog_std_format=NO – use detailed log format. log_ftp_protocol=YES – log full FTP session dialogue.

Connection Settings

pasv_promiscuous=NO

(default) requires the data and command channels to originate from the same IP; set to YES for load‑balanced environments. pasv_address can specify the external IP when the server is behind NAT.

Access Control Lists

userlist_enable=YES

– enable user list. userlist_deny=NO – only users listed in userlist_file are allowed. userlist_file – path to the file containing allowed usernames.

Anonymous User Configuration

anonymous_enable=YES
no_anon_password=YES
write_enable=YES
anon_upload_enable=YES
anon_umask=022
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_world_readable_only=YES

Local System User Configuration

local_enable=YES
write_enable=YES
local_root=/data
chroot_local_user=YES
allow_writeable_chroot=YES

Virtual User Configuration

Virtual users are stored in a Berkeley DB file. Create a plain‑text file with alternating username and password lines, then build the DB:

# Create user list file
sudo vim ~/vusers
# Example content
bob
secret123
alice
passwd456

# Build DB
sudo db_load -T -t hash -f ~/vusers /etc/vsftpd/vusers.db

Configure PAM to authenticate against this DB:

# /etc/pam.d/vsftpd
auth required pam_userdb.so db=/etc/vsftpd/vusers
account required pam_userdb.so db=/etc/vsftpd/vusers

Enable virtual‑user mapping in vsftpd.conf:

local_enable=YES
guest_enable=YES
guest_username=ftpuser
pam_service_name=vsftpd

Permission Strategies

Give virtual users the same rights as system users with virtual_use_local_privs=YES.

Give them the same rights as anonymous users (default, virtual_use_local_privs=NO).

Assign per‑user permissions via a user_config_dir directory containing files named after each virtual user.

FTP Client Tools

Linux Command‑Line Clients

Connect with the built‑in ftp command (default port 21): ftp server_host [port] Common FTP commands include ls, get, put, mkdir, delete, passive, and quit. Use !command to run a local shell command.

For scripted downloads, wget also supports FTP URLs:

wget ftp://user:[email protected]/file.zip

Windows Graphical Clients

Popular GUI clients include FileZilla (supports FTP, FTPS, SFTP) – URL: https://filezilla-project.org/ and WinSCP (supports SFTP, SCP, FTP) – URL: https://winscp.net/.