Master FTP with vsftpd: Full Setup, Config, and User Management
This guide explains FTP fundamentals, the dual‑channel active/passive modes, how to install vsftpd on Linux, configure its main and per‑user settings—including ports, time, chroot, logging, and user isolation—and provides command‑line and graphical client tools for secure file transfers.
FTP Basics
FTP (File Transfer Protocol) is an application‑layer protocol that uses a client‑server model to transfer files between two computers over TCP. It operates with two separate channels: a command channel (fixed to port 21) for control messages and a data channel (port varies) for the actual file transfer.
Two working modes exist:
Active mode: the server opens a data connection from its port 20 to a random client port.
Passive mode: the client opens a data connection to a random server port; this mode is preferred behind firewalls.
Installing vsftpd
On most Linux distributions, vsftpd can be installed via the package manager, for example on Debian or Ubuntu:
sudo apt install vsftpd -y
vsftpd is known for high speed, stability, and the ability to handle thousands of concurrent connections.
Configuration File Locations
The primary configuration file is typically /etc/vsftpd.conf or /etc/vsftpd/vsftpd.conf. Sub‑configuration files for individual users can be placed in a directory defined by user_config_dir (e.g., /etc/vsftpd.d).
Key Configuration Options
Port Settings
listen_port – changes the command‑channel listening port (default 21).
connect_from_port_20 – set to NO to disable the default active‑mode data port 20.
ftp_data_port – specifies a custom data‑port for active mode.
pasv_min_port / pasv_max_port – define the passive‑mode port range.
Time Settings
Set use_localtime=YES to log timestamps in the server’s local time zone instead of GMT.
Chroot and Write Permissions
chroot_local_user=YES – locks users to their home directory.
allow_writeable_chroot=YES – permits write access inside a chrooted directory (effective for non‑anonymous users).
Logging
xferlog_file – custom log file path (default /var/log/vsftpd.log).
xferlog_enable=YES – enables transfer logging.
xferlog_std_format=NO – uses a detailed log format.
log_ftp_protocol=YES – records the full FTP session dialogue.
Connection Settings
pasv_promiscuous – controls whether the data channel must originate from the same IP as the command channel (default NO, meaning the check is enforced). Setting it to YES disables that check, which helps when the client sits behind a load balancer.
pasv_address – specifies the external IP address for passive mode when the server is behind NAT.
User Types and Their Configurations
Anonymous Users
Enable with anonymous_enable=YES and no_anon_password=YES. Common permission options include:
write_enable=YES
anon_upload_enable=YES
anon_umask=022
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
anon_world_readable_only=YES
The data root is set with anon_root=/path/to/dir. Because anonymous users cannot write to their chrooted home, create a sub‑directory with write permissions if needed.
Local System Users
Enable with local_enable=YES. Permissions are typically granted via write_enable=YES. The home directory can be changed with local_root=/desired/path, and chrooting is controlled with chroot_local_user and allow_writeable_chroot.
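The options covered so far can be checked mechanically. The script below is an added example, not part of the original article or of vsftpd: it reads a vsftpd.conf and reports the risky combinations discussed above (anonymous write access, pasv_promiscuous=YES, no fixed passive port range, unconfined local users, incomplete logging). The function names and the sample config are constructed, and it assumes KEY=VALUE lines where the last assignment of a key wins.

```sh
#!/bin/sh
# Added example, not from the original article.
# conf_get FILE KEY DEFAULT -> effective value. Assumes KEY=VALUE lines,
# "#" comments, and that the last assignment of a key wins.
conf_get() {
    awk -F= -v k="$2" -v d="$3" '/^#/ {next} $1 == k {v = $2; f = 1}
        END {print (f ? v : d)}' "$1"
}
is_yes() { [ "$(conf_get "$1" "$2" "$3")" = YES ]; }

# audit_vsftpd_conf FILE -> one finding per line, nothing if clean. The
# DEFAULT arguments are the built-in defaults listed in vsftpd.conf(5).
audit_vsftpd_conf() {
    c=$1
    if is_yes "$c" anonymous_enable YES && is_yes "$c" write_enable NO; then
        for o in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if is_yes "$c" "$o" NO; then echo "anonymous-write: $o=YES"; fi
        done
    fi
    if is_yes "$c" pasv_promiscuous NO; then
        echo "pasv_promiscuous=YES: data-connection source IP check is off"
    fi
    if [ "$(conf_get "$c" pasv_max_port 0)" = 0 ]; then
        echo "pasv-range: pasv_max_port unset, no fixed range to allow in the firewall"
    fi
    if is_yes "$c" local_enable NO && ! is_yes "$c" chroot_local_user NO; then
        echo "chroot: local_enable=YES without chroot_local_user=YES"
    fi
    if ! is_yes "$c" xferlog_enable NO || ! is_yes "$c" log_ftp_protocol NO; then
        echo "logging: xferlog_enable and log_ftp_protocol are not both YES"
    fi
    return 0
}

# Constructed sample config (deliberately weak) for the demo below.
sample_conf() {
    cat > "$1" <<'EOF'
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
local_enable=YES
chroot_local_user=YES
pasv_promiscuous=YES
xferlog_enable=YES
EOF
}

tmp=$(mktemp) && sample_conf "$tmp" && audit_vsftpd_conf "$tmp"; rm -f "$tmp"
```

Point audit_vsftpd_conf at /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf) after each change; an empty result means none of these five conditions is present.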
Virtual Users
Virtual users are mapped to a real system account using:
guest_enable=YES
guest_username=ftpuser
user_config_dir=/etc/vsftpd.d (optional, for per‑user files)
Authentication is performed via PAM with a Berkeley DB file. Example steps:
# Create a text file with username/password pairs (odd lines = usernames, even lines = passwords)
sudo vim ~/vusers
# Generate the DB file
sudo db_load -T -t hash -f ~/vusers /etc/vsftpd/vusers.db
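# Add PAM rules: put the following two lines in /etc/pam.d/vsftpd
# (pam_userdb appends the .db suffix to the db= path itself)
sudo vim /etc/pam.d/vsftpd
auth required pam_userdb.so db=/etc/vsftpd/vusers
account required pam_userdb.so db=/etc/vsftpd/vusers
Virtual‑user permissions can follow one of three patterns: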
Same as system users – set virtual_use_local_privs=YES and configure write_enable, local_umask, etc.
Same as anonymous users – leave virtual_use_local_privs at its default NO and use the anonymous‑user options.
Per‑user custom permissions – place individual config files in user_config_dir named after each virtual user.
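The username/password file from the steps above is easy to get wrong, because the odd/even pairing has no delimiter and the file holds plaintext passwords. The check below is an added example, not part of the original article: it validates the pairing and the file permissions before db_load is run. The function names and sample credentials are constructed.

```sh
#!/bin/sh
# Added example, not from the original article: sanity-check the plaintext
# username/password file before it is passed to db_load.

# check_vusers FILE -> one problem per line, nothing if the file is clean.
check_vusers() {
    f=$1
    # The file holds plaintext passwords, so all group/other permission
    # bits (characters 5-10 of the ls mode string) must be clear.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "permissions: group/other access is set ($perms)"
    fi
    awk '
        # A blank line shifts every later pair by one, so a password would
        # be loaded as a username. Report it rather than skipping it.
        $0 == "" { printf "line %d: blank line\n", NR }
        NR % 2 == 1 {                      # odd lines are usernames
            if ($0 ~ /[[:space:]]/) printf "line %d: whitespace in username\n", NR
            if (seen[$0]++) printf "line %d: duplicate username\n", NR
        }
        END { if (NR % 2) printf "line %d: username without a password\n", NR }
    ' "$f"
}

# Constructed sample input: a stray blank line after the first pair.
make_sample() {
    ( umask 077; printf 'alice\nexample-pw-1\n\nbob\nexample-pw-2\n' > "$1" )
}

tmp=$(mktemp) && make_sample "$tmp" && check_vusers "$tmp"; rm -f "$tmp"
```

pam_userdb reads only the generated .db file, so the plaintext file can be deleted once db_load has succeeded.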
Typical Configuration Workflows
Anonymous User Setup
Install vsftpd.
Create a data directory (e.g., /ftp_data/anon_data) and set appropriate ownership and permissions.
Edit /etc/vsftpd.conf to enable anonymous login and set the desired permission flags.
Restart the service: sudo systemctl restart vsftpd.service.
Local System User Setup
Create a system user with a restricted shell (e.g., rbash) and a dedicated home directory.
Adjust /etc/vsftpd.conf to enable local_enable, set local_root, and configure logging.
Optionally create a whitelist file (userlist_file) and enable userlist_enable.
Restart the service.
Virtual User Setup
Create the Berkeley DB file as described above.
Configure PAM rules for vsftpd.
Enable guest_enable and set guest_username in the main config.
Choose a permission model (system‑like, anonymous‑like, or per‑user) and adjust the relevant options.
Restart the service.
FTP Client Tools
Linux Command‑Line
The built‑in ftp client supports basic operations (e.g., get, put, ls, cd). Use help for a full command list.
# Connect to a server (default port 21)
ftp server_host [port]
For scripted downloads, wget can retrieve files via FTP URLs.
wget ftp://user:[email protected]/file.zip
Graphical Clients (Windows)
FileZilla – free, supports FTP/FTPS/SFTP.
WinSCP – free, supports SFTP, SCP, and FTP.
These tools provide a user‑friendly interface for uploading, downloading, and managing remote directories.
Service Management
After any configuration change, reload or restart the vsftpd service to apply the new settings:
sudo systemctl restart vsftpd.service
Use systemctl cat vsftpd.service to inspect the generated systemd unit file if troubleshooting is required.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
