
Master FTP with vsftpd: Install, Configure, and Secure Linux Transfers

This guide provides a comprehensive overview of the FTP protocol and its lightweight counterpart TFTP, then walks through installing, configuring, and securing the vsftpd service on Linux, covering active and passive modes, authentication options—including anonymous, local, and virtual users via text files or MySQL—and essential SELinux and firewall adjustments.

Open Source Linux

Table of Contents

1 FTP Protocol

2 vsftpd Service Program

3 vsftpd Authentication Modes

1 FTP Protocol

FTP is a TCP‑based client/server file‑transfer protocol that uses ports 20 (data) and 21 (command). TFTP is a UDP‑based simplified version that uses port 69, lacks directory traversal, and is less secure but more efficient.

1.1 FTP Overview

File transfer is essential for obtaining data across diverse operating systems such as Windows, Linux, UNIX, and macOS. FTP operates in a client/server model, defaulting to ports 20 and 21.

FTP uses a command connection for control messages and a data connection for transferring files, which can be text or binary.

1.2 FTP Working Modes

Two modes exist: active mode, where the server initiates the data connection to the client, and passive mode, where the client initiates the data connection. Active mode may be blocked by client firewalls; passive mode requires opening additional ports on the server.

1.3 FTP Server Programs

Common FTP daemons include wu‑ftpd, proftpd, pureftp, vsftpd (very secure FTP daemon), and Serv‑U for Windows.

Server Programs

wu‑ftpd – powerful, widely used daemon.

proftpd – open‑source, supports GUI front‑ends.

pureftp – free, security‑focused.

vsftpd – highly secure, default on many Linux distributions.

Serv‑U – Windows‑oriented FTP server.

Client Programs

Command‑line: ftp, lftp, wget, curl (ftps/sftp for encrypted transfers).

Graphical: FileZilla, gFTP, gProFTPd, FlashFXP, CuteFTP.

FTP Response Codes

1xx – informational.

2xx – success.

3xx – further information required.

4xx – client error.

5xx – server error.

2 vsftpd Service Program

vsftpd (Very Secure FTP Daemon) is an open‑source, free FTP server for Linux with strong security, high performance, and support for virtual users.

2.1 Installing the Service

# yum install vsftpd
# yum install ftp

2.2 Disabling the Local Firewall (for testing)

# iptables -F

2.3 Configuring vsftpd

# cat /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

2.4 Configuration Files

Main configuration: /etc/vsftpd/vsftpd.conf

Additional config files: /etc/vsftpd/*.conf

Init script: /etc/rc.d/init.d/vsftpd

PAM file: /etc/pam.d/vsftpd

Anonymous shared directory: /var/ftp

User home directory: user's own home.

Virtual user directory: mapped system user home.

2.5 Common Configuration Parameters

Examples of anonymous user settings and system user settings are shown in the following diagrams.

3 vsftpd Authentication Modes

vsftpd supports three authentication modes: anonymous, local system users, and virtual users (via text file or MySQL).

3.1 Anonymous Access Mode

# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=YES
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

Restart and enable the service:

# systemctl restart vsftpd
# systemctl enable vsftpd

Anonymous users log in as “anonymous” with an empty password and are chrooted to /var/ftp. SELinux may require setsebool -P ftpd_full_access=on to allow directory creation.
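
The listing above turns on all three anonymous write options. As an added example (not from the original article), the shell helper below reads a vsftpd.conf and reports those settings; the function names are hypothetical, the sample input is constructed from the listing, and the fallback defaults are vsftpd's built-in values.

```shell
#!/bin/sh
# Added example: report what an anonymous client may do under a vsftpd.conf.
# conf_on, audit_anon_conf and sample_anon_conf are hypothetical helper names.

# Succeed if KEY is enabled in FILE. Comment lines are skipped, the last
# assignment wins, and DEFAULT (vsftpd's built-in value) applies if KEY is absent.
conf_on() {
    val=$(awk -F= -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ { next }
        $1 == key { v = $2 }
        END { print (v == "" ? def : v) }' "$1" | tr 'a-z' 'A-Z')
    case "$val" in YES|TRUE|1) return 0 ;; esac
    return 1
}

# Print one line per finding; print nothing when anonymous login is off.
audit_anon_conf() {
    conf_on "$1" anonymous_enable YES || return 0
    echo "INFO anonymous_enable: logins without credentials are accepted"
    # The anon_* write options only take effect when write_enable is on.
    conf_on "$1" write_enable NO || return 0
    for opt in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        if conf_on "$1" "$opt" NO; then
            echo "RISK $opt: anonymous write operation enabled"
        fi
    done
}

# Constructed sample: the anonymous-related lines of the 3.1 listing.
sample_anon_conf() {
    cat <<'EOF'
anonymous_enable=YES
anon_umask=022
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
write_enable=YES
EOF
}

tmp=$(mktemp) && sample_anon_conf > "$tmp"
audit_anon_conf "$tmp"      # one INFO line and three RISK lines
rm -f "$tmp"
```

Run it against /etc/vsftpd/vsftpd.conf before restarting the service; an empty result means anonymous login is disabled.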

3.2 Local User Mode

# vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
connect_from_port_20=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES

Restart and enable the service as above. Root login is disabled by default via /etc/vsftpd/ftpusers and /etc/vsftpd/user_list.

3.3 Virtual User Mode (Text File)

# Create a plain‑text user list, vuser.list, in /etc/vsftpd (odd lines are user names, even lines are passwords)
zhangsan
redhat
lisi
redhat
# Convert to Berkeley DB
db_load -T -t hash -f vuser.list vuser.db
chmod 600 vuser.db
rm -f vuser.list
# Add a system user to own the FTP root
useradd -d /var/ftproot -s /sbin/nologin virtual
chmod 755 /var/ftproot
# Create PAM file /etc/pam.d/vsftpd.vu
auth required pam_userdb.so db=/etc/vsftpd/vuser
account required pam_userdb.so db=/etc/vsftpd/vuser
# Update /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
pam_service_name=vsftpd.vu
user_config_dir=/etc/vsftpd/vusers_dir
local_enable=YES
guest_enable=YES
guest_username=virtual
allow_writeable_chroot=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
listen=NO
listen_ipv6=YES
userlist_enable=YES
tcp_wrappers=YES

Per‑user permission files can be placed in /etc/vsftpd/vusers_dir (e.g., a file named zhangsan containing anon_upload_enable=YES).

3.4 Virtual User Mode (MySQL)

# Install required packages
yum -y install vsftpd mysql-server mysql-devel pam_mysql
# Create database and table
mysql> CREATE DATABASE vsftpd;
mysql> GRANT SELECT ON vsftpd.* TO vsftpd@localhost IDENTIFIED BY 'www.escapelife.com';
mysql> CREATE TABLE users (
  id INT UNSIGNED AUTO_INCREMENT NOT NULL,
  name VARCHAR(50) BINARY NOT NULL,
  password CHAR(48) BINARY NOT NULL,
  PRIMARY KEY(id)
);
# Insert users (password stored with PASSWORD())
mysql> INSERT INTO users(name,password) VALUES('tom', PASSWORD('escapelife'));
mysql> INSERT INTO users(name,password) VALUES('bob', PASSWORD('escapelife'));
# Create PAM file /etc/pam.d/vsftpd.mysql
auth required /lib64/security/pam_mysql.so user=vsftpd passwd=www.escapelife.com host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib64/security/pam_mysql.so user=vsftpd passwd=www.escapelife.com host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
# Adjust vsftpd.conf for MySQL authentication
guest_enable=YES
guest_username=vuser
pam_service_name=vsftpd.mysql
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
chroot_local_user=YES

Virtual users are mapped to the system account vuser and can have individual configuration files via user_config_dir.

4 Additional Considerations

SELinux policies must allow FTP access (e.g., setsebool -P ftpd_full_access=on).

Firewall rules should permit ports 20, 21, and the passive range if using passive mode.

Use systemctl enable vsftpd to start the service on boot.
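
To tie the passive-mode firewall item above to the working modes in section 1.2, this added example (not from the original article) decodes the data port from a 227 reply and checks it against the passive range in vsftpd.conf. It assumes the range is pinned with vsftpd's pasv_min_port and pasv_max_port options, which the listings on this page do not set; the function names, replies and port values are constructed.

```shell
#!/bin/sh
# Added example: compare the port in a PASV reply with vsftpd's passive range.
# pasv_port, conf_num and check_pasv are hypothetical helper names.

# "227 ... (h1,h2,h3,h4,p1,p2)" -> data port p1*256+p2 (RFC 959 encoding).
pasv_port() {
    printf '%s\n' "$1" |
        awk -F'[(),]' '/^227 / && NF >= 7 { print $6 * 256 + $7 }'
}

# Numeric value of KEY in vsftpd.conf FILE (last assignment wins); 0 if unset.
conf_num() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v + 0 }' "$1"
}

# Exit status: 0 port inside pasv_min_port..pasv_max_port, 1 outside,
# 2 range not pinned (vsftpd default 0 = any port), 3 not a 227 reply.
check_pasv() {
    port=$(pasv_port "$1")
    [ -n "$port" ] || return 3
    min=$(conf_num "$2" pasv_min_port)
    max=$(conf_num "$2" pasv_max_port)
    if [ "$min" -eq 0 ] || [ "$max" -eq 0 ]; then
        return 2
    fi
    [ "$port" -ge "$min" ] && [ "$port" -le "$max" ]
}

# Constructed sample: a pinned range and two replies (192.0.2.10 is a
# documentation address).
conf=$(mktemp)
printf 'pasv_min_port=50000\npasv_max_port=50100\n' > "$conf"
for reply in '227 Entering Passive Mode (192,0,2,10,195,80).' \
             '227 Entering Passive Mode (192,0,2,10,234,96).'; do
    rc=0
    check_pasv "$reply" "$conf" || rc=$?
    echo "port $(pasv_port "$reply") -> status $rc"
done
rm -f "$conf"
```

Status 2 is the case to fix first: with no pinned range the server may advertise any port, so the firewall cannot be limited to a known passive range.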
