Master vsftpd Configuration: 21 Essential Settings for Secure FTP
This guide walks through 21 key vsftpd configuration options, covering command port changes, active/passive mode ports, anonymous access, user mapping, chroot restrictions, logging, PAM authentication, connection limits, transfer rates, timeouts, and ASCII mode, to help you securely set up and fine-tune an FTP server on Linux.
1. Change command port
Set listen_port=2121 (default is 21) and connect with lftp 10.4.7.1 -p 2121 or ftp 10.4.7.1 2121.
2. Active mode port
Have the server open active-mode data connections from port 20 with connect_from_port_20=YES and ftp_data_port=20 (the default).
3. Passive mode port range
Define the passive port range with pasv_min_port=6000 and pasv_max_port=6010; this range must also be reachable through any firewall in front of the server. Linux clients use passive mode by default, while Windows clients use active mode.
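As an added example (not part of the original article), a small POSIX sh helper that reads the port settings from items 1 to 3 out of a vsftpd.conf and checks that the passive range is usable. It assumes the file uses plain key=value lines, that an unset key falls back to vsftpd's documented defaults (21 and 20), and that the path /etc/vsftpd/vsftpd.conf is where the file lives; the sample values are the article's.

```shell
#!/bin/sh
# Added example (not from the article): read vsftpd's port settings and check them.

# conf_get FILE KEY -> value of KEY, empty if unset. Comment lines never match
# "^KEY=", so they are ignored; if a key appears twice the last occurrence is used.
conf_get() {
  sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# vsftpd_ports FILE -> prints "command:C data:D passive:MIN-MAX" and returns 1 when
# the passive range is unusable (min > max, or a bound above 65535).
# The fallbacks 21, 20, 0, 0 are vsftpd's documented defaults; 0-0 means the
# kernel picks the passive port.
vsftpd_ports() {
  f=$1
  cmd=$(conf_get "$f" listen_port);    cmd=${cmd:-21}
  data=$(conf_get "$f" ftp_data_port); data=${data:-20}
  pmin=$(conf_get "$f" pasv_min_port); pmin=${pmin:-0}
  pmax=$(conf_get "$f" pasv_max_port); pmax=${pmax:-0}
  echo "command:$cmd data:$data passive:$pmin-$pmax"
  [ "$pmin" -le "$pmax" ] || return 1
  [ "$pmax" -le 65535 ] || return 1
  return 0
}

# Stand-alone use (path assumed): sh ports.sh /etc/vsftpd/vsftpd.conf
if [ "$#" -gt 0 ]; then
  vsftpd_ports "$1"
fi
```

The line it prints is the complete set of ports a client needs: the command port, port 20 for active mode, and the passive range that has to be open on any firewall between client and server.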
4. Use local time
Enable local time in logs with use_localtime=YES (default is NO, which uses GMT).
5. Anonymous login
Allow anonymous users with anonymous_enable=YES; no_anon_password=YES skips the password prompt for them.
6. Anonymous upload
Permit anonymous uploads and directory creation with anon_upload_enable=YES and anon_mkdir_write_enable=YES. On the filesystem, grant write permission only to sub-directories, never to the FTP root itself.
7. Default owner and permissions for anonymous uploads
Set chown_uploads=YES, name the owner with chown_username=lzj, and set the mode of uploaded files with chown_upload_mode=0644.
8. Linux system users
Enable local Linux users to log in and upload files with local_enable=YES and write_enable=YES, and set the permission mask for their new files with local_umask=022 (no group or world write).
9. Map system users to a guest account
Activate guest mapping with guest_enable=YES, set the guest username via guest_username=ftp, and define the guest’s home directory with local_root=/ftproot.
10. Chroot all local users
Restrict all local users to their home directories with chroot_local_user=YES. Recent vsftpd versions refuse the login when the chroot directory itself is writable by the user (the client sees "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"); keep the home directory read-only and give the user a writable sub-directory rather than falling back to allow_writeable_chroot=YES.
11. Chroot whitelist/blacklist
Enable chroot_list_enable=YES and specify the list file with chroot_list_file=/etc/vsftpd/chroot_list. When chroot_local_user=YES, users in the list are exempt (whitelist); when chroot_local_user=NO, users in the list are restricted (blacklist).
12. Logging
Enable wu-ftpd style transfer logging with xferlog_enable=YES, xferlog_std_format=YES, and xferlog_file=/var/log/xferlog. To keep vsftpd's own log format as well, set dual_log_enable=YES and vsftpd_log_file=/var/log/vsftpd.log.
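Once xferlog_std_format=YES is in place, the log is a fixed-column format that awk handles well. The following is an added example, not from the article, that pulls anonymous uploads and per-host upload volume out of such a log; the four log lines embedded in it are constructed samples, and the column meanings are those of the wu-ftpd xferlog layout. File names containing spaces shift the later columns, which is the one thing to watch.

```shell
#!/bin/sh
# Added example (not from the article): review a wu-ftpd style xferlog.
#
# Field layout, whitespace separated:
#   1-5 timestamp   6 transfer secs   7 remote host   8 bytes   9 file name
#   10 a/b (ascii/binary)   11 special action
#   12 direction: i upload, o download, d delete
#   13 access mode: a anonymous, g guest, r real   14 user name   15 service
#   16 auth method   17 auth user id   18 completion: c complete, i incomplete
# Caveat: a file name containing spaces shifts every later column.

# xferlog_anon_uploads [FILE] -> "host file bytes completion" per anonymous upload
# (reads stdin when no FILE is given)
xferlog_anon_uploads() {
  awk '$12 == "i" && $13 == "a" { print $7, $9, $8, $18 }' "$@"
}

# xferlog_upload_bytes_by_host [FILE] -> "bytes host", largest first, all users
xferlog_upload_bytes_by_host() {
  awk '$12 == "i" { b[$7] += $8 } END { for (h in b) print b[h], h }' "$@" | sort -rn
}

# Constructed sample log: two anonymous uploads (one incomplete), one upload by the
# local user lzj, one anonymous download.
SAMPLE_XFERLOG='Tue Mar 12 14:01:13 2024 1 10.4.7.2 4096 /upload/notes.bin b _ i a anonymous ftp 0 * c
Tue Mar 12 14:02:40 2024 3 10.4.7.2 100 /upload/part.bin b _ i a anonymous ftp 0 * i
Tue Mar 12 14:05:02 2024 2 10.4.7.3 2048 /home/lzj/report.txt a _ i r lzj ftp 0 * c
Tue Mar 12 14:07:55 2024 5 10.4.7.2 50000 /pub/readme.txt a _ o a anonymous ftp 0 * c'

if [ "$#" -gt 0 ]; then
  xferlog_anon_uploads "$1"            # a real log, e.g. /var/log/xferlog
else
  printf '%s\n' "$SAMPLE_XFERLOG" | xferlog_anon_uploads
fi
```

Run against /var/log/xferlog the first function is a quick audit of what anonymous clients have been dropping into the upload directory; the second shows which hosts account for most of the inbound volume, which is where max_per_ip and anon_max_rate (items 18 and 19) become relevant.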
13. Login banner
Customize the login message using ftpd_banner="welcome to mage ftp server" or point to a file with banner_file=/etc/vsftpd/ftpbanner.txt.
14. Directory access message
Enable directory messages with dirmessage_enable=YES and specify the file name via message_file=.message.
15. PAM authentication
Set pam_service_name=vsftpd. By default /etc/pam.d/vsftpd calls pam_listfile.so with sense=deny, so the users named in its file are refused; change it to sense=allow to turn that file into a whitelist of the only users who may log in.
16. User list control
Activate the user list with userlist_enable=YES. With the default userlist_deny=YES the file is a blacklist (listed users are refused before the password prompt); set userlist_deny=NO to make it a whitelist. The list file is /etc/vsftpd/user_list.
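Items 11 and 16 both flip the meaning of a list file depending on another setting, which is easy to get backwards. The following added example, not from the article, resolves both questions for one user from a vsftpd.conf: will the user be chrooted, and does the user list let the login proceed. It assumes plain key=value lines, the list file paths the article uses as fallbacks when the keys are unset, and the real option name userlist_file for the user list path.

```shell
#!/bin/sh
# Added example (not from the article): what the chroot list and user list mean for a user.

# conf_get FILE KEY -> value of KEY, empty if unset (last occurrence wins)
conf_get() {
  sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# in_list FILE USER -> 0 if USER is an exact line of FILE; a missing file is an empty list
in_list() {
  [ -f "$1" ] && grep -qxF "$2" "$1"
}

# chrooted CONF USER -> 0 when USER will be locked into the home directory (item 11)
chrooted() {
  conf=$1 user=$2
  all=$(conf_get "$conf" chroot_local_user);      all=${all:-NO}
  use_list=$(conf_get "$conf" chroot_list_enable); use_list=${use_list:-NO}
  list=$(conf_get "$conf" chroot_list_file)
  list=${list:-/etc/vsftpd/chroot_list}   # fallback taken from the article, not vsftpd's compiled default
  listed=1
  if [ "$use_list" = YES ] && in_list "$list" "$user"; then listed=0; fi
  if [ "$all" = YES ]; then
    [ "$listed" -ne 0 ]    # everyone is chrooted except the listed users (whitelist)
  else
    [ "$listed" -eq 0 ]    # only the listed users are chrooted (blacklist)
  fi
}

# login_allowed_by_userlist CONF USER -> 0 when the user list does not reject USER (item 16)
login_allowed_by_userlist() {
  conf=$1 user=$2
  enable=$(conf_get "$conf" userlist_enable); enable=${enable:-NO}
  deny=$(conf_get "$conf" userlist_deny);     deny=${deny:-YES}
  list=$(conf_get "$conf" userlist_file)
  list=${list:-/etc/vsftpd/user_list}
  [ "$enable" = YES ] || return 0
  if in_list "$list" "$user"; then
    [ "$deny" != YES ]     # listed: refused under deny=YES, admitted under deny=NO
  else
    [ "$deny" = YES ]      # not listed: admitted under deny=YES, refused under deny=NO
  fi
}

# Stand-alone use (path assumed): sh lists.sh /etc/vsftpd/vsftpd.conf lzj
if [ "$#" -eq 2 ]; then
  chrooted "$1" "$2" && echo "$2: chrooted" || echo "$2: not chrooted"
  login_allowed_by_userlist "$1" "$2" && echo "$2: passes user list" || echo "$2: rejected by user list"
fi
```

The user list is consulted before the password is checked and before PAM runs, so a name that appears in a deny-mode user_list is refused even if /etc/pam.d/vsftpd would admit it.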
17. Run vsftpd as a specific user
Specify the unprivileged user with nopriv_user=nobody.
18. Connection limits
Control concurrent connections with max_clients=0 (no limit) and connections per source address with max_per_ip=0. Exceeding either limit returns an error message to the client.
19. Transfer rate limits
Set maximum transfer rates (bytes/second) with anon_max_rate=0 for anonymous users and local_max_rate=0 for local users (0 means unlimited).
20. Timeouts (seconds)
Configure the timeouts: connect_timeout=60 (waiting for the client to accept an active-mode data connection), accept_timeout=60 (waiting for a passive-mode data connection), data_connection_timeout=300 (a stalled data transfer), and idle_session_timeout=60 (no command received).
21. Prefer ASCII transfer
ASCII mode can be enabled with ascii_upload_enable=YES and ascii_download_enable=YES, but binary mode is recommended: ASCII mode rewrites line endings and may corrupt binary files.
MaGe Linux Operations