
Mastering vsftpd: Black/White Lists, Internal‑External Access, and Virtual Users

This guide walks through configuring vsftpd on Linux, covering how to set up black and white lists, differentiate internal and external network access, and create virtual users with proper permissions and SELinux contexts, all illustrated with step‑by‑step screenshots.

MaGe Linux Operations

Black List

To prevent specific local users from logging in via FTP, add them to the blacklist file /etc/vsftpd/ftpusers. The article demonstrates adding the user westos to this file, restarting the service (and clearing firewall rules), and verifying that the user cannot log in.

After adding westos to ftpusers, the service is restarted and the login attempt fails, confirming the blacklist entry.

Adding the same user to user_list shows the effect of the userlist_deny setting: when set to NO, the list acts as a whitelist; when YES, it behaves as a blacklist. The default is YES.

White List

To enable a whitelist, edit vsftpd.conf and set userlist_deny=NO. After adjusting the configuration and restarting the service, the previously blocked user can log in successfully.
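
The Black List and White List behaviour described above can be checked before restarting the service. The script below is an added example, not part of the original article: it predicts the list decision for a user from the three files the article edits. It assumes ftpusers is enforced as a deny list (the stock PAM setup), that user_list sits in the same directory as vsftpd.conf, and that user_list is consulted only when userlist_enable=YES, a vsftpd option the article does not mention. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: predict vsftpd's ftpusers/user_list decision for one user.
# "allow" only means the lists do not block the login; the password check
# still applies afterwards.

# conf_get FILE KEY DEFAULT -> last uncommented KEY=value in FILE, else DEFAULT
conf_get() {
    val=$(sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n 1 | tr -d '\r')
    printf '%s\n' "${val:-$3}"
}

# is_yes VALUE -> success for the spellings vsftpd accepts as true
is_yes() {
    case $(printf '%s' "$1" | tr '[:lower:]' '[:upper:]') in
        YES|TRUE|1) return 0 ;;
        *) return 1 ;;
    esac
}

# in_list FILE USER -> success if USER is an exact, uncommented line in FILE
in_list() {
    [ -f "$1" ] && grep -v '^[[:space:]]*#' "$1" | tr -d '\r' | grep -qxF -- "$2"
}

# ftp_login_verdict CONFDIR USER -> prints "allow" or "deny: <reason>"
ftp_login_verdict() {
    dir=$1 user=$2
    conf=$dir/vsftpd.conf
    # ftpusers is always a blacklist, whatever vsftpd.conf says
    if in_list "$dir/ftpusers" "$user"; then
        echo "deny: listed in ftpusers"; return
    fi
    # user_list is ignored unless userlist_enable is on (default NO)
    if ! is_yes "$(conf_get "$conf" userlist_enable NO)"; then
        echo "allow"; return
    fi
    # userlist_deny=YES (default) -> blacklist; NO -> whitelist
    if is_yes "$(conf_get "$conf" userlist_deny YES)"; then
        if in_list "$dir/user_list" "$user"; then
            echo "deny: user_list is a blacklist"
        else
            echo "allow"
        fi
    elif in_list "$dir/user_list" "$user"; then
        echo "allow"
    else
        echo "deny: not on whitelist"
    fi
}
```

Run it as `ftp_login_verdict /etc/vsftpd westos` after sourcing the file; with userlist_deny=NO, any account missing from user_list is reported as denied, which is the lockout to look for before switching to whitelist mode.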

Internal and External Network Access

For scenarios where both internal and external users need FTP access with different permissions, configure separate network interfaces. Add an additional NIC for the external network and create distinct configuration files (vsftpd.conf for internal and vsftpd1.conf for external) to bind each interface appropriately.

To enhance security, restrict users from changing directories and limit them to the FTP root. Adjust the configuration accordingly.

Virtual Users

External users may not have local system accounts, so virtual users are created. In the vsftpd directory, define virtual users (e.g., user1 and user2) with passwords (both set to 123), generate hashed password files, and configure PAM authentication files under /etc/pam.d.

Set up password verification and username verification files, then configure anonymous login if needed.

After configuring virtual users and permissions, verify that the vsftpd service starts correctly.

Create a dedicated directory for virtual users under /etc/vsftpd/config, add files such as user1, and set appropriate SELinux contexts.

Adjust the SELinux security context for the user’s default directory.

Restart the vsftpd service to apply all changes.

Finally, virtual users such as user1 can log in; the server runs the session with the permissions of the underlying system user (e.g., westos) while applying the virtual user’s restrictions, greatly enhancing FTP functionality.
