Mastering vsftpd: Essential Configuration Settings for Secure FTP

This guide walks through 21 essential vsftpd configuration options—including command port changes, active/passive mode ports, anonymous login and upload settings, user mapping, chroot restrictions, logging, banner messages, PAM authentication, connection limits, timeouts, transfer rates, and text mode—providing example commands and troubleshooting tips for Linux FTP servers.

Raymond Ops

Table of Contents

1. Change command port

2. Active mode port

3. Passive mode port range

4. Use local time

5. Anonymous user login

6. Anonymous user upload

7. Default owner and permissions for anonymous uploads

8. Linux system users

9. Map system users to a guest user

10. Chroot all users to their home directories

11. Selective chroot (whitelist/blacklist)

12. Logging

13. Login banner

14. Directory access message

15. PAM module for access control

16. Enable user list file for login control

17. Run vsftpd as a specific user

18. Connection limits

19. Transfer rate (bytes/second)

20. Connection timeout settings

21. Prefer ASCII (text) transfer

1. Change command port

# default is 21
listen_port=2121

Clients connect with the new port, e.g. lftp 10.4.7.1 -p 2121 or ftp 10.4.7.1 2121.

2. Active mode port

# active mode uses port 20
connect_from_port_20=YES
# default active data port
ftp_data_port=20

3. Passive mode port range

# 0 means random; the size of the range affects concurrency
pasv_min_port=6000
pasv_max_port=6010

4. Use local time

# use local time instead of GMT (default NO)
use_localtime=YES

5. Anonymous user login

# allow anonymous users (CentOS 8 disables by default)
anonymous_enable=YES
# skip password check for anonymous (default NO)
no_anon_password=YES

6. Anonymous user upload

# enable anonymous upload (filesystem permissions must allow)
anon_upload_enable=YES
# allow anonymous directory creation
anon_mkdir_write_enable=YES

Note: the FTP root directory must not be writable; only sub‑directories should have write permission, otherwise the server returns an error.

$ ftp 10.4.7.1
Connected to 10.4.7.1 (10.4.7.1).
220 (vsFTPd 3.0.3)
Name (10.4.7.1:root): ftp
331 Please specify the password.
Password:
500 OOPS: vsftpd: refusing to run with writable root inside chroot()
Login failed.
421 Service not available, remote server has closed connection
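A pre-flight check for the layout the note above requires, as an added example that is not part of the original article: it reports whether the anonymous root is writable by the FTP account and which first-level sub-directories accept uploads. The directory names and the use of the tree's owner as a stand-in for the FTP account are assumptions; only mode bits are inspected.

```python
import os
import stat
import tempfile

def writable_by(path, uid, gids):
    """True if the mode bits on path grant write access to a non-root account
    identified by uid/gids (ACLs and capabilities are not considered)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def check_anon_tree(root, uid, gids):
    """Return (root_ok, upload_dirs). root_ok is True when the FTP account
    cannot write to root; upload_dirs are the first-level sub-directories
    it can write to."""
    root_ok = not writable_by(root, uid, gids)
    uploads = sorted(
        e.name for e in os.scandir(root)
        if e.is_dir(follow_symlinks=False) and writable_by(e.path, uid, gids)
    )
    return root_ok, uploads

def demo():
    """Constructed tree: check a correct layout, then the writable-root case."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "ftproot")      # hypothetical anonymous root
        upload = os.path.join(root, "upload")    # hypothetical upload directory
        os.makedirs(upload)
        os.chmod(upload, 0o755)
        owner = os.stat(root).st_uid             # stands in for the ftp account
        os.chmod(root, 0o555)                    # read-only root: accepted
        good = check_anon_tree(root, owner, set())
        os.chmod(root, 0o755)                    # writable root: login refused
        bad = check_anon_tree(root, owner, set())
    return good, bad

if __name__ == "__main__":
    print(demo())
```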

7. Default owner and permissions for anonymous uploads

# default NO
chown_uploads=YES
# user must exist beforehand
chown_username=lzj
chown_upload_mode=0644

8. Linux system users

# allow Linux users to log in
local_enable=YES
# allow Linux users to upload files
write_enable=YES
# default permission mask for uploaded files
local_umask=022

9. Map system users to a guest user

# map all system users to the guest user
guest_enable=YES
# effective only when guest_enable is YES
guest_username=ftp
# home directory for the guest user
local_root=/ftproot

10. Chroot all users to their home directories

# enable chroot for all local users (default NO)
chroot_local_user=YES

11. Selective chroot (whitelist/blacklist)

# enable user list (default NO)
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

When chroot_local_user=YES and chroot_list_enable=YES, the users listed in chroot_list_file are not chrooted (whitelist); everyone else is.

When chroot_local_user=NO and chroot_list_enable=YES, only the listed users are chrooted (blacklist).

12. Logging

# wu‑ftp style logging (default enabled)
xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/var/log/xferlog

# vsftpd style logging (default disabled)
dual_log_enable=YES
vsftpd_log_file=/var/log/vsftpd.log

13. Login banner

ftpd_banner="welcome to mage ftp server"
banner_file=/etc/vsftpd/ftpbanner.txt

14. Directory access message

# default YES
dirmessage_enable=YES
# file displayed after a directory change
message_file=.message

15. PAM module for access control

pam_service_name=vsftpd
# PAM config file: /etc/pam.d/vsftpd
# /etc/vsftpd/ftpusers contains a blacklist (can be turned into a whitelist)

16. Enable user list file for login control

# default YES
userlist_enable=YES
# YES = blacklist (no prompt), NO = whitelist
userlist_deny=YES
userlist_file=/etc/vsftpd/users_list

17. Run vsftpd as a specific user

# default
nopriv_user=nobody

18. Connection limits

# maximum concurrent connections (0 = unlimited)
max_clients=0
# maximum connections per IP (0 = unlimited)
max_per_ip=0

When limits are exceeded the server returns an error (screenshot: vsftpd connection limit error).

19. Transfer rate (bytes/second)

# max rate for anonymous users (0 = unlimited)
anon_max_rate=0
# max rate for local users (0 = unlimited)
local_max_rate=0

20. Connection timeout settings

# active mode data connection timeout
connect_timeout=60
# passive mode data connection timeout
accept_timeout=60
# timeout when no data is transferred
data_connection_timeout=300
# timeout for idle sessions
idle_session_timeout=60

21. Prefer ASCII (text) transfer

ascii_upload_enable=YES
ascii_download_enable=YES

Note: Using ASCII mode is not recommended because it can corrupt binary files.
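A small audit of a vsftpd.conf against the options covered above, as an added example that is not part of the original article or of vsftpd itself. It rejects lines that are not a bare option=value (vsftpd.conf allows no spaces around "=" and comments only on their own lines) and flags the risky combinations discussed here; the finding labels and the sample config are constructed, and unset options are treated as NO or 0.

```python
import re

DIRECTIVE = re.compile(r"^([a-z0-9_]+)=(\S.*)$")  # option=value, no spaces around "="

def parse(text):
    """Return (settings, bad_line_numbers). A valid line is blank, a comment
    starting with '#', or option=value with no trailing space or comment."""
    settings, bad = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m is None or line != line.rstrip() or re.search(r"\s#", line):
            bad.append(n)
        else:
            settings[m.group(1)] = m.group(2)
    return settings, bad

def yes(s, key):
    return s.get(key, "NO").upper() == "YES"  # assumption: unset counts as NO

def audit(s):
    """Findings limited to the options this article covers."""
    out = []
    if yes(s, "anonymous_enable"):
        if yes(s, "no_anon_password"):
            out.append("anon-no-password")
        if yes(s, "anon_upload_enable") or yes(s, "anon_mkdir_write_enable"):
            out.append("anon-write")
    if yes(s, "local_enable"):
        jailed, listed = yes(s, "chroot_local_user"), yes(s, "chroot_list_enable")
        if not jailed:  # only listed users (or nobody) are confined
            out.append("chroot-only-listed" if listed else "chroot-none")
        elif listed:    # listed users escape the jail
            out.append("chroot-exempt-list")
    if int(s.get("pasv_min_port", "0")) == 0 or int(s.get("pasv_max_port", "0")) == 0:
        out.append("pasv-unbounded")  # cannot be matched by a narrow firewall rule
    out += [f"unlimited:{k}" for k in ("max_clients", "max_per_ip") if s.get(k) == "0"]
    if yes(s, "ascii_upload_enable") or yes(s, "ascii_download_enable"):
        out.append("ascii-mode")
    return out

# Constructed sample config; line 1 carries an inline comment on purpose.
SAMPLE = ("listen_port=2121  # default is 21\nanonymous_enable=YES\n"
          "anon_upload_enable=YES\nlocal_enable=YES\nchroot_local_user=YES\n"
          "chroot_list_enable=YES\npasv_min_port=6000\npasv_max_port=6010\nmax_per_ip=0\n")

def demo():
    settings, bad = parse(SAMPLE)
    return bad, audit(settings)
```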
