
Mastering VSFTPD on CentOS: Complete Guide to FTP Setup, Users, and Firewall

This article provides a step‑by‑step tutorial for installing and configuring VSFTPD on CentOS, covering package installation, core configuration files, user management, active and passive mode distinctions, and detailed firewall rules to ensure reliable FTP service operation.

MaGe Linux Operations

1. VSFTPD Environment Installation

Check if VSFTPD is installed: rpm -qa | grep vsftpd. If not, install with yum install vsftpd -y. Start the service with service vsftpd start, stop with service vsftpd stop, and restart with service vsftpd restart.

2. Basic VSFTPD Configuration

The main configuration files located in /etc/vsftpd/ are ftpusers, user_list, and vsftpd.conf. ftpusers is a blacklist of users prohibited from FTP access. user_list works with userlist_enable and userlist_deny to act as either a blacklist or a whitelist depending on the settings.

Key points: when userlist_enable=YES and userlist_deny=YES, user_list is a blacklist; when userlist_enable=YES and userlist_deny=NO, it is a whitelist (anonymous login is disabled unless explicitly allowed in the list).

After editing vsftpd.conf, restart the service with service vsftpd restart.

3. Common vsftpd.conf Settings

Anonymous upload/write: anon_upload_enable=NO, anon_mkdir_write_enable=NO, anonymous_enable=NO

Port settings: port_enable=YES, connect_from_port_20=YES, ftp_data_port=20

Transfer mode: ascii_upload_enable=YES, ascii_download_enable=YES (default ASCII; set both to NO for binary‑only transfers)

4. Adding FTP Users and Directories

Create a system user for FTP and set a password:

# create the account with /var/ftp as home and no interactive shell
useradd -d /var/ftp -s /sbin/nologin ftp
# passwd takes the user name, not the password; the password is entered at the prompt
passwd ftp
# readable directory tree owned by the FTP user
chmod -R 755 /var/ftp
chown -R ftp /var/ftp

Login control can also be managed via user_list.

5. Active vs Passive FTP Modes

FTP uses two TCP connections: a control connection on server port 21 and a separate data connection (server port 20 in active mode). In active mode, the client connects from a random high port N (>1024) to port 21, listens on port N+1 and tells the server (via the PORT command) to connect back from port 20 to N+1 for the data transfer. In passive (PASV) mode, the client sends the PASV command, the server opens a random high port P (>1024) and tells the client, and the client connects to P for the data transfer.

6. Firewall Settings for FTP

When the Linux firewall is enabled, allow the following traffic:

Active mode

Any high port (>1024) → server port 21 (client initiates control connection)

Server port 21 → any high port (>1024) (server replies)

Server port 20 → any high port (>1024) (server initiates data connection)

Any high port (>1024) → server port 20 (client ACK)

Passive mode

Any high port (>1024) → server port 21

Server port 21 → any high port (>1024)

Any high port (>1024) → server high port (data connection)

Server high port → remote high port (>1024)

Example passive‑mode firewall configuration (modify /etc/vsftpd/vsftpd.conf):

pasv_enable=YES
pasv_min_port=10020
pasv_max_port=11020

Corresponding iptables rules (edit /etc/sysconfig/iptables):

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10020:11020 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT

If the FTP server is behind NAT or in a cloud environment, set the public address in vsftpd.conf:

pasv_address=111.111.111.111
pasv_addr_resolve=YES
pasv_promiscuous=YES

Note: Do not disable PASV merely because of the “200 PORT command successful. Consider using PASV.” message; instead investigate the PASV configuration and network environment.
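To tie sections 2 and 6 together, here is an added audit script (not from the original article) that parses a constructed vsftpd.conf fragment, reports the user_list mode, emits the iptables rule matching the pasv range, and flags pasv_promiscuous=YES, which switches off vsftpd's check that the data connection comes from the same client IP as the control connection. The function names and sample values are this example's own.

```shell
#!/bin/sh
# Audit helpers for the vsftpd.conf settings discussed above (added example, not from the article).
# Constructed sample configuration; the pasv_promiscuous line is deliberately the risky setting.
SAMPLE_CONF='anonymous_enable=NO
userlist_enable=YES
userlist_deny=NO
pasv_enable=YES
pasv_min_port=10020
pasv_max_port=11020
pasv_promiscuous=yes'

# vsftpd_get CONF KEY: value of KEY in upper case (vsftpd booleans are case-insensitive),
# last occurrence wins, commented lines (#key=...) never match, empty output if unset.
vsftpd_get() {
  printf '%s\n' "$1" | sed -n "s/^$2=\(.*\)$/\1/p" | tail -n 1 | tr 'a-z' 'A-Z'
}

# userlist_mode CONF: off / blacklist / whitelist, per the userlist_enable/userlist_deny rules.
userlist_mode() {
  [ "$(vsftpd_get "$1" userlist_enable)" = YES ] || { echo off; return; }
  deny=$(vsftpd_get "$1" userlist_deny)          # vsftpd's default for userlist_deny is YES
  [ "${deny:-YES}" = NO ] && echo whitelist || echo blacklist
}

# pasv_rule CONF: the iptables INPUT rule covering the configured PASV port range.
pasv_rule() {
  if [ "$(vsftpd_get "$1" pasv_enable)" = NO ]; then
    echo "# pasv_enable=NO: no PASV range to open"; return
  fi
  min=$(vsftpd_get "$1" pasv_min_port); max=$(vsftpd_get "$1" pasv_max_port)
  # unset or 0 means the kernel picks any ephemeral port, which cannot be firewalled narrowly
  if [ "${min:-0}" = 0 ] || [ "${max:-0}" = 0 ]; then
    echo "# pasv_min_port/pasv_max_port not set: fix a range before writing a firewall rule"; return
  fi
  echo "-A INPUT -p tcp -m state --state NEW -m tcp --dport ${min}:${max} -j ACCEPT"
}

# pasv_warnings CONF: one line per setting a reviewer should look at before going live.
pasv_warnings() {
  [ "$(vsftpd_get "$1" pasv_promiscuous)" = YES ] &&
    echo "pasv_promiscuous=YES: data connections no longer have to come from the control connection's client IP"
  [ -z "$(vsftpd_get "$1" anonymous_enable)" ] &&
    echo "anonymous_enable unset: vsftpd's built-in default is YES"
  return 0
}

echo "user_list mode: $(userlist_mode "$SAMPLE_CONF")"
pasv_rule "$SAMPLE_CONF"
pasv_warnings "$SAMPLE_CONF"
```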
