
How to Configure and Manage a Linux FTP Server

Published: 2025-10-02 11:31:03 | Author: Guest | Category: Hosting News | Views: 872

Linux FTP Server Configuration and Management Guide (Using vsftpd)

## 1. Introduction to vsftpd

vsftpd (Very Secure FTP Daemon) is a lightweight, high-performance FTP server for Linux/Unix systems, renowned for its security features (e.g., chroot jail, SSL/TLS support) and stability. It is the default FTP server for many distributions (e.g., Ubuntu, CentOS).

## 2. Installation

Installation varies by distribution. Use your package manager to install vsftpd:

- Ubuntu/Debian:
  ```bash
  sudo apt update && sudo apt install vsftpd
  ```
- CentOS/RHEL:
  ```bash
  sudo yum install vsftpd
  ```

After installation, start the service and enable it to launch at boot:

```bash
sudo systemctl start vsftpd
sudo systemctl enable vsftpd
```

Verify status with:

```bash
sudo systemctl status vsftpd
```


## 3. Basic Configuration

The main configuration file is `/etc/vsftpd.conf`. Edit it with a text editor (e.g., `nano`):

```bash
sudo nano /etc/vsftpd.conf
```

Key parameters to configure:

- **Disable Anonymous Access** (recommended for security):
  ```
  anonymous_enable=NO
  ```
- **Allow Local Users** (system users can log in):
  ```
  local_enable=YES
  ```
- **Enable File Uploads**:
  ```
  write_enable=YES
  ```
- **Restrict Users to Home Directories** (chroot jail):
  ```
  # Comments go on their own lines: vsftpd reads everything after "=" as the value
  chroot_local_user=YES
  # Required when the chroot directory itself is writable by the user
  allow_writeable_chroot=YES
  ```
- **Passive Mode** (for NAT/firewall environments):
  ```
  pasv_enable=YES
  pasv_min_port=40000
  pasv_max_port=50000
  # Replace YOUR_PUBLIC_IP with your server's public IP
  pasv_address=YOUR_PUBLIC_IP
  ```

Save changes and restart vsftpd:

```bash
sudo systemctl restart vsftpd
```


## 4. User Management

### 4.1 Create FTP Users

Create dedicated FTP users (no shell access) to limit system privileges:

```bash
sudo useradd -m -d /home/ftpuser -s /sbin/nologin ftpuser
sudo passwd ftpuser  # Set a strong password
```

Set directory permissions (750 for home, 770 for upload folders):

```bash
sudo chown ftpuser:ftpuser /home/ftpuser
sudo chmod 750 /home/ftpuser
sudo mkdir /home/ftpuser/upload
sudo chown ftpuser:ftpuser /home/ftpuser/upload
sudo chmod 770 /home/ftpuser/upload
```

### 4.2 Virtual Users (Advanced)

Virtual users are not tied to system accounts, offering better security. Steps:

1. **Create User Database**:
   ```bash
   # Input format: alternating lines of username and password (sample values shown)
   sudo bash -c 'echo -e "ftp_vuser1\npassword123\nftp_vuser2\nsecurepass" > /etc/vsftpd/virtual_users.txt'
   sudo db_load -T -t hash -f /etc/vsftpd/virtual_users.txt /etc/vsftpd/virtual_users.db
   # The .txt file holds the passwords in plaintext; keep both files root-only
   sudo chmod 600 /etc/vsftpd/virtual_users.*
   ```
2. **Configure PAM Authentication**:
   Edit `/etc/pam.d/vsftpd` and replace all content with:
   ```
   auth required pam_userdb.so db=/etc/vsftpd/virtual_users
   account required pam_userdb.so db=/etc/vsftpd/virtual_users
   ```
3. **Create Virtual User Directories**:
   ```bash
   # guest_username in vsftpd.conf must name an existing system account
   sudo useradd -r -d /var/ftp/virtual_users -s /sbin/nologin virtual
   sudo mkdir -p /var/ftp/virtual_users/ftp_vuser1
   # Virtual users are not system accounts, so the guest account owns the directory
   sudo chown virtual:virtual /var/ftp/virtual_users/ftp_vuser1
   ```
4. **Modify vsftpd.conf**:
   Add at the end:
   ```
   guest_enable=YES
   guest_username=virtual
   virtual_use_local_privs=YES
   user_config_dir=/etc/vsftpd/user_configs
   ```
   Create `/etc/vsftpd/user_configs/ftp_vuser1` with:
   ```
   local_root=/var/ftp/virtual_users/ftp_vuser1
   write_enable=YES
   ```

Restart vsftpd after changes.

## 5. Security Hardening

### 5.1 Enable SSL/TLS Encryption

Generate a self-signed certificate (or use Let’s Encrypt for a trusted one):

```bash
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/certs/vsftpd.pem
```

Edit `/etc/vsftpd.conf`:

```
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
```

Restart vsftpd.
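To check a finished `vsftpd.conf` against the values set in sections 3 and 5.1, the added shell example below (not part of vsftpd or of the original guide) lints a file. `audit_vsftpd_conf` is a hypothetical helper, the sample config is constructed, and a key that the guide sets but the file omits is reported as missing.

```shell
# Added example: lint a vsftpd.conf against the values set in this guide.
# audit_vsftpd_conf is a hypothetical helper, not a vsftpd tool.
audit_vsftpd_conf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # comment-only and blank lines are fine
    {
        # vsftpd takes everything after "=" literally, so spaces around "=",
        # trailing blanks and inline comments end up inside the value.
        if ($0 ~ /[ \t]=|=[ \t]|[ \t]+$|[ \t]#/)
            printf "SYNTAX line %d: stray whitespace or inline comment\n", NR
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key)
        sub(/[ \t]+#.*$/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        conf[key] = val
    }
    END {
        w = "anonymous_enable=NO chroot_local_user=YES ssl_enable=YES allow_anon_ssl=NO"
        w = w " force_local_logins_ssl=YES force_local_data_ssl=YES ssl_sslv2=NO ssl_sslv3=NO"
        n = split(w, want, " ")
        for (i = 1; i <= n; i++) {
            split(want[i], kv, "=")
            if (!(kv[1] in conf)) printf "MISSING %s (guide sets %s)\n", kv[1], kv[2]
            else if (toupper(conf[kv[1]]) != kv[2])
                printf "WEAK %s=%s (guide sets %s)\n", kv[1], conf[kv[1]], kv[2]
        }
        if (toupper(conf["pasv_enable"]) == "YES") {
            lo = conf["pasv_min_port"] + 0; hi = conf["pasv_max_port"] + 0
            if (lo == 0 || hi < lo) printf "PASV bad port range %d-%d\n", lo, hi
            if (conf["pasv_address"] == "YOUR_PUBLIC_IP")
                print "PASV pasv_address still holds the placeholder"
        }
    }' "$1"
}
# Constructed sample: a partly edited config with several mistakes left in.
sample=$(mktemp)
cat > "$sample" <<'EOF'
anonymous_enable=YES
allow_writeable_chroot=YES  # Required if chroot is enabled
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
pasv_address=YOUR_PUBLIC_IP
ssl_enable=YES
EOF
audit_vsftpd_conf "$sample"; rm -f "$sample"
```

The whitespace check is deliberately strict, so a free-text value such as a banner containing ` #` is also reported and needs a manual look.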

### 5.2 Firewall Configuration

Allow FTP ports (21 for control, passive mode range for data) using ufw (Ubuntu) or firewalld (CentOS):

- UFW:
  ```bash
  sudo ufw allow 21/tcp
  sudo ufw allow 40000:50000/tcp  # Passive mode ports
  sudo ufw enable
  ```
- Firewalld:
  ```bash
  sudo firewall-cmd --permanent --add-service=ftp
  sudo firewall-cmd --permanent --add-port=40000-50000/tcp
  sudo firewall-cmd --reload
  ```

## 6. Testing and Monitoring

### 6.1 Test Connection

Use a client like FileZilla (GUI) or command line:

```bash
ftp YOUR_SERVER_IP
```

Enter credentials to verify login and file transfer.

### 6.2 Monitor Connections

Check active connections:

```bash
sudo netstat -tulnp | grep ftp
```

View vsftpd logs (default: `/var/log/vsftpd.log`):

```bash
sudo tail -f /var/log/vsftpd.log
```
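Beyond tailing the log, the same file can be summarised for repeated login failures. The following is an added example, not part of the original guide: `failed_logins` is a hypothetical helper, the threshold of 3 is an assumption, the log lines are constructed, and it assumes vsftpd's native log format (`[pid N] [user] FAIL LOGIN: Client "addr"`).

```shell
# Added example: summarise failed vsftpd logins per client address.
# failed_logins is a hypothetical helper; usage: failed_logins LOGFILE [THRESHOLD]
failed_logins() {
    awk -v limit="${2:-3}" '
    / (FAIL|OK) LOGIN: Client "/ {
        ip = $0; sub(/^.* LOGIN: Client "/, "", ip); sub(/".*$/, "", ip)
        sub(/^::ffff:/, "", ip)          # fold IPv4-mapped addresses together
        user = $0; sub(/\] (FAIL|OK) LOGIN: .*$/, "", user); sub(/^.*\[/, "", user)
        if ($0 ~ / FAIL LOGIN: /) {
            fails[ip]++
            # count distinct usernames tried from this address
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        } else if (fails[ip] >= limit && !(ip in hit))
            hit[ip] = user               # a success after repeated failures
    }
    END {
        for (ip in fails) if (fails[ip] >= limit)
            printf "%s fails=%d users=%d login_after=%s\n",
                   ip, fails[ip], users[ip], (ip in hit) ? hit[ip] : "-"
    }' "$1" | sort
}
# Constructed sample log lines (documentation address ranges).
log=$(mktemp)
cat > "$log" <<'EOF'
Thu Oct  2 11:30:01 2025 [pid 4101] CONNECT: Client "203.0.113.7"
Thu Oct  2 11:30:02 2025 [pid 4100] [admin] FAIL LOGIN: Client "203.0.113.7"
Thu Oct  2 11:30:04 2025 [pid 4102] [root] FAIL LOGIN: Client "::ffff:203.0.113.7"
Thu Oct  2 11:30:06 2025 [pid 4104] [ftpuser] FAIL LOGIN: Client "203.0.113.7"
Thu Oct  2 11:30:09 2025 [pid 4106] [ftpuser] OK LOGIN: Client "203.0.113.7"
Thu Oct  2 11:31:00 2025 [pid 4110] [ftpuser] FAIL LOGIN: Client "198.51.100.20"
EOF
failed_logins "$log" 3; rm -f "$log"
```

A `login_after` value other than `-` marks an address that logged in successfully after reaching the failure threshold, which is the case worth reviewing first.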


## 7. Troubleshooting Common Issues
- **Cannot Connect**: Verify vsftpd is running (`systemctl status vsftpd`) and firewall allows port 21.  
- **Permission Denied**: Ensure the user’s home directory has correct permissions (750) and `chroot` is configured properly.  
- **Passive Mode Fails**: Confirm `pasv_address` is set to the server’s public IP and passive ports are open in the firewall.
