How to install vsftpd on CentOS 8 for FTP with Security
Disclaimer: It’s strongly recommended that you use SSH and SFTP (SSH File Transfer Protocol) instead of FTPS (FTP with Security). FTPS is now obsolete. SFTP is installed by default on Unix, Linux, and Mac systems as part of the OpenSSH package and is supported by almost all free and commercial file transfer tools (e.g. FileZilla, Cyberduck). If for some reason you still need to set up FTPS, then you can follow this guide.
FTP is a protocol that facilitates the transfer of files between a client system and a remote server. For a long time, FTP was widely used as a reliable means of file transfer, but not anymore. FTP is plagued with security issues. FTP should only be used if you are not able to use SSH, SFTP, SCP, or rsync and even then, only with encryption enabled (FTPS).
vsftpd (very secure FTP daemon) is the default FTP server for Ubuntu, CentOS, Fedora, NimbleX, Slackware, and RHEL Linux. This tutorial will focus on how you can install vsftpd server for FTPS connections. Let’s begin.
Install vsftpd
To begin, fire up CentOS 8 and log in. Once logged in, open the terminal window and invoke the following command to install the vsftpd daemon.
$ sudo dnf install vsftpd
You can confirm the existence of the vsftpd package by invoking the command:
$ rpm -qi vsftpd
The ‘-i‘ flag prints the package information (version, install date, summary) for the installed vsftpd package.
vsftpd is a daemon, and we need to confirm whether it is running. By default, the vsftpd daemon is inactive or stopped, as shown below.
$ sudo systemctl status vsftpd
If it is marked as ‘disabled‘, we need to set it to ‘enabled‘ so that it can function as an FTP server. To enable and then start the vsftpd daemon, execute the following commands:
$ sudo systemctl enable vsftpd
$ sudo systemctl start vsftpd
Again, we can verify its status:
$ sudo systemctl status vsftpd
Create an FTP user
Having installed the vsftpd daemon successfully, the next step we need to take is to create an FTP user. This is the user that will have the login rights to the server. In this guide, we will create a user called user_vsftpd, as shown below.
$ sudo adduser user_vsftpd
Next, assign a password to the user. When prompted, provide your preferred password and re-enter to confirm it.
$ sudo passwd user_vsftpd
Create and configure the FTP directory
It’s crucial that we create and configure an FTP directory that will serve as the repository for uploading and downloading files. We will create a directory called ftp_dir in the home directory of the newly created user using the mkdir command with the ‘-p’ option.
$ sudo mkdir -p /home/user_vsftpd/ftp_dir
$ sudo chmod -R 755 /home/user_vsftpd/ftp_dir
$ sudo chown -R user_vsftpd /home/user_vsftpd/ftp_dir
Next, add the user to the user_list file to grant them access to the server. Edit the file /etc/vsftpd/user_list with your preferred text editor, then add user_vsftpd to the file.
Configure vsftpd
Before we can begin using our vsftpd server, a few further tweaks are needed. We need to configure a few options in the vsftpd.conf file. The path is /etc/vsftpd/vsftpd.conf. Open that file using your preferred text editor:
Ensure you have set the directive below to block anonymous users from logging in to the server:
anonymous_enable=NO
At the same time, grant local users in the system access to the server:
local_enable=YES
Next, allow users to execute FTP commands that permit them to upload or download files from the server:
write_enable=YES
To confine users to their home directories only and prevent them from accessing other users’ directories for security’s sake, uncomment the option below:
chroot_local_user=YES
Additionally, since vsftpd refuses a chrooted login when the user’s home directory is writable, explicitly allow a writable chroot so local users can still access their respective home directories:
allow_writeable_chroot=YES
We also need to allow passive connections to the server by specifying the required ports, as shown below:
pasv_min_port=30000
pasv_max_port=31000
Next, we will instruct the vsftpd server to allow the users stipulated in the user_list file and block the rest using the directives shown below:
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
Once you have ensured that these parameters are correctly defined, save the configurations and exit the file. Then restart your vsftpd server to apply these tweaks.
$ sudo systemctl restart vsftpd
Encrypt vsftpd with TLS
There are two main ways that you can secure your server using SSL/TLS. If you have a domain with an IP pointing to it, you can secure the server using a premium SSL certificate or a Let’s Encrypt SSL certificate, which is a free and trusted SSL certificate. Alternatively, you can generate a self-signed certificate as shown:
$ sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
The command above creates a 2048-bit RSA private key and a self-signed certificate valid for 3650 days (about 10 years), both written to the same PEM file. It will ask you to provide details such as your country, city, and organization name.
Next, reopen the configuration file /etc/vsftpd/vsftpd.conf, define the path to where the certificate and private key are saved, and enable SSL:
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES
The first two directives point to the certificate and the RSA private key (here both stored in vsftpd.pem), while the last option enables SSL/TLS on the FTP server. Again, restart the vsftpd server and verify that it is running. The vsftpd server is now secured using SSL/TLS.
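As an added example that is not part of the original guide, the following POSIX shell script audits a vsftpd.conf against the directives set in the two sections above (hardening and TLS). It assumes the directive name allow_writeable_chroot for the writable-chroot setting and runs against constructed sample files rather than a live server.

```shell
#!/bin/sh
# Added example (not from the guide): audit a vsftpd.conf against the directives
# this guide sets. allow_writeable_chroot is vsftpd's directive that lets
# chroot_local_user work with a writable home directory. Exit 0 = all match.
VSFTPD_REQUIRED='anonymous_enable=NO local_enable=YES write_enable=YES
chroot_local_user=YES allow_writeable_chroot=YES pasv_min_port=30000
pasv_max_port=31000 userlist_enable=YES userlist_deny=NO
userlist_file=/etc/vsftpd/user_list ssl_enable=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem rsa_private_key_file=/etc/vsftpd/vsftpd.pem'

# Effective value of directive $2 in file $1: commented lines are ignored (they
# do not start with the key), last assignment wins, whitespace stripped, empty if absent.
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tail -n 1
}

# Compare every required directive; print one FAIL line per mismatch.
check_vsftpd_conf() {
    _bad=0
    for _pair in $VSFTPD_REQUIRED; do
        _key=${_pair%%=*} _want=${_pair#*=}
        _got=$(vsftpd_get "$1" "$_key")
        # vsftpd accepts yes/no in any case, so normalise booleans first
        case $_want in YES|NO) _got=$(printf %s "$_got" | tr a-z A-Z) ;; esac
        if [ "$_got" != "$_want" ]; then
            printf 'FAIL %s: expected %s, got %s\n' "$_key" "$_want" "${_got:-<unset>}"
            _bad=$((_bad + 1))
        fi
    done
    [ "$_bad" -eq 0 ]
}

# Constructed sample configs (not real server files) for a stand-alone run.
write_sample_configs() {
    printf '%s\n' 'anonymous_enable=YES' 'local_enable=YES' 'write_enable=YES' \
        '#chroot_local_user=YES' 'ssl_enable=NO' >"$1/weak.conf"
    # hardened: a comment line plus every directive from the guide, ssl_enable in lower case
    printf '%s\n' '# hardened vsftpd.conf' $VSFTPD_REQUIRED \
        | sed 's/^ssl_enable=YES$/ssl_enable=yes/' >"$1/hardened.conf"
}

SAMPLE_DIR=$(mktemp -d)
write_sample_configs "$SAMPLE_DIR"
check_vsftpd_conf "$SAMPLE_DIR/weak.conf" || echo "weak.conf: hardening missing (expected)"
check_vsftpd_conf "$SAMPLE_DIR/hardened.conf" && echo "hardened.conf: OK"
```

Run it as `check_vsftpd_conf /etc/vsftpd/vsftpd.conf` after editing the real file; a non-zero exit status with FAIL lines tells you which directive still differs from the guide.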
Configure the firewall
To allow the remote user to access the server, we need to open a few ports: port 21 for FTPS, port 20 for data connection in an active mode, and the ports required for passive connections.
$ sudo firewall-cmd --permanent --add-port=20-21/tcp
$ sudo firewall-cmd --permanent --add-port=30000-31000/tcp
Then finally, reload the firewall to effect the changes made:
$ sudo firewall-cmd --reload
You can verify the status of the firewall and the open ports by invoking:
$ sudo firewall-cmd --list-ports
Your vsftpd server is now fully configured, and you can access it over FTPS, which encrypts the connection, unlike legacy plain FTP.
Disabling SSH access
Lastly, remember that a newly created user is also allowed SSH access to the server unless it is explicitly disabled. To disable SSH access for a user who only needs FTPS (for example a developer uploading files), create a file called ftponly in the bin directory:
$ sudo nano /bin/ftponly
Add a message telling the user why they are unable to log in:
#!/bin/sh
echo "SSH access is not allowed for this user."
After editing that file, change the permissions to make the file executable:
$ sudo chmod +x /bin/ftponly
Next, open /etc/shells and add the following line at the bottom, so that the shell is recognised as valid and the user’s FTP logins are not rejected:
/bin/ftponly
Update the vsftpd user’s shell with the following command:
$ sudo usermod user_vsftpd -s /bin/ftponly
That’s it: if that user tries to log in via SSH, they will not be able to. Instead, they will see the ftponly message we set above:
SSH access is not allowed for this user.