Disclaimer: It’s strongly recommended that you use SSH and SFTP (SSH File Transfer Protocol) instead of FTPS (FTP with Security). FTPS is now obsolete. SFTP is installed by default on Unix, Linux, and Mac systems as part of the OpenSSH package and is supported by almost all free and commercial file transfer tools. (i.e. Filezilla, Cyberduck) If for some reason you still need to setup FTPS, then you can follow this guide.
FTP is a protocol that facilitates the transfer of files between a client system and a remote server. For a long time, FTP was widely used as a reliable means of file transfer, but not anymore. FTP is plagued with security issues. FTP should only be used if you are not able to use SSH, SFTP, SCP, or rsync and even then, only with encryption enabled (FTPS).
vsftpd (very secure FTP daemon) is the default FTP server for Ubuntu, CentOS, Fedora, NimbleX, Slackware, and RHEL Linux. This tutorial will focus on how you can install vsftpd server for FTPS connections. Let’s begin.
To begin, fire up CentOS 8 and log in. Once logged in, open the terminal window and invoke the following command to install the vsftpd daemon.
$ sudo dnf install vsftpd
You can confirm the existence of the vsftpd package by invoking the command:
$ rpm -qi | grep vsftpd
The extra ‘-I‘ flag prints out the additional information, as shown below.
vsftpd is a daemon, and we need to confirm whether it is running. By default, the vsftpd daemon is inactive or stopped, as shown below.
$ sudo systemctl status vsftpd
If marked as ‘disabled‘ We need to set to ‘enabled‘ so that it can function as an ftp server. To enable, then start the vsftpd daemon, execute the commands:
$ sudo systemctl enable vsftpd $ sudo systemctl start vsftpd
Again, we can verify its status:
$ sudo systemctl status vsftpd
Create an FTP user
Having installed the vsftpd daemon successfully, the next step we need to take is to create an FTP user. This is the user that will have the login rights to the server. In this guide, we will create a user called user_vsftpd, as shown below.
$ sudo adduser user_vsftpd
Next, assign a password to the user. When prompted, provide your preferred password and re-enter to confirm it.
$ sudo passwd user_vsftpd
Create and configure the FTP directory
It’s crucial that we create and configure an FTP directory that will serve as the repository for uploading and downloading files. We will create a directory called ftp_dir in the home directory of the newly created user using the mkdir command with the ‘-p’ option.
$ sudo mkdir /home/user_vsftpd/ftp_dir $ sudo chmod -R 755 /home/user_vsftpd/ftp_dir $ sudo chown -R user_vsftpd /home/user_vsftpd/ftp_dir
Next, add the user to the user_list file to grant them access to the server. Edit the file /etc/vsftpd/user_list with your preferred text editor, the add
user_vsftpd to the file.
Before we can begin using our vsftpd server, a few further tweaks are needed. We need to configure a few options in the vsftpd.conf file. The path is /etc/vsftpd/vsftpd.conf. Open that file using your preferred text editor:
Ensure you have set the directive below to block anonymous users from logging in to the server:
At the same time, grant local users in the system access to the server:
Next, allow users to execute FTP commands that permit them to upload or download files from the server:
To confine users to their home directories only and prevent them from accessing other users’ directories for security’s sake, uncomment the option below:
Additionally, allow local users to access their respective home directories as shown:
We also need to allow passive connections to the server by specifying the required ports, as shown below:
Next, we will instruct the vsftpd server to allow the users stipulated in the user_list file and block the rest using the directives shown below:
userlist_enable=YES userlist_deny=NO userlist_file=/etc/vsftpd/user_list
Once you have ensured that these parameters are correctly defined, save the configurations and exit the file. Then restart your vsftpd server to apply these tweaks.
$ sudo systemctl restart vsftpd
Encrypt vsftpd with TLS
There are two main ways that you can secure your server using SSL/TLS. If you have a domain with an IP pointing to it, you can secure the server using a premium SSL certificate or a Let’s Encrypt SSL certificate, which is a free and trusted SSL certificate. Alternatively, you can generate a self-signed certificate as shown:
$ sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
The command above creates a 2048-bit private key as well as an SSL certificate, which is valid for a period of up to 10 years. This command will ask you to provide details such as your country, city, and Company name.
Next, reopen the configuration file/etc/vsftpd/vsftpd.conf and define the path to where the private key is saved and enable SSL.
rsa_cert_file=/etc/vsftpd/vsftpd.pem rsa_private_key_file=/etc/vsftpd/vsftpd.pem ssl_enable=YES
The first two directives specify the location of the RSA private key while the last option enables the SSL protocol on the FTP server. Again, restart the vsftpd server and verify that it is running. The vsftpd server is now secured using SSL/TLS.
Configure the firewall
To allow the remote user to access the server, we need to open a few ports: port 21 for FTPS, port 20 for data connection in an active mode, and the ports required for passive connections.
$ sudo firewall-cmd --permanent --add-port=20-21/tcp $ sudo firewall-cmd --permanent --add-port=30000-31000/tcp
Then finally, reload the firewall to effect the changes made:
You can verify the status of the firewall and the open ports by invoking:
$ sudo firewall-cmd --list-ports
Your vsftpd server is now fully configured, and you can access your server via the SFTP protocol, which is a secure option, unlike the legacy FTP.
Disabling SSH access
Lastly, remember that when creating a new user, that new user will also be allowed SSH access to the server if not explicitly disabled. To disable ssh access in the case of setting up FTPS for a developer, create a file called ftponly in the bin directory:
sudo nano /bin/ftponly
Add a message telling the user why they are unable to log in:
#!/bin/sh echo "SSH access is not allowed for this user."
After editing that file, change the permissions to make the file executable:
$ sudo chmod +x /bin/ftponly
Next open /etc/shells, and at the bottom add:
Update the vsftpd user’s shell with the following command:
sudo usermod user_vsftpd -s /bin/ftponly
That’s it, if that user tries to login via SSH, they will not be able to. Instead, they will see the ftponly message we set above:
SSH access is not allowed for this user.