Ubuntu 24.04.1 LTS & 22.04 LTS
Update packages and install vsftpd
$ sudo apt update && sudo apt upgrade
$ sudo apt install vsftpd
$ vsftpd -version
Add FTP user
$ sudo adduser username -m
$ sudo passwd username
OR
$ sudo vim /etc/vsftpd.user
username
username1
username2
...
Configure vsftpd
$ sudo vim /etc/vsftpd.conf
listen=NO
listen_ipv6=YES
connect_from_port_20=YES
ftpd_banner=Welcome to blah FTP service.
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
file_open_mode=0755
pasv_enable=YES
pasv_min_port=10190
pasv_max_port=10200
ascii_upload_enable=YES
ascii_download_enable=YES
userlist_enable=YES
userlist_file=/etc/vsftpd.user
userlist_deny=NO
chroot_local_user=YES
allow_writeable_chroot=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
Restart vsftpd Service
$ sudo systemctl enable/disable vsftpd
$ sudo systemctl start/stop/restart/statussud vsftpd
CentOs 7
$ wget https://security.appspot.com/downloads/vsftpd-3.0.3.tar.gz
$ tar -zxvf vsftpd-3.0.3.tar.gz
$ ./configure
$ make && make install
$ sudo rpm -ivh vsftpd-3.0.2-28.el7.x86_64.rpm
$ sudo yum install -y vsftpd
$ sudo systemctl start/stop/restart/status/enable/disable vsftpd
$ sudo firewall-cmd --zone=public --add-service=ftp --permanent
$ sudo firewall-cmd --reload
SELinux
$ sudo sestatus
$ sudo setenforce 0
$ sudo vim /etc/sysconfig/selinux
Change the SELINUX=enforcing directive to SELINUX=disabled
PAM in Linux
$ sudo vim /etc/pam.d/vsftpd
#auth required pam_shells.so
standalone
$ sudo vim /etc/vsftpd/vsftpd.conf
listen=YES
#listen_ipv6=YES
listen_port=21
#listen_address=
xinetd
$ sudo yum install xinetd
$ sudo vim /etc/vsftpd/vsftpd.conf
listen=NO
$ sudo vim /etc/xinetd.d/vsftpd
service ftp
{
socket_type = stream
wait = no
user = root
server = /usr/sbin/vsftpd
log_on_success += HOST DURATION
log_on_failure += HOST
disable = no
}
$ sudo systemctl start xinetd
$ sudo systemctl enable xinetd
vsftpd.conf
$ sudo cp /etc/vsftpd/vsftpd.conf{,.bak}
$ sudo vim /etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=002
file_open_mode=0755
ascii_upload_enable=YES
ascii_download_enable=YES
Firewall
UFW
$ sudo ufw allow 20/tcp
$ sudo ufw allow 21/tcp
$ sudo ufw allow 990/tcp
$ sudo ufw allow 10190:10200/tcp
IPTables
iptables -A INPUT -m tcp -p tcp -m multiport --dports 20,21 -m state --state NEW -j ACCEPT -m comment --comment " FTP Server "
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
modprobe nf_conntrack_ftp
Notes
Error message “500 OOPS: vsftpd: refusing to run with writable root inside chroot()” - keep user jailed
Go to /etc/vsftpd.conf and add this:
allow_writeable_chroot=YES
Allow “ls -R” recursive directory list. Default is disabled.
Go to /etc/vsftpd.conf and add this:
ls_recurse_enable=YES
Enabling TLS encryption
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
Go to /etc/vsftpd.conf and add this:
ssl_enable=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH