How to install vsftpd on RHEL 8 / CentOS 8

This tutorial provides readers with instructions on how to install and configure a VSFTPD ftp server on a RHEL 8 / CentOS 8 server. This guide will first start with a basic default configuration on top of which we will add secure TLS configuration, anonymous access and passive mode configuration.

In this tutorial you will learn:

  • How to install VSFTPD ftp server.
  • How to open firewall for incoming FTP connections.
  • How to secure FTP connection with TLS.
  • How to allow anonymous connections.

VSFTPD ftp connection on RHEL 8 / CentOS 8 Server/Workstation.

Software Requirements and Conventions Used

Software Requirements and Linux Command Line Conventions

| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | RHEL 8 / CentOS 8 |
| Software | vsftpd: version 3.0.3 |
| Other | Privileged access to your Linux system as root or via the sudo command. |
| Conventions | # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command. $ – requires given linux commands to be executed as a regular non-privileged user. |

Basic VSFTPD configuration step by step instructions

In this section we will simply install VSFTPD ftp server, open firewall ports and test the connections.



  1. Install the VSFTPD package. The vsftpd package can be installed using the dnf package manager:
    # dnf install vsftpd
    
  2. Back up and review the default VSFTPD configuration file. First move the original configuration file aside so it is kept as a backup:
    # mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_orig
    

    Then create a clean configuration file from it with the comment lines stripped:

    # grep -v '^#' /etc/vsftpd/vsftpd.conf_orig > /etc/vsftpd/vsftpd.conf
    

    Your new /etc/vsftpd/vsftpd.conf configuration should look similar to the one below:

    anonymous_enable=NO
    local_enable=YES
    write_enable=YES
    local_umask=022
    dirmessage_enable=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    listen=NO
    listen_ipv6=YES
    
    pam_service_name=vsftpd
    userlist_enable=YES
    
  3. Start VSFTPD daemon and set it to start after reboot:
    # systemctl start vsftpd
    # systemctl enable vsftpd
    


  4. Open the firewall for incoming connections on FTP port 21:
    # firewall-cmd --zone=public --permanent --add-service=ftp
    # firewall-cmd --reload
    
  5. Test the FTP connection from a remote host using the ftp command. Use your regular user credentials to log in. For example, create an FTP connection to host rhel8-ftp.linuxconfig.org:
    # ftp rhel8-ftp.linuxconfig.org
    Connected to rhel8-ftp.linuxconfig.org.
    220 (vsFTPd 3.0.3)
    Name (rhel8-ftp.linuxconfig.org:lubos): linuxconfig
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> 
    
  6. This concludes basic VSFTPD configuration and testing. In the next section we will add a layer of security by configuring our VSFTPD ftp server using TLS.

Securing VSFTPD with TLS connection step by step instructions

In this section we will generate a certificate, configure VSFTPD to use TLS and test the encrypted connection.

  1. Install OpenSSL. This package might already be available on your RHEL 8 system. To install OpenSSL run:
    # dnf install openssl
    
  2. Generate a self-signed certificate or use your existing certificate. In this example we will generate the private key vsftpd.key and the self-signed certificate vsftpd.crt. You will be prompted to answer some questions. Feel free to leave most of them at their defaults, except for Common Name:
    # openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/vsftpd.key -x509 -days 365 -out /etc/pki/tls/certs/vsftpd.crt
    Generating a RSA private key
    ..................+++++
    ....+++++
    writing new private key to '/etc/pki/tls/private/vsftpd.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:rhel8-ftp.linuxconfig.org
    Email Address []:
    #
    


  3. Configure VSFTPD for the TLS encrypted connection. Open your existing VSFTPD /etc/vsftpd/vsftpd.conf configuration and add the following configuration in addition to the existing lines:
    rsa_cert_file=/etc/pki/tls/certs/vsftpd.crt
    rsa_private_key_file=/etc/pki/tls/private/vsftpd.key
    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    require_ssl_reuse=NO
    ssl_ciphers=HIGH
    
  4. Restart VSFTPD:
    # systemctl restart vsftpd
    
  5. Test the TLS VSFTPD ftp connection.
    NOTE
    Please note that unless you have opened the appropriate ports on your RHEL 8 server’s firewall, you will not be able to make a passive FTP connection from a remote host at this point.

    Use an FTP client which supports TLS connections, such as FileZilla:

    Establishing TLS connection to VSFTPD ftp RHEL 8 server.


    Connected to VSFTPS RHEL 8 server with secure TLS connection.

All seems to be in order. In the next section we will add a passive connection feature to our VSFTPD ftp server.

Add passive mode to VSFTPD step by step instructions

  1. Open your existing VSFTPD /etc/vsftpd/vsftpd.conf configuration and add the following configuration in addition to the existing lines:

    pasv_enable=YES
    pasv_min_port=10000
    pasv_max_port=10100
    
  2. Restart VSFTPD:
    # systemctl restart vsftpd
    
  3. Open firewall port range to accommodate passive ports:
    # firewall-cmd --permanent --zone=public --add-port=10000-10100/tcp 
    # firewall-cmd --reload
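
Added example, not part of the original tutorial: a shell function that compares the passive range in vsftpd.conf with the ports firewalld reports, so a range that is blocked or opened wider than configured is caught. The function names and the OK/WIDE/BLOCKED/UNSET labels are made up for this example; the port list is the space-separated output of firewall-cmd --zone=public --list-ports passed in as a string, and the sample values are constructed.

```shell
#!/bin/sh
# conf_get FILE KEY: print the last value assigned to KEY in a vsftpd.conf
conf_get() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# check_pasv_firewall FILE "PORT-LIST"
# Returns 0 on an exact match, 1 when the opened range is wider than the
# configured one, 2 when the range is unset or not covered by a single entry.
check_pasv_firewall() {
    min=$(conf_get "$1" pasv_min_port)
    max=$(conf_get "$1" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "UNSET pasv_min_port/pasv_max_port not pinned in $1"
        return 2
    fi
    for entry in $2; do
        case $entry in */tcp) ;; *) continue ;; esac   # only tcp entries matter
        range=${entry%/tcp}
        lo=${range%-*}; hi=${range#*-}                 # "21" gives lo=hi=21
        if [ "$lo" -le "$min" ] && [ "$hi" -ge "$max" ]; then
            if [ "$lo" -eq "$min" ] && [ "$hi" -eq "$max" ]; then
                echo "OK $min-$max/tcp is open and matches vsftpd.conf"
                return 0
            fi
            echo "WIDE $entry opens more than the configured $min-$max"
            return 1
        fi
    done
    echo "BLOCKED $min-$max/tcp is not covered by any single opened tcp range"
    return 2
}

# Constructed sample: the passive-mode lines from step 1 and two port lists.
demo_conf=$(mktemp)
printf 'pasv_enable=YES\npasv_min_port=10000\npasv_max_port=10100\n' > "$demo_conf"
check_pasv_firewall "$demo_conf" "10000-10100/tcp" || true
check_pasv_firewall "$demo_conf" "10000-10050/tcp" || true
rm -f "$demo_conf"
```

On the server, pass the live values: check_pasv_firewall /etc/vsftpd/vsftpd.conf "$(firewall-cmd --zone=public --list-ports)".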
    

Allow anonymous VSFTPD access step by step instructions

  1. Open your existing VSFTPD /etc/vsftpd/vsftpd.conf configuration and change the anonymous_enable and allow_anon_ssl lines to YES:

    anonymous_enable=YES
    allow_anon_ssl=YES
    


  2. Restart VSFTPD:
    # systemctl restart vsftpd
    

Appendix

For your convenience the final /etc/vsftpd/vsftpd.conf configuration file is shown below:

anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES

pam_service_name=vsftpd
userlist_enable=YES

rsa_cert_file=/etc/pki/tls/certs/vsftpd.crt
rsa_private_key_file=/etc/pki/tls/private/vsftpd.key
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

pasv_enable=YES
pasv_min_port=10000
pasv_max_port=10100
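
Added example, not part of the original tutorial: a small shell auditor that reads a vsftpd.conf and reports where the TLS and anonymous-access directives used above differ from a locked-down baseline. The baseline values and the FAIL/REVIEW labels are assumptions of this example; a directive that is absent is reported as unset rather than guessing the build's default.

```shell
#!/bin/sh
# Added example: audit the TLS and anonymous-access directives from this tutorial.
# Baseline values and FAIL/REVIEW severities are assumptions of this example.

# audit_vsftpd_conf [FILE]  (reads stdin when FILE is omitted)
# Prints one line per deviation; returns 0 clean, 1 REVIEW only, 2 any FAIL.
audit_vsftpd_conf() {
    awk -F= '
    BEGIN {
        # directive:expected:severity
        rules = "ssl_enable:YES:FAIL force_local_logins_ssl:YES:FAIL"
        rules = rules " force_local_data_ssl:YES:FAIL ssl_sslv2:NO:FAIL"
        rules = rules " ssl_sslv3:NO:FAIL require_ssl_reuse:YES:REVIEW"
        rules = rules " anonymous_enable:NO:REVIEW allow_anon_ssl:NO:REVIEW"
        n = split(rules, rule, " ")
    }
    /^[ \t]*#/ || !/=/ { next }                 # skip comments and blank lines
    {
        v = toupper($2); sub(/[ \t\r]+$/, "", v)
        seen[$1] = v                            # a later duplicate overwrites
    }
    END {
        for (i = 1; i <= n; i++) {
            split(rule[i], r, ":")
            got = (r[1] in seen) ? seen[r[1]] : "unset"
            if (got == r[2]) continue
            printf "%s %s=%s (expected %s)\n", r[3], r[1], got, r[2]
            if (r[3] == "FAIL") rc = 2; else if (rc < 2) rc = 1
        }
        exit rc + 0
    }' ${1:+"$1"}
}

# Constructed sample: TLS and anonymous lines of the final config in the appendix.
sample_final_conf() {
    cat <<'EOF'
anonymous_enable=YES
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
EOF
}

sample_final_conf | audit_vsftpd_conf || true
```

Run it as audit_vsftpd_conf /etc/vsftpd/vsftpd.conf after each edit; the exit status lets a script stop before restarting the daemon with a weakened configuration.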