This tutorial provides readers with instructions on how to install and configure a VSFTPD ftp server on a RHEL 8 / CentOS 8 server. This guide will first start with a basic default configuration on top of which we will add secure TLS configuration, anonymous access and passive mode configuration.
In this tutorial you will learn:
- How to install VSFTPD ftp server.
- How to open firewall for incoming FTP connections.
- How to secure FTP connection with TLS.
- How to allow anonymous connections.
Software Requirements and Conventions Used
Category | Requirements, Conventions or Software Version Used |
---|---|
System | RHEL 8 / CentOS 8 |
Software | vsftpd: version 3.0.3 |
Other | Privileged access to your Linux system as root or via the sudo command. |
Conventions |
# – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command$ – requires given linux commands to be executed as a regular non-privileged user |
Basic VSFTPD configuration step by step instructions
In this section we will simply install VSFTPD ftp server, open firewall ports and test the connections.
- Install VSFTPD package.
vsftpd
package can be installed by using the dnf package manager:# dnf install vsftpd
- Make a copy and review the default VSFTPD configuration file. First make a copy of the original configuration file:
# mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_orig
Let’s start with a clean configuration file:
# grep -v ^# /etc/vsftpd/vsftpd.conf_orig > /etc/vsftpd/vsftpd.conf
Your new
/etc/vsftpd/vsftpd.conf
configuration should look similar to the one below:anonymous_enable=NO local_enable=YES write_enable=YES local_umask=022 dirmessage_enable=YES xferlog_enable=YES connect_from_port_20=YES xferlog_std_format=YES listen=NO listen_ipv6=YES pam_service_name=vsftpd userlist_enable=YES
- Start VSFTPD daemon and set it to start after reboot:
# systemctl start vsftpd # systemctl enable vsftpd
- Open firewall FTP port 21 incoming connections:
# firewall-cmd --zone=public --permanent --add-service=ftp # firewall-cmd --reload
- Test FTP connection from the remote host using the
ftp
command. Use your regular user credentials to login. For example, create an FTP connection to hostrhel8-ftp.linuxconfig.org
:# ftp rhel8-ftp.linuxconfig.org Connected to rhel8-ftp.linuxconfig.org. 220 (vsFTPd 3.0.3) Name (rhel8-ftp.linuxconfig.org:lubos): linuxconfig 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. ftp>
This concludes basic VSFTPD configuration and testing. In the next section we will add a layer of security by configuring our VSFTPD ftp server using TLS.
Securing VSFTPD with TLS connection step by step instructions
In this section we will simply install the VSFTPD ftp server, open firewall ports and test the connections.
- Install OpenSSL. This package might already by available on your RHEL8 system. To install OpenSSL run:
# dnf install openssl
- Generate self-signed certificate or use your existing certificate. In this example we will generate the private key
vsftpd.key
and the signed certificatevsftpd.crt
. You will be prompted to answer some questions. Feel free to leave most of them as default exceptCommon Name
:# openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/vsftpd.key -x509 -days 365 -out /etc/pki/tls/certs/vsftpd.crt Generating a RSA private key ..................+++++ ....+++++ writing new private key to '/etc/pki/tls/private/vsftpd.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]: State or Province Name (full name) []: Locality Name (eg, city) [Default City]: Organization Name (eg, company) [Default Company Ltd]: Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:rhel8-ftp.linuxconfig.org Email Address []: #
- Configure VSFTPD for the TLS encrypted connection. Open your existing VSFTPD
/etc/vsftpd/vsftpd.conf
configuration and add the following configuration in addition to the existing lines:rsa_cert_file=/etc/pki/tls/certs/vsftpd.crt rsa_private_key_file=/etc/pki/tls/private/vsftpd.key ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO require_ssl_reuse=NO ssl_ciphers=HIGH
- Restart VSFTPD:
# systemctl restart vsftpd
- Test the TLS VSFTPD ftp connection.
NOTE
Please note that unless you have opened appropriate ports on your RHEL 8 server’s firewall you will not be able to make passive ftp connection from a remote host at this point.Use an FTP client which supports TLS connections like for example FileZilla:
All seems to be in order. In the next section we will add a passive connection feature to our VSFTPD ftp server.
Add passive mode to VSFTPD step by step instructions
-
Open your existing VSFTPD
/etc/vsftpd/vsftpd.conf
configuration and add the following configuration in addition the the existing lines:pasv_enable=YES pasv_min_port=10000 pasv_max_port=10100
- Restart VSFTPD:
# systemctl restart vsftpd
- Open firewall port range to accommodate passive ports:
# firewall-cmd --permanent --zone=public --add-port=10000-10100/tcp # firewall-cmd --reload
Allow anonymous VSFTPD access step by step instructions
-
Open your existing VSFTPD
/etc/vsftpd/vsftpd.conf
configuration and change theanonymous_enable
andallow_anon_ssl
lines toYES
:anonymous_enable=YES allow_anon_ssl=YES
- Restart VSFTPD:
# systemctl restart vsftpd
Appendix
For your convenience the final /etc/vsftpd/vsftpd.conf
configuration file is shown below:
anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
rsa_cert_file=/etc/pki/tls/certs/vsftpd.crt
rsa_private_key_file=/etc/pki/tls/private/vsftpd.key
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_enable=YES
pasv_min_port=10000
pasv_max_port=10100