Step 1: Install vsftpd
Warning: FTP data is insecure; traffic is not encrypted, and all transmissions are clear text (including usernames, passwords, commands, and data). Consider securing your FTP connection with SSL/TLS.

As a matter of best practice we’ll update our packages:

yum -y update

Then let’s install vsftpd and any required packages:

yum -y install vsftpd

Step 2: Configure vsftpd

 

The vsftpd RPM installs the daemon (/usr/sbin/vsftpd), its configuration and related files, as well as FTP directories onto the system.
The following lists the files and directories related to vsftpd configuration:

 

  • /etc/rc.d/init.d/vsftpd — The initialization script (initscript) used by the systemctl command to start, stop, or reload vsftpd. Refer to Starting and Stopping vsftpd ” for more information about using this script.
    Restart the vsftpd service:systemctl restart vsftpdThen set the vsftpd service to start at boot:systemctl enable vsftpd
  • /etc/pam.d/vsftpd — The Pluggable Authentication Modules (PAM) configuration file for vsftpd. This file specifies the requirements a user must meet to login to the FTP server. For more information on PAM, refer to the Using Pluggable Authentication Modules (PAM) chapter of the Fedora 17 Managing Single Sign-On and Smart Cards guide.

/etc/vsftpd/vsftpd.conf — The configuration file for vsftpd. Refer to “ vsftpdConfiguration Options” for a list of important options contained within this file.

Configuration file for vsftpd:

vim /etc/vsftpd/vsftpd.conf

Each directive is on its own line within the file and follows the following format:

directive=value

1. For each directive, replace directive with a valid directive and value with a valid value.
Do not use spaces
There must not be any spaces between the directive, equal symbol, and the value in a directive.

2. Daemon Options

The following is a list of directives which control the overall behavior of the vsftpd daemon.
  • listen — When enabled, vsftpd runs in stand-alone mode. Fedora sets this value to YES. This directive cannot be used in conjunction with the listen_ipv6 directive.
    The default value is NO.
  • listen_ipv6 — When enabled, vsftpd runs in stand-alone mode, but listens only to IPv6 sockets. This directive cannot be used in conjunction with the listen directive.
    The default value is NO.
  • session_support — When enabled, vsftpd attempts to maintain login sessions for each user through Pluggable Authentication Modules (PAM). For more information, refer to the Using Pluggable Authentication Modules (PAM) chapter of the Red Hat Enterprise Linux 6 Managing Single Sign-On and Smart Cards and the PAM man pages. . If session logging is not necessary, disabling this option allows vsftpd to run with less processes and lower privileges.
    The default value is YES.

3. Permission:

  • pam_service_name Disallow anonymous, unidentified users to access files via FTP; change the anonymous_enable setting to NO:
    anonymous_enable=NO
  • Allow local uses to login by changing the local_enable setting to YES:
    local_enable=YES
  • If you want local user to be able to write to a directory, then change the write_enable setting to YES:
    write_enable=YES
  • Local users will be ‘chroot jailed’ and they will be denied access to any other part of the server; change the chroot_local_user setting to YES:
    chroot_local_user=YES
  • Specifies a comma-delimited list of FTP commands allowed by the server. All other commands are rejected.
    cmds_allowed
  • pam_service_name — Specifies the PAM service name for vsftpd.
    The default value is ftp.
    Note, in Fedora, the value is set to vsftpdThe default value is NO. Note, in Fedora, the value is set to YES.
  • userlist_deny — When used in conjunction with the userlist_enable directive and set to NO, all local users are denied access unless the username is listed in the file specified by the userlist_file directive. Because access is denied before the client is asked for a password, setting this directive to NO prevents local users from submitting unencrypted passwords over the network.
    The default value is YES.
  • userlist_enable — When enabled, the users listed in the file specified by the userlist_file directive are denied access. Because access is denied before the client is asked for a password, users are prevented from submitting unencrypted passwords over the network.
    The default value is NO, however under Fedora the value is set to YES.
  • userlist_file — Specifies the file referenced by vsftpd when the userlist_enable directive is enabled.
    The default value is /etc/vsftpd/user_list and is created during installation.

  • /etc/vsftpd/ftpusers — A list of users not allowed to log into vsftpd. By default, this list includes the rootbin, and daemon users, among others.
  • /etc/vsftpd/user_list — This file can be configured to either deny or allow access to the users listed, depending on whether the userlist_deny directive is set to YES (default) or NO in /etc/vsftpd/vsftpd.conf. If /etc/vsftpd/user_list is used to grant access to users, the usernames listed must not appear in /etc/vsftpd/ftpusers.
  • /var/ftp/ — The directory containing files served by vsftpd. It also contains the /var/ftp/pub/ directory for anonymous users. Both directories are world-readable, but writable only by the root user.
Step 3: Allow vsftpd Through the Firewall

Allow the default FTP port, port 21, through firewalld:

firewall-cmd --permanent --add-port=21/tcp

And reload the firewall:

firewall-cmd --reload