@JS's Notes

Site with notes from my work.

Vsftpd on Centos 8

2020-07-14 System @JS

My test platform: CentOS Linux release 8.2.2004 (Core)

Requirements: user with root privileges or non-root user with sudo privileges.

Vsftpd installation
$ sudo dnf update -y
$ sudo dnf install vsftpd -y
$ sudo systemctl status vsftpd.service
$ sudo systemctl start vsftpd.service
$ sudo systemctl enable vsftpd.service
## create an FTP user and its directory
$ sudo adduser ftpuser; sudo passwd ftpuser
$ sudo mkdir -p /home/ftpuser/ftp_dir
$ sudo chmod -R 750 /home/ftpuser/ftp_dir
$ sudo chown -R ftpuser: /home/ftpuser/ftp_dir
$ sudo bash -c 'echo ftpuser >> /etc/vsftpd/user_list'
Vsftpd configuration

The default configuration file for vsftpd is the /etc/vsftpd/vsftpd.conf file. We will make a few tweaks in this file:

[...]
# to allow local users to access the FTP server remotely, and block anonymous users
anonymous_enable=NO
local_enable=YES
[...]
# to grant users rights to run any FTP command and make changes such as uploading, 
# downloading and deleting files
write_enable=YES
[...]
# for security purposes, you may opt to restrict users from accessing any files 
# and directories outside their home directories
chroot_local_user=YES
[...]
# to grant users write access to their respective home directories
allow_writeable_chroot=YES
[...]
# we are going to define custom ports to enable Passive FTP connections
pasv_min_port=50000
pasv_max_port=51000
[...]
# we are going to only allow the users defined in the /etc/vsftpd/user_list access 
# to the server and block the rest
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
[...]
# specify the path to the SSL/TLS certificate files and turn on SSL
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES
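As an added example (not part of the original note and not vsftpd's own tooling), the POSIX sh script below audits a vsftpd.conf for the settings listed above: it reads the effective value of each key (last uncommented assignment wins, as vsftpd itself treats the file), fails on any mismatch, and warns about allow_writeable_chroot=YES since that directive disables vsftpd's built-in refusal to chroot into a user-writable root. The two sample configurations it writes are constructed for the demo; the function names conf_get, check_vsftpd_conf and write_sample_conf are this example's own.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf against the settings in the note above.
# Assumes only POSIX sh, sed, tail, tr and mktemp; not part of vsftpd.

# conf_get FILE KEY -> prints the effective value of KEY (last uncommented
# assignment, whitespace stripped), or nothing if the key is never set.
conf_get() {
    sed -n "s/^[[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# check_vsftpd_conf FILE -> 0 if every expected key matches, 1 otherwise.
# Mismatches go to stderr; advisory findings are printed but do not fail.
check_vsftpd_conf() {
    conf="$1"
    rc=0
    # expected key=value pairs, taken from the configuration section above
    for want in anonymous_enable=NO local_enable=YES write_enable=YES \
                chroot_local_user=YES userlist_deny=NO ssl_enable=YES \
                pasv_min_port=50000 pasv_max_port=51000; do
        key=${want%%=*}
        val=${want#*=}
        have=$(conf_get "$conf" "$key")
        if [ "$have" != "$val" ]; then
            echo "MISMATCH $key: expected '$val', found '${have:-<unset>}'" >&2
            rc=1
        fi
    done
    # advisory: a writable chroot root is something vsftpd refuses by default
    if [ "$(conf_get "$conf" allow_writeable_chroot)" = "YES" ]; then
        echo "ADVISORY allow_writeable_chroot=YES: chroot root is writable" >&2
    fi
    return $rc
}

# write_sample_conf FILE weak|hardened -> writes a constructed sample config
# (made up for this example, not the distribution default file).
write_sample_conf() {
    case "$2" in
        weak)
            cat > "$1" <<'EOF'
# constructed sample: permissive defaults
anonymous_enable=YES
local_enable=YES
write_enable=YES
chroot_local_user=NO
listen=YES
EOF
            ;;
        hardened)
            cat > "$1" <<'EOF'
# constructed sample: the settings from the note above
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
pasv_min_port=50000
pasv_max_port=51000
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES
listen=YES
EOF
            ;;
    esac
}

# Stand-alone demo on the two constructed samples
tmpconf=$(mktemp)
write_sample_conf "$tmpconf" weak
if check_vsftpd_conf "$tmpconf"; then
    echo "weak sample unexpectedly passed"
else
    echo "weak sample rejected (expected)"
fi
write_sample_conf "$tmpconf" hardened
if check_vsftpd_conf "$tmpconf"; then
    echo "hardened sample passes"
fi
rm -f "$tmpconf"
```

To audit the live file, run `check_vsftpd_conf /etc/vsftpd/vsftpd.conf` after sourcing the script; the exit status is usable from a deployment check, and the advisory line is the cue to decide whether the writable chroot is acceptable for the host.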

To generate the certificate, run the command below and restart the vsftpd service:

$ sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
$ sudo systemctl restart vsftpd.service
$ sudo systemctl status vsftpd.service
Firewall configuration
$ sudo firewall-cmd --permanent --add-port=20-21/tcp
$ sudo firewall-cmd --permanent --add-port=50000-51000/tcp
$ sudo firewall-cmd --reload