How to configure Very Secure File Transfer Protocol Daemon (vsFTPd)

File Transfer Protocol (FTP) is considered as the primary method used to transfer files over a network from computer to computer. FTP uses a client/server model. An FTP client is used to access the FTP server, and as a server, FTP provides access to files or storage.

Very Secure File Transfer Protocol Daemon (vsFTPd) is a fast and secure FTP daemon which is the preferred FTP server for Red Hat Enterprise Linux.

How to Install Very Secure File Transfer Protocol Daemon (vsFTPd)

You can use the rpm command to install vsFTPd as shown below.

[root@RHEL04 ~]# rpm -Uvh vsftpd-2.0.5-10.el5.i386.rpm

OR by using the yum command, if you have configured yum properly.

[root@RHEL04 ~]# yum –y install vsftpd

Once vsFTPd is installed, make sure it starts the next time you boot Linux. You can use the ‘chkconfig’ command to make the vsFTPd start working when you reboot the system.

[root@RHEL04 ~]# chkconfig vsftpd on

Main files and directories Installed with vsftpd

The vsftpd RPM installs the daemon (/usr/sbin/vsftpd), its configuration and related files, as well as FTP directories onto the system.

The following list shows the main files and directories related to vsftpd configuration:

• /etc/rc.d/init.d/vsftpd: The initialization script (initscript) used by the /sbin/service command to start, stop, or reload vsftpd.

• /etc/pam.d/vsftpd: The Pluggable Authentication Modules (PAM) configuration file for vsftpd.

• /etc/vsftpd/vsftpd.conf: The main configuration file for vsftpd.

• /etc/vsftpd/ftpusers: A list of users not allowed to log into vsftpd. By default, this list includes the root, bin, and daemon users, among others, since sending the username and password credentials of sensitive users using clear text is not secure.

• /etc/vsftpd/user_list: This file can be configured to either deny or allow access to the users listed, depending on whether the userlist_deny directive is set to YES (default) or NO in /etc/vsftpd/vsftpd.conf. If /etc/vsftpd.user_list is used to grant access to users, the usernames listed must not appear in /etc/vsftpd.ftpusers.

• /var/ftp/: — The directory containing files served by vsftpd. It also contains the /var/ftp/pub/ directory for anonymous users. Both directories are world-readable, but writable only by the root user.

vsFTPd configuration file /etc/vsftpd/vsftpd.conf

All configuration of vsftpd can be done by its configuration file, /etc/vsftpd/vsftpd.conf. Each directive is on its own line within the file and follows the following format:

<directive>=<value>

The lines starting with‘#’ are comments.

vsFTPd daemon Options in /etc/vsftpd/vsftpd.conf

The following is a list of directives which control the overall behavior of the vsftpd daemon.

• listen: When enabled, vsftpd runs in standalone mode. This value is set to YES by default. This directive cannot be used in conjunction with the listen_ipv6 directive.

• listen_ipv6: When enabled, vsftpd runs in standalone mode, but listen only to IPv6 sockets. This directive cannot be used in conjunction with the listen directive.

The default value is NO.

Log-in Options and Access Controls in /etc/vsftpd/vsftpd.conf

Anonymous access features can be changed for your FTP server by editing the vsftpd.conf file and changing related entries to YES or NO in the file. The main setting related with anonymous access are:

• anonymous_enable: Enabled by default. Use a setting of NO, and then restart the server to turn off anonymous access.

• anon_mkdir_write_enable: Allows or disallows creating of new directories.

• anon_other_write_enable: Allows or disallows deleting or renaming of files and directories.

• anon_upload_enable: Controls whether anonymous users can upload files (also depends on the global write_enable setting).

• anon_world_readable_only: Allows anonymous users to download only files with world-readable (444) permission

• no_anon_password: When enabled, the anonymous user is not asked for a password. The default value is NO.

• banner_file: Specifies the file containing text displayed when a connection is established to the server. This option overrides any text specified in the ftpd_banner directive.

• cmds_allowed — Specifies a comma-delimited list of FTP commands allowed by the server. All other commands are rejected.

• ftpd_banner: When enabled, the string specified within this directive is displayed when a connection is established to the server. This option can be overridden by the banner_file directive. By default vsftpd displays its standard banner.

• local_enable: When enabled, local users are allowed to log into the system.

• userlist_deny: If userlist_deny=NO, only allow users in userlist_file. If userlist_deny=YES (default), never allow users in userlist_file, and do not even prompt for a password.

• userlist_enable: When enabled, the users listed in the file specified by the userlist_file directive are denied access.

• userlist_file: Specifies the file referenced by vsftpd when the userlist_enable directive is enabled. This file is created when vsftp is installed and is located in /etc/vsftpd/user_list.

• ftp_username: Specifies the local user account (listed in /etc/passwd) used for the anonymous FTP user. The home directory specified in /etc/passwd for the user is the root directory of the anonymous FTP user. The default user is ftp and default home folder is /var/ftp/.

• chroot_list_enable: When enabled, the local users listed in the file specified in the chroot_list_file directive are placed in a chroot jail upon log in. If enabled in conjunction with the chroot_local_user directive, the local users listed in the file specified in the chroot_list_file directive are not placed in a chroot jail upon log in. The default value is NO.

• chroot_list_file: Specifies the file containing a list of local users referenced when the chroot_list_enable directive is set to YES. The default value is /etc/vsftpd/chroot_list.

• chroot_local_user: When enabled, local users are change-rooted to their home directories after logging in. The default value is NO.

Other important options in /etc/vsftpd/vsftpd.conf

• dirlist_enable: When enabled, users are allowed to view directory lists.

• write_enable: When enabled, FTP commands which can change the file system are allowed.

• accept_timeout: Specifies the amount of time for a client using passive mode to establish a connection. The default value is 60.

• anon_max_rate: Specifies the maximum data transfer rate for anonymous users in bytes per second. The default value is 0, which does not limit the transfer rate.

• connect_timeout: Specifies the maximum amount of time a client using active mode has to respond to a data connection, in seconds. The default value is 60.

• idle_session_timeout: Specifies the maximum amount of time between commands from a remote client. Once triggered, the connection to the remote client is closed.

• listen_address: Specifies the IP address on which vsftpd listens for network connections. There is no default value for this directive.

• listen_address6: Specifies the IPv6 address on which vsftpd listens for network connections when listen_ipv6 is set to YES. There is no default value for this directive.

• listen_port: Specifies the port on which vsftpd listens for network connections. The default value is 21.

• local_max_rate: Specifies the maximum rate data is transferred for local users logged into the server in bytes per second. The default value is 0, which does not limit the transfer rate.

• max_clients: Specifies the maximum number of simultaneous clients allowed to connect to the vsFTPd server when it is running in standalone mode. Any additional client connections to the vsFTPd server would result in an error message. The default value is 0, which does not limit connections.