Last update: 2022-10-18
To set up your CentOS machine as a secure FTP server, follow the steps below.
Install VSFTPD with
yum install vsftpd
Turn on vsftpd auto start with
(CentOS 6.x)
chkconfig --level 235 vsftpd on
service vsftpd start
(CentOS 7.x)
systemctl enable vsftpd
systemctl start vsftpd
Open vsftpd.conf
nano /etc/vsftpd/vsftpd.conf
and edit the following:
1. Change anonymous_enable=YES to anonymous_enable=NO
anonymous_enable=NO
2. Uncomment the chroot_local_user=YES line (on CentOS 5.x you will need to add this line)
chroot_local_user=YES
3. Change the default port number from 21 to XXXXX (where XXXXX is above 1024) with
listen_port=XXXXX
If this line doesn't exist, paste it at the end of the file. Be sure that port XXXXX is accessible.
4. Prevent FTP users from accessing any files outside their home directories by uncommenting the chroot directive (the same chroot_local_user=YES line as in step 2).
chroot_local_user=YES
5. The vsftpd version that ships with CentOS 7 does not permit chrooted local users to write by default (it refuses to start when a user's chroot root directory is writable). To "fix" this, you'll need to add the following line:
allow_writeable_chroot=YES
Keep in mind that a writable chroot root weakens the jail; where your workflow allows it, keep the home directory read-only and give users a writable subdirectory instead.
Restart vsftpd with service vsftpd restart. Please keep in mind that changing the default port number doesn't mean your server is 100% secure. It will help you avoid random dictionary attacks and your log files will be much smaller. A good password is a MUST.
Other options
6. Passive FTP Connections
Vsftpd can use any port for passive FTP connections (for example when the server is behind a router). Specify the minimum and maximum of the port range and later open that range on your router. Also, replace xxx.xxx.xxx.xxx with your public IP (the IP on the WAN side of the router).
Add the following lines to the configuration file
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100
pasv_address=xxx.xxx.xxx.xxx
7. Limiting User Login
To allow only certain users to log in to the FTP server, add the following lines after the userlist_enable=YES line
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
Now you need to explicitly specify which users are able to log in by adding their user names to the /etc/vsftpd/user_list file (one user per line).
8. Securing Transmissions with SSL/TLS
To encrypt the FTP transmissions with SSL/TLS, you'll need to have an SSL certificate and configure the FTP server to use it. If you have a domain or subdomain pointing to the FTP server's IP address you can easily generate a free Let's Encrypt SSL certificate. Alternatively, you can use an existing certificate signed by a trusted CA, or you can create a self-signed certificate with:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem
Add the following lines to the conf file (if you are using Let's Encrypt, set the paths to the LE-generated pem files)
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES
9. Other options
To enable dual log files (by default the log goes to xferlog) add
dual_log_enable=YES
10. Restart vsftpd with
systemctl restart vsftpd
11. Opening the Firewall
If you are running a firewall you'll need to allow FTP traffic.
To open port xxxx (FTP command port), port yyyy (FTP data port) and 40000-40100 (passive port range), issue the following commands. The --permanent rules only take effect after a reload, so finish with firewall-cmd --reload.
firewall-cmd --permanent --add-port=yyyy-xxxx/tcp
firewall-cmd --permanent --add-port=40000-40100/tcp
firewall-cmd --reload
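As an added example that is not part of the original guide, the following POSIX shell script applies the settings from steps 1-5 and 8 to a vsftpd.conf file (rewriting existing or commented-out lines instead of appending duplicates) and then checks that the must-have keys hold their expected values; the port 21021 and the temporary sample file are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the hardening keys from
# steps 1-5 and 8 to a vsftpd.conf file and verify the result.

# set_opt FILE KEY VALUE: rewrite an existing KEY line (commented out or not)
# in place, or append KEY=VALUE when the file has no such line.
set_opt() {
    if grep -Eq "^#?[[:space:]]*$2=" "$1"; then
        sed -i -E "s|^#?[[:space:]]*$2=.*|$2=$3|" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# get_opt FILE KEY: print the effective value (last uncommented assignment).
get_opt() {
    grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# harden_conf FILE PORT: PORT is the non-default listen port from step 3.
harden_conf() {
    set_opt "$1" anonymous_enable NO          # step 1
    set_opt "$1" chroot_local_user YES        # steps 2 and 4
    set_opt "$1" listen_port "$2"             # step 3
    # step 5: a writable chroot root weakens the jail; prefer a writable
    # subdirectory under a read-only home where the workflow allows it
    set_opt "$1" allow_writeable_chroot YES
    set_opt "$1" ssl_enable YES               # step 8
    set_opt "$1" rsa_cert_file /etc/vsftpd/vsftpd.pem
    set_opt "$1" rsa_private_key_file /etc/vsftpd/vsftpd.pem
}

# check_conf FILE: return 0 only if every must-have key holds its expected value.
check_conf() {
    [ "$(get_opt "$1" anonymous_enable)" = NO ] || return 1
    [ "$(get_opt "$1" chroot_local_user)" = YES ] || return 1
    [ "$(get_opt "$1" ssl_enable)" = YES ] || return 1
    port=$(get_opt "$1" listen_port)
    [ -n "$port" ] && [ "$port" -gt 1024 ] 2>/dev/null || return 1
}

# Constructed sample: the stock defaults the guide tells you to change.
conf=$(mktemp)
printf 'anonymous_enable=YES\n#chroot_local_user=YES\nlisten=YES\n' > "$conf"
check_conf "$conf" && echo "unexpected: stock defaults passed"
harden_conf "$conf" 21021        # 21021 is a placeholder port
check_conf "$conf" && echo "hardened config OK" || echo "check failed"
rm -f "$conf"
```

Run it against a copy of /etc/vsftpd/vsftpd.conf first and diff the result before touching the live file.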