vsftpd Configuration Guide
vsftpd is a secure and fast FTP server software for Linux systems. Its main configuration file is typically located at /etc/vsftpd/vsftpd.conf. This guide explains the most common configuration options.
Basic Directory and Port Settings
These options define the server's root directory and listening port.
# Directory local users are placed in after login. To confine them to it, combine with the chroot settings below.
local_root=/download
# Change default listening port (21). Requires service restart and firewall adjustment.
# listen_port=4449
User Access and Permission Control
These settings determine who can log in and their basic permissions.
# Allow anonymous login? YES or NO.
anonymous_enable=NO
# Allow local system users to log in? If NO, virtual users also cannot log in.
local_enable=YES
# Global write permission switch. Must be YES for uploads, deletions, or modifications.
write_enable=YES
# Default umask for files and directories created by local users.
# 022 gives directories 755 and files 644; 077 gives directories 700 and files 600.
local_umask=022
# Allow anonymous users to upload files? (requires write_enable=YES)
anon_upload_enable=NO
# Allow anonymous users to create directories?
anon_mkdir_write_enable=NO
Connection and Logging Settings
# Enable directory welcome messages (reads .message file in directory).
dirmessage_enable=YES
# Use port 20 for active mode data connections.
connect_from_port_20=YES
# Enable passive mode (PASV), important for clients behind firewalls.
pasv_enable=YES
# Enable transfer logging? Default NO. Enable for auditing.
xferlog_enable=NO
# Log file path (if xferlog_enable=YES, ensure file exists and is writable).
# xferlog_file=/var/log/xferlog
Performance and Timeout Settings
# Idle session timeout in seconds. Connection closes after this period.
# idle_session_timeout=600
# Data connection establishment timeout in seconds.
# data_connection_timeout=120
# Allow asynchronous ABOR command? Usually disable for security.
async_abor_enable=NO
# Enable ASCII mode transfers? Disable both for safer binary mode.
ascii_upload_enable=NO
ascii_download_enable=NO
# Allow recursive directory listing (e.g., ls -R). Enable for convenience, disable under heavy load.
ls_recurse_enable=YES
Advanced Security and Restrictions
# Lock local users into their home directory (chroot).
chroot_local_user=YES
# Enable exception user list.
chroot_list_enable=YES
# Path to exception list file. When chroot_local_user=YES, users listed here are NOT locked.
chroot_list_file=/etc/vsftpd/chroot_list
# Enable user list control.
userlist_enable=YES
# When userlist_enable=YES, this defines how the user_list file is used.
# NO means ONLY users in /etc/vsftpd/user_list are ALLOWED to log in (everyone else is denied).
# YES (the default) means the listed users are DENIED and everyone else may log in.
userlist_deny=NO
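The interplay of chroot_local_user, chroot_list_enable, userlist_enable and userlist_deny is easy to get backwards. The following added example (not part of this guide or of vsftpd itself) parses a vsftpd.conf fragment and computes, for a given user and the contents of the user_list and chroot_list files, whether that user may log in and whether the session is chrooted. The configuration text, user names and list contents are constructed for the example.

```python
"""Added example (not part of the guide): compute the effective access policy
that a vsftpd.conf plus its user_list and chroot_list yield for a given user."""

# Constructed sample configuration mirroring the guide's settings above.
SAMPLE_CONF = """
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list
userlist_enable=YES
userlist_deny=NO
"""


def parse_conf(text):
    """Parse key=value lines; '#' comments and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def is_yes(conf, key, default="NO"):
    return conf.get(key, default).upper() == "YES"


def effective_policy(conf, user, user_list, chroot_list):
    """Return whether `user` may log in and whether the session is chrooted.
    user_list / chroot_list are sets of user names read from the list files."""
    can_login = is_yes(conf, "local_enable")
    if can_login and is_yes(conf, "userlist_enable"):
        listed = user in user_list
        # userlist_deny=NO turns user_list into an allow-list (listed users only);
        # the default YES turns it into a deny-list (listed users are rejected).
        can_login = listed if not is_yes(conf, "userlist_deny", "YES") else not listed
    chroot_all = is_yes(conf, "chroot_local_user")
    if is_yes(conf, "chroot_list_enable"):
        # chroot_list is an exception list: it reverses the chroot_local_user default.
        chrooted = (user not in chroot_list) if chroot_all else (user in chroot_list)
    else:
        chrooted = chroot_all
    return {"can_login": can_login, "chrooted": chrooted}
```

Run it against your real files (read /etc/vsftpd/user_list and chroot_list into sets) to confirm the policy matches what you intended before restarting the service.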
# Run in standalone mode, listening on IPv4 port.
listen=YES
# Listen on IPv6 port? Conflicts with listen=YES; only one can be enabled.
listen_ipv6=NO
# PAM service name for authentication.
pam_service_name=vsftpd
# Use TCP Wrappers for host-based access control (via /etc/hosts.allow and /etc/hosts.deny).
tcp_wrappers=YES
# Passive mode port range. Open this range in your firewall.
pasv_min_port=31888
pasv_max_port=36888
Connection and Rate Limits
# Maximum client connections allowed (0 = unlimited). Note the directive is max_clients (plural); vsftpd refuses to start on an unrecognised variable.
max_clients=5
# Maximum connections per IP address (0 = unlimited).
max_per_ip=5
# Maximum transfer rate for local users (bytes/sec, 0 = unlimited).
local_max_rate=0
# Maximum transfer rate for anonymous users (bytes/sec, 0 = unlimited).
anon_max_rate=0
Important Notes and Recommendations
- File Creation: If configuration files like chroot_list or user_list don't exist, create them manually.
- Permission Management: After modifying the configuration, ensure relevant files (e.g., log files) have correct ownership and permissions for the vsftpd process.
- SELinux: On systems with SELinux enabled, you may need to adjust boolean values (e.g., setsebool -P ftp_home_dir on) or file contexts.
- Firewall: If you change the default port or enable passive mode, open the necessary ports in your system firewall.
- Applying Changes: After modifying vsftpd.conf, restart the vsftpd service (e.g., systemctl restart vsftpd).