
How to Set Up a Secure FTP Server with vsftpd on Linux (Modern Configuration Guide)


Introduction

Setting up an FTP server on Linux is a common task, but FTP itself sends credentials and file contents in plaintext, and a careless vsftpd configuration can expose more of the filesystem, or more accounts, than intended. This guide uses vsftpd (Very Secure FTP Daemon) to build a working, hardened FTP server on modern Linux distributions (CentOS/RHEL 8+ or Ubuntu 20.04+), including fixes for the problems that come up most often.

Installation

Install vsftpd using your distribution's package manager.

RHEL/CentOS/Fedora

sudo dnf install vsftpd
sudo systemctl enable --now vsftpd

Debian/Ubuntu

sudo apt update
sudo apt install vsftpd
sudo systemctl enable --now vsftpd

Basic Security Configuration

The main configuration file is /etc/vsftpd/vsftpd.conf on RHEL-family systems and /etc/vsftpd.conf on Debian/Ubuntu. Back up the original file, then apply these key settings. Write each line exactly as key=value: vsftpd rejects whitespace around the = sign with "500 OOPS: unrecognised variable in config file".

# Disable anonymous login (vsftpd's compiled-in default is YES, so set this explicitly)
anonymous_enable=NO
# Allow local users to log in and to write; write_enable defaults to NO and
# without it no upload, mkdir or delete works for anyone
local_enable=YES
write_enable=YES
# Enable logging (vsftpd's native one-line-per-event format, since
# xferlog_std_format defaults to NO)
xferlog_enable=YES
xferlog_file=/var/log/vsftpd.log
# Restrict users to their home directories (chroot)
chroot_local_user=YES
# vsftpd refuses to run if the chroot root is writable unless this is set.
# Issue 1 below describes the safer layout (root-owned home, writable
# subdirectory) that lets you drop this line.
allow_writeable_chroot=YES
# Use local time in log timestamps
use_localtime=YES
# Enable passive mode with a fixed port range; open the same range in the firewall
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
# Connection limits
max_clients=50
max_per_ip=5

After editing, restart the service: sudo systemctl restart vsftpd.

Common Issues & Solutions

Issue 1: User Cannot Upload Files or Create Directories

Cause: Usually write_enable is missing from the configuration, the directory ownership or permissions are wrong, or SELinux is blocking the write. If the login itself fails with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()", the user's chroot root is writable and allow_writeable_chroot=YES is not set.

Solution:

  1. Confirm write_enable=YES is present in the configuration (it defaults to NO), then restart vsftpd.
  2. Check directory ownership and permissions:
    sudo chmod 755 /home/ftpuser
    sudo chown ftpuser:ftpuser /home/ftpuser
    This makes the chroot root writable by the user, which is exactly what allow_writeable_chroot=YES in the configuration above permits. The safer layout is to leave /home/ftpuser owned by root with mode 755 and give the user a writable subdirectory (for example /home/ftpuser/upload owned by ftpuser): the user still logs in to the chroot, can only write inside the subdirectory, and allow_writeable_chroot can be removed.
  3. SELinux settings (check getenforce first; skip this if it reports Disabled):
    sudo setsebool -P ftp_home_dir on
    # Or for a specific directory (on RHEL 8+ semanage is in policycoreutils-python-utils):
    sudo semanage fcontext -a -t public_content_rw_t "/home/ftpuser(/.*)?"
    sudo restorecon -Rv /home/ftpuser
    # vsftpd may only write to public_content_rw_t when this boolean is also on:
    sudo setsebool -P ftpd_anon_write on
    Denials are recorded in /var/log/audit/audit.log; ausearch -m AVC -c vsftpd shows them.

Issue 2: Secure Anonymous Upload (If Required)

Not recommended, but for controlled internal networks a write-only drop box can be set up:

  1. Enable in config (write_enable=YES is required for any upload, anonymous included):
    anonymous_enable=YES
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=NO
    anon_root=/var/ftp/pub
  2. Create and secure the upload directory:
    sudo mkdir -p /var/ftp/pub/incoming
    sudo chown root:ftp /var/ftp/pub/incoming
    sudo chmod 730 /var/ftp/pub/incoming
  With root as owner and the ftp group (the account anonymous sessions run as is ftp; confirm its group with id ftp) holding only write and search permission, anonymous clients can create files but cannot list or read what others dropped, and anon_other_write_enable=NO blocks deletes and renames. Uploaded files are created under anon_umask (default 077), so they are not world-readable and cannot be downloaded back. /var/ftp/pub itself must stay owned by root and not writable, or vsftpd refuses the session with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()".

Issue 3: Change Default FTP Port

Moving off port 21 cuts the noise from untargeted scanners and brute-force bots. It is not a security control on its own, so keep the TLS and access-control settings regardless.

  1. Add to config: listen_port=2121
  2. Update the firewall (firewalld example). The passive range from the configuration above has to be opened explicitly as well: once the control channel is encrypted (Issue 4) the kernel's FTP connection-tracking helper can no longer read the PASV replies and open data ports on demand.
    sudo firewall-cmd --permanent --remove-service=ftp
    sudo firewall-cmd --permanent --add-port=2121/tcp
    sudo firewall-cmd --permanent --add-port=40000-50000/tcp
    sudo firewall-cmd --reload
    With ufw on Ubuntu the equivalents are ufw allow 2121/tcp and ufw allow 40000:50000/tcp.
  3. If SELinux is enforcing, label the new port so vsftpd is allowed to bind to it:
    sudo semanage port -a -t ftp_port_t -p tcp 2121
  4. Restart vsftpd and confirm it is listening on the new port: ss -ltnp | grep vsftpd

Issue 4: Enable TLS/SSL Encryption

Plain FTP sends the password and every file in cleartext. FTPS (explicit TLS, negotiated with AUTH TLS on the normal control port) encrypts both the control and the data channel.

  1. Generate a certificate (self-signed for testing; for production use a certificate from your CA). Keep the private key readable by root only. The paths below are the Debian/Ubuntu convention; on RHEL-family systems use /etc/pki/tls/certs and /etc/pki/tls/private:
    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout /etc/ssl/private/vsftpd.key \
      -out /etc/ssl/certs/vsftpd.crt
  2. Configure vsftpd:
    rsa_cert_file=/etc/ssl/certs/vsftpd.crt
    rsa_private_key_file=/etc/ssl/private/vsftpd.key
    ssl_enable=YES
    # Refuse plaintext logins and plaintext data transfers from local users
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    # SSLv2 and SSLv3 off. ssl_tlsv1=YES still permits TLS 1.0; builds from
    # vsftpd 3.0.3 on also accept ssl_tlsv1_1 and ssl_tlsv1_2 (check man 5
    # vsftpd.conf), which let you turn TLS 1.0 off without losing 1.1/1.2
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    # vsftpd's built-in cipher list is DES-CBC3-SHA; restrict to strong suites
    ssl_ciphers=HIGH
  3. Restart vsftpd and verify the handshake from a client machine with openssl s_client -connect <host>:21 -starttls ftp; the output should show the certificate and a TLS 1.2 or 1.3 session.
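The settings in the basic configuration and in this TLS section are easy to get subtly wrong, because vsftpd fills in its own compiled-in default for every key the file omits (anonymous_enable defaults to YES, ssl_ciphers to DES-CBC3-SHA). The Python script below is an added example, not part of this guide and not vsftpd's own code: it reads a vsftpd.conf, applies the defaults documented in vsftpd.conf(5) for the keys it checks, and reports anything weaker than the configuration recommended here. The sample configuration it runs on is constructed for the example, and the HIGH/MEDIUM/LOW labels are this example's own judgement, not something vsftpd defines.

```python
"""Audit a vsftpd.conf against the hardening settings in this guide.

Added example: not part of the original guide or of vsftpd. Keys the file
omits are filled from vsftpd's documented built-in defaults, so an empty
file is reported the way a running vsftpd would actually behave.
"""
from dataclasses import dataclass

# Built-in defaults from vsftpd.conf(5) for the keys checked below.
DEFAULTS = {
    "anonymous_enable": "YES",      # the compiled-in default really is YES
    "local_enable": "NO",
    "chroot_local_user": "NO",
    "allow_writeable_chroot": "NO",
    "anon_upload_enable": "NO",
    "ssl_enable": "NO",
    "force_local_logins_ssl": "YES",
    "force_local_data_ssl": "YES",
    "ssl_sslv2": "NO",
    "ssl_sslv3": "NO",
    "ssl_tlsv1": "YES",
    "ssl_ciphers": "DES-CBC3-SHA",  # weak; the guide sets ssl_ciphers=HIGH
    "pasv_min_port": "0",
    "pasv_max_port": "0",
}

@dataclass
class Finding:
    severity: str  # HIGH, MEDIUM or LOW (labels are this example's own)
    key: str
    message: str

def parse_conf(text):
    """Return {key: value} from vsftpd.conf text; '#' lines and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"bad config line (vsftpd rejects it too): {raw!r}")
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()  # vsftpd itself does not trim; we are lenient
    return conf

def is_yes(value):
    """vsftpd boolean: YES/TRUE/1 are true, anything else is false (case-insensitive)."""
    return value.strip().upper() in ("YES", "TRUE", "1")

def audit(text):
    """Return Findings for the configuration text, most severe first."""
    conf = dict(DEFAULTS)
    conf.update(parse_conf(text))
    findings = []
    def add(sev, key, msg):
        findings.append(Finding(sev, key, msg))
    if is_yes(conf["anonymous_enable"]):
        add("HIGH", "anonymous_enable", "anonymous logins permitted (vsftpd default); set anonymous_enable=NO")
        if is_yes(conf["anon_upload_enable"]):
            add("HIGH", "anon_upload_enable", "anonymous uploads allowed; use a root-owned mode-730 drop box or disable")
    if not is_yes(conf["ssl_enable"]):
        add("HIGH", "ssl_enable", "TLS off: passwords and files cross the network in plaintext")
    else:
        if not is_yes(conf["force_local_logins_ssl"]):
            add("HIGH", "force_local_logins_ssl", "plaintext logins still accepted next to TLS")
        if not is_yes(conf["force_local_data_ssl"]):
            add("MEDIUM", "force_local_data_ssl", "data channel may be sent unencrypted")
        for key in ("ssl_sslv2", "ssl_sslv3"):
            if is_yes(conf[key]):
                add("HIGH", key, "obsolete protocol version enabled")
        if is_yes(conf["ssl_tlsv1"]):
            add("MEDIUM", "ssl_tlsv1", "TLS 1.0 permitted; disable it if your build has ssl_tlsv1_1/ssl_tlsv1_2")
        if conf["ssl_ciphers"] == DEFAULTS["ssl_ciphers"]:
            add("MEDIUM", "ssl_ciphers", "cipher list left at the weak built-in default; set ssl_ciphers=HIGH")
    if is_yes(conf["local_enable"]) and not is_yes(conf["chroot_local_user"]):
        add("MEDIUM", "chroot_local_user", "local users are not confined to their home directories")
    if is_yes(conf["allow_writeable_chroot"]):
        add("LOW", "allow_writeable_chroot", "chroot root is writable; prefer a root-owned home plus a writable subdirectory")
    if int(conf["pasv_min_port"]) == 0 or int(conf["pasv_max_port"]) == 0:
        add("LOW", "pasv_min_port", "no fixed passive range, so the firewall cannot be limited to one")
    rank = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings.sort(key=lambda f: rank[f.severity])
    return findings

# Constructed sample: this guide's basic configuration before the TLS step.
SAMPLE_BASIC = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=50000
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_BASIC):
        print(f"{f.severity:<6} {f.key}: {f.message}")
```

Run against the basic configuration it reports the missing TLS block and the writable chroot root; run against an empty file it reports anonymous access, no TLS and no passive range, which is what a server started with that file would actually allow. Pipe in the live file with python3 audit.py < /etc/vsftpd/vsftpd.conf after replacing SAMPLE_BASIC with sys.stdin.read().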

Advanced Security Recommendations

  • User list access control: set userlist_enable=YES and userlist_file=/etc/vsftpd/user_list. Note that userlist_deny defaults to YES, which makes the file a deny list; set userlist_deny=NO to allow only the named users, and then list every FTP account explicitly.
  • Connection timeouts:
    idle_session_timeout=600
    data_connection_timeout=120
  • Regular updates and monitoring: keep vsftpd updated and watch /var/log/vsftpd.log, in particular for bursts of FAIL LOGIN entries from a single client address.
  • Consider SFTP instead: for new deployments, OpenSSH's SFTP subsystem provides secure file transfer over SSH with simpler configuration, a single port (no passive range to open), and the authentication you already manage for SSH.
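To make the monitoring recommendation concrete, the script below is an added example, not part of this guide and not vsftpd's own code. It parses the native log format vsftpd writes to /var/log/vsftpd.log (xferlog_enable=YES with xferlog_std_format left at its default of NO) and flags any client address that fails to log in five or more times within a sliding sixty-second window, which is what a password-guessing run looks like in that log. The log lines it runs on are constructed for the example; the threshold and window are assumptions to tune for your environment.

```python
"""Detect password guessing in vsftpd's native log format.

Added example: not part of the original guide or of vsftpd. With
xferlog_enable=YES and xferlog_std_format at its default of NO, vsftpd
logs one line per event, for example:

  Mon Mar  4 09:12:01 2024 [pid 3122] [ftpuser] FAIL LOGIN: Client "198.51.100.23"

This parses those lines and flags any client with at least `threshold`
FAIL LOGIN events inside a sliding window of `window_seconds`.
"""
import re
from collections import defaultdict
from datetime import datetime

# Timestamp, pid, optional [user], event name, client IP, then the rest of the
# line (path and size for UPLOAD/DOWNLOAD events).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) '
    r'\[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]*)\] )?'
    r'(?P<event>[A-Za-z ]+?): Client "(?P<client>[^"]+)"(?P<rest>.*)$'
)

def parse_line(line):
    """Return a dict for one vsftpd log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%a %b %d %H:%M:%S %Y")
    rec["pid"] = int(rec["pid"])
    return rec

def failed_login_sources(lines, threshold=5, window_seconds=60):
    """Map client IP -> peak number of FAIL LOGIN events in any window.

    Only clients whose peak reaches `threshold` are returned, so the result
    is directly usable as a block list (thresholds are assumptions to tune).
    """
    times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "FAIL LOGIN":
            times[rec["client"]].append(rec["time"])
    flagged = {}
    for client, stamps in times.items():
        stamps.sort()
        peak, start = 0, 0
        for end, t in enumerate(stamps):
            # Advance the window start until it lies within window_seconds of t.
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged

# Constructed sample log (not real traffic): one client guessing passwords
# quickly, one user mistyping twice an hour apart, plus normal activity.
SAMPLE_LOG = """\
Mon Mar  4 09:12:01 2024 [pid 3120] CONNECT: Client "198.51.100.23"
Mon Mar  4 09:12:01 2024 [pid 3119] [admin] FAIL LOGIN: Client "198.51.100.23"
Mon Mar  4 09:12:03 2024 [pid 3119] [admin] FAIL LOGIN: Client "198.51.100.23"
Mon Mar  4 09:12:05 2024 [pid 3119] [root] FAIL LOGIN: Client "198.51.100.23"
Mon Mar  4 09:12:07 2024 [pid 3119] [ftp] FAIL LOGIN: Client "198.51.100.23"
Mon Mar  4 09:12:09 2024 [pid 3119] [ftpuser] FAIL LOGIN: Client "198.51.100.23"
Mon Mar  4 09:12:12 2024 [pid 3119] [ftpuser] FAIL LOGIN: Client "198.51.100.23"
Mon Mar  4 09:30:40 2024 [pid 3140] CONNECT: Client "192.0.2.10"
Mon Mar  4 09:30:44 2024 [pid 3139] [ftpuser] FAIL LOGIN: Client "192.0.2.10"
Mon Mar  4 09:30:52 2024 [pid 3139] [ftpuser] OK LOGIN: Client "192.0.2.10"
Mon Mar  4 09:31:10 2024 [pid 3141] [ftpuser] OK UPLOAD: Client "192.0.2.10", "/upload/report.pdf", 204800 bytes, 812.55Kbyte/sec
Mon Mar  4 10:31:02 2024 [pid 3201] [ftpuser] FAIL LOGIN: Client "192.0.2.10"
"""

if __name__ == "__main__":
    for ip, n in failed_login_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins within 60s")
```

The sliding window matters: a user who mistypes a password twice an hour apart never reaches the threshold, while six failures in eleven seconds do. Feed it the real file with failed_login_sources(open("/var/log/vsftpd.log")) from a cron job, and hand the returned addresses to the firewall (firewall-cmd --add-rich-rule or a fail2ban-style ban), keeping in mind that the same client IP may be a NAT gateway shared by many users.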

Conclusion

Building a secure FTP server on Linux requires attention to permissions, network configuration, encryption, and monitoring. This vsftpd guide provides a balanced approach. For production, tailor settings to your needs and consider modern alternatives like SFTP.
