If you have a CentOS 7 server and need an FTP service that only specific users can log in to, vsftpd (Very Secure FTP daemon) is a good choice. It is a lightweight, stable FTP server with a long security track record, and it supports TLS encryption and PAM-based authentication. Configuring it is less obvious than it looks, though: the user-list options in particular are easy to get backwards, and many examples found online do not work as written. This tutorial walks through a vsftpd configuration on CentOS 7 that we have tested, and by the end of it logins will be restricted to an explicit list of local users.
Before you begin, you will need:
- A CentOS 7 server with a non-root user with sudo privileges.
- SSH access to the server.
Step 1: Install vsftpd
The first step is to install vsftpd on your CentOS 7 server. You can do this by running the following command:
sudo yum install vsftpd
Step 2: Configure vsftpd
Once vsftpd is installed, you need to configure it to allow only specific users to access the FTP service. To do this, follow these steps:
- Open the vsftpd configuration file for editing:
sudo vi /etc/vsftpd/vsftpd.conf
Add or modify the following lines. Most of these keys already exist in the stock file, several with the opposite value (for example anonymous_enable=YES), so either edit the existing lines in place or append your values at the end of the file, but do not leave two copies of a key with different values: vsftpd takes the last occurrence, and a stale copy further down the file silently overrides yours.
pam_service_name=vsftpd
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
tcp_wrappers=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
# set pasv_enable=NO if you do not want passive mode (see the Windows note below)
pasv_enable=YES
pasv_min_port=1000
pasv_max_port=1030
pasv_address=<your server ip>
Windows command-line issue
The built-in Windows command-line FTP client (ftp.exe) does not support passive mode. If such clients must connect, set pasv_enable=NO. Be aware that in active mode the server opens the data connection back to the client from port 20, so the client side's firewall or NAT must allow that inbound connection, which is the reason passive mode is the default for most clients.
Here is a brief explanation of each option:
- pam_service_name=vsftpd: This option specifies the PAM service name that vsftpd should use for authentication.
- userlist_enable=YES: This option enables the use of a user list file.
- userlist_file=/etc/vsftpd/user_list: This option specifies the path to the user list file.
- userlist_deny=NO: This option allows users listed in the user list file to log in.
- tcp_wrappers=YES: This option enables TCP wrappers, so /etc/hosts.allow and /etc/hosts.deny can control which client addresses may connect at all.
- anonymous_enable=NO: This option disables anonymous FTP access.
- local_enable=YES: This option enables local user authentication.
- write_enable=YES: This option enables write access for authenticated users.
- chroot_local_user=YES: This option confines each local user to their home directory after login; the user sees it as /.
- allow_writeable_chroot=YES: This option allows the chroot root (the user's home directory) to be writable. By default vsftpd refuses to start a session in a writable chroot root ("500 OOPS: vsftpd: refusing to run with writable root inside chroot()"), because a writable jail root undermines the isolation the chroot is meant to provide; this option overrides that check. A safer layout is to keep the home directory owned by root and not writable and give the user a writable subdirectory for uploads, in which case this option can stay at its default of NO.
- pasv_enable=YES: This option enables passive FTP mode.
- pasv_min_port=1000 and pasv_max_port=1030: These options define the range of ports vsftpd uses for passive-mode data connections. The range must be open in the firewall along with port 21, and it must not be a single port or port 21 itself, since each passive data connection needs its own listening port.
- pasv_address=<your server ip>: This option sets the address vsftpd advertises to clients for passive data connections. It is needed when the server is behind NAT and clients must connect to the public address; if the server's own address is reachable directly, the line can be omitted.
Add an FTP user
sudo useradd ftpuser1
# set the password for the user
sudo passwd ftpuser1
Edit the file user_list in the /etc/vsftpd/ directory. On CentOS 7 this file already exists: the package ships it pre-filled with system accounts (root, bin, daemon and so on) as a deny list. With userlist_deny=NO it becomes an allow list, so replace its contents with your users rather than adding to the existing entries.
# open in vi editor
sudo vi /etc/vsftpd/user_list
Add the usernames of the users who should be allowed to log in, one per line. For example
ftpuser1
ftpuser2
Restart the vsftpd service, and enable it so that it starts at boot. If firewalld is active, port 21 and the passive range 1000-1030 must also be opened, otherwise clients cannot connect or cannot transfer data.
sudo systemctl restart vsftpd
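The steps above, from editing vsftpd.conf to writing user_list, are collected here as a small shell script. It is an added example for this tutorial, not code from the vsftpd project or the original page, and it works on scratch copies of the files, never on /etc: every path is a parameter, the stand-in vsftpd.conf and user_list it builds are constructed for the demo, and pasv_address 203.0.113.10 is a documentation placeholder. It also models the login decision the settings produce (user_list logic plus the /etc/vsftpd/ftpusers deny file that CentOS 7's stock /etc/pam.d/vsftpd applies), which is what Step 3 verifies against a live server.

```shell
#!/bin/sh
# Added example (not part of vsftpd or the original tutorial): apply the
# settings above without creating duplicate keys, replace the stock deny-style
# user_list with an allow list, and evaluate which users the result lets in.
# All paths are parameters; the demo at the bottom uses constructed scratch
# files, never /etc. 203.0.113.10 is a documentation placeholder address.
set -eu

# vsftpd_set CONF KEY VALUE: rewrite every existing "KEY=..." line (commented
# out or not) as KEY=VALUE, or append it if absent. vsftpd honours the last
# occurrence of a key, so leaving two copies behind is how a setting silently
# fails to apply.
vsftpd_set() {
  conf=$1; key=$2; value=$3
  if grep -Eq "^#?[[:space:]]*${key}=" "$conf"; then
    tmp=$(mktemp)
    sed -E "s|^#?[[:space:]]*${key}=.*|${key}=${value}|" "$conf" > "$tmp"
    mv "$tmp" "$conf"
  else
    printf '%s=%s\n' "$key" "$value" >> "$conf"
  fi
}

# vsftpd_get CONF KEY: print the effective (last uncommented) value, or nothing.
vsftpd_get() {
  { grep -E "^$2=" "$1" || true; } | tail -n 1 | cut -d= -f2-
}

# vsftpd_allowlist FILE USER...: overwrite FILE. CentOS 7 ships
# /etc/vsftpd/user_list pre-filled with root, bin, daemon, ... as a deny list;
# once userlist_deny=NO those names would become the only permitted logins,
# so the file must be replaced, not appended to.
vsftpd_allowlist() {
  file=$1; shift
  {
    echo '# vsftpd allow list (userlist_deny=NO): only these users may log in'
    printf '%s\n' "$@"
  } > "$file"
}

# vsftpd_can_login CONF USER_LIST FTPUSERS USER: prints "allow" or "deny: why",
# modelling the user-list check and the PAM pam_listfile deny file
# (/etc/vsftpd/ftpusers in CentOS 7's stock /etc/pam.d/vsftpd).
vsftpd_can_login() {
  conf=$1; user_list=$2; ftpusers=$3; user=$4
  if [ "$(vsftpd_get "$conf" local_enable)" != YES ]; then
    echo 'deny: local_enable is not YES'; return 0
  fi
  if [ "$(vsftpd_get "$conf" userlist_enable)" = YES ]; then
    deny=$(vsftpd_get "$conf" userlist_deny); [ -n "$deny" ] || deny=YES
    listed=no; grep -qx -- "$user" "$user_list" 2>/dev/null && listed=yes
    if [ "$deny" = YES ] && [ "$listed" = yes ]; then
      echo "deny: $user is in user_list and userlist_deny=YES"; return 0
    fi
    if [ "$deny" = NO ] && [ "$listed" = no ]; then
      echo "deny: $user is not in user_list and userlist_deny=NO"; return 0
    fi
  fi
  if grep -qx -- "$user" "$ftpusers" 2>/dev/null; then
    echo "deny: $user is in $ftpusers (PAM deny list)"; return 0
  fi
  echo allow
}

# --- Stand-alone demo on constructed scratch files ---------------------------
demo=$(mktemp -d)
cat > "$demo/vsftpd.conf" <<'EOF'
# constructed stand-in for the stock CentOS 7 file: anonymous access on,
# chroot commented out, no userlist_deny line (vsftpd's default is YES)
anonymous_enable=YES
local_enable=YES
write_enable=YES
#chroot_local_user=YES
userlist_enable=YES
tcp_wrappers=YES
pam_service_name=vsftpd
EOF
printf '%s\n' root bin daemon > "$demo/user_list"   # stock deny-style list
printf '%s\n' root bin daemon > "$demo/ftpusers"    # PAM deny file

while IFS='=' read -r key value; do
  vsftpd_set "$demo/vsftpd.conf" "$key" "$value"
done <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
pasv_enable=YES
pasv_min_port=1000
pasv_max_port=1030
pasv_address=203.0.113.10
EOF
vsftpd_allowlist "$demo/user_list" ftpuser1 ftpuser2

for u in ftpuser1 ftpuser3 root; do
  printf '%-9s %s\n' "$u" \
    "$(vsftpd_can_login "$demo/vsftpd.conf" "$demo/user_list" "$demo/ftpusers" "$u")"
done
rm -rf "$demo"
```

Running it prints allow for ftpuser1 and a deny reason for ftpuser3 and root. Flipping userlist_deny back to YES in the demo shows the trap the tutorial is about: ftpuser3 would then be admitted and only the listed names would be blocked.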
Step 3: Test vsftpd
To check that vsftpd is working and that the allow list is in effect, follow these steps:
Open your FTP client of choice (such as FileZilla) and connect to your CentOS 7 server using its IP address or hostname.
Enter the username and password of one of the users listed in the user_list file.
If the login succeeds, you should see the files in the user's home directory, which the chroot presents as /.
Then try a username that is not in user_list: vsftpd should reject it with "530 Permission denied" before it even asks for a password. If that user is let in, userlist_deny is still at its default of YES and the file is being treated as a deny list.
Congratulations! You have successfully configured vsftpd on CentOS 7 to allow only specific users to access the FTP service.