[ad_1]
FTP (File Transfer Protocol) is a client-server network protocol that allows users to transfer files to and from a remote machine.
There are many open-source FTP servers available for Linux. The most popular and commonly used servers are PureFTPd
, ProFTPD
, and vsftpd
.
In this tutorial, we’ll be installing vsftpd (Very Secure Ftp Daemon) on CentOS 8. It is a stable, secure, and fast FTP server. We’ll also show you how to configure vsftpd to restrict users to their home directory and encrypt the data transmission with SSL/TLS.
Installing vsftpd on CentOS 8 #
The vsftpd package is available in the default CentOS repositories. To install it, run the following command as root or user with sudo privileges
:
sudo dnf install vsftpdOnce the package is installed, start the vsftpd daemon and enable it to start at boot time automatically:
sudo systemctl enable vsftpd --nowVerify the service status:
sudo systemctl status vsftpdThe output will look something like this, showing that the vsftpd service is active and running:
● vsftpd.service - Vsftpd ftp daemon
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2020-03-30 15:16:51 EDT; 10s ago
Process: 2880 ExecStart=/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf (code=exited, status=0/SUCCESS)
...
Configuring vsftpd #
The vsftpd server settings are stored in the /etc/vsftpd/vsftpd.conf configuration file. Most of the settings are well documented inside the file. For all available options, visit the official vsftpd
page.
In the following sections, we will go over some important settings required to configure a secure vsftpd installation.
Start by opening the vsftpd configuration file:
sudo nano /etc/vsftpd/vsftpd.conf1. FTP Access #
We’ll allow access to the FTP server only the local users, find the anonymous_enable and local_enable directives and make sure your configuration match to lines below:
/etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
2. Enabling uploads #
Uncomment the write_enable setting to allow changes to the filesystem, such as uploading and deleting files.
/etc/vsftpd/vsftpd.conf
3. Chroot Jail #
Prevent the FTP users from accessing any files outside of their home directories by uncommenting the chroot directive.
/etc/vsftpd/vsftpd.conf
By default, when chroot is enabled, vsftpd will refuse to upload files if the directory that the users are locked in is writable. This is to prevent a security vulnerability.
Use one of the methods below to allow uploads when the chroot is enabled.
-
Method 1. – The recommended method to allow upload is to keep the chroot enabled and configure FTP directories. In this tutorial, we will create an
ftpdirectory inside the user home, which will serve as the chroot and a writableuploadsdirectory for uploading files./etc/vsftpd/vsftpd.conf
user_sub_token=$USER local_root=/home/$USER/ftp -
Method 2. – Another option is to add the following directive in the vsftpd configuration file. Use this option if you must to grant writable access to your user to its home directory.
/etc/vsftpd/vsftpd.conf
allow_writeable_chroot=YES
4. Passive FTP Connections #
vsftpd can use any port for passive FTP connections. We’ll specify the minimum and maximum range of ports and later open the range in our firewall.
Add the following lines to the configuration file:
/etc/vsftpd/vsftpd.conf
pasv_min_port=30000
pasv_max_port=31000
5. Limiting User Login #
To allow only certain users to log in to the FTP server, add the following lines after the userlist_enable=YES line:
/etc/vsftpd/vsftpd.conf
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
When this option is enabled, you need to explicitly specify which users are able to login by adding the user names to the /etc/vsftpd/user_list file (one user per line).
6. Securing Transmissions with SSL/TLS #
In order to encrypt the FTP transmissions with SSL/TLS, you’ll need to have an SSL certificate and configure the FTP server to use it.
You can use an existing SSL certificate signed by a trusted Certificate Authority or create a self-signed certificate.
If you have a domain or subdomain pointing to the FTP server’s IP address, you can easily generate a free Let’s Encrypt
SSL certificate.
In this tutorial, we will generate a self-signed SSL certificate
using the openssl tool.
The following command will create a 2048-bit private key and self signed certificate valid for 10 years. Both the private key and the certificate will be saved in a same file:
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pemOnce the SSL certificate is created open the vsftpd configuration file:
sudo nano /etc/vsftpd/vsftpd.confFind the rsa_cert_file and rsa_private_key_file directives, change their values to the pam file path and set the ssl_enable directive to YES:
/etc/vsftpd/vsftpd.conf
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES
If not specified otherwise, the FTP server will use only TLS to make secure connections.
Restart the vsftpd Service #
Once you are done editing, the vsftpd configuration file (excluding comments) should look something like this:
/etc/vsftpd/vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
tcp_wrappers=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES
Save the file and restart the vsftpd service for changes to take effect:
sudo systemctl restart vsftpdOpening the Firewall #
how-to-configure-and-manage-firewall-on-centos-8
If you are running a you’ll need to allow FTP traffic.
To open port 21 (FTP command port), port 20 (FTP data port) and 30000-31000 (Passive ports range), on your firewall
enter the following commands:
sudo firewall-cmd --permanent --add-port=20-21/tcpsudo firewall-cmd --permanent --add-port=30000-31000/tcp
Reload the firewall rules by typing:
firewall-cmd --reloadCreating an FTP User #
To test the FTP server, we will create a new user.
- If you already have a user that you want to grant FTP access, skip the 1st step.
- If you set
allow_writeable_chroot=YESin your configuration file, skip the 3rd step.
-
Create a new user named
newftpuser:sudo adduser newftpuserNext, you’ll need to set the user password
:sudo passwd newftpuser -
Add the user to the allowed FTP users list:
echo "newftpuser" | sudo tee -a /etc/vsftpd/user_list -
Create the FTP directory tree and set the correct permissions
:sudo mkdir -p /home/newftpuser/ftp/uploadsudo chmod 550 /home/newftpuser/ftpsudo chmod 750 /home/newftpuser/ftp/uploadsudo chown -R newftpuser: /home/newftpuser/ftpAs discussed in the previous section, the user will be able to upload its files to the
ftp/uploaddirectory.
At this point, your FTP server is fully functional, and you should be able to connect to your server with any FTP client that can be configured to use TLS encryption such as FileZilla
.
Disabling Shell Access #
By default, when creating a user, if not explicitly specified, the user will have SSH access to the server.
To disable shell access, we will create a new shell which will simply print a message telling the user that their account is limited to FTP access only.
Run the following commands to create the /bin/ftponly shell and make it executable:
echo -e '#!/bin/shnecho "This account is limited to FTP access only."' | sudo tee -a /bin/ftponlysudo chmod a+x /bin/ftponly
Append the new shell to the list of valid shells in the /etc/shells file:
echo "/bin/ftponly" | sudo tee -a /etc/shellsChange the user shell to /bin/ftponly:
sudo usermod newftpuser -s /bin/ftponlyUse the same command to change the shell for other users you want to give only FTP access.
Conclusion #
We’ve shown you how to install and configure a secure and fast FTP server on CentOS 8.
For more secure and faster data transfers, you should use SCP
or SFTP
.
If you have any questions or feedback, feel free to leave a comment.
[ad_2]
Source link
