Setting up a Quick and Secure FTP Server

This guide will show you how to setup an FTP server on CentOS using VSFTPd which is available via yum. besides being available directly via yum, VSFTPd is also very easily configurable and secure. There are a few tradeoffs including no support for quotas. If you need these, take a look at PureFTP, which is slightly more complex to setup and must be build from source.

This tutorial requires some proficiency with using the shell and text editors.

Installation

Installing VSFTP is done by simply grabbing it through yum:

yum -y install vsftpd

Configuration

To configure VSFTP for a single user access, follow these steps below; more can be added by repeating steps 2-7:

  • Create an FTP user group <sxh bash>groupadd ftp</sxh>
  • Modify the command below to suit your desires. We used “ftp” as the group, “user” as the username, and “/home/user” as the home directory for the account <sxh bash>useradd -g ftp -d /home/user/ -c “user” user</sxh>
  • Set the user's password <sxh bash>passwd user</sxh>
  • Create a fake shell for the ftp service <sxh bash>touch /bin/ftp</sxh>
  • Edit /etc/shells and add that fake shell (/bin/ftp) to the last line.
  • Next edit /etc/passwd and add the fake shell to the user <sxh bash>user:x:500:50: user :/home/user:/bin/ftp</sxh>
  • Check the user is listed in /etc/vsftpd.chroot_list but not in /etc/vsftpd/user_list or /etc/vsftpd/ftpusers as they will be unable to access the server if so.
  • In the VSFTP config file /etc/vsftpd/vsftpd.conf activate the following in order to jail users: <sxh bash>chrootlistenable=YES</sxh>

Finalize

Start the FTP service:

/etc/init.d/vsftpd start

We also do not recommend running SELinux with VSFTP:

echo 0 > /selinux/disable

Also if you are running a firewall via iptables, you will need to poke a hole for the service:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT

That's it! You now have a working and secure FTP server that can be accessed from anywhere!