Installing and Configuring vsftpd FTP Server on CentOS 7

Overview

vsftpd (Very Secure FTP Daemon) is a lightweight, secure FTP server for UNIX-like operating systems including Linux, BSD, Solaris, and HP-UX. It is free and open source, offering excellent security features, bandwidth control, virtual user support, IPv6 compatibility, and high transfer rates.

Key Features

  • Runs with reduced system privileges, minimizing security risks
  • Implements chroot() functionality to isolate users within their home directories
  • Uses a privileged parent process for operations requiring elevated permissions
  • Treats all requests for elevated privileges as untrusted, requiring authentication
  • Continues to use chroot restrictions within the parent process

Installation and Configuration

Environment

  • OS: CentOS Linux release 7.6.1810 (Core)
  • Package: vsftpd.x86_64 3.0.2-25.el7

Installing vsftpd

[root@server ~]# yum -y install vsftpd

Configuration

Edit the vsftpd configuration file:

[root@server ~]# cd /etc/vsftpd
[root@server vsftpd]# vim vsftpd.conf

Essential settings:

# Disable anonymous access
anonymous_enable=NO

# Enable local user authentication
local_enable=YES

# Enable write permissions
write_enable=YES

# Set umask for newly created files and directories
local_umask=022

# Display directory messages
dirmessage_enable=YES

# Enable transfer logging
xferlog_enable=YES
xferlog_std_format=YES
xferlog_file=/var/log/vsftpd.log

# Originate active-mode (PORT) data connections from port 20
connect_from_port_20=YES

# Disable ASCII mode transfers for security
ascii_upload_enable=NO
ascii_download_enable=NO

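# Chroot configuration for user isolation: every local user is chrooted,
# except users named in chroot_list_file (with chroot_local_user=YES the
# list holds the exemptions, so keep it empty unless an exemption is intended)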
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/chroot_list

# PAM service name
pam_service_name=vsftpd

# Enable TCP wrappers
tcp_wrappers=YES

# Allow a writable chroot root (without this, vsftpd refuses logins when the
# chroot directory is writable by the user)
allow_writeable_chroot=YES

# Custom FTP port
listen_port=2121

# Passive mode configuration
pasv_enable=YES
pasv_min_port=64000
pasv_max_port=65000

# FTP root directory
local_root=/ftp/data/
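
To check the chroot, anonymous-access and passive-port settings above on a configured server, the following added example (not part of the original tutorial) reads a vsftpd.conf and reports what the values mean in combination. The function names and the sample user ftpadmin are hypothetical, the fallback values follow the vsftpd.conf man page defaults, and the chroot_list_file fallback is this page's path.

```bash
# Added example, not from the original page. Function names are hypothetical.
# Print the effective value of key $2 in file $1 (last wins), else fallback $3.
conf_get() {
    val=$(sed -n "s/^$2=//p" "$1" | tr -d '\r' | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# Print one finding per line for the vsftpd.conf given as $1.
audit_vsftpd() {
    conf=$1
    [ "$(conf_get "$conf" anonymous_enable YES)" = NO ] ||
        echo "WARN anonymous_enable is not NO: anonymous logins are accepted"
    all=$(conf_get "$conf" chroot_local_user NO)
    list=$(conf_get "$conf" chroot_list_enable NO)
    file=$(conf_get "$conf" chroot_list_file /etc/vsftpd/chroot_list)  # page's path
    if [ "$all" = YES ] && [ "$list" = YES ]; then
        # With both enabled, the list names users who are NOT chrooted.
        if [ ! -f "$file" ]; then
            echo "WARN chroot_list_file $file is missing"
        else
            grep -v '^[[:space:]]*$' "$file" | while read -r user; do
                echo "WARN user $user is exempt from chroot (listed in $file)"
            done
        fi
    elif [ "$all" != YES ] && [ "$list" != YES ]; then
        echo "WARN no local user is chrooted"
    fi
    [ "$(conf_get "$conf" allow_writeable_chroot NO)" = YES ] &&
        echo "INFO allow_writeable_chroot=YES: users can write to their chroot root"
    min=$(conf_get "$conf" pasv_min_port 0)
    max=$(conf_get "$conf" pasv_max_port 0)
    if [ "$min" -gt 0 ] 2>/dev/null && [ "$max" -ge "$min" ] 2>/dev/null; then
        echo "INFO firewall must allow ${min}-${max}/tcp for passive mode"
    else
        echo "WARN passive port range is unbounded or invalid (${min}-${max})"
    fi
}

# Constructed sample: the page's settings plus one listed user, ftpadmin.
demo() {
    d=$(mktemp -d)
    printf 'ftpadmin\n' > "$d/chroot_list"
    printf '%s\n' anonymous_enable=NO chroot_local_user=YES chroot_list_enable=YES \
        "chroot_list_file=$d/chroot_list" allow_writeable_chroot=YES \
        pasv_min_port=64000 pasv_max_port=65000 > "$d/vsftpd.conf"
    audit_vsftpd "$d/vsftpd.conf"
    rm -rf "$d"
}
demo
```

On the server, call audit_vsftpd /etc/vsftpd/vsftpd.conf as root so the chroot list file is readable.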

Firewall Configuration

For testing purposes, the firewall can be temporarily disabled:

[root@server vsftpd]# systemctl stop firewalld

For production environments, open the required ports:

[root@server vsftpd]# firewall-cmd --permanent --zone=public --add-port=2121/tcp
success
[root@server vsftpd]# firewall-cmd --permanent --zone=public --add-port=64000-65000/tcp
success
[root@server vsftpd]# firewall-cmd --reload
success

Creating FTP Users

Create a dedicated FTP user with restricted shell access:

[root@server vsftpd]# useradd -d /ftp/data/ -s /sbin/nologin ftpusera
[root@server vsftpd]# passwd ftpusera

Verify the user's shell is set to nologin:

[root@server vsftpd]# vim /etc/passwd

Ensure the user entry shows /sbin/nologin instead of /bin/bash.

Set ownership permissions:

[root@server vsftpd]# chown -R ftpusera /ftp/data/

Enabling Service Auto-Start

[root@server ~]# systemctl enable vsftpd.service

Service Management Commands

[root@server ~]# systemctl start vsftpd.service
[root@server ~]# systemctl status vsftpd.service

Testing the FTP Connection

Connect to the FTP server using any FTP client such as FileZilla Client or the command-line ftp tool to verify the configuration works correctly.

Troubleshooting

Issue 1: Missing chroot_list File

If you encounter an error related to the chroot list file, create the file or update the configuration path:

[root@server vsftpd]# touch /etc/vsftpd/chroot_list

Or modify the chroot_list_file directive in vsftpd.conf to point to an existing file.

Issue 2: SELinux Blocking Connections

If connections fail due to SELinux policies, disable SELinux:

[root@localhost ~]# vim /etc/selinux/config

SELINUX=disabled

After making this change, reboot the system or set SELinux to permissive mode temporarily.

Posted on Thu, 07 May 2026 22:00:16 +0000 by RHolm