Site icon Ryadel

How to install and configure a FTP Server in Linux CentOS 7.x with VSFTPD

How to install and configure a FTP Server in Linux CentOS 7.x with VSFTPD

FTP, short for File Transfer Protocol, is a traditional and widely used standard for transferring files over a network. The transfer happens via a standard client-server connection with or without authentication support, as the server can be opened to anonymous users as well as restricting access to registered ones. Although FTP is considered to be reliable and secure it has big security flaws, the most critical one being the fact that the user credentials and data are trasmitted without encryption. This issue has been addressed in 1996 with the introduction of FTPS, also known as FTPESFTP-SSLS-FTP and FTP Secure - an extension to FTP that adds support for the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) cryptographic protocols.

IMPORTANT: It's very important to non confuse FTPS with the SSH File Transfer Protocol (SFTP), a secure file transfer subsystem for the Secure Shell (SSH) protocol it is not compatible with. It is also conceptually different from FTP over SSH, which depicts the practice of tunneling a standard FTP connection through an SSH channel.

In this article we'll show how to install, configure and secure VSFTPD, a standard FTP server, in CentOS/RHEL 7 and Fedora distributions: in a follow-up post we'll also explain how to properly secure it by adding SSL/TLS support with a self-signed SSL certificate.

Installing VSFTPD

VSFTPD, aka for "Very Secure FTP Daemon", is a small, lightweight and extensible FTP server that can be installed on any Linux machine in a couple minutes. All that we need to do in a CentOS 7.x machine is to input the following command in the terminal:

Start & Enable the service

Right after that, we need to manually start the service and also enable it to start automatically from the next system boot as well. We can do that in the following way:

Opening the Firewall port(s)

Last but not least, in order to allow access to FTP services from external systems, we have to open port 21, where the FTP daemons are listening. To do that, assuming that the public zone is the one associated with WAN, we can use these terminal commands:

Passive Mode

In case we want our FTP server to work in passive mode we should also open a range of ports matching those that we will define in the VSFTPD configuration file (see below):

This will open a grand total of 100 TCP ports (40001-40100) for passive mode.

Needless to say, the above lines take for granted that the public zone is bound to the WAN: if this is not the case, be sure to open these ports on the right zone.

Configuring the FTP Server

The next step would be opening the vsftpd.conf  file and setup and secure our brand-new FTP server. Before proceeding, it's advisable to make a backup of the original config file in the following way:

Right after that, open the .conf file above and set the following options:

The above settings are good for a general purpose FTP server: most of them mimics the default VSFTPD values with few notable exceptions such as pasv_enable and max_per_ip (see below). Feel free to adjust them to better your suit your needs.

Passive Mode

To configure passive mode for VSFTPD we need to set the following parameters:

This will enable passive mode and will also restrict it to use 100 ports for data connections (from TCP 40001 to TCP 40100): it goes without saying that these ports need to match those we opened earlier on the firewall (see above).

Max connections per single IP Address

By default VSFTPD allows unlimited connection from the same client IP address, which can expose the FTP service to flood-based attacks or make it prone to some sort of client's abuse. In order to overcome this, there is a special directive called max_per_ip that can be used to force the server to use limited number of connection:

That's it for now: in the following article we'll show how to strengthen the FTP server even further using SSL/TLS for secure connections and file transfers.

CONTINUE TO THE NEXT POST

 

Exit mobile version