Very secure FTP daemon (vsftpd) is a lightweight, safe, and easy-to-use FTP server software for Linux. This article describes how to install and configure vsftpd on a Linux Elastic Compute Service (ECS) instance.
An ECS instance is created and assigned a public IP address. For information about how to create an ECS instance, see Creation methods.
FTP is a protocol that is used to transfer files. FTP is based on a client-server architecture and supports the following work modes:
Note: Most FTP clients are located in LANs, have no independent public IP addresses, and are protected by firewalls. This makes it difficult for FTP servers in active mode to connect to the clients. If you do not have special requirements, we recommend that you use passive mode for the FTP server.
FTP supports the following authentication modes:
In this article, vsftpd is configured in passive and local user modes. For information about how to configure an FTP server to allow anonymous users to access the FTP server and how to use third-party FTP client tools, see the "FAQ" section of Manually build an FTP site on a CentOS 7 instance.
In this article, the following resources are used in the procedure:
Note: The commands and parameters may vary based on your software version.
1. Connect to a Linux instance. For more information, see Connection methods.
2. Run the following command to install vsftpd:
dnf install -y vsftpd
A command output similar to the following one indicates that vsftpd is installed:
Installed:
vsftpd-3.0.3-35.0.1.al8.x86_64
Complete!
3. Run the following command to enable the FTP service to automatically start on system startup:
systemctl enable vsftpd.service
4. Run the following command to start the FTP service:
systemctl start vsftpd.service
Note:
If the "Job for vsftpd.service failed because the control process exited with error code" error message appears when you run the preceding command, check whether the following issues occur. If the issues occur, troubleshoot the issues and then restart FTP.
Run the lsof -i:21 command to check whether a process is running on the port. If a process is running on the port, run the kill -9 <Process ID> command to terminate the process.
Run the vim /etc/vsftpd/vsftpd.conf command to change the value of listen_ipv6 from YES to NO.
Run the ifconfig command to query the actual MAC address of the NIC. Then, run the vim /etc/sysconfig/network-scripts/ifcfg-eth0 command to add or modify the HWADDR=<Actual MAC address of the NIC> parameter for the NIC in the configuration file. An ifconfig command output similar to the following one is returned, which indicates the MAC address of the eth0 NIC.
5. Run the following command to query the listening port of the FTP service:
netstat -antup | grep ftp
A command output similar to the following one indicates that the FTP service starts and listens on port 21:
[root@iZbp14h7n3cwipjln62**** ~]# netstat -antup | grep ftp
tcp6 0 0 :::21 :::* LISTEN 5870/vsftpd
By default, local user mode is enabled. To use the FTP service, configure other parameters.
In this example, vsftpd is configured in passive and local user modes to ensure data security.
1. Run the following command to create a Linux user for the FTP service. In this example, the ftptest user is created.
adduser ftptest
2. Run the following command to change the password of the ftptest user:
passwd ftptest
Enter and confirm the password as prompted.
[root@iZbp14h7n3cwipjln62**** ~]# passwd ftptest
Changing password for user ftptest.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Note: To ensure password security, the entered password characters are hidden by default.
3. Run the following command to create a file directory for the FTP service.
In this example, the /var/ftp/test file directory is created.
mkdir /var/ftp/test
4. Run the following command to create a test file.
In this example, the testfile.txt test file is created. The test file is used to access the FTP server from an FTP client.
touch /var/ftp/test/testfile.txt
5. Run the following command to change the owner of the /var/ftp/test directory to ftptest:
chown -R ftptest:ftptest /var/ftp/test
6. Modify the vsftpd.conf configuration file.
a) Run the following command to open the configuration file of vsftpd.
If you installed vsftpd by running the apt install vsftpd command, the path of the configuration file is /etc/vsftpd.conf.
vim /etc/vsftpd/vsftpd.conf
b) Press the I key to enter the Insert mode.
c) Enable passive mode for the FTP server.
Configure the following parameters and use the default values for other parameters.
Note: When you modify or add information in the configuration file, pay attention to the format. For example, an extra space may cause the service to fail to restart.
Modify the following parameters:
#Deny anonymous users from logging on to the FTP server.
anonymous_enable=NO
#Allow local users to log on to the FTP server.
local_enable=YES
#Listen on IPv4 sockets.
listen=YES
Add a number sign (#) at the beginning of the line to comment out the following parameter and disable listening on IPv6 sockets.
#listen_ipv6=YES
Add the following parameters to the end of the configuration file. Change the value of pasv_address to the public IP address of the FTP server.
#Specify the directory of a local user after the local user logs on.
local_root=/var/ftp/test
#Limit all users to the home directory after they log on.
chroot_local_user=YES
#Use a list to specify exception users. Exception users are not limited to the home directory after they log on.
chroot_list_enable=YES
#Specify a file to store the list of exception users.
chroot_list_file=/etc/vsftpd/chroot_list
#Enable passive mode.
pasv_enable=YES
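#Allow logins when the chroot directory is writable by the user. Without this setting, vsftpd refuses to log a user in to a writable chroot directory.
allow_writeable_chroot=YES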
#Enter the public IP address of the Linux instance used in this topic.
pasv_address=<Public IP address of the FTP server>
#Specify the lowest possible port sent to the FTP clients for passive mode connections.
#We recommend that you use ports in a high number range, such as 50000 to 50010. These ports provide more secure access to the FTP server.
pasv_min_port=50000
#Specify the highest possible port sent to the FTP clients for passive mode connections
pasv_max_port=50010
For information about more parameters, see vsftpd configuration file and parameters.
d) Press the Esc key to exit the Insert mode. Enter :wq and press the Enter key to save and close the file.
7. Create the chroot_list file, and write the list of exception users to the file.
Note: If exception users do not exist, you must create the chroot_list file and leave the file empty.
a) Run the following command to create the chroot_list file:
vim /etc/vsftpd/chroot_list
b) Press the I key to enter the Insert mode.
c) Enter the list of exception users. Exception users are not limited to the home directory and have access to other directories.
d) Press the Esc key to exit the Insert mode. Enter :wq and press the Enter key to save and close the file.
8. Run the following command to restart vsftpd:
systemctl restart vsftpd.service
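The following script is an added example, not part of the original article. It lints a vsftpd.conf for the mistakes this procedure makes easy: stray spaces, anonymous login left on, both listeners enabled, no fixed passive port range, an unreplaced pasv_address placeholder, and a missing chroot_list file. The function names conf_get, vsftpd_findings and lint_vsftpd_conf are hypothetical, and the sample configuration at the end is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the article. Function names are hypothetical.

# Print the value of the last uncommented "option=value" line for an option.
conf_get() {  # usage: conf_get <file> <option>
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Print one finding per line for the settings this procedure relies on.
vsftpd_findings() {  # usage: vsftpd_findings <file>
    local f=$1 min max list
    # Flag lines that are not blank, a comment, or option=value without stray spaces.
    grep -nEv '^(#.*|[[:space:]]*|[a-z0-9_]+=([^[:space:]](.*[^[:space:]])?)?)$' "$f" |
        sed 's/^/malformed line /'
    # vsftpd's built-in default is anonymous_enable=YES, so NO must be explicit.
    [ "$(conf_get "$f" anonymous_enable)" = NO ] || echo "anonymous_enable is not NO"
    # listen and listen_ipv6 are mutually exclusive.
    if [ "$(conf_get "$f" listen)" = YES ] && [ "$(conf_get "$f" listen_ipv6)" = YES ]; then
        echo "listen and listen_ipv6 are both YES"
    fi
    # 0 or unset means "any port", which a fixed security group range cannot cover.
    min=$(conf_get "$f" pasv_min_port); max=$(conf_get "$f" pasv_max_port)
    case "$min" in ''|*[!0-9]*) min=0 ;; esac
    case "$max" in ''|*[!0-9]*) max=0 ;; esac
    if [ "$min" -eq 0 ] || [ "$max" -eq 0 ] || [ "$min" -gt "$max" ]; then
        echo "pasv_min_port/pasv_max_port do not define a fixed range"
    fi
    # The article's <...> placeholder must be replaced with a real address.
    case "$(conf_get "$f" pasv_address)" in *'<'*) echo "pasv_address is a placeholder" ;; esac
    # With chroot_list_enable=YES the list file must exist, even if empty.
    if [ "$(conf_get "$f" chroot_list_enable)" = YES ]; then
        list=$(conf_get "$f" chroot_list_file)
        [ -e "${list:-/etc/vsftpd.chroot_list}" ] || echo "chroot_list_file does not exist"
    fi
    return 0
}

# Print the findings; return 0 when the file is clean, 1 otherwise.
lint_vsftpd_conf() {  # usage: lint_vsftpd_conf <file>
    local out; out=$(vsftpd_findings "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"; return 1
}

# Constructed sample: space before "=", both listeners on, no passive range.
sample=$(mktemp)
printf '%s\n' 'anonymous_enable =NO' 'listen=YES' 'listen_ipv6=YES' > "$sample"
lint_vsftpd_conf "$sample" || true
rm -f "$sample"
```

To check the real file, call lint_vsftpd_conf /etc/vsftpd/vsftpd.conf and fix every finding before you restart the service.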
After you build the FTP site, add inbound rules to the security group of the instance to allow traffic on the following FTP ports. For more information, see Add a security group rule.
Note: Most clients are located in LANs and can map private IP addresses to public IP addresses to communicate with external resources. Therefore, the IP addresses returned by the ipconfig or ifconfig command may not be the actual public IP addresses of the clients. If you cannot log on to the FTP server from a client, check the public IP address of the client.
In passive mode, you must allow traffic on port 21 and all ports in the port range specified by pasv_min_port and pasv_max_port in the /etc/vsftpd/vsftpd.conf configuration file. The following table describes how to configure the inbound security group rules.
Rule direction | Action | Protocol type | Port range | Authorization object |
Inbound | Allow | Custom TCP | 21/21 | The public IP addresses of all clients that want to access the FTP server. Separate the IP addresses with commas (,). To allow all clients to access the FTP server, specify 0.0.0.0/0 as an authorization object. |
Inbound | Allow | Custom TCP | 50000/50010 | The public IP addresses of all clients that want to access the FTP server. Separate the IP addresses with commas (,). To allow all clients to access the FTP server, specify 0.0.0.0/0 as an authorization object. |
You can use FTP clients, Windows command-line tools, or browsers to check whether the FTP server is reachable. In this example, an on-premises host that runs a Windows Server 2012 R2 64-bit operating system is used as an FTP client to describe how to access the FTP server.
1. On the on-premises host, open File Explorer.
2. In the address bar, enter ftp://<Public IP address of the FTP server>:<FTP port>.
In this example, the public IP address of the Linux instance is used. Example: ftp://121.43.XX.XX:21.
Note:
If you cannot access the FTP site, perform the following operations:
3. In the Log on as dialog box, enter the FTP username and password that you configured and then click Logon.
After you log on to the FTP server, you can view the files in the specified directory on the FTP server. For example, you can view the test file named testfile.txt.