
Simple Application Server: Build an FTP server (Linux)

Last Updated: Feb 29, 2024

Very Secure FTP Daemon (vsftpd) is lightweight, secure, and easy-to-use FTP server software for Linux. This topic describes how to install and configure vsftpd on a Linux-based simple application server and how to test the connectivity to the FTP server.

Prerequisites

A Linux-based simple application server is created. For more information, see Create a simple application server.

Background information

FTP is a protocol used to transfer files. FTP is based on a client-server model architecture and supports the following working modes:

  • Active mode: The client sends its port information to the FTP server, and the server establishes a connection to that port.

  • Passive mode: The FTP server enables a port and sends the port information to the client. The client initiates a connection to the port, and the server accepts the connection.

FTP supports the following authentication modes:

  • Anonymous user mode: Users can log on to the FTP server without a username or password. This is the least secure authentication mode. In most cases, this mode is used to transfer unimportant public files. We recommend that you do not use this mode in a production environment.

  • Local user mode: The system authenticates users by checking whether they are local Linux users. This mode is more secure than the anonymous user mode.

  • Virtual user mode: The Linux system authenticates users by checking whether they are virtual users. Virtual users have access only to the FTP service that the Linux system provides to them, and do not have access to other resources of the system. Virtual user mode is more secure than anonymous and local user modes. If you have high security requirements on server data, we recommend that you configure virtual user mode under the guidance of professionals.

This topic describes the easy-to-configure anonymous user mode and the more secure local user mode.

Step 1: Make preparations

FileZilla is an FTP client tool. In the example, FileZilla is used to test connectivity to the FTP server. You must make the following preparations:

  1. Download and install FileZilla on your computer.

    To download FileZilla, visit FileZilla.

  2. Set a password for the Linux server.

    For more information, see Set or reset the password of a server.

Step 2: Install and configure vsftpd

In this topic, CentOS 7 is used as an example. The procedure varies based on operating systems. For more information, see Build an FTP site on an ECS instance.

  1. Connect to the Linux server.

    For more information, see Connect to a Linux server.

  2. Run the following command to check whether vsftpd is installed on the server:

    Some simple application servers that are deployed by using application images have vsftpd pre-installed. If you install vsftpd again, conflicts may occur.

    vsftpd -v

    If the following information is returned, vsftpd is installed in the simple application server. You do not need to install vsftpd again. You can obtain the username and password of the FTP server by referring to relevant application image documentation. Then, you can configure the firewall and use an FTP client to test connectivity to the FTP server. For more information, see the Step 4: Configure the firewall of the Linux server and Step 5: Check whether you can access the FTP server from the FTP client sections of this topic.

    [admin@iZ2579sxicu**** ~]$ vsftpd -v
    vsftpd: version 3.0.2
  3. Run the following command to install vsftpd:

    sudo yum install -y vsftpd

    If the following message appears, vsftpd is installed. [Figure: installing FTP]

  4. Run the following command to enable the FTP service to automatically start on system startup:

    sudo systemctl enable vsftpd.service
  5. Run the following command to start the FTP service:

    sudo systemctl start vsftpd.service
    Note

    If the FTP service cannot be started and the system returns the "Job for vsftpd.service failed because the control process exited with error code" error message, check whether port 21 is used by other services and troubleshoot the issue.

    1. Run the lsof -i:21 command to check if a process exists.

    2. If a process exists, run the kill -9 <Number of the process> command to kill the process.

  6. Run the following command to query the port number of the FTP service:

    sudo netstat -antup | grep ftp

    If you can view the port number of the FTP service, as shown in the following figure, the FTP service is started. [Figure: FTP status]

Step 3: Configure the access mode of the FTP server

You can configure the anonymous or local user mode for the FTP server. We recommend that you use the more secure local user mode.

(Recommended) Local user mode

  1. Run the following command to create a Linux user for the FTP service.

    In this example, the ftptest username is used.

    sudo adduser ftptest
  2. Run the following command to modify the password of the ftptest user:

    sudo passwd ftptest

    Follow the command line instructions to modify the password of the user.

  3. Run the following command to create a file directory for the FTP service:

    sudo mkdir /var/ftp/test
  4. Run the following command to change the owner of the /var/ftp/test directory to ftptest:

    sudo chown -R ftptest:ftptest /var/ftp/test
  5. Modify the vsftpd.conf configuration file.

    1. Run the following command to modify the /etc/vsftpd/vsftpd.conf configuration file.

      If you ran the apt install vsftpd command when you installed vsftpd, the path to the configuration file is /etc/vsftpd.conf.

      sudo vim /etc/vsftpd/vsftpd.conf
    2. Press the I key to enter the edit mode.

    3. Enable the passive mode for the FTP server.

      Configure the following parameters and retain the default values of other parameters.

      Important

      Before you copy the following parameters and paste them to the configuration file of the Linux server, make sure that the parameters are not commented out with the number sign (#). Make sure that the parameters are specified in valid formats. For example, an extra space may cause the service to fail to restart.

      Modify the values of the following parameters:

      #Disable anonymous users from logging on to the FTP server. 
      anonymous_enable=NO
      #Allow local users to log on to the FTP server. 
      local_enable=YES
      #Listen on IPv4 sockets. 
      listen=YES

      Add a number sign (#) to the beginning of the line to comment out the following parameter and disable the listening on IPv6 sockets:

      #listen_ipv6=YES

      Add the following parameters to the end of the configuration file. Replace the value of the pasv_address parameter with the public IP address of the simple application server.

      #Specify the directory of a local user after the local user logs on. 
      local_root=/var/ftp/test
      #Limit all users to the home directory after they log on. 
      chroot_local_user=YES
      #Use a list to specify exceptional users. Exceptional users are users who are not limited to the home directory after they log on. 
      chroot_list_enable=YES
      #Specify a file to contain the list of exceptional users. 
      chroot_list_file=/etc/vsftpd/chroot_list
      #Enable the passive mode. 
      pasv_enable=YES
      #Allow logons even though the chroot directory is writable by the user.
      allow_writeable_chroot=YES
      #Enter the public IP address of the simple application server. 
      pasv_address=39.105.xx.xx
      #Specify the minimum port number of the port range that can be used to transfer data in passive mode. 
      #We recommend that you use ports from a high number range, such as 50000 to 50010. These ports provide more secure access to the FTP server. 
      pasv_min_port=50000
      #Specify the maximum port number of the port range that is sent to the FTP clients for passive mode connections. 
      pasv_max_port=50010

      For information about more parameters, see vsftpd configuration file and parameters.

    4. Press the Esc key to exit the edit mode. Enter :wq and press the Enter key to save and close the file.

  6. Create the chroot_list file, and write the list of exceptional users to the file.

    1. Run the following command to create the chroot_list file:

      sudo vim /etc/vsftpd/chroot_list
    2. Press the I key to enter the edit mode.

    3. Specify exceptional users. Exceptional users are not limited to the home directory and have access to other directories.

      Important

      You must create the chroot_list file even if no exceptional users exist. The file can be empty.

    4. Press the Esc key to exit the edit mode. Enter :wq and press the Enter key to save and close the file.

  7. Run the following command to disable the firewall:

    sudo systemctl stop firewalld
  8. Modify the configuration file.

    1. Run the following command to open the /etc/ssh/sshd_config file:

      sudo vi /etc/ssh/sshd_config
    2. Change the value of PasswordAuthentication to yes at the end of the file.

    3. Press the Esc key to exit the edit mode. Enter :wq! and press the Enter key to save and close the configuration file.

  9. Run the following command to restart the FTP service:

    sudo systemctl restart vsftpd.service

Anonymous user mode

  1. Run the following command to modify the /etc/vsftpd/vsftpd.conf configuration file.

    If you ran the apt install vsftpd command when you installed vsftpd, the path to the configuration file is /etc/vsftpd.conf.

    sudo vim /etc/vsftpd/vsftpd.conf
  2. Press the I key to enter the edit mode.

  3. Find the anonymous_enable parameter that specifies the anonymous mode, and the anon_upload_enable parameter that specifies the anonymous upload permission.

    The default settings in the configuration file may vary based on the Linux distribution of the simple application server. Make sure that the values of both parameters are YES after you modify the parameters.

    anonymous_enable=YES
    anon_upload_enable=YES
    listen=YES
    listen_ipv6=NO
  4. Add the following parameters to the end of the file:

    Important

    Before you copy the following parameters and paste them to the configuration file of the Linux server, make sure that the parameters are not commented out with the number sign (#). Make sure that the parameters are specified in valid formats. For example, an extra space may cause the service to fail to restart.

    #Enable the passive mode.
    pasv_enable=YES
    #Specify the minimum port number of the port range that can be used to transfer data in passive mode.
    #We recommend that you use ports from a high number range, such as 50000 to 50010. These ports provide more secure access to the FTP server.
    pasv_min_port=50000
    #Specify the maximum port number of the port range that is sent to the FTP clients for passive mode connections.
    pasv_max_port=50010
    #Enter the public IP address of the simple application server.
    pasv_address=39.105.xx.xx
  5. Press the Esc key to exit the edit mode. Enter :wq and press the Enter key to save and close the file.

  6. Run the following command to change the permissions on the /var/ftp/pub directory and grant write permissions on the directory to FTP users:

    /var/ftp/pub is the default file directory of the FTP service.

    sudo chmod o+w /var/ftp/pub/
  7. Run the following command to restart the FTP service:

    sudo systemctl restart vsftpd.service
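
The Important notes in Step 3 warn that commented-out parameters and stray spaces can stop the service from restarting. The following script is an added example, not part of the original procedure: it flags those formatting problems in a vsftpd.conf file and compares the file with the settings from the local user mode procedure. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original procedure. All names are illustrative.

# Print the effective value of KEY in FILE (the last uncommented KEY= line).
conf_get() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# Report lines that are neither "#" comments nor clean option=value settings.
lint_format() {
    awk '
        /^#/ || /^[ \t]*$/   { next }
        /^[ \t]/             { print NR ": leading whitespace"; next }
        /[ \t]$/             { print NR ": trailing whitespace"; next }
        /[ \t]=|=[ \t]/      { print NR ": space around ="; next }
        !/^[a-z0-9_]+=/      { print NR ": not option=value" }
    ' "$1"
}

# Compare FILE with the settings from the local user mode procedure.
check_local_mode() {
    for want in anonymous_enable=NO local_enable=YES chroot_local_user=YES pasv_enable=YES; do
        key=${want%%=*}
        got=$(conf_get "$1" "$key")
        [ "$got" = "${want#*=}" ] || echo "$key: expected ${want#*=}, found '${got:-unset}'"
    done
    min=$(conf_get "$1" pasv_min_port)
    max=$(conf_get "$1" pasv_max_port)
    [ "$min" -le "$max" ] 2>/dev/null ||
        echo "pasv_min_port/pasv_max_port: missing, non-numeric, or inverted"
}

# Constructed sample: trailing space (line 2), space before "=" (line 3),
# local_enable still commented out (line 4), inverted passive range.
sample_conf() {
    printf '%s\n' '#Constructed sample' 'anonymous_enable=NO ' 'listen =YES' \
        '#local_enable=YES' 'chroot_local_user=YES' 'pasv_enable=YES' \
        'pasv_min_port=50010' 'pasv_max_port=50000'
}

f=$(mktemp) && sample_conf > "$f" && lint_format "$f" && check_local_mode "$f"
rm -f "$f"
```

Run lint_format and check_local_mode against /etc/vsftpd/vsftpd.conf before you restart vsftpd.service.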

Step 4: Configure the firewall of the Linux server

After the FTP server is built, you must add rules in the firewall of the Linux server to enable the ports listed in the following table. For more information, see Manage a firewall.

In passive mode, you must enable port 21 and all the ports that belong to the port range specified by pasv_min_port and pasv_max_port in the /etc/vsftpd/vsftpd.conf configuration file. The following table describes the configuration details.

| Application type | Protocol | Port range |
| --- | --- | --- |
| FTP | TCP | 21 |
| Custom | TCP | pasv_min_port/pasv_max_port. Example: 50000/50010. |

After the firewall rules are added, they appear on the Firewall page, as shown in the following figure:

[Figure: firewall rules on the Firewall page]
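
Step 7 of the local user mode procedure stops firewalld. If you keep the host firewall running instead, it must allow the same ports as the table above. The following script is an added example, not part of the original procedure: it reads the passive port range from a vsftpd.conf file, prints the matching firewall-cmd commands, and reports required ports that a given firewall-cmd --list-ports output does not contain. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original procedure. All names are illustrative.

# Print "min-max" from pasv_min_port/pasv_max_port in FILE; fail if the
# range is missing, non-numeric, inverted, or outside 1-65535.
pasv_range() {
    awk -F= '
        $1 == "pasv_min_port" { min = $2 }
        $1 == "pasv_max_port" { max = $2 }
        END {
            ok = (min ~ /^[0-9]+$/ && max ~ /^[0-9]+$/ &&
                  min + 0 >= 1 && min + 0 <= max + 0 && max + 0 <= 65535)
            if (!ok) exit 1
            print min "-" max
        }
    ' "$1"
}

# Print (do not run) the firewalld commands for port 21 and the passive range.
firewall_cmds() {
    range=$(pasv_range "$1") || return 1
    for port in 21 "$range"; do
        echo "firewall-cmd --permanent --add-port=$port/tcp"
    done
    echo "firewall-cmd --reload"
}

# Given the output of "firewall-cmd --list-ports" ($1), print the ports that
# FILE ($2) needs but that are not listed as exact entries.
missing_ports() {
    range=$(pasv_range "$2") || return 1
    for port in 21/tcp "$range/tcp"; do
        case " $1 " in *" $port "*) ;; *) echo "$port" ;; esac
    done
}

# Constructed sample with the passive range used in this topic.
sample_conf() {
    printf '%s\n' 'pasv_enable=YES' 'pasv_min_port=50000' 'pasv_max_port=50010'
}

f=$(mktemp) && sample_conf > "$f" && firewall_cmds "$f" && missing_ports "21/tcp" "$f"
rm -f "$f"
```

Review the printed commands, then run them with sudo on the server.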

Step 5: Check whether you can access the FTP server from the FTP client

  1. Open the FileZilla client.

  2. In the top navigation bar, choose File > Site Manager.

  3. In the lower-left corner of the Site Manager dialog box, click New site (N).

  4. Enter a name for the new site and configure the new site.

    Note

    In this example, FileZilla 3.64.0 is used. The actual interface may vary based on your FileZilla version.

    [Figure: FileZilla]

    The following list describes the parameters:

    • Name: a custom site name. Example: test-01.

    • Protocol: FTP.

    • Host: the public IP address of the FTP server. In this topic, the value is the public IP address of the Linux instance. Example: 121.43.XX.XX.

    • Port: 21.

    • Logon Type: Anonymous.

      In this example, an FTP client is used to connect to the FTP server in anonymous mode. If you want to manage access to the FTP server, set the logon type to normal and configure the username and password.

  5. Click Connect.

    After you connect to the FTP server, you can upload, download, and delete files. The following figure shows a sample FileZilla interface.

    [Figure: FileZilla]

    The following table describes the sections in the preceding interface.

    | No. | Description |
    | --- | --- |
    | 1 | Commands, the connection status of the FTP server, and task execution results are shown. |
    | 2 | The section that displays the information about the on-premises host, including the directory information of the host. |
    | 3 | The section that displays the information about the remote server, including the directory information of the FTP server. In anonymous mode, the default directory is /pub. |
    | 4 | The section that displays records, including the queues and logs of the FTP task. |

vsftpd configuration file and parameters

The following section describes the files in the /etc/vsftpd directory:

  • /etc/vsftpd/vsftpd.conf is the core configuration file of vsftpd.

  • /etc/vsftpd/ftpusers is the blacklist file. Users specified in this file are not allowed to access the FTP server.

  • /etc/vsftpd/user_list is the whitelist file. Users specified in this file are allowed to access the FTP server.

The following tables describe the parameters that are used in the vsftpd.conf configuration file.

  • The following table describes the parameters for logon control.

    | Parameter | Description |
    | --- | --- |
    | anonymous_enable=YES | Accepts anonymous users. |
    | no_anon_password=YES | Anonymous users do not need a password to log on to the FTP server. |
    | anon_root= (none) | Specifies the home directory of anonymous users. |
    | local_enable=YES | Accepts local users. |
    | local_root= (none) | Specifies the home directory of local users. |

  • The following table describes the parameters that are used to manage the permissions of users.

    | Parameter | Description |
    | --- | --- |
    | write_enable=YES | Allows all users to upload files. |
    | local_umask=022 | Grants local users permissions to upload files. |
    | file_open_mode=0666 | Uses umask to grant permissions to upload files. |
    | anon_upload_enable=NO | Allows anonymous users to upload files. |
    | anon_mkdir_write_enable=NO | Allows anonymous users to create directories. |
    | anon_other_write_enable=NO | Allows anonymous users to modify and delete files. |
    | chown_username=lightwiter | Specifies the ownership of files that are uploaded by anonymous users. |