Now that you have a working server that is secured and backed up, you'll want to upload your web content to it. When you think of transferring files, you probably think of the File Transfer Protocol (FTP) because it has been around for so long. While simple to use, FTP has become obsolete because it offers no secure way to transfer files.
Instead, we recommend installing and using a secure file transfer mechanism, and we will introduce you to a few of them in this guide. This article shows you how to install vsftpd (very secure FTP daemon) and walks you through configuring the daemon to start on reboot.
Luckily for us, CentOS makes this easy with the packages available in YUM: there is no need to hunt down all the dependencies and extra features you might want. Use the following command to install everything you'll need:
sudo yum install vsftpd
The service command makes life simple in CentOS; here is how you start vsftpd:
sudo service vsftpd start
That was quick: we already have a working install of vsftpd on the server. Let's go ahead and make a couple of configuration changes for security and convenience.
The chkconfig tool in CentOS is your friend: you can use it to check which services will start on boot and at which run levels they start. To get vsftpd to start on the most common run levels (3, 4 and 5), use:
sudo chkconfig vsftpd on
Verify the "on" status by checking the complete chkconfig output:
chkconfig --list
or, for vsftpd only:
chkconfig --list vsftpd
The standard vsftpd configuration file and all related files for CentOS reside in /etc/vsftpd/, the most important being vsftpd.conf. We need to make two changes to this file for security and convenience.
Open /etc/vsftpd/vsftpd.conf in your favorite editor.
Change:

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES

to read:

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO

Change:

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list

to read:

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=NO
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
Add a fixed passive port range, so the ports used for passive data connections are known and can be opened in the firewall:

pasv_min_port=3000
pasv_max_port=3050

Confine local users to their home directories:

chroot_local_user=YES

Create the chroot list file that vsftpd.conf refers to:

sudo touch /etc/vsftpd/chroot_list

Open port 21 and the passive port range in iptables:

iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport 3000:3050 -j ACCEPT
iptables -I RH-Firewall-1-INPUT -m tcp -p tcp --dport 21 -j ACCEPT
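As an added check that is not part of this article, the script below audits a vsftpd.conf for the settings made above (anonymous_enable=NO, chroot_local_user=YES, a pinned passive port range) and confirms that the passive range fits inside the port range the iptables rule opens. The file path and firewall range are passed as arguments; the demo at the end runs against a constructed config, not a real server file.

```shell
# vsftpd_audit.sh: audit a vsftpd.conf for the hardening settings the article
# makes and check the passive range against the firewall rule's range.

# Effective value of a key; vsftpd takes the last uncommented assignment.
vsftpd_get() {   # $1=conf file  $2=key
    sed -n "s/^[[:space:]]*$2=\([^[:space:]]*\).*$/\1/p" "$1" | tail -n 1
}

# Usage: vsftpd_audit CONF FW_MIN FW_MAX   (FW_* = ports opened in iptables)
# Prints one line per finding; exit status 0 = pass, 1 = at least one failure.
vsftpd_audit() {
    conf=$1; fw_min=$2; fw_max=$3; rc=0
    anon=$(vsftpd_get "$conf" anonymous_enable)
    # An absent key means the compiled-in default, which for vsftpd is YES.
    if [ "${anon:-YES}" != "NO" ]; then
        echo "FAIL anonymous_enable=${anon:-<unset, defaults to YES>}"; rc=1
    fi
    chroot=$(vsftpd_get "$conf" chroot_local_user)
    if [ "${chroot:-NO}" != "YES" ]; then
        echo "FAIL chroot_local_user=${chroot:-<unset, defaults to NO>}"; rc=1
    fi
    pmin=$(vsftpd_get "$conf" pasv_min_port)
    pmax=$(vsftpd_get "$conf" pasv_max_port)
    # 0 or unset means "any port", which a fixed firewall rule cannot cover.
    if [ "${pmin:-0}" -eq 0 ] || [ "${pmax:-0}" -eq 0 ]; then
        echo "FAIL passive port range not pinned (pasv_min_port/pasv_max_port)"; rc=1
    elif [ "$pmin" -lt "$fw_min" ] || [ "$pmax" -gt "$fw_max" ]; then
        echo "FAIL passive range $pmin-$pmax exceeds firewall range $fw_min-$fw_max"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS $conf"
    return "$rc"
}

# Demo on a constructed config that mirrors the article's edits (not a real file).
demo=$(mktemp)
printf 'anonymous_enable=NO\nchroot_local_user=YES\npasv_min_port=3000\npasv_max_port=3050\n' > "$demo"
vsftpd_audit "$demo" 3000 3050
rm -f "$demo"
```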
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License

vsftp - 500 OOPS: cannot change directory
[root@********* public_html]# ftp localhost
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.0.5)
Name (localhost:root): *********
331 Please specify the password.
Password: *********
500 OOPS: cannot change directory:/xyz
Login failed.
ftp> exit
Re: Cannot change directory
For the iptables
iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport 3000:3050 -j ACCEPT
for iptables
iptables -I INPUT 1 -p tcp --dport 3000:3050 -j ACCEPT
or I got a "No chain/target/match by that name" error
Port 21
iptables -I RH-Firewall-1-INPUT -m tcp -p tcp --dport 21 -j ACCEPT
Re: port 21
image links broken in article
thanks!
Open in favorite editor?
I am using this command to open up the file:
vi /etc/vsftpd/vsftpd.conf
I am unsure how to save changes and get out of this mode. How does one do this?
Getting Users to a Specific location outside their chroot
create a directory inside user’s chroot: mkdir webroot
mount the folder you want user to access using the bind option: mount --bind /var/www/html/ ./webroot
iptables can be written as
# iptables -I INPUT -p tcp -m tcp --dport 20 -j ACCEPT
# iptables -I INPUT -p tcp -m tcp --dport 21 -j ACCEPT
now it does not accept the password anymore
Eric
re: password
don't forget to save firewall changes
sudo service iptables save
error
I keep getting this same error mentioned above:
500 OOPS: cannot change directory:/home/user
Login failed.
when trying to login to ftp.
So I try disabling selinux, and still no joy.
And I've tried setsebool -P ftp_home_dir on
and I get
libsemanage.semanage_get_lock: Could not get direct transaction lock at /etc/selinux/targeted/modules/semanage.trans.LOCK. (Resource temporarily unavailable).
Could not change policy booleans
I've googled about for that, and I see it mentioned all over the place, but in not one site is a solution mentioned.
So, I'm unclear what the problem is or how to resolve it.
The vsftpd is configured to allow local users to login and access their home dirs.
The proper ports are opened with the iptables.
With selinux disabled, I still can't get in.
With selinux enabled, I can't open up the home dirs.
I'm used to working with Debian servers and using pure-ftpd, which sets up in like 5 minutes flat on a bad day and works great, so this is frustrating.
I don't really need ftp access, myself, since I can scp stuff all day long, but I want the ftpd to work, anyway, for users.
re: error
http://www.rackspace.com/knowledge_center/article/installing-rhel-epel-repo-on-centos-5x-or-6x
There should be a "pure-ftpd" package there you can install via yum.
Back to selinux, you might try "1" instead of "on" in the setsebool command (just to cover all bases).
The "cannot change directory" error is unfortunately pretty broad, covering any circumstance where vsftp can't let the user switch to their home directory. It might not think the directory exists, or the permissions may not be letting it in there (or the permissions on /home could be the ones getting in the way), or that the system doesn't think that user should be allowed to ftp in.
re:error
I went around and around, changing selinux settings, vsftpd.conf settings, blah blah blah...
Eventually I shut down the server (it's in a virtualbox on my debian system, built for playing with/learning centos, as I'm hoping to become a racker).
Then when I brought up the server/vm again, ftp worked.
Magical reboot? Actually, it wasn't even a reboot, since I shut down the vm, preserving its current state, and when I brought it back up, it should have been in the same state, so very mysterious why that worked...
I had tried both "on" and "1" with the setsebool -P home_dir_ftp thingy, but I kept getting the same error. Clearly there IS a problem setting these parameters, with semanage, or something, which I haven't resolved (as mentioned, I can find a thousand mentions of the relevant error online, but not a single solution), but, hey, the ftp server is now working, anyway.
re: error