• Sales: 1-800-961-2888
  • Support: 1-800-961-4454

Rackspace Cloud Essentials - CentOS - Installing vsftpd


Now that you have a working server that is secured and backed up, you'll want to upload your web content to the server. When you think of transferring files, you probably think of the File Transfer Protocol (FTP) because it has been around for so long. While simple to use, FTP has become obsolete because it lacks the ability for secure file transfers.

Instead, we recommend installing and using a secure file transfer mechanism, and we will introduce you to a few of them in this guide.  This article will show you how to install vsftpd (very secure FTP daemon), and will walk you through setting the daemon to work on reboot.


Contents

Setup

Installing the Package

Luckily for us CentOS makes this super easy with the group install available in YUM. No need to search out all the dependencies and added features you might want. Use the following command to install everything you'll need:

sudo yum install vsftpd

Turn on vsftpd

The service command makes life simple in CentOS, here is how you startup vsftpd:

sudo service vsftpd start

Almost done

Wow, that was quick, we've got a working install of vsftpd already on the server. Lets go ahead and make a couple of configuration changes for security and convenience.

Set FTP to start on Boot

The 'chkconfig' tool in CentOS is your friend, you can use this tool to check which services will start on boot and on which run level they'll start with. To get Vsftpd to start on the most common run levels(3,4,5) you can use:

sudo chkconfig vsftpd on

Verify the "on" status by checking the complete chkconfig output:

chkconfig --list

or for specific output

chkconfig --list vsftpd

Config file Changes

The standard vsftpd configuration file and all subsequent files for CentOS will reside in /etc/vsftpd/ the most important being vsftpd.conf. We need to make two changes to this file for security and convenience:

OPEN up /etc/vsftpd/vsftpd.conf in your favorite editor:

  • Lets disable anonymous FTP, it can be useful for somethings, but if you don't plan to use it turn it off:
Change:
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES

to read:

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
  • And lets configure vsftpd to be able to chroot(commonly referred to as jailing or jail) users to their home directories for security and privacy:

Change:

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list

to read:

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=NO
# (default follows)
chroot_list_file=/etc/vsftpd/chroot_list
  • Also, lock down vsftpd to a predictable port range. (By default, vsftpd runs in passive mode and will choose a port between 1024-65535). Add the following:
pasv_min_port=3000
pasv_max_port=3050
  • Finally we need to make sure that users are jailed in their home directory. At the bottom of the file add the following:
chroot_local_user=YES
  • Create the chroot_list file so you do not get an error when restarting:
sudo touch /etc/vsftpd/chroot_list
  • If your server runs CentOS 5.x, open ports in your firewall by running:
iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport 3000:3050 -j ACCEPT
iptables -I RH-Firewall-1-INPUT -m tcp -p tcp --dport 21 -j ACCEPT
  • If your server runs CentOS 6.x, open ports in your firewall by running:
iptables -I INPUT -m tcp -p tcp --dport 21 -j ACCEPT
iptables -I INPUT 1 -p tcp --dport 3000:3050 -j ACCEPT






© 2011-2013 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License


See license specifics and DISCLAIMER