Article overview

Help article

Configuring and installing an FTP server in CentOS 7

The most used FTP servers within Linux are PureFTPd, ProFTPD and vsftpd. An overview of the differences can be found on this website. ProFTPD is less well maintained, so we recommend PureFTPd or vsftpd.

Please note: July the 23rd of 2019 a vulnerability has been found ProFTPD, see this page. We recommend using vsftpd from this manual or SFTP through OpenSSH instead.

In this manual, we show you how to install and configure an FTP server in CentOS 7 with vsftpd (Very Secure FTPDaemon) and how to use TLS to set up a secure FTPS connection.

Using an FTP server is a relatively easy method to upload files to your VPS. This is useful, for example, with a web server for posting updates to websites on your VPS, or with a Plex server for uploading media to your VPS.

Do you prefer SFTP? Consult this manual.

  • Use sudo or follow the steps in this article as a root user.
  • It is safest to only test your FTP connection after configuring SSL (TLS).

Installing and configuring the FTP server

 

Step 1

Connect to your VPS via SSH or the VPS console in your control panel.


 

Step 2

Install vsftpd with the command:

yum -y install vsftpd

 

Step 3

Before you start your FTP server, make some adjustments to the vsftpd configuration, with the aim of adjusting access to your FTP server more specifically.

Open the configuration file:

nano /etc/vsftpd/vsftpd.conf

 

Step 4

Adjust / add the following settings if they do not yet exist. The operation of these options is further explained in the explanatory notes to the options.

anonymous_enable=NO
chroot_local_user=YES
allow_writeable_chroot=YES
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
Explanation code
  • anonymous_enable=NO: Prevents unidentified users from logging in to your FTP server.
  • chroot_local_user=YES: Places FTP users in their own home directory (i.e. a chroot jail) after logging in to your FTP server.
  • allow_writeable_chroot=YES: Allows FTP users to make changes to the chroot directory (i.e. their own home directory).
  • userlist_enable=YES: Enables the vsftpd user list, with which you can give users permission or prohibit access to your FTP server.
  • userlist_file=/etc/vsftpd.userlist: The location of the user list described above.
  • userlist_deny=NO: Only the user accounts in the user list file may log in to your FTP server. If you set the option to 'YES', the user list does not give permission, but it prohibits access to your FTP server.

Save the changes and close the file using the key combination ctrl + x > y > enter.


 

Step 5

Out-of-the-box, CentOS 7 comes with Firewalld, in which all ports are closed by default. Open port 21 with the commands:

firewall-cmd --zone=public --permanent --add-port=21/tcp
firewall-cmd --reload

 

Step 6

In addition to Firewalld, CentOS 7 also comes with SELinux by default. In this step, you set SELinux to give FTP read / write access to a user's home directory with the command below. Are you not using SELinux, or is SELinux set to permissive? Then continue with the next step.

semanage boolean -m ftpd_full_access --on

 

Step 7

vsftpd does not automatically start after the installation and after a reboot. You start vsftpd and enable automatic starting with:

systemctl start vsftpd
systemctl enable vsftpd

Creating users and giving access to your FTP server

 

In the previous steps, you have enabled the vsftpd user list option, together with the additional option that only user accounts in the user list file have access to your FTP server. In this part, you (optionally) create a new user and add the user to the user list.

 

Step 1

FTP users are created in the same way as normal users on your VPS. Do you want to use an existing user account? Then continue with step 2.

Do you use FTP to upload websites? Then we recommend using the name of your domain as the username, for example, the username example.com, for the domain example.com.

useradd -m -c "transip ftp demo" username
passwd username
Code explanation
  • -m: creates a home directory for the user. This is optional and only required if you actually want to give the user a home directory on your VPS in /home/username. Are you giving the user a home directory that is not in /home in the 'Customizing user home directories' section? Then you can omit -m.
  • -c: is also optional and adds a comment to the user. This is especially useful for creating a note for yourself explaining what an account serves for.
  • username: the actual username
  • passwd username: gives the user a password

 

Step 2

Open the user list file with:

nano /etc/vsftpd.userlist

 

Step 3

Add the user's name to the file. Each username is added on a new line, for example:

transip
admin
username

Tip: Alternatively, you can also add the username to the file with one command:

Save the changes and close nano with ctrl + c > y > enter.


Customizing users' home directories

 

Thanks to the earlier configuration, FTP users are directed to their home directory by default. In this section, we show you how to set up specific directories. This is useful, for example, if you want to direct users to a specific directory in which their website is located (for web servers), or, for example, a specific folder (e.g. Big Storage) on a Plex server.


Step 1

Do you want to use an existing folder? Then continue with step 3. Does the folder not yet exist? First, create it and remove all write permissions for all users (replace user name with the user’s name).

mkdir /home/gebruikersnaam/ftp
chown nobody:nobody /home/gebruikersnaam/ftp
chmod a-w /home/gebruikersnaam/ftp

 

Step 2

Create the directory in which the user may place files and only give that user full rights to the directory (replace username with the user's name):

mkdir /home/gebruikersnaam/ftp/files
chown gebruikersnaam:gebruikersnaam /home/gebruikersnaam/ftp/files
chmod 0700 /home/gebruikersnaam/ftp/files

The reason why you remove access to the FTP folder and do give access to the files folder is for security reasons: this way, you prevent that any further access to the underlying folders can be obtained.


 

Step 3

You are now going to set the home directory of your users. Open the VSFTP configuration file again:

nano /etc/vsftpd/vsftpd.conf

 

Step 4

Add the following two lines at the bottom of the file:

user_sub_token=$USER
local_root=/home/$USER/ftp/
  • user_sub_token=$USER: the name of the user who connects to your FTP server is used for the variable $USER
  • local_root: the directory in which your FTP users end up. In this example, it is the FTP folder in the home directory.
    • For example, if you have linked Big Storage to your VPS and want to use it (e.g. for a Plex server), then you use local_root=/mnt/bigstorage/ (replace /mnt/bigstorage/ with the actual folder in which your Big Storage is mounted), where, for example, you remove the rights from /bigstorage/ and create a folder /mnt/bigstorage/plex to which you do grant users rights.
    • Do you host websites (in /var/www/html/) and did you use your domain as a user name in the previous section? Then, you would set local_root=/var/www/html/$USER here, where you do not give permissions in that folder, but, for example, do give permissions to /var/www/html/$USER/public_html

Save the changes and close the file with the key combination ctrl + x > y > enter.


 

Step 5

Finally, restart vsftpd to apply the new configuration. It can sometimes take a few minutes for you to see such a configuration change when you connect via your FTP client.

systemctl restart vsftpd

Securing your FTP server

 

The FTP protocol does not encrypt data and is therefore unsafe. In practice, SFTP or FTPS is therefore usually always used (see this article for an explanation of the differences). In this part of the manual, you protect your FTP server with FTPS.

 

Step 1

As SSL(TLS) certificate, we use a Let's Encrypt certificate. If you have not yet installed Let's Encrypt, install it first with the command:

yum -y install certbot

 

Step 2

In this step, you generate a standalone certificate that is not dependent on an existing web server. It is important for this that ports 80 and 443 are open in your firewall (in CentOS 7, this is Firewalld by default). If they are not yet open, use the commands:

firewall-cmd --zone=public --permanent --add-port=80/tcp
firewall-cmd --zone=public --permanent --add-port=443/tcp
firewall-cmd --reload

Generate a certificate with the command below. Replace server.example.com here with your hostname (check with the command hostnamectl).

You will be asked for an email address and permission for the terms and conditions, and for sharing your email address with the Electronic Frontier Foundation (optional).

certbot certonly --standalone -d server.example.com

 

Step 3

Your Let's Encrypt certificate and keyfile are stored in /etc/letsencrypt/live/<hostname>/ (the exact location is in the output of the command in step 3).

You then adjust the vsftpd configuration to indeed use the Let's Encrypt certificates and reject unsafe connections. Open /etc/vsftpd/vsftpd.conf again:

nano /etc/vsftpd/vsftpd.conf

 

Step 4

Add the following configuration at the bottom of the file, replacing server.example.com with your hostname.

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1_1=YES
ssl_tlsv1_2=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_min_port=50100
pasv_max_port=51100
rsa_cert_file=/etc/letsencrypt/live/server.voorbeeld.nl/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/server.voorbeeld.nl/privkey.pem
  • These steps have been tested in FileZilla. Older FTP clients may need the ssl_tlsv1=YES option. Please note that it is safer to use a newer FTP client.
  • Is your connection often lost? Then try require_ssl_reuse=NO
  • Take care when copying that you do not put a space after one of the lines. One space too much is sufficient to prevent vsftpd from starting.

 

Step 5

A good reason to opt for Let's Encrypt instead of OpenSSL is the simple auto-renew option of Let's Encrypt, so you don't have to worry about the possible expiration of your certificate. For this, you create a cronjob with the command:

crontab -e

 

Step 6

Crontab works practically the same as vi. It opens in command mode and you switch to insert mode with the 'i' key. Then, add the content below.

SHELL=/bin/bash
HOME=/
@monthly certbot -q renew >> /var/log/le.log
  • The cronjob is performed every month at 0:00.
  • -q ensures that no output is generated, except for errors.
  • renew renews all Let's Encrypt certificates that expire within 30 days. Let's Encrypt certificates are valid for 90 days, so a new certificate is generated every two months.
  • >> /var/log/le.log sends the output to the le.log file

After adding the code, switch back to command mode with 'Esc'. Then, save your changes and close crontab with the key combination :wq!


 

Step 7

In step 5 you have, among other things, configured a passive port range. This port is not automatically open in your firewall and you open it manually with:

firewall-cmd --zone=public --permanent --add-port=50100-51100/tcp
firewall-cmd --reload

 

Step 8

You now only need to restart vsftpd with the command:

systemctl restart vsftpd

 

That concludes this tutorial and you have set up a secure FTP(S) server! You can now test your FTP server and transfer files to your VPS.

Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘ContactUs’ button at the bottom of this page.

If you want to discuss this article with other users, please leave a message under 'Comments'.

Has this article been helpful?

Create an account or log in to leave a rating.

Comments

Create an account or log in to be able to leave a comment.