
    Configuring and installing an FTP server in CentOS 7

    The most used FTP servers within Linux are PureFTPd, ProFTPD and vsftpd. An overview of the differences can be found on this website. ProFTPD is less well maintained, so we recommend PureFTPd or vsftpd.

    Please note: on July 23rd, 2019 a vulnerability was found in ProFTPD, see this page. We recommend using vsftpd as described in this manual, or SFTP through OpenSSH, instead.

    In this manual, we show you how to install and configure an FTP server in CentOS 7 with vsftpd (Very Secure FTP Daemon) and how to use TLS to set up a secure FTPS connection.

    Using an FTP server is a relatively easy method to upload files to your VPS. This is useful, for example, with a web server for posting updates to websites on your VPS, or with a Plex server for uploading media to your VPS.

    Do you prefer SFTP? Consult this manual.

    • Use sudo or follow the steps in this article as a root user.
    • It is safest to only test your FTP connection after configuring SSL (TLS).

    Installing and configuring the FTP server

     

    Step 1

    Connect to your VPS via SSH or the VPS console in your control panel.


     

    Step 2

    Install vsftpd with the command:

    yum -y install vsftpd

     

    Step 3

    Before you start your FTP server, make some adjustments to the vsftpd configuration so that you can control access to your FTP server more precisely.

    Open the configuration file:

    nano /etc/vsftpd/vsftpd.conf

     

    Step 4

    Adjust or add the following settings if they do not yet exist. What each option does is explained in the notes below.

    anonymous_enable=NO
    chroot_local_user=YES
    allow_writeable_chroot=YES
    userlist_enable=YES
    userlist_file=/etc/vsftpd.userlist
    userlist_deny=NO

    Code explanation

    • anonymous_enable=NO: Prevents unidentified users from logging in to your FTP server.
    • chroot_local_user=YES: Places FTP users in their own home directory (i.e. a chroot jail) after logging in to your FTP server.
    • allow_writeable_chroot=YES: Allows FTP users to make changes to the chroot directory (i.e. their own home directory). Without it, vsftpd refuses to log in a user whose chroot root directory is writable.
    • userlist_enable=YES: Enables the vsftpd user list, with which you can give users permission or prohibit access to your FTP server.
    • userlist_file=/etc/vsftpd.userlist: The location of the user list described above.
    • userlist_deny=NO: Only the user accounts in the user list file may log in to your FTP server. If you set the option to 'YES', the user list does not give permission, but it prohibits access to your FTP server.

    Save the changes and close the file using the key combination ctrl + x > y > enter.
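    The settings above are normally typed into nano by hand. As an added example (not from the original article), the shell functions below set or replace a key=value option in a copy of vsftpd.conf without producing duplicate keys, and lint the file for the trailing spaces that prevent vsftpd from starting. The function names and the scratch file are this example's own; the real path /etc/vsftpd/vsftpd.conf only appears in comments.

```shell
#!/bin/sh
# Added example, not part of the TransIP article: idempotently set key=value
# options in a vsftpd.conf-style file and lint it for the trailing whitespace
# that stops vsftpd from starting. POSIX sh plus GNU sed (CentOS 7 has both).

# vsftpd_set_option FILE KEY VALUE
# Rewrites an existing uncommented "KEY=..." line, or appends "KEY=VALUE".
# KEY and VALUE must not contain '|' or '&' (they are used unescaped in sed).
vsftpd_set_option() {
  if grep -q "^$2=" "$1"; then
    sed -i "s|^$2=.*|$2=$3|" "$1"
  else
    printf '%s=%s\n' "$2" "$3" >> "$1"
  fi
}

# vsftpd_get_option FILE KEY: print the value of the last uncommented KEY= line.
vsftpd_get_option() {
  sed -n "s|^$2=||p" "$1" | tail -n 1
}

# vsftpd_lint FILE: report lines that would break vsftpd (trailing whitespace,
# or text that is neither a comment, a blank line nor key=value). Returns 1 if
# anything was reported, 0 if the file is clean.
vsftpd_lint() {
  bad=0
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      *[[:space:]])  printf 'line %d: trailing whitespace\n' "$n"; bad=1 ;;
      ''|'#'*)       ;;                       # blank or comment
      *=*)           ;;                       # key=value
      *)             printf 'line %d: not key=value: %s\n' "$n" "$line"; bad=1 ;;
    esac
  done < "$1"
  return "$bad"
}

# Demo on a scratch copy (constructed content, not the real /etc/vsftpd/vsftpd.conf).
demo_conf=$(mktemp)
printf 'anonymous_enable=YES\nlisten=NO\n' > "$demo_conf"
vsftpd_set_option "$demo_conf" anonymous_enable NO
vsftpd_set_option "$demo_conf" chroot_local_user YES
vsftpd_lint "$demo_conf" && cat "$demo_conf"
rm -f "$demo_conf"
```

    Run vsftpd_lint /etc/vsftpd/vsftpd.conf before every systemctl restart vsftpd: a non-zero exit with a line number tells you exactly which line to fix, which is quicker than reading the daemon's refusal to start in the journal.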


     

    Step 5

    Out-of-the-box, CentOS 7 comes with Firewalld, in which all ports are closed by default. Open port 21 with the commands:

    firewall-cmd --zone=public --permanent --add-port=21/tcp
    firewall-cmd --reload

     

    Step 6

    In addition to Firewalld, CentOS 7 also comes with SELinux by default. In this step, you set the SELinux boolean that gives FTP read / write access to a user's home directory with the command below (semanage is provided by the policycoreutils-python package). Are you not using SELinux, or is SELinux set to permissive? Then continue with the next step.

    semanage boolean -m ftpd_full_access --on

     

    Step 7

    vsftpd does not start automatically after installation or after a reboot. Start vsftpd and enable it at boot with:

    systemctl start vsftpd
    systemctl enable vsftpd

    Creating users and giving access to your FTP server

     

    In the previous steps, you have enabled the vsftpd user list option, together with the additional option that only user accounts in the user list file have access to your FTP server. In this part, you (optionally) create a new user and add the user to the user list.

     

    Step 1

    FTP users are created in the same way as normal users on your VPS. Do you want to use an existing user account? Then continue with step 2.

    Do you use FTP to upload websites? Then we recommend using the name of your domain as the username, for example, the username example.com, for the domain example.com.

    useradd -m -c "transip ftp demo" username
    passwd username

    Code explanation

    • -m: creates a home directory for the user. This is optional and only required if you actually want to give the user a home directory on your VPS in /home/username. Are you going to give the user a home directory outside /home in the 'Customizing users' home directories' section? Then you can omit -m.
    • -c: is also optional and adds a comment to the user. This is especially useful as a note to yourself explaining what an account is for.
    • username: the actual username
    • passwd username: sets the user's password

     

    Step 2

    Open the user list file with:

    nano /etc/vsftpd.userlist

     

    Step 3

    Add the user's name to the file. Each username is added on a new line, for example:

    transip
    admin
    username

    Tip: Alternatively, you can also add the username to the file with one command:

    Save the changes and close nano with ctrl + x > y > enter.
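    An added example, not part of the article: with userlist_deny=NO the user list is an allow-list, so it pays to manage it with a script that adds a name only once and flags names with no matching system account (such a name can never log in, and usually means a typo or a deleted user). The function names are this example's own, and the demo works on a temporary file rather than /etc/vsftpd.userlist.

```shell
#!/bin/sh
# Added example, not part of the TransIP article: manage the vsftpd user list.
# With userlist_deny=NO this file is the allow-list for FTP logins, so adds
# must be exact and idempotent, and stale names should be noticed.

# vsftpd_userlist_add FILE USER: append USER unless already listed (whole-line match).
vsftpd_userlist_add() {
  grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# vsftpd_userlist_has FILE USER: true if USER is listed.
vsftpd_userlist_has() {
  grep -qxF -- "$2" "$1" 2>/dev/null
}

# vsftpd_userlist_remove FILE USER: drop the exact line USER from the list.
vsftpd_userlist_remove() {
  tmp=$(mktemp)
  grep -vxF -- "$2" "$1" > "$tmp" || true   # grep exits 1 when nothing is left
  cat "$tmp" > "$1"                          # rewrite in place, keeping FILE's permissions
  rm -f "$tmp"
}

# vsftpd_userlist_check FILE: print a warning for every listed name that has no
# system account and return 1 if any were found, 0 if the list is clean.
vsftpd_userlist_check() {
  found=0
  while IFS= read -r u || [ -n "$u" ]; do
    [ -n "$u" ] || continue
    if ! getent passwd "$u" >/dev/null; then
      echo "warning: '$u' is listed but is not a system user"
      found=1
    fi
  done < "$1"
  return "$found"
}

# Demo on a scratch file (constructed, not the real /etc/vsftpd.userlist).
demo_list=$(mktemp)
vsftpd_userlist_add "$demo_list" example.com
vsftpd_userlist_add "$demo_list" example.com   # second call is a no-op
vsftpd_userlist_check "$demo_list" || true     # warns unless example.com exists here
rm -f "$demo_list"
```

    In real use, call vsftpd_userlist_add /etc/vsftpd.userlist example.com after useradd, and run vsftpd_userlist_check /etc/vsftpd.userlist whenever you remove an account so the allow-list does not keep names that no longer exist.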


    Customizing users' home directories

     

    Thanks to the earlier configuration, FTP users are directed to their home directory by default. In this section, we show you how to set up specific directories. This is useful, for example, if you want to direct users to a specific directory in which their website is located (for web servers), or, for example, a specific folder (e.g. Big Storage) on a Plex server.


    Step 1

    Do you want to use an existing folder? Then continue with step 3. Does the folder not yet exist? First, create it and remove all write permissions for all users (replace username with the user's name).

    mkdir /home/username/ftp
    chown nobody:nobody /home/username/ftp
    chmod a-w /home/username/ftp

     

    Step 2

    Create the directory in which the user may place files and only give that user full rights to the directory (replace username with the user's name):

    mkdir /home/username/ftp/files
    chown username:username /home/username/ftp/files

    The reason you remove write access from the ftp folder and only grant it on the files folder is security: the chroot root itself stays read-only, so you prevent the user from gaining any further access to the directories above it.
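    As an added example (not the article's own commands), the shell functions below build the same layout for a given home directory and then verify it: the chroot root must not be writable by anyone, and the upload directory must exist and be writable by its owner. The ownership change is split into its own function because it needs root. The names ftp_make_chroot_layout, ftp_apply_chroot_ownership and ftp_check_chroot_layout are assumptions of this example, and it relies on GNU stat -c as found on CentOS 7.

```shell
#!/bin/sh
# Added example, not part of the TransIP article: build and verify the per-user
# chroot layout from this section (HOME/ftp read-only for everyone, HOME/ftp/files
# writable by the FTP user). Assumes Linux coreutils (stat -c).

# ftp_make_chroot_layout HOME: create HOME/ftp (mode 555) and HOME/ftp/files (mode 755).
# Safe to re-run: the read-only root is temporarily re-opened so mkdir can work.
ftp_make_chroot_layout() {
  home=$1
  if [ -d "$home/ftp" ]; then chmod u+w "$home/ftp"; fi
  mkdir -p "$home/ftp/files"
  chmod 755 "$home/ftp/files"   # the user gets write access via ownership, others read-only
  chmod 555 "$home/ftp"         # same result as 'chmod a-w' on a fresh 755 directory
}

# ftp_apply_chroot_ownership HOME USER [GROUP]: the chown steps from this section.
# Needs root, which is why it is kept separate from the layout function.
ftp_apply_chroot_ownership() {
  home=$1; user=$2; group=${3:-$2}
  chown nobody:nobody "$home/ftp"
  chown "$user:$group" "$home/ftp/files"
}

# ftp_check_chroot_layout HOME [USER]: return 0 when HOME/ftp is not writable by
# anyone and HOME/ftp/files exists, is writable by its owner and (if USER is given)
# is owned by USER; otherwise print the first problem found and return 1.
ftp_check_chroot_layout() {
  home=$1; user=${2:-}
  [ -d "$home/ftp" ] || { echo "missing $home/ftp"; return 1; }
  case "$(stat -c %A "$home/ftp")" in
    *w*) echo "$home/ftp is writable: a user could create entries at the chroot root"; return 1 ;;
  esac
  [ -d "$home/ftp/files" ] || { echo "missing $home/ftp/files"; return 1; }
  case "$(stat -c %A "$home/ftp/files")" in
    ??w*) ;;
    *) echo "$home/ftp/files is not writable by its owner"; return 1 ;;
  esac
  if [ -n "$user" ] && [ "$(stat -c %U "$home/ftp/files")" != "$user" ]; then
    echo "$home/ftp/files is not owned by $user"; return 1
  fi
  return 0
}

# Demo in a scratch directory (constructed). Real use, as root:
#   ftp_make_chroot_layout /home/username
#   ftp_apply_chroot_ownership /home/username username
#   ftp_check_chroot_layout /home/username username
demo_home=$(mktemp -d)
ftp_make_chroot_layout "$demo_home"
ftp_check_chroot_layout "$demo_home" && echo "layout ok under $demo_home"
chmod -R u+w "$demo_home" && rm -rf "$demo_home"
```

    The check is worth running after any later chmod or chown on the home directory: a chroot root that has silently become writable is the kind of drift that is hard to spot from an FTP client, which simply shows a directory listing either way.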


     

    Step 3

    You are now going to set the home directory of your users. Open the vsftpd configuration file again:

    nano /etc/vsftpd/vsftpd.conf

     

    Step 4

    Add the following two lines at the bottom of the file:

    user_sub_token=$USER
    local_root=/home/$USER/ftp/

    • user_sub_token=$USER: the name of the user who connects to your FTP server is substituted for the variable $USER
    • local_root: the directory in which your FTP users end up. In this example, it is the ftp folder in the home directory.
      • For example, if you have linked Big Storage to your VPS and want to use it (e.g. for a Plex server), then you use local_root=/mnt/bigstorage/ (replace /mnt/bigstorage/ with the actual folder in which your Big Storage is mounted), where, for example, you remove the write permissions from /mnt/bigstorage/ and create a folder /mnt/bigstorage/plex to which you do grant users rights.
      • Do you host websites (in /var/www/html/) and did you use your domain as a username in the previous section? Then you would set local_root=/var/www/html/$USER here, where you do not give write permissions in that folder, but, for example, do give permissions to /var/www/html/$USER/public_html.

    Save the changes and close the file with the key combination ctrl + x > y > enter.


     

    Step 5

    Finally, restart vsftpd to apply the new configuration. It can sometimes take a few minutes for you to see such a configuration change when you connect via your FTP client.

    systemctl restart vsftpd

    Securing your FTP server

     

    The FTP protocol does not encrypt data and is therefore unsafe. In practice, SFTP or FTPS is therefore almost always used (see this article for an explanation of the differences). In this part of the manual, you protect your FTP server with FTPS.

     

    Step 1

    As the SSL (TLS) certificate, we use a Let's Encrypt certificate. If you have not yet installed certbot, the Let's Encrypt client (available from the EPEL repository on CentOS 7), install it first with the command:

    yum -y install certbot

     

    Step 2

    In this step, you generate a standalone certificate that is not dependent on an existing web server. It is important for this that ports 80 and 443 are open in your firewall (in CentOS 7, this is Firewalld by default). If they are not yet open, use the commands:

    firewall-cmd --zone=public --permanent --add-port=80/tcp
    firewall-cmd --zone=public --permanent --add-port=443/tcp
    firewall-cmd --reload

    Generate a certificate with the command below. Replace server.example.com here with your hostname (check with the command hostnamectl).

    You will be asked for an email address and permission for the terms and conditions, and for sharing your email address with the Electronic Frontier Foundation (optional).

    certbot certonly --standalone -d server.example.com

     

    Step 3

    Your Let's Encrypt certificate and key file are stored in /etc/letsencrypt/live/<hostname>/ (the exact location is shown in the output of the certbot command in step 2).

    You now adjust the vsftpd configuration so that it uses the Let's Encrypt certificate and rejects unencrypted connections. Open /etc/vsftpd/vsftpd.conf again:

    nano /etc/vsftpd/vsftpd.conf

     

    Step 4

    Add the following configuration at the bottom of the file, replacing server.example.com with your hostname.

    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=YES
    force_local_logins_ssl=YES
    ssl_tlsv1=NO
    ssl_sslv2=NO
    ssl_sslv3=NO
    require_ssl_reuse=NO
    ssl_ciphers=HIGH
    pasv_min_port=50100
    pasv_max_port=51100
    rsa_cert_file=/etc/letsencrypt/live/server.example.com/fullchain.pem
    rsa_private_key_file=/etc/letsencrypt/live/server.example.com/privkey.pem

    • These steps have been tested with FileZilla. Older FTP clients may need ssl_tlsv1=YES. Please note that it is safer to use a newer FTP client.
    • Is your connection often lost? Then check that require_ssl_reuse=NO is set, as above.
    • Take care when copying that you do not put a space after any of the lines. A single extra space is enough to prevent vsftpd from starting.

     

    Step 5

    A good reason to opt for Let's Encrypt instead of a self-signed certificate generated with OpenSSL is Let's Encrypt's simple auto-renew option, so you don't have to worry about your certificate expiring. For this, you create a cronjob with the command:

    crontab -e

     

    Step 6

    The crontab editor works practically the same as vi: it opens in command mode and you switch to insert mode with the 'i' key. Then add the content below.

    SHELL=/bin/bash
    HOME=/
    @monthly certbot -q renew >> /var/log/le.log

    • The cronjob runs on the first day of every month at 0:00.
    • -q ensures that no output is generated, except for errors.
    • renew renews all Let's Encrypt certificates that expire within 30 days. Let's Encrypt certificates are valid for 90 days, so a new certificate is generated roughly every two months.
    • >> /var/log/le.log appends the output to the le.log file.

    After adding the code, switch back to command mode with 'Esc'. Then, save your changes and close crontab with the key combination :wq!


     

    Step 7

    In step 4 you have, among other things, configured a passive port range (50100-51100). These ports are not opened automatically in your firewall; open them manually with:

    firewall-cmd --zone=public --permanent --add-port=50100-51100/tcp
    firewall-cmd --reload
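    An added example, not from the article: rather than retyping the port range, the functions below read pasv_min_port and pasv_max_port from vsftpd.conf, print the matching firewall-cmd lines used in this manual, and report which required entries are missing from the output of firewall-cmd --zone=public --list-ports. The function names are this example's own; nothing is applied unless you pipe the printed commands to sh.

```shell
#!/bin/sh
# Added example, not part of the TransIP article: derive the firewalld rules
# vsftpd needs (control port 21 plus the passive range) from vsftpd.conf, and
# compare them with what firewalld already has open. Nothing here changes the
# firewall; it prints the commands so they can be reviewed and then run.

# vsftpd_pasv_range FILE: print "MIN-MAX" from pasv_min_port/pasv_max_port,
# or fail when either value is missing, non-numeric or the range is inverted.
vsftpd_pasv_range() {
  min=$(sed -n 's/^pasv_min_port=//p' "$1" | tail -n 1)
  max=$(sed -n 's/^pasv_max_port=//p' "$1" | tail -n 1)
  case "$min:$max" in
    *[!0-9:]*|:*|*:) echo "pasv_min_port/pasv_max_port missing or not numeric in $1" >&2; return 1 ;;
  esac
  if [ "$min" -gt "$max" ]; then
    echo "pasv_min_port ($min) is greater than pasv_max_port ($max)" >&2; return 1
  fi
  printf '%s-%s\n' "$min" "$max"
}

# vsftpd_firewall_cmds FILE: the firewall-cmd lines for the public zone, in the
# form used elsewhere in this manual. Apply with:
#   vsftpd_firewall_cmds /etc/vsftpd/vsftpd.conf | sh
vsftpd_firewall_cmds() {
  range=$(vsftpd_pasv_range "$1") || return 1
  printf 'firewall-cmd --zone=public --permanent --add-port=21/tcp\n'
  printf 'firewall-cmd --zone=public --permanent --add-port=%s/tcp\n' "$range"
  printf 'firewall-cmd --reload\n'
}

# vsftpd_firewall_missing FILE OPEN_PORTS: OPEN_PORTS is the output of
#   firewall-cmd --zone=public --list-ports   (e.g. "21/tcp 50100-51100/tcp")
# Prints each required entry that is absent; returns 0 only if none is missing.
vsftpd_firewall_missing() {
  range=$(vsftpd_pasv_range "$1") || return 1
  missing=0
  for want in 21/tcp "$range/tcp"; do
    case " $2 " in
      *" $want "*) ;;
      *) echo "$want"; missing=1 ;;
    esac
  done
  return "$missing"
}

# Demo on a constructed config fragment with the range from this manual.
demo_conf=$(mktemp)
printf 'pasv_min_port=50100\npasv_max_port=51100\n' > "$demo_conf"
vsftpd_firewall_cmds "$demo_conf"
vsftpd_firewall_missing "$demo_conf" "21/tcp" || echo "(entries listed above are still closed)"
rm -f "$demo_conf"
```

    On the server itself, vsftpd_firewall_missing /etc/vsftpd/vsftpd.conf "$(firewall-cmd --zone=public --list-ports)" gives a quick answer to the most common FTPS complaint, a login that succeeds but a directory listing that hangs: that is what happens when port 21 is open but the passive range is not.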

     

    Step 8

    You now only need to restart vsftpd with the command:

    systemctl restart vsftpd

     

    That concludes this tutorial and you have set up a secure FTP(S) server! You can now test your FTP server and transfer files to your VPS.

    Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.
