The most used FTP servers within Linux are PureFTPd, ProFTPD and vsftpd. An overview of the differences can be found on this website. ProFTPD is less well maintained, so we recommend PureFTPd or vsftpd.
Please note: on 23 July 2019, a vulnerability was found in ProFTPD; see this page. We recommend using vsftpd as described in this manual, or SFTP through OpenSSH, instead.
In this manual, we show you how to install and configure an FTP server in CentOS 7 with vsftpd (Very Secure FTP Daemon) and how to use TLS to set up a secure FTPS connection.
Using an FTP server is a relatively easy method to upload files to your VPS. This is useful, for example, with a web server for posting updates to websites on your VPS, or with a Plex server for uploading media to your VPS.
Do you prefer SFTP? Consult this manual.
Installing and configuring the FTP server
Step 1
Connect to your VPS via SSH or the VPS console in your control panel.
Step 2
Install vsftpd with the command:
yum -y install vsftpd
Step 3
Before you start your FTP server, make a few changes to the vsftpd configuration so that access to your FTP server is restricted more precisely.
Open the configuration file:
nano /etc/vsftpd/vsftpd.conf
Step 4
Adjust or add the following settings if they do not yet exist. How these options work is explained in the notes accompanying the options.
anonymous_enable=NO
chroot_local_user=YES
allow_writeable_chroot=YES
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
Save the changes and close the file using the key combination ctrl + x > y > enter.
Step 5
Out of the box, CentOS 7 comes with Firewalld, in which all ports are closed by default. Open port 21 with the commands:
firewall-cmd --zone=public --permanent --add-port=21/tcp
firewall-cmd --reload
Step 6
In addition to Firewalld, CentOS 7 also comes with SELinux by default. In this step, you set SELinux to give FTP read / write access to a user's home directory with the command below. Are you not using SELinux, or is SELinux set to permissive? Then continue with the next step.
semanage boolean -m ftpd_full_access --on
Step 7
vsftpd does not automatically start after the installation and after a reboot. You start vsftpd and enable automatic starting with:
systemctl start vsftpd
systemctl enable vsftpd
Creating users and giving access to your FTP server
In the previous steps, you have enabled the vsftpd user list option, together with the additional option that only user accounts in the user list file have access to your FTP server. In this part, you (optionally) create a new user and add the user to the user list.
Step 1
FTP users are created in the same way as normal users on your VPS. Do you want to use an existing user account? Then continue with step 2.
Do you use FTP to upload websites? Then we recommend using the name of your domain as the username, for example, the username example.com, for the domain example.com.
useradd -m -c "transip ftp demo" username
passwd username
Step 2
Open the user list file with:
nano /etc/vsftpd.userlist
Step 3
Add the user's name to the file. Each username is added on a new line, for example:
transip
admin
username
Tip: alternatively, you can append the username to the file with a single command instead of opening it in nano.
Save the changes and close nano with ctrl + x > y > enter.
Customizing users' home directories
Thanks to the earlier configuration, FTP users are directed to their home directory by default. In this section, we show you how to set up specific directories. This is useful, for example, if you want to direct users to a specific directory in which their website is located (for web servers), or, for example, a specific folder (e.g. Big Storage) on a Plex server.
Step 1
Do you want to use an existing folder? Then continue with step 3. Does the folder not yet exist? First create it and remove write permissions for all users (replace username with the user's name).
mkdir /home/username/ftp
chown nobody:nobody /home/username/ftp
chmod a-w /home/username/ftp
Step 2
Create the directory in which the user may place files and only give that user full rights to the directory (replace username with the user's name):
mkdir /home/username/ftp/files
chown username:username /home/username/ftp/files
The reason for removing write access from the ftp folder while granting it on the files folder is security: this way, a user cannot gain any further access to the directories above the one they are allowed to write in.
Step 3
You are now going to set the home directory of your users. Open the vsftpd configuration file again:
nano /etc/vsftpd/vsftpd.conf
Step 4
Add the following two lines at the bottom of the file:
user_sub_token=$USER
local_root=/home/$USER/ftp/
- user_sub_token=$USER: the name of the user who connects to your FTP server is substituted for the variable $USER.
- local_root: the directory in which your FTP users end up. In this example, it is the ftp folder in the home directory.
- For example, if you have linked Big Storage to your VPS and want to use it (e.g. for a Plex server), then you use local_root=/mnt/bigstorage/ (replace /mnt/bigstorage/ with the actual folder in which your Big Storage is mounted). In that case you remove the write permissions from /mnt/bigstorage/ itself and create a folder /mnt/bigstorage/plex to which you do grant users permissions.
- Do you host websites (in /var/www/html/) and did you use your domain as the username in the previous section? Then you would set local_root=/var/www/html/$USER here, without granting permissions on that folder itself, but granting them on, for example, /var/www/html/$USER/public_html.
Save the changes and close the file with the key combination ctrl + x > y > enter.
Step 5
Finally, restart vsftpd to apply the new configuration. It can sometimes take a few minutes for you to see such a configuration change when you connect via your FTP client.
systemctl restart vsftpd
Securing your FTP server
The FTP protocol does not encrypt data and is therefore unsafe. In practice, SFTP or FTPS is therefore almost always used (see this article for an explanation of the differences). In this part of the manual, you protect your FTP server with FTPS.
Step 1
As the SSL/TLS certificate, we use a Let's Encrypt certificate. If you have not yet installed certbot, the Let's Encrypt client, install it first with the command:
yum -y install certbot
Step 2
In this step, you generate a standalone certificate that is not dependent on an existing web server. It is important for this that ports 80 and 443 are open in your firewall (in CentOS 7, this is Firewalld by default). If they are not yet open, use the commands:
firewall-cmd --zone=public --permanent --add-port=80/tcp
firewall-cmd --zone=public --permanent --add-port=443/tcp
firewall-cmd --reload
Generate a certificate with the command below. Replace server.example.com here with your hostname (check with the command hostnamectl).
You will be asked for an email address and permission for the terms and conditions, and for sharing your email address with the Electronic Frontier Foundation (optional).
certbot certonly --standalone -d server.example.com
Step 3
Your Let's Encrypt certificate and key file are stored in /etc/letsencrypt/live/<hostname>/ (the exact location is shown in the output of the certbot command in step 2).
You then adjust the vsftpd configuration to indeed use the Let's Encrypt certificates and reject unsafe connections. Open /etc/vsftpd/vsftpd.conf again:
nano /etc/vsftpd/vsftpd.conf
Step 4
Add the following configuration at the bottom of the file, replacing server.example.com with your hostname.
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_min_port=50100
pasv_max_port=51100
rsa_cert_file=/etc/letsencrypt/live/server.example.com/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/server.example.com/privkey.pem
- These steps have been tested in FileZilla. Older FTP clients may need the ssl_tlsv1=YES option. Please note that it is safer to use a newer FTP client.
- Is your connection often lost? Then try require_ssl_reuse=NO
- Take care when copying that you do not put a space after one of the lines. One space too much is sufficient to prevent vsftpd from starting.
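Both configuration steps in this manual (the access settings in Step 4 of the installation and the TLS settings in Step 4 here) come down to setting key=value lines in /etc/vsftpd/vsftpd.conf, and the trailing-space warning applies to both. The script below is an added example, not part of the original manual or of vsftpd: it sets or replaces an option in place, applies a list of settings, and checks the file for trailing whitespace before you restart the daemon. The function names and the --demo switch are my own; the config path defaults to the one used in this manual.

```shell
#!/bin/sh
# Added example, not from the manual: helpers for editing vsftpd.conf safely.
# Assumed default: the config path used in this manual; function names are my own.
set -u

# set_conf_option FILE KEY VALUE
# Replaces every existing "KEY=..." line with "KEY=VALUE" (commented "#KEY=..."
# lines are left alone) or appends the line if KEY is absent. Written through a
# temp file so an interrupted write never truncates the real config.
set_conf_option() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    # Key and value travel via the environment, not awk -v, so backslashes survive.
    K="$key" V="$value" awk '
        BEGIN { k = ENVIRON["K"]; v = ENVIRON["V"] }
        index($0, k "=") == 1 { print k "=" v; found = 1; next }
        { print }
        END { if (!found) print k "=" v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_conf_option FILE KEY: print the value of the last KEY= line; exit 1 if unset.
get_conf_option() {
    K="$2" awk '
        BEGIN { k = ENVIRON["K"] }
        index($0, k "=") == 1 { val = substr($0, length(k) + 2); found = 1 }
        END { if (!found) exit 1; print val }
    ' "$1"
}

# apply_settings FILE < SETTINGS: read KEY=VALUE lines from stdin (blank lines
# and "#" comments ignored, trailing whitespace stripped) and apply each one.
apply_settings() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"${line##*[![:space:]]}"}
        case $line in ''|'#'*) continue ;; esac
        set_conf_option "$1" "${line%%=*}" "${line#*=}"
    done
}

# check_trailing_space FILE: exit 0 if no line ends in a space, tab or CR.
# vsftpd refuses to start on such a line, so run this before restarting it.
check_trailing_space() {
    if grep -n '[[:space:]]$' "$1"; then
        echo "error: the lines above end in whitespace: $1" >&2
        return 1
    fi
    return 0
}

# Usage: sh vsftpd-conf.sh --demo [/path/to/vsftpd.conf]
# Applies the access settings from this manual and checks the result.
if [ "${1:-}" = "--demo" ]; then
    cfg=${2:-/etc/vsftpd/vsftpd.conf}
    apply_settings "$cfg" <<'EOF'
anonymous_enable=NO
chroot_local_user=YES
allow_writeable_chroot=YES
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
EOF
    check_trailing_space "$cfg" && echo "ok: $cfg updated"
fi
```

Because apply_settings rewrites an existing line rather than appending a second copy, running it again after a change is safe, and a line that already carried a stray trailing space is replaced by a clean one.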
Step 5
A good reason to opt for Let's Encrypt instead of a self-signed OpenSSL certificate is Let's Encrypt's simple auto-renew option, so you don't have to worry about your certificate expiring. For this, you create a cronjob with the command:
crontab -e
Step 6
The crontab editor works practically the same as vi: it opens in command mode and you switch to insert mode with the 'i' key. Then add the following content (three separate lines):
SHELL=/bin/bash
HOME=/
@monthly certbot -q renew >> /var/log/le.log
- @monthly runs the cronjob once a month, at 0:00 on the first day of the month.
- -q ensures that no output is generated, except for errors.
- renew renews all Let's Encrypt certificates that expire within 30 days. Let's Encrypt certificates are valid for 90 days, so a new certificate is generated every two months.
- >> /var/log/le.log sends the output to the le.log file
After adding the code, switch back to command mode with 'Esc'. Then, save your changes and close crontab with the key combination :wq!
Step 7
In step 4 you configured, among other things, a passive port range (50100 to 51100). Because the FTPS control connection is encrypted, the firewall cannot learn the data port from it, so this range is not opened automatically; open it manually with:
firewall-cmd --zone=public --permanent --add-port=50100-51100/tcp
firewall-cmd --reload
Step 8
You now only need to restart vsftpd with the command:
systemctl restart vsftpd
That concludes this tutorial and you have set up a secure FTP(S) server! You can now test your FTP server and transfer files to your VPS.
Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.