          Build the FTP Service in the Linux System

          Build the FTP Service in CentOS System

          This tutorial takes the BCC public image CentOS6.5/CentOS7.5 64-bit operating system as an example to describe how to install and configure vsftpd on the Linux instance.

          • Step 1: Install “vsftpd”
          • Step 2: Configure “vsftpd”

            • Method 1: Configure the privilege for anonymous users to upload files.
            • Method 2: Configure the local user login.
          • Step 3: Set the security group.
          • Step 4: Test the client.

          Step 1: Install “vsftpd”

          1. Remotely connect and log in to the Linux instance.
          2. Run the command yum install -y vsftpd to install vsftpd.
          3. Run the following command to enter the directory /etc/vsftpd, and then view the file under this directory.

            cd /etc/vsftpd
            ls

          Note:

          • /etc/vsftpd/vsftpd.conf is the core configuration file of vsftpd.
          • /etc/vsftpd/user_list is a whitelist file, and users in this file are allowed to access the FTP server.
          • /etc/vsftpd/ftpusers is a blacklist file, and users in this file are not allowed to access the FTP server.
          4. Run the following command to start the FTP server automatically at boot.

          CentOS6.5: chkconfig vsftpd on

          CentOS7.5: systemctl enable vsftpd.service

          5. Run the following command to start the FTP service.

          CentOS6.5: /etc/init.d/vsftpd start

          CentOS7.5: systemctl start vsftpd.service

          6. Run the following command to view the FTP service listening port.

          netstat -antup | grep ftp

          Step 2: Configure “vsftpd”

          After the successful installation of vsftpd, the anonymous access to FTP server is enabled by default. For the anonymous access, you can log in to the FTP server without entering the user name and password, but you do not have privilege to modify or upload files.

          This tutorial introduces the following two ways to configure vsftpd and provides relevant parameter descriptions. You can refer to this tutorial according to your specific requirements.

          • Configure the privilege for anonymous users to upload files.
          • Configure the local user login.

          Method 1: Configure the privilege for anonymous users to upload files.

          Anonymous access to the FTP server is an insecure access mode: anyone can log in to the FTP server without password authentication. This mode is generally used only to store unimportant public files and is not recommended for use in the production environment. If you want to configure the privilege for anonymous users to upload files, follow the steps below:

          1. Change /etc/vsftpd/vsftpd.conf.
            a. Run the command vim /etc/vsftpd/vsftpd.conf.
            b. Press the i key to enter the Edit mode.
            c. Change the write privilege to write_enable=YES.
            d. Change the anonymous upload privilege to anon_upload_enable=YES.
            e. Press Esc to exit the Edit mode, and then enter :wq to save and exit files.

          2. Run the following commands to add the write privilege for the FTP user on the directory /var/ftp/pub, and then restart the service to reload the configuration file.

          Centos6.5:

          chmod o+w /var/ftp/pub/
          /etc/init.d/vsftpd restart

          CentOS7.5:

          chmod o+w /var/ftp/pub/
          systemctl restart vsftpd.service

          At this point, you can use FileZilla to verify that this FTP server can be accessed anonymously, without the account number and password.

          Method 2: Configure the local user login.

          The local user login means users log in to the FTP server with the account number and password in the Linux operating system.

          After the successful installation of vsftpd, only the anonymous access to FTP server is supported by default. If you try to log in to the server with the account in the Linux operating system, the service is denied by vsftpd. You can configure the vsftpd service by following the steps below to access the FTP server with the Linux account number and password.

          1. Run the following command to create a Linux user for the FTP service. The user name is ftpbaidu in this example.

          useradd ftpbaidu

          2. Run the following command to set the password of the ftpbaidu user.

          passwd ftpbaidu

          3. Create a file directory for the FTP service.

          mkdir /var/ftp/baidu

          4. Change the owner of the directory /var/ftp/baidu to ftpbaidu.

          chown -R ftpbaidu:ftpbaidu /var/ftp/baidu

          5. Enter the command vim /etc/vsftpd/vsftpd.conf to open the configuration file vsftpd.conf, and press the i key to enter the Edit mode.
          6. Change the configuration file vsftpd.conf.

          The FTP server can be configured as the active or passive mode.

          The client sends the data port information to the server in the active mode, and the server actively connects to the data port sent by the client. The parameters to configure FTP as the active mode are as follows:

          #Disable anonymous login to FTP server
          anonymous_enable=NO
          #Allow local users to log in to the FTP server
          local_enable=YES
          #Set the directory where the local user is logged in
          local_root=/var/ftp/baidu
          #All users are restricted in the home directory
          chroot_local_user=YES
          #Enable the list of exceptional users
          chroot_list_enable=YES
          #Specify a list of exception users who are not locked in the home directory
          chroot_list_file=/etc/vsftpd/chroot_list
          
          #Configure additional parameters
          allow_writeable_chroot=YES
          local_umask=022
          dirmessage_enable=YES
          xferlog_enable=YES
          connect_from_port_20=YES
          xferlog_std_format=YES
          listen=YES
          pam_service_name=vsftpd
          userlist_enable=YES
          tcp_wrappers=YES

          (1) Press ESC to exit the Edit mode, and then press the :wq key to save and exit files.

          (2) Run the command touch /etc/vsftpd/chroot_list to create the file chroot_list, and write in it the list of exception users who are not restricted to their home directory.

          Note: The file chroot_list must exist even if there are no exception users; in that case its content may be empty.

          (3) Press ESC to exit the Edit mode, and then press the :wq key to save and exit files.

          (4) Run the following command to restart the vsftpd service. /etc/init.d/vsftpd restart

          At this point, all configurations of active mode are completed successfully.

          The server enables the data port and sends the data port information to the client in the passive mode, the client connects to the data port enabled by the server, and the server accepts the connection passively. You need to configure the range of data ports that the server can enable in the passive mode. The parameters to configure FTP as the passive mode are as follows:

          #Disable anonymous login to FTP server
          anonymous_enable=NO
          #Allow local users to log in to the FTP server
          local_enable=YES
          #Set the directory where the local user is logged in
          local_root=/var/ftp/baidu
          #All users are restricted in the home directory
          chroot_local_user=YES
          #Enable the list of exceptional users
          chroot_list_enable=YES
          #Specify a list of exception users who are not locked in the home directory
          chroot_list_file=/etc/vsftpd/chroot_list
          #Open the passive mode
          pasv_enable=YES
          #FTP Server Public Network IP
          pasv_address=<FTP Server Public Network IP>
          #Set the minimum value of the port range for data transfer to be set in passive mode
          pasv_min_port=50000
          #Set the Maximum value of the port range for data transfer to be set in passive mode
          pasv_max_port=50010
          #Configure additional parameters
          local_umask=022
          dirmessage_enable=YES
          xferlog_enable=YES
          xferlog_std_format=YES
          tcp_wrappers=YES
          allow_writeable_chroot=YES
          listen=YES
          listen_ipv6=NO
          pam_service_name=vsftpd
          userlist_enable=YES

          Note: It is recommended that you set the ports in a relatively high range, such as 50,000-50,010, to help improve the security of access to the FTP server.

          (1) Press ESC to exit the Edit mode, and then press the :wq key to save and exit files.

          (2) Run the command touch /etc/vsftpd/chroot_list to create the file chroot_list, and write in it the list of exception users who are not restricted to their home directory.

          Note: The file chroot_list must exist even if there are no exception users; in that case its content may be empty.

          (3) Press ESC to exit the Edit mode, and then press the :wq key to save and exit files.

          (4) Run the following command to restart the vsftpd service. /etc/init.d/vsftpd restart

          At this point, all configurations of passive mode are completed successfully.

          Parameter Description of vsftpd.conf Configuration File

          Run the command cat /etc/vsftpd/vsftpd.conf to view the configuration file.

          User login control:

          Parameters                 Note
          anonymous_enable=YES       Accept the anonymous user
          no_anon_password=YES       Do not ask for the password for the anonymous user login
          anon_root=(none)           Home directory of anonymous user
          local_enable=YES           Accept the local user
          local_root=(none)          Home directory of local user

          User access control:

          Parameters                    Note
          write_enable=YES              Can upload files (global control)
          local_umask=022               Umask for local users to upload files
          file_open_mode=0666           Upload file privilege with umask
          anon_upload_enable=NO         Anonymous users can upload files
          anon_mkdir_write_enable=NO    Anonymous users can create directories
          anon_other_write_enable=NO    Anonymous users can modify or delete files
          chown_username=lightwiter     User name of anonymous upload file

          Step 3: Set the security group.

          After the FTP site is built, you need to add inbound rules to the instance security group to open the following FTP ports.

          When FTP is in the active mode: port 21.
          When FTP is in the passive mode: port 21 and all ports between parameters pasv_min_port and pasv_max_port in the configuration file /etc/vsftpd/vsftpd.conf.

          For the specific steps to add the security group rules, see Add Security Group Rules.
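
An added example, not part of the original documentation: a POSIX shell audit that reads a vsftpd.conf and reports the anonymous-write settings from Method 1, the chroot settings from Method 2, and the inbound ports Step 3 says to open. The function names and sample files are constructed here, and the fallback values assume the upstream vsftpd.conf(5) defaults.

```shell
#!/bin/sh
# Added example: audit the vsftpd.conf settings this tutorial edits.
# Fallback values are the upstream vsftpd.conf(5) defaults (assumption: a distro package may differ).

# conf_get FILE KEY DEFAULT: effective value of KEY; a later assignment overrides an earlier one.
conf_get() {
    awk -F= -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }                     # skip comment lines
        $1 == k    { v = $2 }                   # vsftpd permits no spaces around "="
        END { sub(/[ \t\r]+$/, "", v); print (v == "" ? d : v) }' "$1"
}
is_yes() { [ "$(conf_get "$1" "$2" "$3" | tr 'a-z' 'A-Z')" = "YES" ]; }

# anon_findings FILE: report when anonymous sessions can log in and write.
anon_findings() {
    is_yes "$1" anonymous_enable YES || return 0
    echo "INFO anonymous login enabled"
    is_yes "$1" write_enable NO || return 0
    for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
        if is_yes "$1" "$k" NO; then echo "WARN anonymous write: $k=YES"; fi
    done
}

# chroot_findings FILE: report how tightly local users are confined.
chroot_findings() {
    is_yes "$1" local_enable NO || return 0
    if is_yes "$1" chroot_local_user NO; then
        if is_yes "$1" chroot_list_enable NO; then
            echo "INFO users listed in $(conf_get "$1" chroot_list_file /etc/vsftpd.chroot_list) are not chrooted"
        fi
        if is_yes "$1" allow_writeable_chroot NO; then
            echo "WARN allow_writeable_chroot=YES: a user-writable chroot root is accepted"
        fi
    else
        echo "WARN chroot_local_user is not YES: local users are not chrooted by default"
    fi
}

# inbound_ports FILE: TCP ports the security group has to allow inbound.
inbound_ports() {
    conf_get "$1" listen_port 21
    is_yes "$1" pasv_enable YES || return 0
    min=$(conf_get "$1" pasv_min_port 0); max=$(conf_get "$1" pasv_max_port 0)
    if [ "$min" -gt 0 ] && [ "$max" -ge "$min" ]; then
        echo "$min-$max"
    else
        echo "WARN pasv_enable=YES but no pasv_min_port/pasv_max_port range is set"
    fi
}

# Constructed samples: Method 1 (anonymous upload) and the passive-mode settings, abridged.
SAMPLE_ANON=$(mktemp); SAMPLE_PASV=$(mktemp)
trap 'rm -f "$SAMPLE_ANON" "$SAMPLE_PASV"' EXIT
printf '%s\n' anonymous_enable=YES write_enable=YES anon_upload_enable=YES > "$SAMPLE_ANON"
printf '%s\n' '#passive mode (abridged)' anonymous_enable=NO local_enable=YES \
    chroot_local_user=YES chroot_list_enable=YES chroot_list_file=/etc/vsftpd/chroot_list \
    allow_writeable_chroot=YES pasv_enable=YES pasv_min_port=50000 pasv_max_port=50010 > "$SAMPLE_PASV"

for f in "$SAMPLE_ANON" "$SAMPLE_PASV"; do
    anon_findings "$f"; chroot_findings "$f"; inbound_ports "$f"
done
```

To audit a real server, call the three functions with /etc/vsftpd/vsftpd.conf on CentOS or /etc/vsftpd.conf on Ubuntu instead of the sample files.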

          Step 4: Test the client.

          You can access the FTP server for testing through the FTP client or browser. This tutorial takes the FileZilla tool as an example.

          Build the FTP Service in Ubuntu System

          This tutorial takes the BCC public image Ubuntu14.01 64-bit operating system as an example to describe how to install and configure vsftpd on the Linux instance.

          • Step 1: Install “vsftpd”
          • Step 2: Configure “vsftpd”

            • Method 1: Configure the privilege for anonymous users to upload files.
            • Method 2: Configure the local user login.
          • Step 3: Set the security group.
          • Step 4: Test the client.

          Step 1: Install “vsftpd”

          1. Remotely connect and log in to the Linux instance.
          2. Run the command sudo apt-get install vsftpd -y to install vsftpd.

          3. After the successful installation, vsftpd starts automatically and is set to start at boot by default. You can check that the service is listening with the netstat command.

          Step 2: Configure “vsftpd”

          vsftpd can be configured in the anonymous mode (you can log in to the system without entering the account number and password) or the local user mode.

          This tutorial introduces the following two ways to configure vsftpd and provides relevant parameter descriptions. You can refer to this tutorial according to your specific requirements.

          • Anonymous mode
          • Local user mode

          Method 1: Configure the privilege for anonymous users to upload files.

          The anonymous access to FTP server is an insecure access mode, and anyone can log in to the FTP server without the password authentication. This mode is generally used to save the unimportant public files only and not recommended for use in the production environment. If you want to configure the privilege for anonymous users to upload and download files, you can configure it by following the steps below:

          1. Run the command: vim /etc/vsftpd.conf

            a. Press the i key to enter the Edit mode.
            b. Change the write privilege to write_enable=YES.
            c. Change the anonymous upload privilege to anon_upload_enable=YES.
            d. Change whether anonymous login is allowed to anonymous_enable=YES.
            e. Press Esc to exit the Edit mode, and then enter :wq to save and exit files.

          2. Create an FTP subdirectory.

          Run the command: sudo mkdir /srv/ftp/upload
          The default root directory of FTP on Ubuntu is /srv/ftp/. However, anonymous users cannot upload files to the root directory by default, so they can only upload files to a subdirectory created for that purpose.

          3. Set the privilege 755 and the group for this directory.

          Run the command: sudo chown root:ftp /srv/ftp/upload
          And then run the command: sudo chmod 755 /srv/ftp/upload

          4. Restart the service to make it take effect.

          Run the command: sudo service vsftpd restart

          5. Test whether it can access and upload/download files normally.

          Method 2: Configure the local user login.

          The local user login means users log in to the FTP server with the account number and password in the Linux operating system.

          You can configure the vsftpd service by following the steps below to access the FTP server with the Linux account number and password.

          1. Run the following command to create a Linux user for the FTP service. The user name is ftpbaidu in this example.

          sudo useradd ftpbaidu

          2. Run the following command to set the password of the ftpbaidu user.

          sudo passwd ftpbaidu

          3. Run the following command to create a file directory for the FTP service.

          sudo mkdir /srv/ftp/baidu

          4. Run the following command to change the owner of directory /srv/ftp/baidu to ftpbaidu.

          sudo chown -R ftpbaidu:ftpbaidu /srv/ftp/baidu

          5. Enter the command vim /etc/vsftpd.conf to open the configuration file vsftpd.conf, and then press the i key to enter the edit mode.
          6. Change the configuration file vsftpd.conf.

          The FTP server can be configured as the active or passive mode.

          Configure an active mode: The client sends the data port information to the server in the active mode, and the server connects to the data port sent by the client actively. The parameters to configure FTP as the active mode are as follows:

          #Disable anonymous login to FTP server
          anonymous_enable=NO
          #Allow local users to log in to the FTP server
          local_enable=YES
          #Set the directory where the local user is logged in
          local_root=/srv/ftp/baidu
          #All users are restricted in the home directory
          chroot_local_user=YES
          #Enable the list of exceptional users
          chroot_list_enable=YES
          #Specify a list of exception users who are not locked in the home directory
          chroot_list_file=/etc/chroot_list
          #Writable privileges of home directory
          allow_writeable_chroot=YES
          #Configure additional parameters
          local_umask=022
          dirmessage_enable=YES
          xferlog_enable=YES
          connect_from_port_20=YES
          xferlog_std_format=YES
          listen=YES
          pam_service_name=vsftpd
          userlist_enable=YES
          tcp_wrappers=YES

          (1) Press ESC to exit the Edit mode, and then press the :wq key to save and exit files.

          (2) Run the command touch /etc/chroot_list to create the file chroot_list, and write in it the list of exception users who are not restricted to their home directory.

          Note: The file chroot_list must exist even if there are no exception users; in that case its content may be empty.

          (3) Press ESC to exit the Edit mode, and then press the :wq key to save and exit files.

          (4) Run the following command to restart the vsftpd service. sudo service vsftpd restart

          Above is the configuration method of active mode.

          Configure a passive mode: The server enables the data port and sends the data port information to the client in the passive mode. The client connects to the data port enabled by the server, and the server accepts the connection passively. You need to configure the range of data ports that the server can enable in the passive mode. The parameters to configure FTP as the passive mode are as follows:

          #Disable anonymous login to FTP server
          anonymous_enable=NO
          #Allow local users to log in to the FTP server
          local_enable=YES
          #Set the directory where the local user is logged in
          local_root=/srv/ftp/baidu
          #All users are restricted in the home directory
          chroot_local_user=YES
          #Enable the list of exceptional users
          chroot_list_enable=YES
          #Specify a list of exception users who are not locked in the home directory
          chroot_list_file=/etc/chroot_list
          #Open the passive mode
          pasv_enable=YES
          #FTP Server Public Network IP
          pasv_address=<FTP Server Public Network IP>
          #Set the minimum value of the port range for data transfer to be set in passive mode
          pasv_min_port=50000
          #Set the maximum value of the port range for data transfer to be set in passive mode
          pasv_max_port=50010
          #Configure additional parameters
          local_umask=022
          dirmessage_enable=YES
          xferlog_enable=YES
          xferlog_std_format=YES
          tcp_wrappers=YES
          allow_writeable_chroot=YES
          listen=YES
          listen_ipv6=NO
          pam_service_name=vsftpd
          userlist_enable=YES

          Note: It is recommended that you set the ports in a relatively high range, such as 50,000-50,010, to help improve the security of access to the FTP server.

          (1) Press ESC to exit the Edit mode, and then press the :wq key to save and exit files.

          (2) Run the command touch /etc/chroot_list to create the file chroot_list, and write in it the list of exception users who are not restricted to their home directory.

          Note: The file chroot_list must exist even if there are no exception users; in that case its content may be empty.

          (3) Press Esc to exit the Edit mode, and then press the :wq key to save and exit files.

          (4) Run the following command to restart the vsftpd service. sudo service vsftpd restart

          Above is the configuration method of passive mode.

          Parameter Description of vsftpd.conf Configuration File

          Run the command cat /etc/vsftpd.conf to view the configuration file.

          User login control:

          Parameters                 Note
          anonymous_enable=YES       Accept the anonymous user
          no_anon_password=YES       Do not ask for the password for the anonymous user login
          anon_root=(none)           Home directory of anonymous user
          local_enable=YES           Accept the local user
          local_root=(none)          Home directory of local user

          User access control:

          Parameters                    Note
          write_enable=YES              Can upload files (global control)
          local_umask=022               Umask for local users to upload files
          file_open_mode=0666           Upload file privilege with umask
          anon_upload_enable=NO         Anonymous users can upload files
          anon_mkdir_write_enable=NO    Anonymous users can create directories
          anon_other_write_enable=NO    Anonymous users can modify or delete files
          chown_username=lightwiter     User name of anonymous upload file

          Step 3: Set the security group.

          After the FTP site is built, you need to add inbound rules to the instance security group to open the following FTP ports.

          • When FTP is in the active mode: port 21.
          • When FTP is in the passive mode: port 21 and all ports between parameters pasv_min_port and pasv_max_port in the configuration file /etc/vsftpd.conf.

          Step 4: Test the client.

          You can access the FTP server for testing through the FTP client or browser.
