Configure FTP in CentOS 8

FTP (File Transfer Protocol) is a client-server network protocol that allows users to upload files to a remote host and download files from it. Several open-source FTP servers are available for Linux-based systems. The most popular are PureFTPd, ProFTPD and vsftpd.

In this article we will look at how to install an FTP server on CentOS 8, using vsftpd as the example. It is a stable, secure and fast FTP server. We will also show how to configure vsftpd to restrict users to their home directory and encrypt all transmissions with SSL/TLS.

Setting up an FTP server on CentOS

For more secure and faster data transfer, use SCP or SFTP. Attention! All commands must be run as a user with sudo privileges.

sudo su

The vsftpd package is available in the default CentOS repositories. To install it, run the following command:

yum install vsftpd

Once the installation is complete, start the vsftpd service and enable it to start at boot:

systemctl start vsftpd

systemctl enable vsftpd

Now check that the vsftpd service started successfully by typing the command:

systemctl status vsftpd

The output of the command is shown below:

Configure vsftpd on CentOS

vsftpd on CentOS 8 is configured by editing its configuration file, /etc/vsftpd/vsftpd.conf. The basic parameters are well documented in the configuration file itself. All available configuration options can be found on the official vsftpd website.

In this article we will look at some important settings required to configure and secure a vsftpd installation. To begin, open the vsftpd configuration file:

sudo nano /etc/vsftpd/vsftpd.conf

1. FTP access

We allow only local users to access the FTP server. To do this, find the following settings and make sure their values match the lines below:

anonymous_enable=NO
local_enable=YES

Uncomment the write_enable option to allow changes to the file system, such as uploading and deleting files:

write_enable=YES

2. Enable chroot

To deny FTP users access to files outside their home directory, we recommend enabling the chroot option:

chroot_local_user=YES

By default, when chroot is enabled, vsftpd will refuse to upload files if the directory to which the user is restricted is writable. This is done to prevent security breaches.

Use one of the following methods to allow uploads when chroot is enabled.

Method 1. The recommended way to allow uploads is to keep chroot enabled and configure the FTP directories. With this method we create an ftp directory inside the user's home directory that serves as the chroot, plus a writable directory inside it for uploading files.

user_sub_token=$USER
local_root=/home/$USER/ftp

Method 2. Another option is to add the following parameter to the vsftpd configuration file. Use this option if you want to give users write access to their home directory.

allow_writeable_chroot=YES

3. Passive FTP connections

The vsftpd server can use any port for passive FTP connections. We define the range of ports used for these connections and later open that range in our firewall. Add the following lines to the configuration file:

pasv_min_port=30000
pasv_max_port=31000

4. Limit user login

To allow only specific users to access the FTP server, add the following lines after the line userlist_enable=YES:

userlist_file=/etc/vsftpd/user_list
userlist_deny=NO

When this option is active, you must explicitly list the users who can log in by putting their user names in the file /etc/vsftpd/user_list (one user per line).

5. Configuring SSL / TLS

To secure file transfers, encrypt FTP traffic with SSL/TLS. To set up encryption you need an SSL certificate, and you must configure the FTP server to use it.

You can use an existing SSL certificate issued by a trusted CA, or create a self-signed certificate on your server. The command below creates a 2048-bit private key and a self-signed certificate that will be valid for 10 years.

The private key and certificate are stored in one file:

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

After you create the SSL certificate, open the vsftpd configuration file:

sudo nano /etc/vsftpd/vsftpd.conf

Add the rsa_cert_file and rsa_private_key_file lines and set their values to the path of the pem certificate file. Then add the ssl_enable line, setting its value to YES:

rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES

With these settings, unless specified otherwise, the FTP server will always use TLS to establish secure connections with clients. Restart the vsftpd service.

After making all the changes, the vsftpd configuration file (excluding comments) should look like this:

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
listen=NO
listen_ipv6=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_file=/etc/vsftpd/user_list
userlist_deny=NO
tcp_wrappers=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=30000
pasv_max_port=31000
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES

Save the configuration file, exit the editor, and restart the vsftpd service to apply the changes by running the following command:

sudo systemctl restart vsftpd
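
An added example, not part of the original article: a POSIX shell check that reads a vsftpd.conf and reports where it departs from the settings configured above. The function names eff and audit_vsftpd_conf and the sample config are constructed for illustration; the fallback values are vsftpd's documented defaults, including force_local_logins_ssl and force_local_data_ssl, the two options that can make TLS optional.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf against the settings used in this article.
# Fallback values are the defaults documented in vsftpd.conf(5).

# eff FILE KEY DEFAULT: effective value of KEY. vsftpd accepts no spaces
# around '=', and a later line overrides an earlier one.
eff() {
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r')
    printf '%s\n' "${v:-$3}"
}

# audit_vsftpd_conf FILE: prints one FAIL line per finding, returns 1 if any.
audit_vsftpd_conf() (
    f=$1; rc=0
    fail() { echo "FAIL $1"; rc=1; }
    [ "$(eff "$f" anonymous_enable YES)" = NO ] || fail "anonymous_enable: anonymous logins allowed"
    [ "$(eff "$f" chroot_local_user NO)" = YES ] || fail "chroot_local_user: users not confined"
    [ "$(eff "$f" allow_writeable_chroot NO)" = NO ] || fail "allow_writeable_chroot: chroot root is writable"
    [ "$(eff "$f" ssl_enable NO)" = YES ] || fail "ssl_enable: logins and data sent in clear text"
    for k in force_local_logins_ssl force_local_data_ssl; do
        [ "$(eff "$f" "$k" YES)" = YES ] || fail "$k: TLS is optional for local users"
    done
    if [ "$(eff "$f" userlist_enable NO)" != YES ] || [ "$(eff "$f" userlist_deny YES)" != NO ]; then
        fail "userlist: user_list is not an allow-list"
    fi
    lo=$(eff "$f" pasv_min_port 0); hi=$(eff "$f" pasv_max_port 0)
    case "$lo$hi" in *[!0-9]*) lo=0 ;; esac   # non-numeric counts as unset
    if [ "$lo" -le 0 ] || [ "$hi" -lt "$lo" ]; then
        fail "pasv ports: no fixed range for the firewall rule to match"
    fi
    return $rc
)

# Constructed sample: TLS made optional and no user allow-list.
demo=$(mktemp)
cat > "$demo" <<'EOF'
anonymous_enable=NO
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=NO
userlist_enable=YES
pasv_min_port=30000
pasv_max_port=31000
EOF
audit_vsftpd_conf "$demo" || echo "review the findings above"
rm -f "$demo"
```

On the server, run audit_vsftpd_conf /etc/vsftpd/vsftpd.conf; the final configuration shown above produces no findings.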

6. Opening ports in the firewall

If you are running a firewall, you need to allow FTP traffic by opening port 21 (the FTP command port), port 20 (the FTP data port) and ports 30000-31000 (the passive port range) with the following commands:

sudo firewall-cmd --permanent --add-port=20-21/tcp

sudo firewall-cmd --permanent --add-port=30000-31000/tcp

To apply the changes, reload the firewall:

firewall-cmd --reload

The FTP setup on CentOS is almost complete.

7. Creating FTP user

It's time to test our FTP server by creating a new user.

  • If you already have a user for whom you want to provide FTP access, skip the first command.
  • If you set allow_writeable_chroot=YES in your configuration file, skip the third step.

To create a new FTP user on CentOS 8 named newftpuser, run:

sudo adduser newftpuser

Add the user to the list of allowed FTP users:

echo "newftpuser" | sudo tee -a /etc/vsftpd/user_list

Create the FTP directory and set correct permissions:

sudo mkdir -p /home/newftpuser/ftp/upload

sudo chmod 550 /home/newftpuser/ftp

sudo chmod 750 /home/newftpuser/ftp/upload

sudo chown -R newftpuser: /home/newftpuser/ftp

As described in the previous section, the user will be able to upload files to the ftp/upload directory. At this stage the FTP server is fully configured, and you can connect to it with any FTP client that is configured to use TLS encryption.

8. Disabling access to SSH

By default, unless explicitly specified otherwise, a newly created user has SSH access to the server. To disable SSH access, create a new shell that simply prints a message informing the user that the account is limited to FTP access only.

Type the following commands to create the /bin/ftponly shell and make it executable:

echo -e '#!/bin/sh\necho "This account is limited to FTP access only."' | sudo tee -a /bin/ftponly

sudo chmod a+x /bin/ftponly

Then add the new shell to the list of valid shells in the /etc/shells file:

echo "/bin/ftponly" | sudo tee -a /etc/shells

Now change the user's shell to /bin/ftponly:

sudo usermod newftpuser -s /bin/ftponly

Use the same command to change the shell for all users that you want to provide only FTP access.

Conclusion

In this article you have seen how easy and fast it is to install and configure an FTP server on CentOS 8. vsftpd is a popular, fast and secure FTP server for systems running CentOS 8. Thank you for reading.

Source: losst.ru
