Secure FTP User Setup on CentOS Using VSFTPD
In today’s digital environment, secure file transfer and efficient server access are essential for developers, system administrators, and businesses. One of the most reliable ways to manage file uploads and downloads on a Linux server is by configuring an FTP server using VSFTPD (Very Secure FTP Daemon).
CentOS is a popular enterprise-grade Linux distribution, and when combined with VSFTPD, it provides a stable and secure FTP solution. By creating dedicated FTP users, you can control access permissions, improve security, and allow users to upload or manage files without exposing the entire server.
In this tutorial, you will learn how to create a new FTP user on CentOS 8 using the command line and configure VSFTPD to allow restricted access to a specific directory. We will also cover how to secure FTP connections using SSL/TLS encryption, which is highly recommended for production servers.
Use Case Scenario
Recently, I installed and configured CentOS 8 on an Amazon EC2 instance (t4g.large) and deployed a web application using Laravel 8 with Vue.js. The requirement was to:
- Create a new FTP user
- Restrict access only to the /var/www/html directory
- Secure FTP connections using SSL/TLS
- Configure AWS EC2 inbound rules for FTP access
This guide walks you through the complete process, from installing VSFTPD to generating SSL certificates and configuring the firewall.
Before You Begin
Please make sure you meet the following requirements:
- Have SSH access to your server
- Allow required FTP ports in your AWS EC2 Security Group
- Log in to your EC2 instance using PuTTY (or any SSH client)
Note: On AWS EC2, authentication is done using a PEM key, not a password. The default login user for CentOS is centos.
1. Installing Vsftpd FTP Service on CentOS 8
Update the package index, then install vsftpd:
sudo yum update
sudo yum install vsftpd
Once the package is installed, start the service and enable it so that it starts with the system:
sudo systemctl start vsftpd
sudo systemctl enable vsftpd
Run the below command to verify the status of vsftpd.
sudo systemctl status vsftpd
2. Create A New FTP User
We will now create a new FTP user; replace ftpuser with a name of your choice. Because this user is to be confined to /var/www/html, that directory is set as the user's home directory (vsftpd's chroot_local_user confines a user to their home directory), and -M tells useradd not to create it, since the web root already exists:
sudo adduser -d /var/www/html -M ftpuser
sudo passwd ftpuser
The passwd command prompts for a password and then for its confirmation; choose a strong one.
Next, add the new user to the user list. Open the file and append the username you just created on its own line at the bottom (the file already contains other entries); the line must have no leading or trailing spaces. With userlist_deny=NO, set in step 4, only the users in this file are allowed to log in.
sudo nano /etc/vsftpd/user_list
Without the following command the user can see the files but cannot edit or delete them because of the directory permissions, so give ownership of the web root to the FTP user:
sudo chown -R ftpuser:ftpuser /var/www/html
Do not allow ftpuser to log in via SSH; change its shell to nologin:
sudo usermod --shell /sbin/nologin ftpuser
3. Configuration Of SSL / TLS
We will create a self-signed certificate. The command below asks for some information (country, organization, common name and so on); if you are unsure what to enter, the profile details of the currently logged-in user can serve as a guide. Once all the fields are filled in, the certificate and its private key are written to the /etc/vsftpd/ directory.
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.key -out /etc/vsftpd/vsftpd.pem
4. Configuration Of Vsftpd
First take a backup of vsftpd.conf. Keeping a copy of the configuration file means that any mistake can easily be reverted to the original state.
sudo cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.backup
Open the file; we have to add some parameters and modify some existing ones.
sudo nano /etc/vsftpd/vsftpd.conf
Search for the following existing parameters and modify them:
# existing
local_enable=YES
write_enable=YES
chroot_local_user=YES
listen=YES
# listen=YES and listen_ipv6=YES cannot both be set or vsftpd refuses to start; change the existing listen_ipv6 line as well
listen_ipv6=NO
Add the following new parameters at the bottom of the file:
# new
pasv_min_port=1024
pasv_max_port=1048
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/user_list
allow_writeable_chroot=YES
# pasv_address is the public IP address of your Amazon EC2 instance
pasv_address=xx.xxx.xxx.xxx
pasv_enable=YES
rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.key
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
debug_ssl=YES
Restart vsftpd so that the configuration change takes effect:
sudo systemctl restart vsftpd
(or: sudo service vsftpd restart)
Then open the FileZilla FTP client, enter the host (the public IP of your EC2 instance), the FTP username and the password, and connect.
NOTE: Complete step 5 first, then try to connect with the FileZilla FTP client.
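Steps 2 to 4 above are a series of hand edits to vsftpd.conf. The shell script below is an added example, not part of the original tutorial: it applies the same security-relevant directives idempotently (an existing line for a directive, commented out or not, is replaced rather than duplicated, so the script can be re-run safely) and then audits the result for the settings that matter most here: cleartext logins, anonymous access, legacy SSL versions, and a missing chroot or allow-list. It also sets listen_ipv6=NO, because vsftpd refuses to start when both listen and listen_ipv6 are YES. It works on a constructed sample resembling a stock CentOS 8 vsftpd.conf written to a temporary file, so it never touches /etc/vsftpd; the pasv_address 203.0.113.10 is a documentation placeholder.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Idempotent editing of vsftpd.conf directives plus an audit of the
# security-relevant ones. Works on a temporary copy of a constructed
# sample config; it never modifies /etc/vsftpd.

# set_directive FILE KEY VALUE
# Remove every existing "KEY=" line (commented out or not) and append
# KEY=VALUE, so re-running the script cannot produce duplicate directives.
set_directive() {
    grep -v "^#\{0,1\}$2=" "$1" > "$1.tmp" || true
    printf '%s=%s\n' "$2" "$3" >> "$1.tmp"
    mv "$1.tmp" "$1"
}

# get_directive FILE KEY: print the value of the last active KEY= line.
get_directive() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# expect_directive FILE KEY VALUE MESSAGE: print MESSAGE unless KEY=VALUE.
expect_directive() {
    [ "$(get_directive "$1" "$2")" = "$3" ] || printf '%s (%s=%s expected)\n' "$4" "$2" "$3"
}

# audit_conf FILE: one line per finding; no output means no findings.
audit_conf() {
    expect_directive "$1" ssl_enable             YES "TLS is not enabled"
    expect_directive "$1" force_local_logins_ssl YES "passwords may travel in cleartext"
    expect_directive "$1" force_local_data_ssl   YES "file contents may travel in cleartext"
    expect_directive "$1" ssl_sslv2              NO  "SSLv2 not explicitly disabled"
    expect_directive "$1" ssl_sslv3              NO  "SSLv3 not explicitly disabled"
    expect_directive "$1" anonymous_enable       NO  "anonymous FTP not explicitly disabled"
    expect_directive "$1" chroot_local_user      YES "users are not confined to their home directory"
    expect_directive "$1" userlist_enable        YES "user_list is not consulted"
    expect_directive "$1" userlist_deny          NO  "user_list is a deny-list, not an allow-list"
}

# harden_conf FILE PASV_ADDRESS: apply the tutorial's directives.
harden_conf() {
    set_directive "$1" listen YES
    set_directive "$1" listen_ipv6 NO   # listen=YES with listen_ipv6=YES makes vsftpd refuse to start
    set_directive "$1" local_enable YES
    set_directive "$1" write_enable YES
    set_directive "$1" chroot_local_user YES
    set_directive "$1" allow_writeable_chroot YES
    set_directive "$1" userlist_enable YES
    set_directive "$1" userlist_deny NO
    set_directive "$1" userlist_file /etc/vsftpd/user_list
    set_directive "$1" pasv_enable YES
    set_directive "$1" pasv_min_port 1024
    set_directive "$1" pasv_max_port 1048
    set_directive "$1" pasv_address "$2"
    set_directive "$1" ssl_enable YES
    set_directive "$1" allow_anon_ssl NO
    set_directive "$1" force_local_data_ssl YES
    set_directive "$1" force_local_logins_ssl YES
    set_directive "$1" ssl_tlsv1 YES
    set_directive "$1" ssl_sslv2 NO
    set_directive "$1" ssl_sslv3 NO
    set_directive "$1" require_ssl_reuse NO
    set_directive "$1" ssl_ciphers HIGH
    set_directive "$1" rsa_cert_file /etc/vsftpd/vsftpd.pem
    set_directive "$1" rsa_private_key_file /etc/vsftpd/vsftpd.key
}

# sample_conf: write a constructed config resembling a stock CentOS 8
# vsftpd.conf (cleartext only, chroot commented out, IPv6 listener) to a
# temporary file and print its path.
sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
#chroot_local_user=YES
listen=NO
listen_ipv6=YES
userlist_enable=YES
pam_service_name=vsftpd
EOF
    printf '%s\n' "$f"
}

demo() {
    f=$(sample_conf)
    echo "Findings before hardening: $(audit_conf "$f" | wc -l)"
    audit_conf "$f"
    harden_conf "$f" 203.0.113.10     # placeholder public IP
    echo "Findings after hardening:  $(audit_conf "$f" | wc -l)"
    rm -f "$f"
}

demo
```

To use it against a real server, point harden_conf at a copy of /etc/vsftpd/vsftpd.conf (after the backup from step 4) and run audit_conf on the result before restarting the service; an empty audit is the state the tutorial's configuration is meant to reach.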
5. Configuration Of Port Added In Vsftpd.conf
Now go to the AWS web console. In the list of running instances, scroll to the right to find the security group associated with the instance. Click the security group, open its Inbound rules and click Edit. Add inbound rules for the ports used above: TCP 21 (FTP control) and TCP 1024-1048 (the passive data range set by pasv_min_port and pasv_max_port).
6. Test the FTP Connection
Once your FTP user is created and VSFTPD is configured, you can connect to your FTP server using an FTP client such as FileZilla. Use the FTP user credentials you set up to log in and verify access.
Important Notes:
- Ensure your firewall rules allow FTP traffic (port 21 by default).
- Consider enabling TLS encryption for secure FTP connections. This requires additional configuration in vsftpd to protect data during transfer.
- Regularly monitor FTP access logs for any suspicious activity to maintain a secure FTP server on CentOS.
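As an added example of what monitoring those logs can look like in practice (this is not part of the original guide), the shell functions below scan vsftpd's own log for clients that repeatedly fail to log in, and for clients that eventually succeed after many failures, which is the trace a password-guessing attempt leaves behind. The sample entries are constructed in the format vsftpd writes to /var/log/vsftpd.log when xferlog_std_format=NO or dual_log_enable=YES is set; with the stock xferlog_std_format=YES the log holds wu-ftpd-style transfer records instead and these patterns will not match. The addresses are from documentation ranges.

```shell
#!/bin/sh
# Added example, not part of the original guide: spot password guessing
# against vsftpd from its own log (/var/log/vsftpd.log format, i.e.
# xferlog_std_format=NO or dual_log_enable=YES). Runs on constructed
# sample lines, not on a real log.

# failed_logins_by_client LOGFILE THRESHOLD
# Print "COUNT IP" for each client with at least THRESHOLD failed logins,
# most failures first.
failed_logins_by_client() {
    awk -v min="$2" '
        /FAIL LOGIN: Client "/ {
            split($0, p, "\"")          # p[2] is the quoted client address
            fails[p[2]]++
        }
        END { for (ip in fails) if (fails[ip] >= min) print fails[ip], ip }
    ' "$1" | sort -rn
}

# suspicious_successes LOGFILE THRESHOLD
# Print clients that logged in successfully after at least THRESHOLD
# failures: the signature of a guessed password rather than a typo.
suspicious_successes() {
    awk -v min="$2" '
        /FAIL LOGIN: Client "/ { split($0, p, "\""); fails[p[2]]++ }
        /OK LOGIN: Client "/   { split($0, p, "\""); ok[p[2]] = 1 }
        END { for (ip in ok) if (fails[ip] >= min) print ip }
    ' "$1" | sort
}

# sample_log: write constructed vsftpd.log-style entries to a temp file and
# print its path. 203.0.113.7 fails four times and then gets in;
# 198.51.100.4 mistypes once and then works normally.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mon Mar 14 10:11:58 2022 [pid 2190] CONNECT: Client "203.0.113.7"
Mon Mar 14 10:12:01 2022 [pid 2191] [ftpuser] FAIL LOGIN: Client "203.0.113.7"
Mon Mar 14 10:12:03 2022 [pid 2192] [ftpuser] FAIL LOGIN: Client "203.0.113.7"
Mon Mar 14 10:12:05 2022 [pid 2193] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar 14 10:12:07 2022 [pid 2194] [ftpuser] FAIL LOGIN: Client "203.0.113.7"
Mon Mar 14 10:12:09 2022 [pid 2195] [ftpuser] OK LOGIN: Client "203.0.113.7"
Mon Mar 14 10:15:00 2022 [pid 2201] CONNECT: Client "198.51.100.4"
Mon Mar 14 10:15:02 2022 [pid 2202] [ftpuser] FAIL LOGIN: Client "198.51.100.4"
Mon Mar 14 10:15:06 2022 [pid 2203] [ftpuser] OK LOGIN: Client "198.51.100.4"
Mon Mar 14 10:15:20 2022 [pid 2203] [ftpuser] OK UPLOAD: Client "198.51.100.4", "/var/www/html/index.php", 2048 bytes, 35.12Kbyte/sec
EOF
    printf '%s\n' "$f"
}

demo() {
    f=$(sample_log)
    echo "Clients with 3 or more failed logins:"
    failed_logins_by_client "$f" 3
    echo "Successful logins preceded by 3 or more failures:"
    suspicious_successes "$f" 3
    rm -f "$f"
}

demo
```

On a live server, run the two functions against /var/log/vsftpd.log from cron and feed their output to whatever alerting you already have; a client that appears in the second list is worth checking against the user_list from step 2 and the upload records that follow it.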