

[CentOS 7/AlmaLinux 8] Setting your FTP server on CentOS 7/AlmaLinux 8

MichailMichail Moderator
edited September 2 in Various Tutorials

Introduction

An FTP server exchanges files with clients over the File Transfer Protocol, on the Internet or on a local network. It remains a common choice for remote file transfer, but plain FTP sends credentials and file contents in cleartext, which is why this guide also covers adding TLS to it.

In this article, you will learn how to configure an FTP server on Red Hat based distributions (CentOS 7, AlmaLinux 8) with vsftpd (Very Secure FTP Daemon).

WARNING

CentOS 7 reached end of life on June 30, 2024:

https://blog.centos.org/2023/04/end-dates-are-coming-for-centos-stream-8-and-centos-linux-7/

Because of this, you may encounter repository issues, and the system no longer receives security updates. We recommend installing an OS that has not yet reached EOL instead.

If you are using CentOS 7 and encounter a mirror issue, please check out this guide to resolve the problem.

Step for AlmaLinux 8 only: Import the repository GPG key

This step is for AlmaLinux 8 only. Skip it if you are configuring FTP on CentOS 7.

Run the following command to import the AlmaLinux repository signing key, so that yum can verify the packages it installs:

rpm --import https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux

1. Updating the packages

Make sure to update your software:

yum update

2. Installing the VSFTPD

Run the following command to install vsftpd:

yum -y install vsftpd

3. Making adjustments to the VSFTPD configuration file

Now you need to edit your vsftpd configuration file. Open the file with this command:

vi /etc/vsftpd/vsftpd.conf

Find and adjust or add the following settings (if they do not exist already):

anonymous_enable=NO
chroot_local_user=YES
allow_writeable_chroot=YES
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

Each line has its own purpose:

anonymous_enable=NO means that anonymous connections to your FTP server are not allowed; every login needs a local account.

chroot_local_user=YES confines (chroots) each FTP user to their own home directory, so they cannot browse the rest of the file system.

allow_writeable_chroot=YES: vsftpd refuses to start a session whose chroot root is writable by the user (the client sees "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"), because a writable jail root weakens the jail. This setting disables that check so that users can write directly into their home directory. It is a convenience with a security cost; the "Custom directories" section below shows the safer layout (a read-only chroot root with a writable subdirectory), with which this setting can stay at NO.

userlist_enable=YES turns on the user list, with which you manage who may log in to the FTP server.

userlist_file=/etc/vsftpd.userlist specifies the location of the user list.

userlist_deny=NO makes the list an allow list: only users named in it can log in. With userlist_deny=YES (the default) the same file is a deny list, so this value matters.

Save the file and exit (press "Esc", then type :wq and press "Enter").

4. Allowing FTP in IPtables

To allow FTP in iptables, use these commands:

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT

The first rule allows incoming connections to TCP port 21, the control channel. The second lets the server open active-mode data connections from source port 20. Most clients use passive mode instead: the client opens a second connection to a server port chosen from the pasv_min_port/pasv_max_port range, so once you pin that range (the TLS section below uses 50100-51100) add an INPUT rule of the same form for it. Do not rely on the kernel's FTP connection-tracking helper to open data ports on the fly: once the control channel is encrypted with TLS it cannot read the PASV reply.

After that, save the changes. On CentOS 7 (with the iptables-services package installed) run this command:

service iptables save

After that restart iptables (on CentOS 7):

service iptables restart

On AlmaLinux 8, iptables-save alone only prints the current rules to standard output. To make them survive a reboot, install iptables-services and write them to the file its service loads at boot:

iptables-save > /etc/sysconfig/iptables

Run only one of firewalld and the iptables service at a time; on AlmaLinux 8, firewalld is the default.

If you are using firewalld, run these commands:

firewall-cmd --zone=public --permanent --add-port=21/tcp

firewall-cmd --reload

5. Starting VSFTPD

To start vsftpd, run this command:

systemctl start vsftpd

If you want to start vsftpd automatically every time after system reboot, run the following command:

systemctl enable vsftpd

6. Creating FTP users

To create a new user, run the following command (change "youruser" to the actual username):

useradd -m -c "FTP user" youruser

If the account is meant for FTP only, add -s /sbin/nologin so that it cannot log in over SSH. vsftpd's PAM configuration on these distributions (/etc/pam.d/vsftpd) includes pam_shells, so the account's shell must be listed in /etc/shells; check that /sbin/nologin is there (grep nologin /etc/shells) before relying on it. The same PAM file also consults /etc/vsftpd/ftpusers, a deny list that blocks root and the system accounts regardless of the user list you create below.

To set a password for this user, enter this command:

passwd youruser

7. Adding user to the list

Now you need to add the user to the list. Open the user list file:

vi /etc/vsftpd.userlist

Add the username to it. If you have created a few users, add one username per line:

youruser
youruser2
youruser3

Save changes and exit.
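Adding names to the allow list by hand works, but a small helper avoids the two usual mistakes: a typo that silently grants nothing, and a privileged account that ends up in the list. The following is an added example, not part of vsftpd or of this guide; the denied-names list is an assumed local policy, and getent is used to spot list entries that have no matching account.

```shell
#!/bin/bash
# Maintain /etc/vsftpd.userlist: validate the name, refuse accounts that must
# never get FTP, and append each name only once. Added example, not part of
# vsftpd or of the guide; FTP_DENIED_NAMES is an assumed local policy.

# A portable user name: lower-case start, at most 32 characters (useradd's limit).
ftp_valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Accounts that stay out of the allow list no matter what (assumed policy;
# vsftpd's PAM setup additionally denies the entries of /etc/vsftpd/ftpusers).
FTP_DENIED_NAMES="root bin daemon adm nobody"

# ftp_userlist_add FILE USER: exit 0 when added or already present,
# 2 for an invalid name, 3 for a denied account.
ftp_userlist_add() {
    local file=$1 user=$2 denied
    if ! ftp_valid_username "$user"; then
        echo "invalid username: '$user'" >&2
        return 2
    fi
    for denied in $FTP_DENIED_NAMES; do
        if [ "$user" = "$denied" ]; then
            echo "refusing to grant FTP access to $user" >&2
            return 3
        fi
    done
    touch "$file"
    if grep -qxF "$user" "$file"; then
        echo "$user already present in $file"
    else
        echo "$user" >> "$file"
        echo "$user added to $file"
    fi
}

# ftp_userlist_stale FILE: print entries with no matching account. Such
# entries are silent no-ops in an allow list (typos, deleted users).
ftp_userlist_stale() {
    local name
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        getent passwd "$name" >/dev/null || echo "$name"
    done < "$1"
}

# Command-line use: ./userlist.sh add /etc/vsftpd.userlist youruser
#                   ./userlist.sh stale /etc/vsftpd.userlist
case "${1:-}" in
    add)   ftp_userlist_add "$2" "$3" ;;
    stale) ftp_userlist_stale "$2" ;;
esac
```

Run the stale check after removing an account with userdel, so the list does not keep names that no longer mean anything.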

You have configured the FTP server. However, plain FTP sends passwords and file contents in cleartext, so if you want to protect the connection with TLS, follow the steps below.

If you want to confine users to a different directory, or to use an existing one, see the "Custom directories" section.

Additional configurations (optional)

Setting up a secure FTP connection

To secure the connection with FTPS (FTP over TLS, sometimes written FTP-SSL) we will install a Let's Encrypt certificate. In this example the certificate is obtained independently of any web server; we also have an article explaining how to install Let's Encrypt for Apache.

1. Install certbot (the Let's Encrypt client)

First, install the EPEL repository, which provides the certbot package:

yum install epel-release

Then install certbot:

yum -y install certbot

2. Enabling ports 80 and 443

The standalone certbot mode used below answers Let's Encrypt's HTTP-01 challenge on port 80, so port 80 must be reachable from the Internet and must not already be in use by a web server (if it is, use the Apache article instead). Port 443 is opened here only for a web server you may add later; the challenge itself does not need it. On iptables, run the following commands:

iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

After that, save the changes. On CentOS 7 (with the iptables-services package installed):

service iptables save

Restart iptables:

service iptables restart

On AlmaLinux 8, write the rules to the file that the iptables service loads at boot (iptables-save alone only prints them):

iptables-save > /etc/sysconfig/iptables

If you use firewalld, run these commands:

firewall-cmd --zone=public --permanent --add-port=80/tcp
firewall-cmd --zone=public --permanent --add-port=443/tcp

Then reload firewalld:

firewall-cmd --reload

3. Generate a certificate

To create a certificate, run the following command (replace "yourserver.time4vps.cloud" with your server's public hostname; it must resolve to this server, because Let's Encrypt validates it over HTTP):

certbot certonly --standalone -d yourserver.time4vps.cloud

During this process you will be asked for an email address (used for expiry notices), to agree to the Terms of Service (mandatory), and whether to share your email address with the Electronic Frontier Foundation (optional).

4. Adjusting the VSFTPD configuration

To refuse unencrypted connections and use the Let's Encrypt certificate, you need to make changes in the vsftpd configuration file:

vi /etc/vsftpd/vsftpd.conf

Add these lines at the bottom of the file, replacing "yourserver.time4vps.cloud" in the last two lines with your actual hostname:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES
ssl_tlsv1=NO
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_min_port=50100
pasv_max_port=51100
rsa_cert_file=/etc/letsencrypt/live/yourserver.time4vps.cloud/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/yourserver.time4vps.cloud/privkey.pem

force_local_data_ssl=YES and force_local_logins_ssl=YES reject any login or data transfer that is not protected by TLS, so a client that connects with plain FTP is refused rather than silently downgraded. Only TLS 1.2 is left enabled: SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are deprecated (TLS 1.0 and 1.1 by RFC 8996) and should stay off unless a legacy client leaves you no choice. require_ssl_reuse=NO stops vsftpd from insisting that each data connection reuse the control connection's TLS session; that requirement binds the data connection to the authenticated client, so keep the default YES if your clients support session reuse (FileZilla does) and set NO only for clients that cannot. pasv_min_port and pasv_max_port pin the passive data ports to a fixed range so that the firewall can allow exactly those ports. The result is explicit FTPS (AUTH TLS on port 21), the mode FileZilla calls "Require explicit FTP over TLS".

Save changes and exit.

5. Certificate renewal

Let’s Encrypt certificates are valid for 90 days, and certbot renews one only once it is within 30 days of expiry. A monthly check can therefore find the certificate not yet eligible and not look again until after it has expired, so run the check daily instead. First see whether the certbot package already installed a systemd timer (systemctl list-timers 'certbot*'); if it did, enable that and skip the cronjob. Otherwise create one:

crontab -e

Add these lines to the crontab:

SHELL=/bin/bash
HOME=/
0 3 * * * certbot -q renew --deploy-hook "systemctl restart vsftpd" >> /var/log/le.log 2>&1

Save changes and exit (press "Esc", then type :wq and press "Enter").

The cronjob runs certbot every night at 03:00. certbot itself does nothing until the certificate is due, and --deploy-hook runs only when a certificate was actually renewed, so vsftpd is restarted exactly when the files under /etc/letsencrypt/live have changed and new sessions pick them up.
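A deploy hook for the cronjob above, as an added example that is not part of certbot or vsftpd: before restarting the daemon it checks that the renewed fullchain.pem and privkey.pem in the lineage directory belong together and that the certificate is not already expired, because a mismatched pair would make every TLS handshake fail after the restart. It relies on certbot's RENEWED_LINEAGE environment variable and on openssl being installed; the script path is an assumption.

```shell
#!/bin/bash
# Deploy hook for certbot (certbot renew --deploy-hook /path/to/this/script):
# restart vsftpd only if the renewed certificate and key are consistent.
# Added example, not part of certbot or vsftpd; it assumes the lineage layout
# from the guide (fullchain.pem and privkey.pem under /etc/letsencrypt/live).

# cert_key_match CERT KEY: exit 0 when the certificate's public key is the
# public half of KEY. A mismatch makes every TLS handshake fail.
cert_key_match() {
    local cert_pub key_pub
    openssl x509 -noout -in "$1" 2>/dev/null || return 1   # readable certificate?
    openssl pkey -noout -in "$2" 2>/dev/null || return 1   # readable private key?
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    key_pub=$(openssl pkey -pubout -in "$2" | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS: exit 0 when CERT does not expire within DAYS.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# The hook body. certbot exports RENEWED_LINEAGE=/etc/letsencrypt/live/<name>
# for deploy hooks; a path can also be passed explicitly for manual runs.
vsftpd_deploy_hook() {
    local lineage=${1:-$RENEWED_LINEAGE}
    local cert="$lineage/fullchain.pem" key="$lineage/privkey.pem"
    if ! cert_key_match "$cert" "$key"; then
        echo "refusing to restart vsftpd: $cert does not match $key" >&2
        return 1
    fi
    if ! cert_valid_for_days "$cert" 1; then
        echo "refusing to restart vsftpd: $cert is expired or expires today" >&2
        return 1
    fi
    systemctl restart vsftpd
}

# Only run the hook when executed under the assumed script name.
case "$0" in
    */vsftpd-deploy-hook.sh) vsftpd_deploy_hook "$@" ;;
esac
```

Save it as /usr/local/sbin/vsftpd-deploy-hook.sh, make it executable, and pass that path to --deploy-hook in place of the inline systemctl command; a failed check leaves the running daemon untouched and is visible in the certbot log.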

After all these steps, restart the VSFTPD:

systemctl restart vsftpd

Please note: if you are using the firewalld, make sure to allow 50100-51100 port range:

firewall-cmd --zone=public --permanent --add-port=50100-51100/tcp

firewall-cmd --reload
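A way to check the finished configuration rather than eyeball it, as an added example that is not part of vsftpd or of this guide: the script below reads /etc/vsftpd/vsftpd.conf (the only assumption is vsftpd's key=value format; local_enable=YES is expected because the stock configuration file on these distributions enables it), reports every directive from step 3 and from the TLS step that deviates from the values given there, and prints the firewalld or iptables commands implied by the passive port range, so that the range opened in the firewall cannot drift from the one in the configuration.

```shell
#!/bin/bash
# vsftpd-audit.sh: check a vsftpd.conf against the settings used in this guide
# and derive the firewall openings it implies. Added example, not part of
# vsftpd; the only assumption is the key=value file format vsftpd reads.

# Value of a directive; the last assignment in the file wins, as in vsftpd.
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Directives from step 3 (access control) and from the TLS step, with the
# value each must have. TLS 1.0/1.1 are NO: both are deprecated by RFC 8996.
VSFTPD_EXPECTED="
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO
ssl_tlsv1_1=NO
ssl_tlsv1_2=YES
"

# vsftpd_audit CONF: one FINDING line per deviation; exit 0 only when clean.
vsftpd_audit() {
    local conf=$1 findings=0 pair key want got path_key
    for pair in $VSFTPD_EXPECTED; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(vsftpd_get "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "FINDING: $key='${got:-<unset>}', expected $want"
            findings=$((findings + 1))
        fi
    done
    # A writable chroot root is what vsftpd refuses by default; the safer
    # layout is a read-only root with a writable subdirectory.
    if [ "$(vsftpd_get "$conf" allow_writeable_chroot)" = "YES" ]; then
        echo "FINDING: allow_writeable_chroot=YES; prefer a read-only chroot root"
        findings=$((findings + 1))
    fi
    # A missing certificate path fails at the first handshake, not at startup.
    for path_key in rsa_cert_file rsa_private_key_file; do
        if [ -z "$(vsftpd_get "$conf" "$path_key")" ]; then
            echo "FINDING: $path_key is not set"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# vsftpd_firewall_cmds CONF [firewalld|iptables]: commands for the control
# port and the passive data range, derived from the configuration itself.
vsftpd_firewall_cmds() {
    local conf=$1 style=${2:-firewalld} port pmin pmax
    port=$(vsftpd_get "$conf" listen_port); port=${port:-21}
    pmin=$(vsftpd_get "$conf" pasv_min_port); pmin=${pmin:-0}
    pmax=$(vsftpd_get "$conf" pasv_max_port); pmax=${pmax:-0}
    if [ "$style" = iptables ]; then
        echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
        echo "iptables -A OUTPUT -p tcp --sport 20 -j ACCEPT"   # active-mode data
    else
        echo "firewall-cmd --zone=public --permanent --add-port=$port/tcp"
    fi
    # Without a pinned range, passive data connections land on random high
    # ports that cannot be opened precisely, and with TLS the kernel's FTP
    # conntrack helper cannot read the PASV reply to open them on the fly.
    if [ "$pmin" -gt 0 ] && [ "$pmax" -ge "$pmin" ]; then
        if [ "$style" = iptables ]; then
            echo "iptables -A INPUT -p tcp --dport $pmin:$pmax -j ACCEPT"
        else
            echo "firewall-cmd --zone=public --permanent --add-port=$pmin-$pmax/tcp"
        fi
    else
        echo "# WARNING: pasv_min_port/pasv_max_port not set; passive mode will be blocked"
    fi
    [ "$style" = iptables ] || echo "firewall-cmd --reload"
}

# Command-line use: ./vsftpd-audit.sh audit /etc/vsftpd/vsftpd.conf
#                   ./vsftpd-audit.sh firewall /etc/vsftpd/vsftpd.conf iptables
case "${1:-}" in
    audit)    vsftpd_audit "$2" ;;
    firewall) vsftpd_firewall_cmds "$2" "${3:-firewalld}" ;;
esac
```

Run the audit after every edit of the configuration file and before restarting vsftpd; the firewall output is meant to be reviewed and then pasted, not piped blindly into a root shell.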

Custom directories

1. Creating custom directory

To create the custom directory, run the following command (change "youruser" to the actual username). An upload subdirectory is created at the same time, because the directory itself is about to be made read-only:

mkdir -p /home/youruser/ftp/upload

Make the chroot root owned by an unprivileged account and not writable by anyone. This satisfies vsftpd's check that the chroot root is not writable by the logged-in user, so allow_writeable_chroot can go back to NO in /etc/vsftpd/vsftpd.conf:

chown nobody:nobody /home/youruser/ftp

chmod a-w /home/youruser/ftp

Then give the user ownership of the upload subdirectory (chown youruser:youruser on /home/youruser/ftp/upload) so that uploads land there and nowhere else inside the jail. Uploads also require write_enable=YES, which the stock configuration file already sets.

2. Specifying the home directory

To specify home directory, open the VSFTP configuration file:

vi /etc/vsftpd/vsftpd.conf

Add these lines at the bottom:

user_sub_token=$USER
local_root=/home/$USER/ftp/

local_root specifies the directory FTP users are confined to after login, and user_sub_token=$USER substitutes each user's name into that path. We use the ftp directory for this example, but you can change it. With a read-only chroot root as created above, you can also set allow_writeable_chroot=NO.

Save changes and exit.

After that make sure to restart the VSFTP:

systemctl restart vsftpd
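The layout above in one function, as an added example that is not from the guide: the chroot root gets mode 555 and an owner other than the FTP user, and a separate upload subdirectory owned by the user is the only writable place inside the jail. The upload name and the modes 555/700 are choices made here; the check function tells you whether a directory has no write bit at all, which is the state in which vsftpd accepts it as a chroot root with allow_writeable_chroot=NO.

```shell
#!/bin/bash
# Chroot layout for vsftpd: a root the FTP user cannot write, plus a writable
# upload subdirectory. Added example, not from the guide; the "upload" name
# and the modes 555/700 are choices made here.

# ftp_dir_setup HOME USER [ROOT_OWNER]: create HOME/ftp (read-only chroot
# root, owned by ROOT_OWNER, default root) and HOME/ftp/upload (owned by USER).
ftp_dir_setup() {
    local home=$1 user=$2 root_owner=${3:-root}
    mkdir -p "$home/ftp/upload"
    chown "$user" "$home/ftp/upload"
    chmod 700 "$home/ftp/upload"    # only the FTP user reads and writes here
    chown "$root_owner" "$home/ftp"
    chmod 555 "$home/ftp"           # no write bit anywhere in the chroot root
}

# ftp_dir_mode DIR: the three permission digits of DIR (Linux stat).
ftp_dir_mode() {
    local mode
    mode=$(stat -c '%a' "$1")
    echo "${mode#"${mode%???}"}"
}

# ftp_chroot_root_ok DIR: exit 0 when no write bit is set for owner, group
# or others, i.e. the directory is a safe chroot root for vsftpd.
ftp_chroot_root_ok() {
    case $(ftp_dir_mode "$1") in
        *[2367]*) return 1 ;;   # a digit with the write bit set
        *) return 0 ;;
    esac
}

# Command-line use: ./ftp-dirs.sh setup /home/youruser youruser nobody
#                   ./ftp-dirs.sh check /home/youruser/ftp
case "${1:-}" in
    setup) ftp_dir_setup "$2" "$3" "${4:-root}" ;;
    check) ftp_chroot_root_ok "$2" && echo "ok: $2 is not writable" ;;
esac
```

ftp_dir_setup /home/youruser youruser nobody reproduces the guide's commands with nobody as the owner of the root; with local_root=/home/$USER/ftp/ in place, the user then lands in a directory they can read but not change, and writes into upload.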

Conclusion

You're all set. For FTP connections you can use clients such as FileZilla, WinSCP, Cyberduck or SmartFTP. If you enabled TLS, configure the client for explicit FTP over TLS (in FileZilla: "Require explicit FTP over TLS") so that it does not fall back to plain FTP. We have a guide for one of the most popular FTP clients, FileZilla, that explains how to transfer files using FTP.
