wholesale jerseys nba jersey discounts ncaa college jerseys nfl cheap jerseys with free shipping nfl authentic football jerseys new york giants apparel cheap wholesale jerseys

VSFTPD: Very Secure File Transfer Protocol Deamon


  1. Introduction
  2. Features
  3. Configuration Instructions and Basic Setup
    1. Download
    2. To disable anonymous login and to enable local users login and give them write permissions:
    3. To chroot users
    4. To deny (or allow) just some users to login
    5. To allow just some users to login:
    7. Additional Options
    8. Apply new configuration settings
    9. Webmin Module
    10. Set pasv_min_port and pasv_max_port in /etc/vsftpd.conf and allow outbound connections in the ports you set in your firewall.
    11. Virtual users with TLS/SSL/FTPS and a common upload directory - Complicated VSFTPD
  4. The workshop
    1. Create The Virtual Users Database
    2. Sample output:
    3. Configure VSFTPD for virtual user
    4. Create a PAM File Which Uses Your New Database
    5. Append the following:
    6. Restart The FTP Server
    7. Test Your Setup
    8. Sample success output:
    9. Troubleshooting
  5. See Also


VSFTPD stands for "Very Secure FTP Daemon" is a GPL licensed FTP server for UNIX systems. It is licensed under the GNU General Public License. It supports IPv6 and SSL.vsftpd supports explicit (since 2.0.0) and implicit (since 2.1.0) FTPS. vsftpd is the default FTP server in the Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL Linux distributions. It is secure and extremely fast. It is stable. VSFTPD is a mature and trusted solution which supports virtual users with PAM (pluggable authentication modules). A virtual user is a user login which does not exist as a real login on the system in /etc/passwd and /etc/shadow file. Virtual users can therefore be more secure than real users, because a compromised account can only use the FTP server but cannot login to system to use other services such as SSH or SMTP.

In July 2011, it was discovered that VSFTPD version 2.3.4 downloadable from the master site had been compromised. Users logging into a compromised vsftpd-2.3.4 server may issue a ":)" smiley-face as the username and gain a command shell on port 6200. This was not an issue of a security hole in VSFTPD, instead, someone had uploaded a different version of VSFTPD which contained a backdoor. Since then, the site was moved to Google App Engine.





Despite being small for purposes of speed and security, many more complicated FTP setups are achievable with vsftpd! vsftpd will handle:

  • Virtual IP configurations
  • Virtual users
  • Standalone or inetd operation
  • Powerful per-user configurability
  • Bandwidth throttling
  • Per-source-IP configurability
  • Per-source-IP limits
  • IPv6
  • Encryption support through SSL integration...




Configuration Instructions and Basic Setup



The latest vsftpd release is v3.0.2, currently at https://security.appspot.com/downloads/vsftpd-3.0.2.tar.gz


To disable anonymous login and to enable local users login and give them write permissions:

# No anonymous login 
# Let local users login 
# If you connect from the internet with local users, you should enable TLS/SSL/FTPS 
# Write permissions 


To chroot users

To jail / chroot users (not the VSFTPD service), there are three choices. Search for "chroot_local_users" on the file and consider one of the following: Code:
# 1. All users are jailed by default:

# 2. Just some users are jailed:
# Create the file /etc/vsftpd.chroot_list with a list of the jailed users.

# 3. Just some users are "free":
# Create the file /etc/vsftpd.chroot_list with a list of the "free" users.


To deny (or allow) just some users to login

To deny some users to login, add the following options in the end of the file: Code: userlist_deny=YES
In the file /etc/vsftpd.denied_users add the username of the users that can't login. One username per line.


To allow just some users to login:

Code: userlist_deny=NO
In the file /etc/vsftpd.allowed_users add the username of the users that can login.

The not allowed users will get an error that they can't login before they type their password.



NOTE: you definitely have to use this if you connect from the Internet.

To use vsftpd with encryption (it's safer), change or add the following options (some options aren't on the original config file, so add them): Code:ssl_enable=YES
# Filezilla uses port 21 if you don't set any port
# in Servertype "FTPES - FTP over explicit TLS/SSL"
# Port 990 is the default used for FTPS protocol.
# Uncomment it if you want/have to use port 990.
# listen_port=990
No need to create a certificateif openssl package is installed!

Install Filezilla (on the repositories), and use the Servertype "FTPES - FTP over explicit TLS/SSL" option to connect to the server with TLS/SSL/FTPS.


Additional Options

Here are some other available options. The values are examples: Code: # Show hidden files and the "." and ".." folders.
# Useful to not write over hidden files:

# Hide the info about the owner (user and group) of the files.

# Connection limit for each IP:

# Maximum number of clients:


Apply new configuration settings

Don't forget that to apply new configurations, you must restart the vsftpd service. Code:<<BR>> sudo /etc/init.d/vsftpd restart


Webmin Module

For those who use webadmin, there is a module for VSFTPD here http://www.webmin.com/third.html.


Set pasv_min_port and pasv_max_port in /etc/vsftpd.conf and allow outbound connections in the ports you set in your firewall.

Code: pasv_min_port=12000


Virtual users with TLS/SSL/FTPS and a common upload directory - Complicated VSFTPD

Virtual users are users that do not exist on the system - they are not in /etc/passwd, do not have a home directory on the system, can not login but in vsftpd - or if they do exist, they can login in vsftpd with a non system password - security.

You can set different definitions to each virtual user, granting to each of these users different permissions. If TLS/SSL/FTPS and virtual users are enabled, the level of security of your vsftpd server is increased: encrypted passwords, with passwords that are not used on the system, and users that can't access directly to their home directory (if you want).

The following example is based and adapted on the example for virtual users in vsftpd site, on documentation and the very good examples in this forum that can be found here and here. Currently there is a restriction that with guest_enable enabled, local users also get mapped to guest_username. This is a polite way to say that if the default vsftpd PAM file is used, the system users will be guests too. To avoid confusions change the PAM file used by vsftpd to authenticate only virtual users, make all vsftpd users as virtual users and set their passwords, home and permissions based on this example.




The workshop


Create The Virtual Users Database

To create a "db4" format file to store usernames (another option here would be an apache htpasswd style file, not discussed), first create a plain text files with the usernames and password on alternating lines. For e.g. create user called "vivek" with password called "vivekpass" and sayali with password "sayalipass": # cd /etc/vsftpd
# sudo gedit vusers.txt


Sample output:


Next, create the actual database file like this (may require the db_util package to be installed first):

# db_load -T -t hash -f vusers.txt vsftpd-virtual-user.db
# chmod 600 vsftpd-virtual-user.db
# rm vusers.txt


Configure VSFTPD for virtual user

Edit the vsftpd configuration file (/etc/vsftpd.conf). Add or correct the following configuration options, depending on if they're already listed somewhere in the file or not:

# Virtual users will use the same privileges as local users.
# It will grant write access to virtual users. Virtual users will use the
# same privileges as anonymous users, which tends to be more restrictive
# (especially in terms of write access).

# Set the name of the PAM service vsftpd will use

# Activates virtual users

# Automatically generate a home directory for each virtual user, based on a template.
# For example, if the home directory of the real user specified via guest_username is
# /home/virtual/$USER, and user_sub_token is set to $USER, then when virtual user vivek
# logs in, he will end up (usually chroot()'ed) in the directory /home/virtual/vivek.
# This option also takes affect if local_root contains user_sub_token.

# Usually this is mapped to Apache virtual hosting docroot, so that
# Users can upload files

# Chroot user and lock down to their home dirs

# Hide ids from user

Save and close the file.


Create a PAM File Which Uses Your New Database

The following PAM is used to authenticate users using your new database. Create /etc/pam.d/vsftpd.virtual:# sudo gedit /etc/pam.d/vsftpd.virtual


Append the following:

auth       required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
account    required     pam_userdb.so db=/etc/vsftpd/vsftpd-virtual-user
session    required     pam_loginuid.so

Create The Location Of The Files

You need to set up the location of the files / dirs for the virtual users. Type the following command: # mkdir /home/vftp
# mkdir -p /home/vftp/{vivek,sayali}
# chown -R ftp:ftp /home/vftp


Restart The FTP Server

Type the following command:
# service vsftpd restart


Test Your Setup

Open another shell session and type:
$ ftp localhost


Sample success output:

Connected to ftp.nixcraft.net.in.
Name (localhost:root): vivek
331 Please specify the password.[user now types in vivekpass]
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.



The official documentation: ftp://vsftpd.beasts.org/users/cevans/untar/vsftpd-3.0.2/EXAMPLE/VIRTUAL_USERS may be helpful.




  • http://j.mp/YunkHV - vsftpd - Secure, fast FTP server for UNIX-like systems security.appspot.com Secure, fast FTP server for UNIX systems
  • http://j.mp/Yunor2 - vsftpd - Wikipedia, the free encyclopedia: en.wikipedia.org vsftpd, which stands for "Very Secure FTPDaemon", is an FTP server for Unix-like systems, including Linux. It is licensed under the GNU General Public License. It supports IPv6 and SSL.


See Also

  • http://j.mp/WsBpj0 - Configuring vsftpd for secure connections (TLS/SSL/SFTP) - VPSLink Wiki http://wiki.vpslink.com/Configuring_vsft... This article pertains specifically to vsftpd on CentOS. Except for the installation instructions it should be adaptable to other distributions as well..

1 comment

  1. taruhan bola says:

    Great information.

make a comment