Overview
By the end of this article you should be able to answer the following questions:
$ yum install vsftpd
/etc/vsftpd/vsftpd.conf
$ man 5 vsftpd.conf
/var/ftp
$ systemctl status vsftpd
$ firewall-cmd --permanent --add-service=ftp
$ systemctl restart firewalld
$ ss -at | grep ftp
LISTEN 0 32 :::ftp :::*
$ restorecon -R /var/ftp
$ setsebool -PV ftp_home_dir on
$ yum install lftp
$ lftp localhost
First off, you might think configuring an ftp server will be similar to how we do it for httpd. For example, there is no equivalent "documentroot" setting defined in the main config file, but more about this later.
Install vsftpd
The main package you need to install for setting up an ftp server for your machine is called "vsftpd":
$ yum install vsftpd
Configure vsfptd
Once that's done you'll find the main config file is:
/etc/vsftpd/vsftpd.conf
This file is quite self explanatory, the default settings should be enough to start sharing folders right away, but you can find more help info here if you want to do any customisations:
$ man 5 vsftpd.conf
The next thing you need to do is place files in vsftp's "share folder". The only way to identify this is by looking at the ftp's service account's directory:
$ cat /etc/passwd | grep ftp ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
Surprising this in the only way to locate this "share folder". In this folder you'll find the "pub":
$ pwd /var/ftp $ ls -l total 0 drwxr-xr-x. 2 root root 6 Jun 10 2014 pub
Therefore this is folder where you drop files to make it available via ftp:
/var/ftp/pub
Start the vsftpd service
Now, the ftp service is:
$ systemctl status vsftpd vsftpd.service - Vsftpd ftp daemon Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled) Active: inactive (dead)
So to start sharing we need to enable+start this service:
$ systemctl enable vsftpd ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service' $ systemctl start vsftpd
Add FTP service to relevant firewalld zone
Now we need to tell the firewall to allow vsftpd to listen on the ftp port (port 21):
$ firewall-cmd --list-all public (default, active) interfaces: enp0s3 sources: services: dhcpv6-client ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules:
Now lets add this service to the current firewalld zone:
$ firewall-cmd --add-service=ftp success $ firewall-cmd --permanent --add-service=ftp success
Next you should check that the vsftpd service is listening:
ss -at | grep ftp LISTEN 0 32 :::ftp :::*
Check that file SELinux contexts are ok
Ensure the folders that contains the files/folders to be shared has the "public_content_t" type security context:
$ ls -lZ /var/ | grep ftp drwxr-xr-x. root root system_u:object_r:public_content_t:s0 ftp $ ls -lZ /var/ftp/ | grep pub drwxr-xr-x. root root system_u:object_r:public_content_t:s0 pub
If it isn't then run the following to recursively correct them:
$ restorecon -R /var/ftp
SELinux Boolean Settings
SEBooleans is another aspect you SELinux that you might need to configure as part of setting up vsftpd. Also check SEboolean settings:
$ getsebool -a | grep ftp ftp_home_dir --> on ftpd_anon_write --> off ftpd_connect_all_unreserved --> off ftpd_connect_db --> off ftpd_full_access --> off ftpd_use_cifs --> off ftpd_use_fusefs --> off ftpd_use_nfs --> off ftpd_use_passive_mode --> off httpd_can_connect_ftp --> off httpd_enable_ftp_server --> off sftpd_anon_write --> off sftpd_enable_homedirs --> off sftpd_full_access --> off sftpd_write_ssh_home --> off tftp_anon_write --> off tftp_home_dir --> off
Note, you can run the semanage boolean -l | grep ftp to find out what these settings means.
Where necessary you can change settings, e.g to enable 'ftp_home_dir', we do:
$ setsebool -PV ftp_home_dir on
Where "P" is for persistant. And "V" is for verbose mode, in case there are any error messages.
Test your vsftpd setup
Now to test whether our ftp service is working, we need to install an ftp client, this ftp client is called:
$ yum install lftp
After that, simply do:
$ lftp localhost
This starts an interactive shell. Here's an example of it in action:
$ lftp localhost lftp localhost:~> ls drwxr-xr-x 2 0 0 25 Nov 10 21:06 pub lftp localhost:/> cd pub/ lftp localhost:/pub> ls -rw-r--r-- 1 0 0 36 Nov 10 21:06 testfile.txt lftp localhost:/pub> get testfile.txt 36 bytes transferred lftp localhost:/pub> quit $ ls -l total 4 -rw-rw-r--. 1 tom tom 36 Nov 10 21:06 testfile.txt
Other common configurations
There are basically 2 types of users who you can provide access to your ftp server:
- authenticated users - they do need to provide login credentials
- anonymous users - they don't need to provide login credentials
You have all kinds of possibilities:
- Restrict access to authenticated users only
- Provide anonymous access - this approach is ideal if you are setting up an ftp server to share files with the public
- tiered access - anonymous users can access some files, whereas authenticated can access all the files that anonymous user can, but they also have access to other restricted files too.
Also notice that "others" has r+x permissions. That is so to allow anonymous users to access this directory (enabled with "x") and view/download it's content (enabled with "r")