RHCSA – Setting up an FTP server

Overview

By the end of this article you should be able to answer the following questions:


What is the command to install the ftp server software?

$ yum install vsftpd

What is the location of this package's main config file?

/etc/vsftpd/vsftpd.conf

What is the command to display help info about this config file?

$ man 5 vsftpd.conf

What directory do you install the files in?

/var/ftp

What is the command to check the ftp service?

$ systemctl status vsftpd

What is the command to persistently add the ftp service to the firewall?

$ firewall-cmd --permanent --add-service=ftp
$ systemctl restart firewalld

What is the command to check that ftp service is listening on the ftp port?

$ ss -at | grep ftp
LISTEN 0 32 :::ftp :::*

What is the command to fix all file SELinux context issues?

$ restorecon -R /var/ftp

What is the command to persistently and verbosely enable the ftp_home_dir boolean?

$ setsebool -PV ftp_home_dir on

What is the command to install the ftp client?

$ yum install lftp

What is the command to start a new ftp interactive session remotely?

$ lftp localhost


First off, you might think configuring an ftp server will be similar to how we do it for httpd, but there are differences. For example, there is no equivalent “documentroot” setting defined in the main config file, but more about this later.

Install vsftpd

The main package you need to install for setting up an ftp server for your machine is called “vsftpd”:

$ yum install vsftpd

Configure vsftpd

Once that’s done you’ll find the main config file is:

/etc/vsftpd/vsftpd.conf   

This file is quite self-explanatory, and the default settings should be enough to start sharing folders right away. If you want to do any customisations, you can find more help info here:

$ man 5 vsftpd.conf

Add files into the ftp share directory

The next thing you need to do is place files in vsftpd’s “share folder”. The only way to identify this is by looking at the ftp service account’s home directory:

$ cat /etc/passwd | grep ftp
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

Surprisingly, this is the only way to locate this “share folder”. In this folder you’ll find the “pub” directory:

$ pwd
/var/ftp
$ ls -l
total 0
drwxr-xr-x. 2 root root 6 Jun 10  2014 pub

Therefore this is the folder where you drop files to make them available via ftp:

/var/ftp/pub

Start the vsftpd service

Now, check the current status of the ftp service:

$ systemctl status vsftpd
vsftpd.service - Vsftpd ftp daemon
   Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled)
   Active: inactive (dead)

So to start sharing we need to enable+start this service:

$ systemctl enable vsftpd
ln -s '/usr/lib/systemd/system/vsftpd.service' '/etc/systemd/system/multi-user.target.wants/vsftpd.service'
$ systemctl start vsftpd

Add FTP service to relevant firewalld zone

Now we need to tell the firewall to allow connections to vsftpd on the ftp port (port 21). First, check what the current zone allows:

$ firewall-cmd --list-all
public (default, active)
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Now let’s add this service to the current firewalld zone:

$ firewall-cmd --add-service=ftp
success
$ firewall-cmd --permanent --add-service=ftp
success

Next you should check that the vsftpd service is listening:

$ ss -at | grep ftp
LISTEN     0      32        :::ftp         :::*

Check that file SELinux contexts are ok

Ensure the folders that contain the files/folders to be shared have the “public_content_t” type security context:

$ ls -lZ /var/ | grep ftp
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 ftp

$ ls -lZ /var/ftp/ | grep pub
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 pub

If they don’t, then run the following to recursively correct them:

$ restorecon -R /var/ftp

SELinux Boolean Settings

SELinux booleans are another aspect of SELinux that you might need to configure as part of setting up vsftpd. Check the current boolean settings:

$ getsebool -a | grep ftp
ftp_home_dir --> on
ftpd_anon_write --> off
ftpd_connect_all_unreserved --> off
ftpd_connect_db --> off
ftpd_full_access --> off
ftpd_use_cifs --> off
ftpd_use_fusefs --> off
ftpd_use_nfs --> off
ftpd_use_passive_mode --> off
httpd_can_connect_ftp --> off
httpd_enable_ftp_server --> off
sftpd_anon_write --> off
sftpd_enable_homedirs --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
tftp_anon_write --> off
tftp_home_dir --> off

Note, you can run semanage boolean -l | grep ftp to find out what these settings mean.

Where necessary you can change settings, e.g. to enable ‘ftp_home_dir’, we do:

$ setsebool -PV ftp_home_dir on

Where “P” is for persistent, and “V” is for verbose mode, in case there are any error messages.
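
The following is an added example, not part of the original article: a baseline check that reads getsebool-style lines and reports booleans that are on but not expected, or expected but off. The function name sebool_drift, the allowlist and the sample input are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: compare SELinux ftp booleans against an expected baseline.
# sebool_drift is a hypothetical helper name, not an SELinux tool.

# sebool_drift "bool1 bool2 ..." < getsebool-output
# Prints "UNEXPECTED name" for booleans that are on but not in the allowlist,
# and "MISSING name" for allowlisted booleans that are off.
sebool_drift() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $2 != "-->" { next }                     # skip lines that are not "name --> state"
        $3 == "on"  && !($1 in want) { print "UNEXPECTED " $1 }
        $3 == "off" &&  ($1 in want) { print "MISSING " $1 }
    '
}

# Constructed sample: part of the listing above with ftpd_anon_write flipped on.
sample_bools='ftp_home_dir --> on
ftpd_anon_write --> on
ftpd_full_access --> off
ftpd_use_passive_mode --> off
tftp_anon_write --> off'

# Assumed baseline: only ftp_home_dir should be on.
printf '%s\n' "$sample_bools" | sebool_drift "ftp_home_dir"

# On a live host the same check would be:
#   getsebool -a | grep ftp | sebool_drift "ftp_home_dir"
```
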

Test your vsftpd setup

Now to test whether our ftp service is working, we need to install an ftp client. This ftp client is called lftp:

$ yum install lftp

After that, simply do:

$ lftp localhost

This starts an interactive shell. Here’s an example of it in action:

$ lftp localhost
lftp localhost:~> ls
drwxr-xr-x    2 0        0              25 Nov 10 21:06 pub
lftp localhost:/> cd pub/
lftp localhost:/pub> ls
-rw-r--r--    1 0        0              36 Nov 10 21:06 testfile.txt
lftp localhost:/pub> get testfile.txt
36 bytes transferred
lftp localhost:/pub> quit
$ ls -l
total 4
-rw-rw-r--. 1 tom tom 36 Nov 10 21:06 testfile.txt

Other common configurations

There are basically 2 types of users you can give access to your ftp server:

  • authenticated users – they do need to provide login credentials
  • anonymous users – they don’t need to provide login credentials

You have all kinds of possibilities:

  • Restrict access to authenticated users only
  • Provide anonymous access – this approach is ideal if you are setting up an ftp server to share files with the public
  • Tiered access – anonymous users can access some files, whereas authenticated users can access all the files that anonymous users can, plus other restricted files.

Also notice in the directory listings above that “others” has r+x permissions. That is to allow anonymous users to access this directory (enabled with “x”) and view/download its content (enabled with “r”).
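
The access models listed above map onto the anonymous_enable and local_enable options in vsftpd.conf. The following added example (not from the original article) classifies a config file accordingly and flags anonymous write access. The function names and sample file are constructed, the defaults are those given in vsftpd.conf(5), and treating both options enabled as “tiered” is an assumption.

```sh
#!/bin/sh
# Added example: classify a vsftpd.conf by the access models described above.
# Function names are hypothetical; defaults are the ones listed in vsftpd.conf(5).

# get_opt FILE KEY DEFAULT -> YES or NO (takes the last uncommented KEY=value line)
get_opt() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d ' \r' | tr 'a-z' 'A-Z')
    case "${val:-$3}" in
        YES|TRUE|1) echo YES ;;
        *)          echo NO ;;
    esac
}

# access_model FILE -> tiered | anonymous-only | authenticated-only | none
# Assumption: "tiered" means anonymous and local logins are both enabled.
access_model() {
    anon=$(get_opt "$1" anonymous_enable YES)    # default YES
    loc=$(get_opt "$1" local_enable NO)          # default NO
    case "$anon/$loc" in
        YES/YES) echo tiered ;;
        YES/NO)  echo anonymous-only ;;
        NO/YES)  echo authenticated-only ;;
        *)       echo none ;;
    esac
}

# anon_write_risk FILE -> yes when anonymous users could add or change content
anon_write_risk() {
    if [ "$(get_opt "$1" anonymous_enable YES)" = YES ] &&
       [ "$(get_opt "$1" write_enable NO)" = YES ]; then
        for k in anon_upload_enable anon_mkdir_write_enable anon_other_write_enable; do
            if [ "$(get_opt "$1" "$k" NO)" = YES ]; then echo yes; return 0; fi
        done
    fi
    echo no
}

# Constructed sample config (not from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# anonymous_enable=NO   (commented out, so ignored)
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
EOF
echo "model=$(access_model "$sample") anon_write=$(anon_write_risk "$sample")"
rm -f "$sample"
```

On a real server, pass /etc/vsftpd/vsftpd.conf as the FILE argument.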