= Vsftpd =

'''`vsftpd(8)`''' ('''V'''ery '''S'''ecure '''FTP''' '''D'''aemon) is a simple but secure [[Protocols/FTP|FTP]] server.

<<TableOfContents>>

----



== Installation ==

Most [[Linux]] and [[BSD]] distributions offer a `vsftpd` package.

For `systemd`-capable systems, [[Linux/Systemd|start and enable]] `vsftpd.service`.

----



== Configuration ==



=== Active Mode ===

A server configured in '''active mode''' uses port 21 (configurable) to establish a connection and then shifts to using port 20 (configurable) for data transfer. This is ''active'' because the server forms the connection back to the client.

These ports are configured in `/etc/vsftpd.conf` with:

{{{
connect_from_port_20=YES
pasv_enable=NO
listen_port=2121
ftp_data_port=2020
}}}

Contrary to the name, `connect_from_port_20` does '''not''' force port 20; when it is enabled, the source port for data connections is taken from `ftp_data_port`.

This is the recommended configuration, as the server is in control of connections.



=== Passive Mode ===

A server configured in '''passive mode''' uses port 21 to establish a connection and then shifts to using a port selected from a pool for data transfer. This is ''passive'' because the client forms the new connection to a passively-open port.

The pool of ports is configured in `/etc/vsftpd.conf` with:

{{{
connect_from_port_20=NO
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=42000
}}}

Changing these port numbers is encouraged.



=== Encryption ===

For encrypting FTP, it is possible to use a self-signed certificate.

{{{
su - root
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/vsftpd.key \
  -out /etc/ssl/certs/vsftpd.pem
}}}

Then configure `/etc/vsftpd.conf` with:

{{{
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_key_file=/etc/ssl/private/vsftpd.key
ssl_enable=YES
implicit_ssl=YES
listen_port=990
}}}

Note that as the open port has changed, the firewall will need to be re-configured.

For example, if using `ufw(8)`:

{{{
ufw deny 21/tcp
ufw allow 990/tcp
}}}
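
The mode and encryption settings above each change which ports must be reachable. As an added example (not part of the original page or of vsftpd itself), this script reads a `vsftpd.conf` and prints the matching `ufw(8)` commands without applying them. The function names and the sample config are constructed for illustration, and the fallback values are the defaults documented in `vsftpd.conf(5)`.

```shell
#!/bin/sh
# Added example: print the ufw rules implied by a vsftpd.conf (nothing is applied).
# Assumes option=value lines with YES/NO booleans, as in the snippets on this page.
# conf_get FILE KEY DEFAULT: last value assigned to KEY, else vsftpd's default.
conf_get() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# vsftpd_ports FILE: one ufw command or "# warn:" line per finding.
vsftpd_ports() {
    port=$(conf_get "$1" listen_port 21)
    pasv=$(conf_get "$1" pasv_enable YES)
    pmin=$(conf_get "$1" pasv_min_port 0)
    pmax=$(conf_get "$1" pasv_max_port 0)
    implicit=$(conf_get "$1" implicit_ssl NO)

    # Control channel: close the default port if the listener has moved.
    [ "$port" = 21 ] || echo "ufw deny 21/tcp"
    echo "ufw allow ${port}/tcp"

    # Passive data channel: clients connect in, so the pool must be reachable.
    # Active mode needs no inbound rule; the server dials out from ftp_data_port.
    if [ "$pasv" = YES ]; then
        if [ "$pmin" -gt 0 ] && [ "$pmax" -ge "$pmin" ]; then
            echo "ufw allow ${pmin}:${pmax}/tcp"
        else
            echo "# warn: pasv_enable=YES but pasv_min_port/pasv_max_port are not both set"
        fi
    fi

    # Implicit FTPS clients expect port 990.
    if [ "$implicit" = YES ] && [ "$port" != 990 ]; then
        echo "# warn: implicit_ssl=YES but listen_port=${port}, not 990"
    fi
}

# Constructed sample: the passive-mode and encryption settings from this page.
write_sample() {
    cat > "$1" <<'EOF'
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=42000
implicit_ssl=YES
listen_port=990
EOF
}

tmp=$(mktemp) && write_sample "$tmp" && vsftpd_ports "$tmp"; rm -f "$tmp"
```

Note that `pasv_enable` defaults to `YES`, so a config that omits the passive options entirely still produces the unpinned-pool warning.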

----



== Usage ==



=== mDNS Broadcasting ===

`vsftpd(8)` can be advertised over mDNS via [[Avahi]]. The service file should look like:

{{{
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">FTP on %h</name>
  <service>
    <type>_ftp._tcp</type>
    <port>21</port>
  </service>
</service-group>
}}}

For further details, see [[Avahi|here]].

----



== See also ==

[[https://man.archlinux.org/man/vsftpd.8|vsftpd(8)]]



----
CategoryRicottone