Vsftpd
vsftpd(8) (Very Secure FTP Daemon) is a simple but secure FTP server.
Installation
Most Linux and BSD distributions offer a vsftpd package.
For systemd-capable systems, start and enable vsftpd.service.
Configuration
Active Mode
A server configured in active mode accepts the control connection on port 21 (configurable) and then opens a separate data connection from port 20 (configurable). This is called active because the server forms the data connection back to the client.
These ports are configured in /etc/vsftpd.conf with:
connect_from_port_20=YES
pasv_enable=NO
listen_port=2121
ftp_data_port=2020
Contrary to the name, connect_from_port_20 does not force port 20.
This is the recommended configuration, as the server is in control of connections.
Passive Mode
A server configured in passive mode accepts the control connection on port 21 and then uses a port selected from a pool for each data connection. This is called passive because the client forms the new connection to a port the server has passively opened.
The pool of ports is configured in /etc/vsftpd.conf with:
connect_from_port_20=NO
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=42000
Changing these port numbers is encouraged.
Encryption
For encrypting FTP, it is possible to use a self-signed certificate.
su - root
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/vsftpd.key \
  -out /etc/ssl/certs/vsftpd.pem
Then configure /etc/vsftpd.conf with:
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_key_file=/etc/ssl/private/vsftpd.key
ssl_enable=YES
implicit_ssl=YES
listen_port=990
Note that as the listening port has changed, the firewall will need to be re-configured.
For example, if using ufw(8) (ufw has no "disallow" command; use deny):
ufw deny 21/tcp
ufw allow 990/tcp
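The active, passive and encryption settings above each change which ports the firewall must open, and it is easy to forget the passive data range. The following added example (not vsftpd's own code) parses a vsftpd.conf the way vsftpd does (option=value, no spaces, '#' comments), fills in vsftpd's documented defaults, and derives the inbound TCP ranges plus matching ufw rules; the warnings it emits and the function names are assumptions of this example.

```python
"""Work out the firewall openings a vsftpd.conf implies (added example, not vsftpd code)."""

# vsftpd's built-in defaults for the directives discussed on this page (vsftpd.conf(5)).
DEFAULTS = {"listen_port": "21", "ftp_data_port": "20", "pasv_enable": "YES",
            "pasv_min_port": "0", "pasv_max_port": "0", "connect_from_port_20": "NO",
            "ssl_enable": "NO", "implicit_ssl": "NO"}


def parse_vsftpd_conf(text: str) -> dict:
    """Parse option=value lines; blank and '#' lines are ignored. vsftpd rejects
    whitespace around '=', so a line with a space before or after it is an error."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or key != key.rstrip() or value != value.lstrip():
            raise ValueError(f"line {lineno}: expected option=value with no spaces: {raw!r}")
        conf[key] = value  # a repeated option: the last occurrence wins
    return conf


def firewall_plan(conf: dict) -> dict:
    """Return the inbound TCP ranges, active-mode source port and warnings for a config."""
    cfg = {**DEFAULTS, **conf}
    on = lambda key: cfg[key].upper() == "YES"
    control = int(cfg["listen_port"])
    plan = {"mode": "passive" if on("pasv_enable") else "active",
            "inbound_tcp": [(control, control)], "active_source_port": None, "warnings": []}
    if plan["mode"] == "passive":
        lo, hi = int(cfg["pasv_min_port"]), int(cfg["pasv_max_port"])
        if lo == 0 or hi == 0:   # vsftpd's default: any high port, impossible to firewall tightly
            plan["warnings"].append("set pasv_min_port/pasv_max_port to an explicit range")
        elif lo > hi:
            raise ValueError(f"pasv_min_port {lo} exceeds pasv_max_port {hi}")
        else:
            plan["inbound_tcp"].append((lo, hi))
    elif on("connect_from_port_20"):
        plan["active_source_port"] = int(cfg["ftp_data_port"])  # server dials out from here
    if on("implicit_ssl") and not on("ssl_enable"):
        plan["warnings"].append("implicit_ssl=YES does nothing without ssl_enable=YES")
    return plan


def ufw_rules(plan: dict) -> list:
    """Render the plan as ufw(8) commands; port ranges use ufw's lo:hi/tcp form."""
    return [f"ufw allow {lo}/tcp" if lo == hi else f"ufw allow {lo}:{hi}/tcp"
            for lo, hi in plan["inbound_tcp"]]
```

Feeding it the encryption configuration above together with the passive range yields "ufw allow 990/tcp" and "ufw allow 40000:42000/tcp"; a config that leaves the passive range unset gets a warning instead of a rule.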
Usage
mDNS Broadcasting
vsftpd(8) can be advertised over mDNS via Avahi. The service file should look like:
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">FTP on %h</name>
  <service>
    <type>_ftp._tcp</type>
    <port>21</port>
  </service>
</service-group>
For further details, see here.