Fedora35 : FTP Server(Vsftpd)

Contents

FTP Server Installation
- 1. Vsftpd installation
- 2.Vsftpd configuration
vsftpd SSL/TLS
- 1. Create self-signed certificates
- 2. Vsftpd Configuration

FTP Server Installation

1. Vsftpd installation

# dnf -y install vsftpd

1	# dnf -y install vsftpd

2.Vsftpd configuration

Save the unedited vsftpd.conf with .bak

# cp /etc/vsftpd/vsftpd.conf /home/huong/vsftpd.conf.bak

1	# cp /etc/vsftpd/vsftpd.conf /home/huong/vsftpd.conf.bak

①Edit configuration file

# vi /etc/vsftpd/vsftpd.conf
●Line 12: Anonymous login prohibited (confirmation)
anonymous_enable=NO
●Line 39: Log transfer record (confirmation)
xferlog_enable=YES
●Lines 82,83 Uncomment ( Allow transfer in ASCII mode )
ascii_upload_enable=YES
ascii_download_enable=YES
●Lines 100,101: Uncomment ( chroot enabled )
chroot_local_user=YES
chroot_list_enable=YES
●Line 103 Uncomment ( chroot list file specified )
chroot_list_file=/etc/vsftpd/chroot_list
●Line 109 Uncomment ( Enable batch transfer by directory )
ls_recurse_enable=YES
●Line 114 Change ( Enable IPv4 )
listen=YES
●Line 123 Change (IPv6 is ignored)
listen_ipv6=NO
### Add to last line ###
#Use local time
use_localtime=YES

# vi /etc/vsftpd/vsftpd.conf

●Line 12: Anonymous login prohibited (confirmation)

anonymous_enable=NO

●Line 39: Log transfer record (confirmation)

xferlog_enable=YES

●Lines 82,83 Uncomment ( Allow transfer in ASCII mode )

ascii_upload_enable=YES

ascii_download_enable=YES

●Lines 100,101: Uncomment ( chroot enabled )

chroot_local_user=YES

chroot_list_enable=YES

●Line 103 Uncomment ( chroot list file specified )

chroot_list_file=/etc/vsftpd/chroot_list

●Line 109 Uncomment ( Enable batch transfer by directory )

ls_recurse_enable=YES

●Line 114 Change ( Enable IPv4 )

listen=YES

●Line 123 Change (IPv6 is ignored)

listen_ipv6=NO

### Add to last line ###

#Use local time

use_localtime=YES

②Add users to allow directory access to upper level

# echo "huong" >> /etc/vsftpd/chroot_list
In my case I wrote "huong".

1 2	# echo "huong" >> /etc/vsftpd/chroot_list In my case I wrote "huong".

③ Specify IP addresses to allow connections in /etc/hosts.allow

# echo "vsftpd:192.168.11.0/24" >> /etc/hosts.allow
"192.168.11.0/24" is the setting that allows all local IP addresses in my environment.

1 2	# echo "vsftpd:192.168.11.0/24" >> /etc/hosts.allow "192.168.11.0/24" is the setting that allows all local IP addresses in my environment.

Write vsftpd:ALL (deny all connections) in /etc/hosts.deny

# echo "vsftpd:ALL" >> /etc/hosts.deny

1	# echo "vsftpd:ALL" >> /etc/hosts.deny

This setting overrides hosts.allow.
That is, everything is denied, and the IP address specified in hosts.allow is allowed

④Enable vsftpd autostart and start it

# systemctl enable vsftpd
Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /usr/lib/systemd/system/vsftpd.service.

1 2	# systemctl enable vsftpd Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /usr/lib/systemd/system/vsftpd.service.

# systemctl start vsftpd
"#" is displayed, it is OK

1 2	# systemctl start vsftpd "#" is displayed, it is OK

⑤From windows side, check if you can connect with FileZilla.
Open the ftp port with firewall before connecting

# firewall-cmd --permanent --add-service=ftp
# firewall-cmd –reload

1 2	# firewall-cmd --permanent --add-service=ftp # firewall-cmd –reload

Start FileZilla and select "Site Manager" from the "File" menu.↓

Click on "New site"　　↓

Enter the following settings for each item and click "Connect"
Protocol　: FTP-File Transfer Protocol
Host　: Server IP Address
Port　:can be blank
Encryption　: Use expllict FTP ocver TLS if available
Logon Type　: Ask for password
User 　: General user name (server login user)　↓

Set the password for the login user in "Password" and click "OK".
↓

Click "OK" when the following screen appears

If the connection is successful, the server directory is displayed on the right and the Windows directory on the left.　　↓

vsftpd SSL/TLS

Configure Vsftpd to use SSL/TLS

1. Create self-signed certificates

This work is not required if you are using a trusted, legitimate certificate such as Let's Encrypt.

# cd /etc/pki/tls/certs
# openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/certs/vsftpd.pem -out /etc/pki/tls/certs/vsftpd.pem
Generating a RSA private key
........................+++++
..................+++++
writing new private key to '/etc/pki/tls/certs/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP #country code
State or Province Name (full name) []:Osaka # Region (Prefecture)
Locality Name (eg, city) [Default City]:Sakai # city
Organization Name (eg, company) [Default Company Ltd]:private # Organization Name
Organizational Unit Name (eg, section) []:Admin # Department Name
Common Name (eg, your name or your server's hostname) [] Lepard # Server Host Name
Email Address []: # Administrator's email address

# cd /etc/pki/tls/certs

# openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/certs/vsftpd.pem -out /etc/pki/tls/certs/vsftpd.pem

Generating a RSA private key

........................+++++

..................+++++

writing new private key to '/etc/pki/tls/certs/vsftpd.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:JP #country code

State or Province Name (full name) []:Osaka # Region (Prefecture)

Locality Name (eg, city) [Default City]:Sakai # city

Organization Name (eg, company) [Default Company Ltd]:private # Organization Name

Organizational Unit Name (eg, section) []:Admin # Department Name

Common Name (eg, your name or your server's hostname) [] Lepard # Server Host Name

Email Address []: # Administrator's email address

# chmod 600 vsftpd.pem

1	# chmod 600 vsftpd.pem

2. Vsftpd Configuration

# vi /etc/vsftpd/vsftpd.conf
● Add to the last line：SSL/TLS Enable
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES

If Firewalld is enabled, allow passive ports
● Add to the last line
# Fixed passive ports in any range of ports
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60100

# vi /etc/vsftpd/vsftpd.conf

● Add to the last line：SSL/TLS Enable

rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem

ssl_enable=YES

force_local_data_ssl=YES

force_local_logins_ssl=YES

If Firewalld is enabled, allow passive ports

● Add to the last line

# Fixed passive ports in any range of ports

pasv_enable=YES

pasv_min_port=60000

pasv_max_port=60100

# systemctl restart vsftpd

1	# systemctl restart vsftpd

Allow passive ports in Firewalld

# firewall-cmd --add-port=60000-60100/tcp --permanent
success
# firewall-cmd --reload
success

# firewall-cmd --add-port=60000-60100/tcp --permanent

success

# firewall-cmd --reload

success

When connecting to FileZilla, the following screen appears, check the box and click "OK" to connect as described above.

Go to top