MiracleLinux8.4 ; Vsftpd (FTP server installation)

Contents

FTP Server Installation
- 1. Install vsftpd
- 2.Configuring vsftpd
vsftpd SSL/TLS
- 1. Create a self-signed certificate.
- 2. Configure Vsftpd

FTP Server Installation

1. Install vsftpd

Download vsftpd-3.0.3-33.el8.x86_64.rpm from the download site to /usr/local/src/.

# cd /usr/local/src/
# wget ftp://ftp.pbone.net/mirror/ftp.centos.org/8-stream/AppStream/x86_64/os/Packages/vsftpd-3.0.3-33.el8.x86_64.rpm

1 2	# cd /usr/local/src/ # wget ftp://ftp.pbone.net/mirror/ftp.centos.org/8-stream/AppStream/x86_64/os/Packages/vsftpd-3.0.3-33.el8.x86_64.rpm

# rpm -ivh vsftpd-3.0.3-33.el8.x86_64.rpm

1	# rpm -ivh vsftpd-3.0.3-33.el8.x86_64.rpm

2.Configuring vsftpd

Save the unedited vsftpd.conf with .bak

# cp /etc/vsftpd/vsftpd.conf /home/lan/vsftpd.conf.bak

1	# cp /etc/vsftpd/vsftpd.conf /home/lan/vsftpd.conf.bak

①Edit the configuration file

# vi /etc/vsftpd/vsftpd.conf
●Line 12: Anonymous login prohibited
anonymous_enable=NO
●Line 39: Log the transfer record.
xferlog_enable=NO
●Lines 82, 83 Uncomment (allow transfer in ASCII mode)
ascii_upload_enable=YES
ascii_download_enable=YES
●Lines 100 and 101: uncomment ( chroot enabled )
chroot_local_user=YES
chroot_list_enable=YES
●Line 103, uncomment (specify chroot list file)
chroot_list_file=/etc/vsftpd/chroot_list
●Line 109 Uncomment (enable bulk transfer for each directory)
ls_recurse_enable=YES
●Line 114, Change ( Enable IPv4 )
listen=YES
●Line 123, Change ( disable IPv6 )
listen_ipv6=NO
●### Add to last line ###
# Use local time.
use_localtime=YES

# vi /etc/vsftpd/vsftpd.conf

●Line 12: Anonymous login prohibited

anonymous_enable=NO

●Line 39: Log the transfer record.

xferlog_enable=NO

●Lines 82, 83 Uncomment (allow transfer in ASCII mode)

ascii_upload_enable=YES

ascii_download_enable=YES

●Lines 100 and 101: uncomment ( chroot enabled )

chroot_local_user=YES

chroot_list_enable=YES

●Line 103, uncomment (specify chroot list file)

chroot_list_file=/etc/vsftpd/chroot_list

●Line 109 Uncomment (enable bulk transfer for each directory)

ls_recurse_enable=YES

●Line 114, Change ( Enable IPv4 )

listen=YES

●Line 123, Change ( disable IPv6 )

listen_ipv6=NO

●### Add to last line ###

# Use local time.

use_localtime=YES

②Add a user to allow access to the directory to the upper level.

# echo "lan" >> /etc/vsftpd/chroot_list

1	# echo "lan" >> /etc/vsftpd/chroot_list

In my case, I wrote lan.

③Specify the IP address to allow connections in /etc/hosts.allow

# echo "vsftpd:192.168.11.0/24" >> /etc/hosts.allow

1	# echo "vsftpd:192.168.11.0/24" >> /etc/hosts.allow

192.168.11.0/24 is the setting that allows all local IP addresses in my environment.

Write vsftpd:ALL (deny all connections) in /etc/hosts.deny

# echo "vsftpd:ALL" >> /etc/hosts.deny

1	# echo "vsftpd:ALL" >> /etc/hosts.deny

This setting takes precedence over hosts.allow.
This means that everything will be rejected and the IP address specified in hosts.allow will be allowed

④Enable and start vsftpd with auto-start enabled

# systemctl enable vsftpd
Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /usr/lib/systemd/system/vsftpd.service.

1 2	# systemctl enable vsftpd Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /usr/lib/systemd/system/vsftpd.service.

# systemctl start vsftpd

1	# systemctl start vsftpd

If you see #, you're good to go.

⑤From the windows side, check if you can connect with FileZilla.
Open the ftp port with firewall before connecting

# firewall-cmd --permanent --add-service=ftp
# firewall-cmd –reload

1 2	# firewall-cmd --permanent --add-service=ftp # firewall-cmd –reload

Launch FileZilla and select "Site Manager" from the "File" menu. ↓

Click "New Site", fill in the fields as follows, and click "Connect".
Protocol　: FTP-File Transfer Protocol
Host　: IP address of the server
Poer　: <blank space>
logon Type　: Ask for password
User　: General user name (server login user)　↓
↓

Set the login user's password in the "Password" field and click "OK".
↓

If the connection is successful, the server directory will be displayed on the right side and the Windows directory on the left side.　　↓

vsftpd SSL/TLS

Configure Vsftpd to work with SSL/TLS

1. Create a self-signed certificate.

This step is not necessary if you use a trusted, legitimate certificate such as Let's Encrypt.

# cd /etc/pki/tls/certs
# openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/certs/vsftpd.pem -out /etc/pki/tls/certs/vsftpd.pem
Generating a RSA private key
........................+++++
..................+++++
writing new private key to '/etc/pki/tls/certs/vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP # 
State or Province Name (full name) []:Osaka # Region (Prefecture)
Locality Name (eg, city) [Default City]:Sakai # City
Organization Name (eg, company) [Default Company Ltd]:private # Organization Name
Organizational Unit Name (eg, section) []:Admin # Department name of the organization
Common Name (eg, your name or your server's hostname) [] Lepard # Hostname of the server
Email Address []: # Administrator email address

# cd /etc/pki/tls/certs

# openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/pki/tls/certs/vsftpd.pem -out /etc/pki/tls/certs/vsftpd.pem

Generating a RSA private key

........................+++++

..................+++++

writing new private key to '/etc/pki/tls/certs/vsftpd.pem'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:JP #

State or Province Name (full name) []:Osaka # Region (Prefecture)

Locality Name (eg, city) [Default City]:Sakai # City

Organization Name (eg, company) [Default Company Ltd]:private # Organization Name

Organizational Unit Name (eg, section) []:Admin # Department name of the organization

Common Name (eg, your name or your server's hostname) [] Lepard # Hostname of the server

Email Address []: # Administrator email address

# chmod 600 vsftpd.pem

1	# chmod 600 vsftpd.pem

2. Configure Vsftpd

# vi /etc/vsftpd.conf
●Add to last line: Enable SSL/TLS
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES

● Add to last line
# Fix passive ports at any range of ports
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60100

# vi /etc/vsftpd.conf

●Add to last line: Enable SSL/TLS

rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem

ssl_enable=YES

force_local_data_ssl=YES

force_local_logins_ssl=YES

● Add to last line

# Fix passive ports at any range of ports

pasv_enable=YES

pasv_min_port=60000

pasv_max_port=60100

# systemctl restart vsftpd

1	# systemctl restart vsftpd

Allow passive ports in Firewalld

# systemctl restart vsftpd
# firewall-cmd --add-port=60000-60100/tcp --permanent
success
# firewall-cmd --reload
success

# systemctl restart vsftpd

# firewall-cmd --add-port=60000-60100/tcp --permanent

success

# firewall-cmd --reload

success

When you connect to FileZilla, the following screen will appear, check the box and click "OK" to connect as before.

Go to top