Install and Configure VSFTPD on Ubuntu 14

To avoid errors during the VSFTPD installation, first run “apt-get update” in a terminal on the Ubuntu 14 server. This downloads the package lists from the repositories and updates them with information on the newest versions of packages and their dependencies.

#apt-get update
#apt-get install vsftpd

The next step is to change any configuration settings for vsftpd. Open the /etc/vsftpd.conf file in your preferred text editor:

#vi /etc/vsftpd.conf

Edit the file so it resembles the following:

# Example config file /etc/vsftpd.conf
# ...
# Run standalone? vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
# Allow anonymous FTP? (Disabled by default)
# Uncomment this to allow local users to log in.
# Uncomment this to enable any form of FTP write command.
# You may restrict local users to their home directories. See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.

The critical settings seen above are outlined below:

listen=YES tells vsftpd to run as a standalone daemon (the simplest method for getting up and running).
anonymous_enable=NO disallows anonymous FTP users, which is generally preferred for security reasons but can be enabled for testing purposes.
local_enable=YES allows any user account defined in the /etc/passwd file access to the FTP server and is generally how most FTP users will connect.
write_enable=YES is commented out by default, but removing the hash (#) allows files to be uploaded to the FTP server.
chroot_local_user=YES restricts users to their home directory and is also commented out by default.

To begin your testing and make sure everything is working, start with the following settings for the above parameters:

Save the vsftpd.conf file then restart the vsftpd service for the changes to take effect:

#service vsftpd restart
vsftpd stop/waiting
vsftpd start/running, process 18954

Testing Your FTP Server

To quickly determine if your server was installed properly and is up and running, try to connect to the FTP server from your active shell, using the name anonymous and a blank password:

#ftp localhost
Connected to localhost.
220 (vsFTPd 3.0.2)
Name (localhost:root): anonymous
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

With both anonymous_enable and local_enable set to “YES” in the configuration, you should be able to log in to your local FTP server successfully, as seen above.
With that out of the way, enter quit at the ftp> prompt to exit:

ftp> quit
221 Goodbye.

With the test complete, you may wish to disable anonymous access once again by setting anonymous_enable=NO in the /etc/vsftpd.conf file and restarting the service:

#vi /etc/vsftpd.conf

Edit the file to resemble this:

# Set to NO to disable anonymous access

sudo service vsftpd restart
vsftpd stop/waiting
vsftpd start/running, process 18996

Adding an FTP User

If this is a new server, it may be advisable to add a specific user for FTP access. This is a fairly simple process; begin by creating a new user:

#adduser foobar
Adding user `foobar' ...
Adding new group `foobar' (1000) ...
Adding new user `foobar' (1000) with group `foobar' ...
Creating home directory `/home/foobar' ...
Copying files from `/etc/skel' ...
$ Enter new UNIX password:
$ Retype new UNIX password:
passwd: password updated successfully
Changing the user information for foobar
$ Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
$ Y

With a new user added you can now connect to your server remotely with an FTP client such as FileZilla, but you will immediately run into an error:

Status: Connecting to
Status: Connection established, waiting for welcome message...
Response: 220 (vsFTPd 3.0.2)
Command: USER foobar
Response: 331 Please specify the password.
Command: PASS ****************
Response: 500 OOPS: vsftpd: refusing to run with writable root inside chroot()

The “500 OOPS” error vsftpd returns is a security measure: by default vsftpd refuses to place a user in a chroot whose root directory (here the user's home directory) is writable by that user. To resolve this issue there are two main options available.

Allowing Writable User-root Access

The simplest method is to alter the /etc/vsftpd.conf file once again and enable one particular setting:

#vi /etc/vsftpd.conf

Edit the file so it resembles the following:

# Allow users to write to their root directory

With allow_writeable_chroot enabled following a service vsftpd restart, you can now successfully FTP into your server remotely as your newly created user:

Status: Connecting to
Status: Connection established, waiting for welcome message...
Response: 220 (vsFTPd 3.0.2)
Command: USER foobar
Response: 331 Please specify the password.
Command: PASS ****************
Response: 230 Login successful.

Using Writeable Subdirectories

The other option to maintain slightly stronger security is not to enable allow_writeable_chroot as outlined above, but instead to create a new subdirectory in the user’s root directory with write access:

#chown root:root /home/foobar
#mkdir /home/foobar/uploads
#chown foobar:foobar /home/foobar/uploads
#service vsftpd restart

Now when you connect remotely to your FTP server as the new user, that user will not have write access to the root directory, but will have full write access to upload files into the newly created uploads directory.

Securing Your FTP With SSL

While standard unencrypted FTP access as outlined so far is sufficient in many cases, it sends usernames, passwords and file contents in cleartext, so when transferring sensitive information over FTP it is useful to use a more secure connection using SSL.

To begin you’ll likely need to generate a new SSL certificate with the following command, following the prompts as appropriate to complete the process:

#openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem

Now you must ensure that vsftpd is aware of the SSL certificate. Open the /etc/vsftpd.conf file once again:

#vi /etc/vsftpd.conf

Look near the bottom of the file for two rsa_ settings like this, indicating the location of the SSL certificate that was just created:


If those lines don’t exist or match the appropriate path to the SSL certificate created, update them accordingly.

Additionally, there are a number of configuration settings to handle SSL connections, particularly forcing use of the TLS protocol which is ideal:


Some of the settings are self-explanatory, but the key components are the overall enabling of SSL, the restriction to use only TLS, and disallowing anonymous access.
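
The script below is an added example, not part of the original tutorial: it reads a vsftpd.conf, fills in the defaults documented in vsftpd.conf(5) for absent or commented-out keys, and flags anonymous login, disabled SSL, SSLv2/SSLv3, unforced encryption for local users, and allow_writeable_chroot (it checks for the stricter writable-subdirectory option). The function names and the sample file are constructed for illustration, and the SSL option names are taken from vsftpd.conf(5) rather than from this page.

```shell
#!/bin/sh
# Added example: audit vsftpd.conf for the settings this tutorial relies on.

# conf_get FILE KEY DEFAULT -> effective boolean for KEY, as YES or NO.
# vsftpd.conf is strict key=value with no spaces around "="; "#" lines are
# comments. This script lets the last occurrence of a key win.
conf_get() {
    val=$(awk -F= -v k="$2" '
        $1 == k { v = substr($0, length(k) + 2); sub(/[ \t\r]+$/, "", v) }
        END { print v }' "$1")
    val=$(printf '%s' "${val:-$3}" | tr '[:lower:]' '[:upper:]')
    case $val in TRUE|1) val=YES ;; FALSE|0) val=NO ;; esac
    printf '%s\n' "$val"
}

# audit_vsftpd_conf FILE -> prints one FAIL line per finding, returns 1 if any.
audit_vsftpd_conf() {
    bad=0
    # key : default when absent (vsftpd.conf(5)) : value wanted after hardening
    for rule in \
        anonymous_enable:YES:NO \
        ssl_enable:NO:YES \
        allow_anon_ssl:NO:NO \
        force_local_logins_ssl:YES:YES \
        force_local_data_ssl:YES:YES \
        ssl_sslv2:NO:NO \
        ssl_sslv3:NO:NO \
        allow_writeable_chroot:NO:NO
    do
        key=${rule%%:*}; rest=${rule#*:}
        def=${rest%%:*}; want=${rest#*:}
        got=$(conf_get "$1" "$key" "$def")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key=$got (want $want)"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample: the "testing" state of the file, before hardening.
demo=$(mktemp)
printf '%s\n' 'listen=YES' 'anonymous_enable=YES' 'local_enable=YES' \
    '#ssl_enable=YES' 'allow_writeable_chroot=YES' > "$demo"
audit_vsftpd_conf "$demo" || echo "not ready for remote users"
rm -f "$demo"
```

Point audit_vsftpd_conf at /etc/vsftpd.conf on Ubuntu or /etc/vsftpd/vsftpd.conf on CentOS before restarting the service.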

With the settings added and the file saved, once again restart the vsftpd service:

#service vsftpd restart

Now your FTP server is ready to accept secure connections using “FTP over TLS” encryption. Using a client such as FileZilla, you will be presented with a certificate popup asking you to verify the newly created SSL certificate.

Upon accepting you will now be securely connected and transfers will be encrypted via SSL:

Status: Connecting to
Status: Connection established, waiting for welcome message...
Response: 220 (vsFTPd 3.0.2)
Command: AUTH TLS
Response: 234 Proceed with negotiation.
Status: Initializing TLS...
Status: Verifying certificate...
Command: USER foobar
Status: TLS/SSL connection established.
Response: 331 Please specify the password.
Command: PASS ****************
Response: 230 Login successful.

Install and Configure VSFTPD on CentOS 6

First, update the CentOS 6 system to the current package versions with the command yum -y update:

#yum -y update
Loaded plugins: fastestmirror
Setting up Update Process
base | 3.7 kB 00:00
base/primary_db | 4.7 MB 00:04

Then install VSFTPD and any required packages with yum -y install vsftpd:

#yum -y install vsftpd
Loaded plugins: fastestmirror
Setting up Install Process
Determining fastest mirrors
* base:
* extras:
* updates:
Resolving Dependencies
--> Running transaction check
---> Package vsftpd.x86_64 0:2.2.2-21.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved

After the VSFTPD installation is complete, edit and configure the vsftpd.conf file:

#vi /etc/vsftpd/vsftpd.conf

# Allow anonymous FTP (Beware - allowed by default if you comment this out).
# Uncomment this to allow local users to log in.
# Uncomment this to enable any form of FTP write command.
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (default follows)

Exit and save the file with command :wq
Then restart the vsftpd service with command service vsftpd restart

#service vsftpd restart

Set the vsftpd service to start at boot with command chkconfig vsftpd on

#chkconfig vsftpd on

Add VSFTPD user

# useradd user
# passwd user
Changing password for user user.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

You will need to create a vsftpd.chroot_list file and enter the users who do not use chroot. Every user chroots by default. Therefore, create a chroot_list file, even if the file is going to remain empty:

#touch /etc/vsftpd/vsftpd.chroot_list

Once the vsftpd.chroot_list file has been created, restart vsftpd again

#service vsftpd restart

Test the VSFTPD user login to the FTP server with an FTP client application; this example uses FileZilla.