
Friday, February 22, 2013

Make FTP server secure on Linux : RHEL, CentOS, UBUNTU

To install FTP on a Linux server, see the post "Install FTP on Linux : CentOS, RHEL, UBUNTU" on this page.

1) Open vsftpd.conf (/etc/vsftpd.conf or /etc/vsftpd/vsftpd.conf).
To prevent anonymous log-in, set anonymous_enable=NO.
If vsftpd.conf has anonymous_enable=YES, no username or password is needed: anyone who connects with just the hostname can log in. This situation is very dangerous.
For security purposes, always set this attribute to NO.

2) The following content is harmful for your vsftpd.
If your vsftpd PAM file (/etc/pam.d/vsftpd) has the following content, it will allow a blank or wrong password. This is a threat to your security.
auth sufficient /lib/security/pam_pwdfile.so pwdfile /home/ftp/passwd
auth required pam_shells.so
account required pam_permit.so
Never make auth sufficient; it should always be required.

Never leave your vsftpd PAM file with the above content.

3) Never allow a blank or wrong password for an FTP user.
Make sure your vsftpd PAM file (/etc/pam.d/vsftpd) has the following content.

If it is Debian or Ubuntu:
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
@include common-account
@include common-session
@include common-auth
auth required pam_shells.so

If it is CentOS or RHEL:
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
session    include      password-auth
session    required     pam_loginuid.so
account    include      password-auth

4) Whenever you change vsftpd.conf, make sure you restart vsftpd.
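The checks above (anonymous_enable must be an explicit NO, and the PAM stack for vsftpd must not contain an "auth sufficient" entry or pam_permit.so) can be run as a script. The following is an added example, not code from the original post: it audits a vsftpd.conf and a /etc/pam.d/vsftpd file and reports the weak settings, using constructed sample files so that it runs stand-alone. A missing anonymous_enable line is reported as weak because vsftpd's built-in default for that option is YES; the function names and file layout are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a vsftpd.conf and a
# /etc/pam.d/vsftpd file for the weak settings described above.
# Each check returns 0 = safe, 1 = weak, and prints its findings.

# check_vsftpd_conf FILE
# vsftpd requires "option=value" with no spaces, so the match is strict.
# A missing anonymous_enable line is treated as weak: vsftpd's built-in
# default for anonymous_enable is YES, so only an explicit NO is safe.
check_vsftpd_conf() {
    conf=$1
    rc=0
    if grep -Eiq '^anonymous_enable=no$' "$conf"; then
        :
    elif grep -Eiq '^anonymous_enable=yes$' "$conf"; then
        echo "$conf: anonymous_enable=YES (anonymous log-in allowed)"
        rc=1
    else
        echo "$conf: anonymous_enable not set (vsftpd default is YES)"
        rc=1
    fi
    return $rc
}

# check_pam_file FILE
# Flags any "auth sufficient" entry (a sufficient module that succeeds ends
# the auth stack early) and any pam_permit.so in the auth or account stacks
# (pam_permit.so always returns success).
check_pam_file() {
    pamf=$1
    rc=0
    if grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient' "$pamf"; then
        echo "$pamf: 'auth sufficient' present; should be 'auth required'"
        rc=1
    fi
    if grep -Eq '^[[:space:]]*(auth|account)[[:space:]].*pam_permit\.so' "$pamf"; then
        echo "$pamf: pam_permit.so in auth/account stack (always succeeds)"
        rc=1
    fi
    return $rc
}

# --- Constructed sample files (not real system files) for a stand-alone run.
AUDIT_DIR=$(mktemp -d)
trap 'rm -rf "$AUDIT_DIR"' EXIT

cat > "$AUDIT_DIR/vsftpd.conf.weak" <<'EOF'
# constructed sample: anonymous access left on
anonymous_enable=YES
local_enable=YES
write_enable=YES
EOF

cat > "$AUDIT_DIR/vsftpd.conf.safe" <<'EOF'
# constructed sample: anonymous access off
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
EOF

cat > "$AUDIT_DIR/pam.weak" <<'EOF'
auth sufficient /lib/security/pam_pwdfile.so pwdfile /home/ftp/passwd
auth required pam_shells.so
account required pam_permit.so
EOF

cat > "$AUDIT_DIR/pam.safe" <<'EOF'
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
@include common-account
@include common-session
@include common-auth
auth required pam_shells.so
EOF

for f in "$AUDIT_DIR/vsftpd.conf.weak" "$AUDIT_DIR/vsftpd.conf.safe"; do
    if check_vsftpd_conf "$f"; then echo "$f: OK"; fi
done
for f in "$AUDIT_DIR/pam.weak" "$AUDIT_DIR/pam.safe"; do
    if check_pam_file "$f"; then echo "$f: OK"; fi
done
```

To audit a real server, call check_vsftpd_conf and check_pam_file on /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf) and /etc/pam.d/vsftpd instead of the constructed files.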

Install FTP on Linux : CentOS, RHEL, UBUNTU

vsftpd Configuration:

1) Install vsftpd using the following command:
   If it is a Debian-based (Ubuntu) Linux:
$ sudo apt-get install vsftpd

   If it is an RPM-based (CentOS, RHEL) Linux:
$ sudo yum install vsftpd

2) Make three changes in vsftpd.conf
   (location of vsftpd.conf: /etc/vsftpd.conf or /etc/vsftpd/vsftpd.conf)

a) Uncomment the line chroot_local_user=YES in vsftpd.conf.
   This attribute jails the user so they cannot move up to the parent directory.

b) Define the attribute local_root in vsftpd.conf:
local_root=/opt/lampp/htdocs

This is the path of the directory where the user is jailed; the user cannot go to the parent directory. In this example the user is logged in to htdocs and cannot reach the parent directory of htdocs.

c) To allow users to upload files, set
local_enable=YES
write_enable=YES
Now a user can log in to the server by FTP using a username and password.

host : IP address of the server
username : any user of the server except root
password : that user's password

3) To create a user for FTP:

$ sudo adduser -c 'FTP USER ec2' -m ec2

   Where ec2 is the username for FTP. To set the password for this user:
$ sudo passwd ec2

4) FTP works on port 21. You can close the port or stop the service using
$ service vsftpd stop

   and open the port or start the service using
$ service vsftpd start

5) If you are using CentOS/RHEL servers, add the following line to your iptables file:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

Path of the iptables file: /etc/sysconfig/iptables

   Save and close the file, then restart iptables:
$ service iptables restart

6) To prevent anonymous log-in, set anonymous_enable=NO.
If vsftpd.conf has anonymous_enable=YES, no username or password is needed: anyone who connects with just the hostname can log in.
For security purposes, make sure you have set this attribute to NO.

7) By default, the root user cannot log in by FTP, but can log in through SFTP.

8) Whenever you change vsftpd.conf, make sure you restart vsftpd.
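Steps 2a to 2c and 6 all amount to setting a handful of vsftpd.conf options, and the chroot_local_user line usually starts out commented. The following is an added example, not code from the original post: a vsftpd_set function that rewrites an existing line, uncomments a commented one, or appends the option when it is absent, so it can be re-run safely, plus a vsftpd_get helper to read a value back. It works on a constructed copy of vsftpd.conf so that it runs stand-alone; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): apply the vsftpd.conf
# settings from the steps above idempotently.

# vsftpd_set FILE OPTION VALUE
#   - replaces an existing "OPTION=..." line in place,
#   - uncomments a "#OPTION=..." line (as step 2a asks for chroot_local_user),
#   - or appends "OPTION=VALUE" when the option is absent.
# vsftpd requires "option=value" with no surrounding spaces, so that is the
# form written. Any later duplicate lines for the same option are dropped so
# exactly one active line remains. The file is rewritten with cat rather than
# mv so its owner and permissions are preserved.
vsftpd_set() {
    conf=$1 opt=$2 val=$3
    tmp=$(mktemp)
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$opt=" "$conf"; then
        awk -v opt="$opt" -v val="$val" '
            $0 ~ "^[ \t]*#?[ \t]*" opt "=" {
                if (!seen) { print opt "=" val; seen = 1 }
                next
            }
            { print }
        ' "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        printf '%s=%s\n' "$opt" "$val" >> "$tmp"
    fi
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# vsftpd_get FILE OPTION
# Prints the value of the active (uncommented) OPTION line, empty if unset.
# After vsftpd_set there is only one such line.
vsftpd_get() {
    conf=$1 opt=$2
    grep -E "^$opt=" "$conf" | tail -n 1 | cut -d= -f2-
}

# --- Constructed sample config (not the real /etc/vsftpd.conf) for a stand-alone run.
DEMO_CONF=$(mktemp)
trap 'rm -f "$DEMO_CONF"' EXIT
cat > "$DEMO_CONF" <<'EOF'
# constructed sample of a freshly installed vsftpd.conf
anonymous_enable=YES
local_enable=NO
#write_enable=YES
#chroot_local_user=YES
EOF

# The settings from steps 2a, 2b, 2c and 6.
vsftpd_set "$DEMO_CONF" chroot_local_user YES
vsftpd_set "$DEMO_CONF" local_root /opt/lampp/htdocs
vsftpd_set "$DEMO_CONF" local_enable YES
vsftpd_set "$DEMO_CONF" write_enable YES
vsftpd_set "$DEMO_CONF" anonymous_enable NO

echo "--- resulting config ---"
cat "$DEMO_CONF"
echo "anonymous_enable is now: $(vsftpd_get "$DEMO_CONF" anonymous_enable)"
```

On a real server run the five vsftpd_set calls against /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf) as root and then restart vsftpd as in step 8. One caveat when combining steps 2a and 2c: vsftpd 3.x refuses to chroot a user whose local_root is writable by that user, so a writable jail directory needs the allow_writeable_chroot=YES option that vsftpd 3.0 added.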