CentOS server – Vsftpd Howto

Last update: 2022-10-18

To set up your CentOS machine as a reasonably secure FTP server, follow the steps below.

Install VSFTPD with

yum install vsftpd

Enable vsftpd at boot and start it with

(CentOS 6.x)

chkconfig --level 235 vsftpd on
service vsftpd start

(CentOS 7.x)

systemctl enable vsftpd
systemctl start vsftpd

Open vsftpd.conf

nano /etc/vsftpd/vsftpd.conf

and make the following changes:

1. Disable anonymous logins by changing anonymous_enable=YES to anonymous_enable=NO

anonymous_enable=NO

2. Uncomment the chroot_local_user=YES line (on CentOS 5.x you need to add it). This confines each local user to their home directory, which the FTP session then sees as /.

chroot_local_user=YES

3. Change the default port number from 21 to XXXXX (where XXXXX is above 1024) with

listen_port=XXXXX

If this line doesn't exist, add it at the end of the file. It only takes effect when vsftpd runs in standalone mode (listen=YES, the CentOS default). Make sure port XXXXX is reachable (see step 11), and on a system with SELinux enforcing, label the new port as ftp_port_t with semanage before restarting, otherwise vsftpd is not allowed to bind to it.

4. The chroot from step 2 restricts only the FTP session. A user who also has a login shell can still reach the whole filesystem over SSH, so give FTP-only accounts a non-interactive shell such as /sbin/nologin. Because the CentOS PAM configuration for vsftpd (/etc/pam.d/vsftpd) includes pam_shells, that shell must also be listed in /etc/shells or the FTP login will be refused.

5. vsftpd 2.3.5 and later (CentOS 7 ships 3.0.x) refuse to start a chrooted session whose root directory is writable, so a user whose home directory is writable gets "500 OOPS: vsftpd: refusing to run with writable root inside chroot()" at login. The safer fix is to remove write permission from the home directory itself and give the user a writable subdirectory. If you want the home directory to stay writable, disable the check by adding:

allow_writeable_chroot=YES

Restart vsftpd (service vsftpd restart on CentOS 6, systemctl restart vsftpd on CentOS 7). Keep in mind that changing the default port does not make the server secure by itself: it keeps most automated dictionary attacks away and makes your log files much smaller, nothing more. Strong passwords are a must, and so is TLS (step 8), because plain FTP sends usernames, passwords and data in cleartext.

Other options

6. Passive FTP Connections

vsftpd can use any port for passive data connections. When the server sits behind a NAT router, pin the passive range with a minimum and maximum port and forward that range on the router. Also, replace xxx.xxx.xxx.xxx with your public IP (the address on the WAN side of the router); vsftpd advertises this address to clients in its PASV replies, so with a wrong value the login succeeds but every data connection fails.

Add the following lines to the configuration file

pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100
pasv_address=xxx.xxx.xxx.xxx

7. Limiting User Login

To allow only certain users to log in to the FTP server, add the following lines after the userlist_enable=YES line (it is already set in the CentOS default configuration):

userlist_file=/etc/vsftpd/user_list
userlist_deny=NO

Now list the users who may log in in /etc/vsftpd/user_list, one per line. Note that on CentOS this file ships as a deny list (userlist_deny=YES) containing root and other system accounts; once you switch to userlist_deny=NO it becomes an allow list, so replace its contents rather than appending to them. root stays blocked either way by /etc/vsftpd/ftpusers, which PAM checks first.
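As an added check that is not part of the original howto: once user_list is an allow list, a leftover system account or a typo that matches no account is easy to miss. The shell function below (its name is my own) reads a user_list and fails if any entry is missing from the passwd file or has a UID below 1000, the UID_MIN on CentOS 7 (it is 500 on CentOS 6, so adjust the threshold there). The passwd and user_list files used in the comments are constructed for the example.

```bash
#!/bin/sh
# check_user_list USER_LIST [PASSWD]
# With userlist_deny=NO every entry in USER_LIST is a login vsftpd will accept,
# so the file must contain only the intended accounts. Returns 0 when every
# non-comment entry exists in PASSWD (default /etc/passwd) with a regular UID
# (>= 1000, the CentOS 7 UID_MIN); otherwise reports each offender and returns 1.
check_user_list() {
    list=$1; passwd=${2:-/etc/passwd}; rc=0
    # "|| [ -n "$line" ]" still processes a last line without a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            \#*) continue ;;               # vsftpd treats lines starting with # as comments
        esac
        user=$(printf '%s' "$line" | tr -d '[:space:]')   # drop stray whitespace
        [ -n "$user" ] || continue                        # skip blank lines
        uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$passwd")
        if [ -z "$uid" ]; then
            echo "user_list: '$user' does not exist" >&2; rc=1
        elif [ "$uid" -lt 1000 ]; then
            echo "user_list: '$user' is a system account (uid $uid)" >&2; rc=1
        fi
    done < "$list"
    return "$rc"
}

# Example (constructed data, not a real system):
#   passwd:    root:x:0:0:root:/root:/bin/bash
#              alice:x:1001:1001::/home/alice:/sbin/nologin
#   user_list: root, alice, mallory
# check_user_list reports root (system account) and mallory (no such user)
# and returns 1; a user_list holding only alice returns 0.
```

Run check_user_list /etc/vsftpd/user_list after editing the file; a non-zero exit status means fix the list before restarting vsftpd.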

8. Securing Transmissions with SSL/TLS

To encrypt the FTP transmissions with SSL/TLS, you need an SSL certificate and must configure the FTP server to use it. If you have a domain or subdomain pointing to the FTP server's IP address you can generate a free Let's Encrypt certificate. You can also use an existing certificate signed by a trusted CA, or create a self-signed certificate with:

sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem

Add the following lines to the conf file. The pem file holds the private key, so make it readable by root only (chmod 600). If you use Let's Encrypt, point rsa_cert_file at its fullchain.pem and rsa_private_key_file at its privkey.pem instead.

rsa_cert_file=/etc/vsftpd/vsftpd.pem
rsa_private_key_file=/etc/vsftpd/vsftpd.pem
ssl_enable=YES

9. Logging

To keep two log files (by default transfers go to /var/log/xferlog only; this adds vsftpd's own /var/log/vsftpd.log as well), add

dual_log_enable=YES

10. Restart vsftpd with

systemctl restart vsftpd

11. Opening the Firewall

If you are running a firewall you need to allow FTP traffic.

In passive mode only the command port XXXXX and the passive range 40000-40100 need to be reachable from outside; the classic data port 20 is used for active-mode connections that the server opens itself, so no inbound rule is needed for it. On CentOS 7 open the ports with firewalld and reload it so the permanent rules take effect (on CentOS 6 add the equivalent iptables rules):

firewall-cmd --permanent --add-port=XXXXX/tcp
firewall-cmd --permanent --add-port=40000-40100/tcp
firewall-cmd --reload
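Putting steps 1 to 11 together, the following script is an added example and not part of the original howto. It assumes CentOS 7 with firewalld and the SELinux semanage tool installed, that the certificate from step 8 already exists at /etc/vsftpd/vsftpd.pem, and it takes the command port, the public address and the allowed users as arguments (the values in the usage comment are placeholders). The set_opt and apply_hardening functions are my own: set_opt rewrites an existing or commented-out directive in place instead of blindly appending, so the script can be re-run without leaving duplicate directives in vsftpd.conf, and apply_hardening also sets the TLS options that force encryption for logins and data, which the minimal step 8 configuration leaves optional.

```bash
#!/bin/sh
# Added example: applies the howto's settings in one go on CentOS 7.
# Assumptions (not from the original page): root privileges, firewalld and
# semanage installed, the certificate already at /etc/vsftpd/vsftpd.pem.
# PORT, PUBLIC_IP and the user names are placeholders passed on the command line.

# set_opt FILE KEY VALUE
# Leave exactly one active "KEY=VALUE" line in FILE: the first active or
# commented-out KEY line is rewritten, later duplicates are dropped, and the
# line is appended if KEY is absent. Running it twice changes nothing.
set_opt() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        $0 ~ ("^[[:space:]]*#?[[:space:]]*" k "=") {
            if (!done) { print k "=" v; done = 1 }   # first hit: rewrite in place
            next                                     # later hits: drop duplicates
        }
        { print }
        END { if (!done) print k "=" v }             # no hit at all: append
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write through the original inode: keeps owner, mode, SELinux label
    rm -f "$tmp"
}

# apply_hardening PORT PUBLIC_IP USER [USER ...]
apply_hardening() {
    port=$1; pub_ip=$2; shift 2
    conf=/etc/vsftpd/vsftpd.conf
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"

    # Steps 1-5: no anonymous access, local users chrooted, non-standard command port
    set_opt "$conf" anonymous_enable NO
    set_opt "$conf" local_enable YES
    set_opt "$conf" write_enable YES
    set_opt "$conf" chroot_local_user YES
    set_opt "$conf" allow_writeable_chroot YES   # or make each home directory non-writable instead
    set_opt "$conf" listen_port "$port"

    # Step 6: fixed passive range, advertised with the public address
    set_opt "$conf" pasv_enable YES
    set_opt "$conf" pasv_min_port 40000
    set_opt "$conf" pasv_max_port 40100
    set_opt "$conf" pasv_address "$pub_ip"

    # Step 7: allow list. Overwrite user_list so the stock deny entries
    # (root, bin, daemon, ...) do not silently turn into allowed logins.
    set_opt "$conf" userlist_enable YES
    set_opt "$conf" userlist_file /etc/vsftpd/user_list
    set_opt "$conf" userlist_deny NO
    printf '%s\n' "$@" > /etc/vsftpd/user_list

    # Step 8: TLS required for logins and data; SSLv2/SSLv3 off (the upstream
    # defaults, set explicitly); ssl_ciphers=HIGH replaces the weak 3DES default.
    set_opt "$conf" ssl_enable YES
    set_opt "$conf" rsa_cert_file /etc/vsftpd/vsftpd.pem
    set_opt "$conf" rsa_private_key_file /etc/vsftpd/vsftpd.pem
    set_opt "$conf" force_local_logins_ssl YES
    set_opt "$conf" force_local_data_ssl YES
    set_opt "$conf" ssl_sslv2 NO
    set_opt "$conf" ssl_sslv3 NO
    set_opt "$conf" ssl_tlsv1 YES
    set_opt "$conf" ssl_ciphers HIGH
    chmod 600 /etc/vsftpd/vsftpd.pem   # the pem contains the private key

    # Step 3 follow-up: with SELinux enforcing, vsftpd may only bind ports labelled ftp_port_t
    if command -v semanage >/dev/null 2>&1; then
        semanage port -a -t ftp_port_t -p tcp "$port" 2>/dev/null \
            || semanage port -m -t ftp_port_t -p tcp "$port"
    fi

    # Step 11: command port and passive range only, then reload so the rules go live
    firewall-cmd --permanent --add-port="$port/tcp"
    firewall-cmd --permanent --add-port=40000-40100/tcp
    firewall-cmd --reload

    systemctl enable vsftpd
    systemctl restart vsftpd
}

# Only act when called with arguments, e.g.:
#   sh vsftpd-harden.sh 21212 203.0.113.10 alice bob
if [ "$#" -ge 3 ]; then
    apply_hardening "$@"
fi
```

After it runs, log in with an FTP client that supports explicit TLS (FTPES) and check that a plain, unencrypted login is refused and that `cd ..` from the home directory goes nowhere.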
