In this blog post we will see how to install an FTP server on Rocky Linux 8. We start by installing the “vsftpd” package and then move on to the configuration.
If you first need help installing Rocky Linux 8, refer to our previous blog post, How to Install Rocky Linux 8.
Introduction
FTP (File Transfer Protocol) is a network protocol for transmitting files between computers over Transmission Control Protocol/Internet Protocol (TCP/IP) connections. Within the TCP/IP suite, FTP is considered an application layer protocol.
FTP Secure (FTPS). Sometimes referred to as FTP Secure Sockets Layer (FTP-SSL), this approach enables implicit Transport Layer Security (TLS) as soon as an FTP connection is established. FTPS was initially used to help enable a more secure form of FTP data transfer. It typically defaults to using port 990.
FTP over explicit SSL/TLS (FTPES). This approach enables explicit TLS support by upgrading an FTP connection over port 21 to an encrypted connection. This is a commonly used approach by web and file sharing services to enable secure file transfers.
Installation & Configuration
Step 1 : Install the required package
[root@ftp-server ~]# dnf -y install vsftpd
Step 2: Once the package is installed, you should be able to find the configuration file. Make sure the file looks like the below
[root@ftp-server ~]# vi /etc/vsftpd/vsftpd.conf
# line 12 : make sure value is [NO] (no anonymous)
anonymous_enable=NO
# line 82,83 : uncomment ( allow ascii mode )
ascii_upload_enable=YES
ascii_download_enable=YES
# line 100,101 : uncomment ( enable chroot )
chroot_local_user=YES
chroot_list_enable=YES
# line 103 : uncomment ( chroot list file )
chroot_list_file=/etc/vsftpd/chroot_list
# line 109 : uncomment
ls_recurse_enable=YES
# line 114 : set YES to listen on IPv4 only
# to listen on both IPv4 and IPv6, set NO
listen=NO
# line 123 : set NO to not listen on IPv6
# to listen on both IPv4 and IPv6, set YES
listen_ipv6=YES
# add to the end
# specify the root directory
# if not specified, the user's home directory becomes the FTP home directory
local_root=public_html
# use local time
use_localtime=YES
# turn off the seccomp filter (add this line only if you cannot log in)
seccomp_sandbox=NO
Step 3 : List the users who are allowed to move above their home directory
[root@ftp-server ~]# vi /etc/vsftpd/chroot_list
# add the users you allow to move above their home directory
# (with chroot_local_user=YES, the users listed here are the ones NOT chrooted)
admin
Step 4 : Enable the FTP services
[root@ftp-server ~]# systemctl enable --now vsftpd
Step 5 : If SELinux is enabled, set the SELinux boolean for FTP
[root@ftp-server ~]# setsebool -P ftpd_full_access on
Step 6 : Allow Firewall ports for FTP services
[root@ftp-server ~]# firewall-cmd --add-service=ftp
success
[root@ftp-server ~]# firewall-cmd --runtime-to-permanent
success
Up to this point, the FTP service is running successfully. Next we will see how to enable SSL/TLS for a secured FTP connection.
Step 7 : If you intend to use a certificate from a third-party vendor, this step is not required. You are free to use any certificate authority for your SSL certs (see List of Authority providing SSL Certs).
We are creating a self-signed certificate for this blog post
[root@ftp-server ~]# cd /etc/pki/tls/certs
[root@ftp-server certs]# openssl req -x509 -nodes -newkey rsa:2048 -keyout vsftpd.pem -out vsftpd.pem -days 3650
Generating a RSA private key
.....+++++
................+++++
writing new private key to 'vsftpd.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN # country code
State or Province Name (full name) []:Karnataka # State
Locality Name (eg, city) [Default City]:Bangalore # city
Organization Name (eg, company) [Default Company Ltd]:The IT Company # company
Organizational Unit Name (eg, section) []:IT Infra # department
Common Name (eg, your name or your server's hostname) []:www.linuxquery.org # server's FQDN
Email Address []:root@linuxquery.org # admin's email
Restrict the permissions on the pem file, which holds the private key as well as the certificate
[root@ftp-server certs]# chmod 600 vsftpd.pem
Step 8 : Configure vsftpd to use SSL/TLS. Adjust the file as shown below
[root@ftp-server ~]# vi /etc/vsftpd/vsftpd.conf
# add to the end : enable SSL/TLS
rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
Step 9 : Fix the passive port range, allow those ports through the firewall, then restart the FTP service
[root@ftp-server ~]# vi /etc/vsftpd/vsftpd.conf
# add to the end
# fix passive ports with any range you like
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60100
[root@ftp-server ~]# firewall-cmd --add-port=60000-60100/tcp
success
[root@ftp-server ~]# firewall-cmd --runtime-to-permanent
success
[root@ftp-server ~]# systemctl restart vsftpd
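A quick way to confirm the finished configuration, as an added example that is not part of the original post: the function below reads a vsftpd.conf and reports on the settings from Steps 2, 8 and 9. The names conf_get, conf_bool and audit_vsftpd and the sample file are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: audit the settings from Steps 2, 8 and 9.

# Effective value of KEY: vsftpd applies settings in file order, so the last one counts.
conf_get() {  # conf_get FILE KEY DEFAULT
    local v
    v=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '[:space:]')
    printf '%s\n' "${v:-$3}"
}
# Booleans normalised to YES/NO (vsftpd also accepts TRUE and 1, in any case).
conf_bool() {
    case $(conf_get "$@" | tr a-z A-Z) in YES|TRUE|1) echo YES ;; *) echo NO ;; esac
}

# Print one line per finding; return 1 if any FAIL was reported.
audit_vsftpd() {
    local f="$1" rc=0 k lo hi
    [ "$(conf_bool "$f" anonymous_enable YES)" = NO ] ||
        { echo "FAIL anonymous_enable: anonymous login is allowed"; rc=1; }
    # TLS must be on and forced for logins and data, or credentials can cross in clear.
    [ "$(conf_bool "$f" ssl_enable NO)" = YES ] ||
        { echo "FAIL ssl_enable: TLS is off"; rc=1; }
    for k in force_local_logins_ssl force_local_data_ssl; do
        [ "$(conf_bool "$f" "$k" YES)" = YES ] ||
            { echo "FAIL $k: cleartext sessions are accepted"; rc=1; }
    done
    # The fixed passive range is what the firewall rule in Step 9 has to match.
    lo=$(conf_get "$f" pasv_min_port 0); hi=$(conf_get "$f" pasv_max_port 0)
    if [ "$lo" -gt 0 ] 2>/dev/null && [ "$hi" -ge "$lo" ] 2>/dev/null; then
        echo "INFO passive range $lo-$hi/tcp must be open in firewalld"
    else
        echo "FAIL pasv_min_port/pasv_max_port: no usable fixed range"; rc=1
    fi
    # vsftpd refuses to start when both listeners are enabled in one instance.
    if [ "$(conf_bool "$f" listen NO)" = YES ] &&
       [ "$(conf_bool "$f" listen_ipv6 NO)" = YES ]; then
        echo "FAIL listen and listen_ipv6 are both YES"; rc=1
    fi
    [ "$(conf_bool "$f" seccomp_sandbox YES)" = YES ] ||
        echo "WARN seccomp_sandbox=NO: the syscall filter is disabled"
    return "$rc"
}

# Constructed sample: the values this guide ends up with.
sample=$(mktemp)
printf '%s\n' anonymous_enable=NO listen=NO listen_ipv6=YES seccomp_sandbox=NO \
    ssl_enable=YES force_local_data_ssl=YES force_local_logins_ssl=YES \
    pasv_enable=YES pasv_min_port=60000 pasv_max_port=60100 > "$sample"
audit_vsftpd "$sample"
```

To check the live server, call audit_vsftpd /etc/vsftpd/vsftpd.conf; with the values from this guide it reports the passive range and a WARN for seccomp_sandbox=NO, and no FAIL lines.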
Now you can test with an FTP client from a Linux or Windows machine. In our next post we will show how to configure clients for FTP.