CentOS 8 system FTP server installation and passive mode configuration detailed tutorial

This is an FTP server installation guide for beginners.

1. Understand the basics

FTP stands for File Transfer Protocol.

FTP is one of the oldest file transfer protocols and is still used by many software systems. WordPress backend updates, for example, can require an FTP service.

FTP runs over TCP, not UDP.

FTP uses two kinds of ports: the control port, 21, and a separate data (transmission) port.

FTP transfers data in one of two modes: passive mode (PASV) and active mode (PORT).

In both modes, the client first talks to port 21 on the server. This control connection carries the username and password and negotiates which mode will be used for the transfer. In active mode the data connection uses port 20 on the server. In passive mode the server picks one or more random ports of its own, and the client must open the data connection to that port on the server.

vsftpd is a widely used FTP server. The ftp command is the client program used to operate an FTP server.

There is also SFTP. SFTP and FTP are similar in name only; SFTP should not be understood as simply "secure FTP". It is a file transfer facility provided by the SSH protocol. Many cloud servers come with SSH access for remote administration, so even if you have not managed to configure FTP, you can probably transfer files with SFTP. SFTP uses only port 22.

2. Confirm the system environment

The FTP server used here is an Alibaba Cloud ECS instance. Virtual hosts may not support some of these settings, but many virtual hosts come with a built-in FTP service.

The system is Alibaba Cloud Linux 3.2104 64-bit, which is compatible with CentOS 8 commands. If you use another distribution or version, confirm whether each command applies to it.

The package manager is DNF, the successor of YUM, which is compatible with most YUM commands. A package manager installs and updates system software into the default paths, which avoids problems caused by custom installation paths, so it is recommended for beginners.

Before going further, check whether vsftpd is already installed on your system:

whereis vsftpd

If vsftpd is not installed, the command returns only

vsftpd:

Otherwise it returns paths similar to the following

vsftpd: /usr/sbin/vsftpd /etc/vsftpd /usr/share/man/man8/vsftpd.8.gz

These are three paths separated by spaces. With the default DNF installation on CentOS 8, /etc/vsftpd is the directory that holds the configuration.

3. Install ftp command [optional]

The ftp command lets you connect to your own FTP server from the server itself, which rules out firewall interference and makes troubleshooting easier. Not required, but recommended.

dnf install ftp

It can be used right after installation.

Connect to a server:

ftp XXX.XXX.XXX.XXX

XXX.XXX.XXX.XXX is the IP address. You can also use ftp localhost to connect to the local server.

Disconnect:

quit

Beginners do not need more than this. If you want to know more, search for it yourself.

4. Install VSFTPD

dnf install vsftpd

5. Set up local users

useradd xxx
passwd xxx

XXX is your username. Add the user with useradd and set its password with passwd.

Note that users added this way are CentOS system users, not users internal to vsftpd. Some of the settings changed later are likewise applied to system users.

You can also use virtual users mapped to system users, but the related settings are somewhat cumbersome for novices. Search for more information if you need them.

6. Configure vsftpd's conf file

As mentioned above, the default installation path with dnf on CentOS 8 is /etc/vsftpd, and the vsftpd configuration file lives there.

This article uses passive mode connections. The main parameters to modify are listed below (the text in [ ] is an annotation of the setting; do not write it into the configuration file).

Disable PORT mode

connect_from_port_20=NO [disables the data connection from port 20 used by PORT mode]

Enable PASV mode

listen=YES
listen_ipv6=NO [In PASV mode the server returns its randomly assigned address and port to the client as six comma-separated numbers: XXX,XXX,XXX,XXX,a,b. The first four are the IP address and the last two give the port as a*256+b. If IPv6 listening is enabled, the value will be interpreted as an IPv6 address, which causes complications.]
pasv_enable=YES [enable PASV mode]
pasv_min_port=xxxx
pasv_max_port=xxxx [The minimum and maximum port numbers the server assigns. If not specified, the server may pick a port that overlaps with another program's port, causing errors. Choose a high range to avoid conflicts, but a range that is too high may exceed what the server allows.]
pasv_addr_resolve=YES [Very important. Allows the IP address to be modified.]
pasv_address=XXX.XXX.XXX.XXX [Very important. This is your server's public address. In PASV mode the server returns the address and port as six numbers. If these two options are not set, the private network IP address is returned and a remote client cannot find your server.]
pasv_promiscuous=YES [YES turns off a security check and carries some risk. Normally the server checks that the two connections from a client come from the same IP address and rejects the data connection if they differ.]

Recommended security settings

anonymous_enable=NO [anonymous users are not allowed]
chroot_local_user=YES [confine users to their own root directory; they cannot access files outside it]
allow_writeable_chroot=NO
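As an added example (not part of the original article), the script below audits a vsftpd.conf for the options just listed: it checks the PASV port range, flags a missing or private pasv_address, reports pasv_promiscuous=YES as a risk, verifies the recommended security settings, and prints the port range in the form the firewall step later needs. The two sample configurations are constructed here (one with this article's settings, one with typical mistakes), and 203.0.113.10 is a documentation address standing in for a public IP.

```shell
#!/bin/sh
# Added example, not from the original article: audit a vsftpd.conf for the
# passive-mode and security options discussed above, and derive the port range
# that the firewall step later needs. The sample configurations are constructed;
# 203.0.113.10 is a documentation address standing in for a public IP.

# get_opt FILE KEY -> value of KEY (comment lines ignored, last occurrence wins)
get_opt() {
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key        { val = $2 }
        END              { print val }
    ' "$1"
}

# is_private_ipv4 ADDR -> exit 0 for an RFC 1918 address
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_vsftpd_conf FILE -> prints one finding per line (nothing when all is well)
audit_vsftpd_conf() {
    f="$1"
    [ "$(get_opt "$f" pasv_enable)" = "YES" ] || echo "pasv_enable should be YES for passive mode"

    min=$(get_opt "$f" pasv_min_port); max=$(get_opt "$f" pasv_max_port); bad=0
    for p in "$min" "$max"; do
        case "$p" in ''|*[!0-9]*) bad=1 ;; esac
    done
    if [ "$bad" -eq 1 ]; then
        echo "pasv_min_port and pasv_max_port must both be set to numbers"
    elif [ "$min" -gt "$max" ] || [ "$min" -lt 1024 ] || [ "$max" -gt 65535 ]; then
        echo "pasv port range $min-$max is invalid (need 1024 <= min <= max <= 65535)"
    fi

    addr=$(get_opt "$f" pasv_address)
    if [ -z "$addr" ]; then
        echo "pasv_address is not set: clients will be sent the private address"
    elif is_private_ipv4 "$addr"; then
        echo "pasv_address $addr is a private address: remote clients cannot reach it"
    fi

    [ "$(get_opt "$f" pasv_promiscuous)" != "YES" ] || echo "pasv_promiscuous=YES: data connections no longer have to come from the control connection's IP (risk)"
    [ "$(get_opt "$f" anonymous_enable)" = "NO" ]   || echo "anonymous_enable should be NO"
    [ "$(get_opt "$f" chroot_local_user)" = "YES" ] || echo "chroot_local_user should be YES"
    [ "$(get_opt "$f" allow_writeable_chroot)" != "YES" ] || echo "allow_writeable_chroot=YES lets users write to the root of their chroot"
    return 0
}

# pasv_range FILE -> "min-max/tcp", the argument for firewall-cmd --add-port
pasv_range() {
    printf '%s-%s/tcp\n' "$(get_opt "$1" pasv_min_port)" "$(get_opt "$1" pasv_max_port)"
}

# Constructed: the settings from this article
write_article_conf() {
    cat > "$1" <<'EOF'
listen=YES
listen_ipv6=NO
connect_from_port_20=NO
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40100
pasv_addr_resolve=YES
pasv_address=203.0.113.10
pasv_promiscuous=YES
anonymous_enable=NO
chroot_local_user=YES
allow_writeable_chroot=NO
EOF
}

# Constructed: a weak configuration with several of the mistakes discussed above
write_weak_conf() {
    cat > "$1" <<'EOF'
listen=YES
pasv_enable=YES
pasv_min_port=40100
pasv_max_port=40000
pasv_address=10.0.0.5
pasv_promiscuous=YES
anonymous_enable=YES
EOF
}

demo() {
    a=$(mktemp); w=$(mktemp)
    write_article_conf "$a"; write_weak_conf "$w"
    echo "== article configuration =="; audit_vsftpd_conf "$a"
    echo "== weak configuration =="; audit_vsftpd_conf "$w"
    echo "== firewall rule for the article configuration =="
    echo "firewall-cmd --add-port=$(pasv_range "$a") --permanent"
    rm -f "$a" "$w"
}
demo
```

Run it against your real file with audit_vsftpd_conf /etc/vsftpd/vsftpd.conf. The article's own settings produce exactly one finding, the pasv_promiscuous risk note, which matches the annotation above.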

7. Configure related system software

Set nologin

Edit the passwd file (usually /etc/passwd) and change the FTP user's shell from /bin/bash to /sbin/nologin so that the FTP username and password cannot be used to log in to the system directly.

Set the root directory

Edit the passwd file and replace the user's home directory with the directory the FTP user should access.

Set directory permissions

For this part it is best to consult a book dedicated to permissions. I set the permissions to 755.

Depending on your configuration file, the permissions of the root directory can cause different errors.

PAM file

After changing the user's shell to nologin, look in the system's pam.d folder (usually under /etc). It contains a line "auth required pam_shells.so". Once the shell is nologin, it no longer matches this check and an error occurs. Comment the line out.

If you have a different setup, you may need to modify this file further.
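As an added example (not part of the original article), the following script applies the steps of this section with usermod instead of editing /etc/passwd by hand, and deals with the pam_shells.so check by listing /sbin/nologin in /etc/shells, so the PAM line can stay in place. It assumes the user name ftpuser and the directory /srv/ftp/ftpuser. It makes the chroot root owned by root with an upload subdirectory owned by the user, because with chroot_local_user=YES and allow_writeable_chroot=NO vsftpd refuses the login when the chroot root is writable by the user. Set DRY_RUN=1 to print the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original article. Assumed names: user "ftpuser",
# chroot directory /srv/ftp/ftpuser. Set DRY_RUN=1 to print the privileged
# commands instead of executing them (they need root).

# run CMD... -> execute, or echo the command when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# shell_listed SHELLS_FILE SHELL -> exit 0 when SHELL is a whole line of SHELLS_FILE
# (pam_shells.so accepts a login only if the account's shell is listed there)
shell_listed() {
    grep -qx "$2" "$1"
}

# prepare_ftp_user USER DIR [SHELLS_FILE]
prepare_ftp_user() {
    u="$1"; d="$2"; shells="${3:-/etc/shells}"

    # Chroot root: owned by root, mode 755, so the FTP user cannot write to it.
    # With chroot_local_user=YES and allow_writeable_chroot=NO, vsftpd refuses
    # the login if the chroot root is writable by the user.
    run mkdir -p "$d"
    run chown root:root "$d"
    run chmod 755 "$d"

    # Writable area for the user inside the chroot.
    run mkdir -p "$d/upload"
    run chown "$u:$u" "$d/upload"
    run chmod 755 "$d/upload"

    # Same effect as editing /etc/passwd by hand: no interactive login, home = chroot.
    run usermod -s /sbin/nologin -d "$d" "$u"

    # Keep "auth required pam_shells.so" active: list nologin as a valid shell instead.
    if shell_listed "$shells" /sbin/nologin; then
        echo "/sbin/nologin is already listed in $shells"
    else
        run sh -c "echo /sbin/nologin >> '$shells'"
    fi
}

# Stand-alone usage: DRY_RUN=1 sh prepare_ftp_user.sh
if [ "${DRY_RUN:-0}" = "1" ]; then
    prepare_ftp_user ftpuser /srv/ftp/ftpuser
fi
```

Run it once with DRY_RUN=1 to review the commands, then as root without it. Adding /sbin/nologin to /etc/shells keeps pam_shells.so enforcing a shell whitelist for every other PAM-aware service, which commenting the line out does not.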

Open ports to the outside

This involves two things: opening the server's own firewall, and the external security group your server provider may have.

Open the server's firewall

CentOS installs firewalld by default. If your system uses iptables, search for the corresponding commands. SELinux also needs related settings, but because it is easy to make mistakes there, many people turn it off by default.

systemctl status firewalld [check whether firewalld is running]

firewall-cmd --add-port=xxx-xxx/tcp --permanent [xxx-xxx is the port range from the configuration file, lower bound first]
firewall-cmd --add-port=21/tcp --permanent [open port 21 for the control connection; if you did not disable PORT mode, port 20 must be opened as well]
firewall-cmd --reload [reload the settings]

Open the provider's external security group

Taking Alibaba Cloud as an example, go to Console > Server > Security Group and add matching inbound rules: the PASV port range from the configuration file and port 21 for the control connection (if PORT mode is not disabled, port 20 as well).

8. Test and possible errors

Log in with the ftp command and the IP address both on the server and from a remote client. On Windows you can open ftp://XXX.XXX.XXX.XXX (the public IP address) in File Explorer, test from the cmd prompt, or use an FTP client program.

1. If you can log in on the server but not from the remote client, check the firewall settings.

2. If the error "227 Entering Passive Mode" appears, pasv_addr_resolve=YES and pasv_address=XXX.XXX.XXX.XXX are not set correctly: the address returned by the server is a private network address or a wrong IP address, and the client cannot connect to it.

I haven't encountered any other problems yet, and I have updated my WordPress over FTP after configuring it as above. If there are any mistakes or omissions, please correct me. Thanks for reading.
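The six-number reply and the a*256+b rule from section 6, and the symptom in point 2 above, can be checked from the client side. The following added example (not part of the original article) decodes a 227 reply the way a client does, computes the data port, flags a private address, and compares the port with the pasv_min_port/pasv_max_port range you configured. The sample replies, the 40000-40100 range and the 203.0.113.10 address are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: decode "227 Entering Passive Mode"
# replies as an FTP client does. The sample replies below are constructed.

# parse_pasv REPLY -> prints "IP PORT public|private"; exit 1 if REPLY is not a 227 line
parse_pasv() {
    nums=$(printf '%s\n' "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*$/\1/p')
    [ -n "$nums" ] || return 1
    set -- $(printf '%s\n' "$nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    ip="$1.$2.$3.$4"
    port=$(( $5 * 256 + $6 ))        # the a*256+b rule from the configuration notes
    case "$ip" in
        # RFC 1918 ranges plus loopback: unreachable from a remote client
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|127.*) kind=private ;;
        *) kind=public ;;
    esac
    echo "$ip $port $kind"
}

# diagnose_pasv REPLY MIN MAX -> one-line verdict against the configured pasv port range
diagnose_pasv() {
    min="$2"; max="$3"
    parsed=$(parse_pasv "$1") || { echo "not a 227 reply: $1"; return 0; }
    set -- $parsed
    if [ "$3" = private ]; then
        echo "private address $1 advertised: set pasv_address to the public IP"
    elif [ "$2" -lt "$min" ] || [ "$2" -gt "$max" ]; then
        echo "data port $2 is outside $min-$max: the firewall or security group will block it"
    else
        echo "ok: data port $2 on $1 is inside $min-$max"
    fi
}

# Constructed replies, checked against an assumed range of 40000-40100
for reply in \
    "227 Entering Passive Mode (10,0,0,5,195,80)." \
    "227 Entering Passive Mode (203,0,113,10,156,64)." \
    "227 Entering Passive Mode (203,0,113,10,200,0)."
do
    echo "$reply"
    echo "  -> $(diagnose_pasv "$reply" 40000 40100)"
done
```

To use it on a real session, run ftp -v against the server, copy the 227 line it prints after a directory listing is requested, and pass it to diagnose_pasv together with the range from your vsftpd.conf.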
