
CentOS ftpserver case analysis

Author: 小樊
2025-11-01 16:14:57
Category: Intelligent Operations

CentOS FTP Server Case Analysis: Common Configurations and Troubleshooting Scenarios

Case 1: Basic vsftpd Setup with Local User Access

This case deploys vsftpd for local system accounts only: anonymous login is switched off, every user is authenticated, and each session is confined (chrooted) to the user's home directory.

Key Steps

  1. Install vsftpd: Install the vsftpd package from the base repository with yum (dnf on CentOS 8); it is the FTP daemon CentOS ships and the one these cases assume.
    sudo yum install vsftpd -y
    
  2. Configure Core Parameters: In /etc/vsftpd/vsftpd.conf, disable anonymous login (anonymous_enable=NO), allow local user login (local_enable=YES), enable uploads (write_enable=YES) and confine users to their home directories (chroot_local_user=YES). vsftpd refuses a session whose chroot root is writable (the login fails with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"), and a home directory created by useradd -m is writable by its owner. Either keep the home directory root-owned and non-writable and give the user a writable subdirectory for uploads, or switch the check off with allow_writeable_chroot=YES. The first option is safer: the check exists because writable chroot roots have been used for chroot escapes, and disabling it weakens the confinement this case is built on. Because step 4 opens a fixed passive port range in the firewall, pin the same range here so the two agree: pasv_enable=YES, pasv_min_port=30000, pasv_max_port=31000.
  3. Start and Enable Service: Start the vsftpd service and enable it to launch at boot.
    sudo systemctl start vsftpd
    sudo systemctl enable vsftpd
    
  4. Firewall and SELinux Setup: Open FTP (port 21) and the passive range chosen in step 2 (30000-31000) in firewalld. For SELinux, allow vsftpd into user home directories with the ftp_home_dir boolean where the policy provides it (check with getsebool -a | grep ftp). ftpd_full_access is the broad switch: it lets vsftpd read and write anywhere on the filesystem, which undoes much of what the chroot buys, so reserve it for layouts the narrower boolean does not cover:
    sudo firewall-cmd --permanent --add-service=ftp
    sudo firewall-cmd --permanent --add-port=30000-31000/tcp
    sudo firewall-cmd --reload
    sudo setsebool -P ftp_home_dir on
    
  5. Create Local Users: Add a user (e.g., ftpuser) with a home directory and set a password. Give the account /sbin/nologin as its shell so the password only works for FTP, not for SSH or console login. The stock /etc/pam.d/vsftpd on CentOS includes pam_shells, which rejects logins whose shell is not listed in /etc/shells, so confirm /sbin/nologin appears there (grep nologin /etc/shells) or FTP logins will fail for this user:
    sudo useradd -m -s /sbin/nologin ftpuser
    sudo passwd ftpuser
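
The five steps above as one script, added here as an example rather than code from the original article: it writes the hardened vsftpd.conf the case describes, audits any vsftpd.conf for the settings the case depends on (anonymous login off, local login and chroot on, writable chroot not enabled, passive range pinned), and derives the firewall rules from the passive range in the config so the two cannot drift apart. The 30000-31000 range and the file paths follow the text; the weak configuration at the end is a constructed sample used only to show the audit reporting findings.

```bash
#!/bin/bash
# Added example for Case 1 (not from the original article). Writes the
# hardened local-user configuration and audits a vsftpd.conf for it.
# Paths and the 30000-31000 passive range are assumptions matching the text.

# Write a hardened local-user vsftpd.conf to the path given as $1.
write_case1_conf() {
    cat > "$1" <<'EOF'
listen=YES
listen_ipv6=NO
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
chroot_local_user=YES
# Keep the chroot root read-only and give users a writable subdirectory
# instead of switching off vsftpd's check with allow_writeable_chroot=YES.
allow_writeable_chroot=NO
# Pin the passive range so the firewall can open exactly these ports.
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=31000
xferlog_enable=YES
xferlog_std_format=YES
pam_service_name=vsftpd
EOF
}

# Print the value of key $2 from vsftpd.conf $1 (last occurrence wins,
# as in vsftpd itself); prints nothing when the key is unset.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Audit a vsftpd.conf: one line per finding on stdout, exit 1 if any.
# Unset keys are judged by vsftpd's defaults (anonymous_enable defaults to YES).
audit_vsftpd_conf() {
    local f=$1 rc=0 lo hi
    [ "$(conf_get "$f" anonymous_enable)" = "NO" ] ||
        { echo "FAIL: anonymous_enable must be NO (vsftpd defaults to YES)"; rc=1; }
    [ "$(conf_get "$f" local_enable)" = "YES" ] ||
        { echo "FAIL: local_enable must be YES for local accounts"; rc=1; }
    [ "$(conf_get "$f" chroot_local_user)" = "YES" ] ||
        { echo "FAIL: chroot_local_user must be YES"; rc=1; }
    [ "$(conf_get "$f" allow_writeable_chroot)" != "YES" ] ||
        { echo "WARN: allow_writeable_chroot=YES disables the writable-root check"; rc=1; }
    if [ "$(conf_get "$f" pasv_enable)" != "NO" ]; then
        lo=$(conf_get "$f" pasv_min_port)
        hi=$(conf_get "$f" pasv_max_port)
        if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ]; then
            echo "FAIL: pasv_min_port/pasv_max_port unset or inverted; firewall cannot be scoped"
            rc=1
        fi
    fi
    return "$rc"
}

# Open port 21 plus the passive range read from the config (run as root).
open_firewall_for() {
    local lo hi
    lo=$(conf_get "$1" pasv_min_port)
    hi=$(conf_get "$1" pasv_max_port)
    firewall-cmd --permanent --add-service=ftp
    firewall-cmd --permanent --add-port="${lo}-${hi}/tcp"
    firewall-cmd --reload
}

# Demo: audit the hardened config and a constructed weak one (sample input).
tmp=$(mktemp -d)
write_case1_conf "$tmp/vsftpd.conf"
printf 'anonymous_enable=YES\nlocal_enable=YES\nwrite_enable=YES\nchroot_local_user=YES\nallow_writeable_chroot=YES\n' > "$tmp/weak.conf"
audit_vsftpd_conf "$tmp/vsftpd.conf" && echo "hardened config: no findings"
audit_vsftpd_conf "$tmp/weak.conf" || echo "weak config: see findings above"
```

To apply it on a host, copy the generated file over /etc/vsftpd/vsftpd.conf, run open_firewall_for on it as root, then restart vsftpd; the audit function can be re-run after any later edit to catch a reintroduced anonymous_enable or a dropped passive range.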
    

Purpose

This setup ensures only authenticated local users can reach the server, with each session confined to the user's home directory, so a compromised or malicious account cannot browse the rest of the filesystem over FTP. The pinned passive range, opened in the firewall, resolves the usual NAT/firewall failures on data connections. Plain FTP still sends passwords and file contents in cleartext; if the server is reachable from untrusted networks, enable TLS in vsftpd (ssl_enable=YES with a certificate) or use SFTP instead.

Case 2: Virtual Users with Dedicated Directories

For scenarios requiring isolated FTP accounts (e.g., client-specific access), virtual users are the right tool: accounts that exist only in a vsftpd credential database, not in /etc/passwd, and that are all mapped onto one unprivileged system user at login. This case covers creating virtual users with custom home directories and permissions.

Key Steps

  1. Install Required Tools: Install the Berkeley DB utilities that provide db_load, used to build the credential database (db4-utils on CentOS 7; on CentOS 8 the package is libdb-utils).
    sudo yum install db4 db4-utils -y
    
  2. Create Virtual User Credentials: Create a text file (/etc/vsftpd/vuser_passwd.txt) in the layout db_load -T expects: the username on one line and its password on the next line, alternating, with no blank lines (e.g., ftpuser1 on line 1, pass1 on line 2). Generate the database, then restrict both files to root, since the text file still holds every password in clear:
    db_load -T -t hash -f /etc/vsftpd/vuser_passwd.txt /etc/vsftpd/vuser_passwd.db
    chmod 600 /etc/vsftpd/vuser_passwd.txt /etc/vsftpd/vuser_passwd.db
    
  3. Configure PAM Authentication: Modify /etc/pam.d/vsftpd to authenticate against the database instead of the system password files. Comment out the existing lines and add the two below; the db= path is given without the .db suffix, as pam_userdb appends it. Because pam_unix is no longer consulted, system accounts can no longer log in over FTP on this server, which is the intended outcome for a virtual-user-only deployment:
    auth required pam_userdb.so db=/etc/vsftpd/vuser_passwd
    account required pam_userdb.so db=/etc/vsftpd/vuser_passwd
    
  4. Set Up Virtual User Homes: Create a directory for virtual users (e.g., /var/ftp/virtual_users) and one subdirectory per virtual user (e.g., /var/ftp/virtual_users/ftpuser1), and create the unprivileged system account every virtual user will run as. The commands below give the per-user directory to that account. If chroot_local_user=YES is in effect (it is, if the Case 1 configuration is in use), a directory that is both the chroot root and writable is refused at login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()"; in that case keep the per-user directory root-owned with mode 755 and give ftpvirtuser a writable subdirectory beneath it, rather than setting allow_writeable_chroot=YES:
    sudo mkdir -p /var/ftp/virtual_users/ftpuser1
    sudo useradd -d /var/ftp/virtual_users/ftpuser1 -s /sbin/nologin ftpvirtuser
    sudo chown ftpvirtuser:ftpvirtuser /var/ftp/virtual_users/ftpuser1
    
  5. Configure User-Specific Settings: Create a config file for each virtual user (e.g., /etc/vsftpd/vuser_conf/ftpuser1) with custom options (e.g., local_root=/var/ftp/virtual_users/ftpuser1, write_enable=YES). The file name must equal the FTP login name, because that is how vsftpd looks it up under user_config_dir. With virtual_use_local_privs=YES in the main config (step 6), write_enable alone governs uploads; without it vsftpd treats virtual users like anonymous ones, and uploads additionally require anon_upload_enable=YES and anon_mkdir_write_enable=YES.
  6. Modify Main Config: Update /etc/vsftpd/vsftpd.conf to enable virtual users (guest_enable=YES), map them to the system account (guest_username=ftpvirtuser), give them local-user rather than anonymous privileges (virtual_use_local_privs=YES), point vsftpd at the PAM file from step 3 (pam_service_name=vsftpd) and at the per-user config directory (user_config_dir=/etc/vsftpd/vuser_conf).
  7. Restart Service: Apply changes by restarting vsftpd.
    sudo systemctl restart vsftpd
    

Purpose

Virtual users separate FTP logins from system accounts: the credentials live in a vsftpd-specific database rather than /etc/shadow, so a leaked FTP password cannot be reused for SSH or console login, and every virtual user runs as a single unprivileged system account. Each user gets a dedicated directory with its own permissions, which suits multi-client environments where isolation between clients matters.

Case 3: Troubleshooting Common FTP Issues

FTP deployments often face connectivity or permission problems. This case outlines solutions for three frequent issues.

Issue 1: Connection Refused (Port 21 Closed)

Symptoms: Clients cannot connect to the FTP server (error: "Connection refused").
Root Cause: The vsftpd service is not running, or the firewall does not allow port 21. Establish which it is before changing anything: systemctl status vsftpd shows whether the daemon is up (journalctl -u vsftpd shows why it exited if not, e.g. a bad config line), and firewall-cmd --list-services shows whether ftp is allowed in the active zone.
Solution:

  • Start the vsftpd service and enable it at boot:
    sudo systemctl start vsftpd
    sudo systemctl enable vsftpd
    
  • Open port 21 in the firewall:
    sudo firewall-cmd --permanent --add-service=ftp
    sudo firewall-cmd --reload
    

Issue 2: 500 OOPS: Cannot Change Directory

Symptoms: Users can log in but cannot enter their home directory (error: "500 OOPS: cannot change directory:/home/username").
Root Cause: With SELinux enforcing, the ftp_home_dir boolean is off by default, so vsftpd is denied access to home directories; ausearch -m avc -ts recent shows the corresponding AVC denial. The same error also appears when the directory does not exist or the user lacks execute (search) permission on it, so check ls -ld /home/username first.
Solution: Enable SELinux support for FTP home directories:

sudo setsebool -P ftp_home_dir on

Issue 3: 553 Could Not Create File

Symptoms: Users can log in and list directories, but uploads fail with "553 Could not create file".
Root Cause: The account vsftpd runs the session as lacks write permission on the target directory, or SELinux denies file creation there (the directory carries a label vsftpd may not write to).
Solution:

  • Make the directory writable by the account that uploads, not by everyone. Give it to the FTP user (for a virtual-user setup, the mapped system account) with mode 755 rather than chmod 777, which would let any local process plant files that the server then serves to every client:
    sudo chown ftpuser:ftpuser /var/ftp/pub
    sudo chmod 755 /var/ftp/pub
    
  • If SELinux is enforcing, label the directory as a writable share. chcon changes the running label only and is undone by the next relabel (restorecon or a filesystem autorelabel); record the rule with semanage (package policycoreutils-python on CentOS 7, policycoreutils-python-utils on CentOS 8) so it persists, then apply it. Anonymous uploads need the ftpd_anon_write boolean on top of the label:
    sudo semanage fcontext -a -t public_content_rw_t "/var/ftp/pub(/.*)?"
    sudo restorecon -Rv /var/ftp/pub
    
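
A small diagnostic script for the three issues above, added here as an example and not code from the original article. Each check reports OK or FAIL with the remedy the text gives, and SELinux and firewalld checks skip themselves where those tools are absent. The writability check creates and removes a probe file as the FTP user (via su, since the account has /sbin/nologin) when run as root, which exercises ownership, mode and SELinux labelling together rather than guessing from ls output. The /var/ftp/pub path and the ftpuser account name are assumptions taken from the text.

```bash
#!/bin/bash
# Added example for Case 3 (not from the original article): checks for the
# connection-refused, cannot-change-directory and 553 failure modes.
# Run as root on the FTP host; /var/ftp/pub and ftpuser are assumed names.

# Issue 1: is anything listening on the FTP control port?
check_listener() {
    local port=${1:-21}
    if ss -ltn 2>/dev/null | awk '{ print $4 }' | grep -q ":${port}\$"; then
        echo "OK: listener on tcp/$port"
    else
        echo "FAIL: nothing listens on tcp/$port (systemctl status vsftpd; journalctl -u vsftpd)"
        return 1
    fi
}

# Issue 1: does firewalld allow the ftp service in the active zone?
check_firewall() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "SKIP: firewalld not installed"; return 0; }
    if firewall-cmd --query-service=ftp >/dev/null 2>&1; then
        echo "OK: ftp service allowed in the active zone"
    else
        echo "FAIL: ftp not allowed (firewall-cmd --permanent --add-service=ftp && firewall-cmd --reload)"
        return 1
    fi
}

# Issue 2: is the SELinux boolean $1 (e.g. ftp_home_dir) on?
check_bool() {
    local b=$1
    command -v getsebool >/dev/null 2>&1 || { echo "SKIP: SELinux tools not installed"; return 0; }
    getenforce 2>/dev/null | grep -q Enforcing || { echo "SKIP: SELinux not enforcing"; return 0; }
    if getsebool "$b" 2>/dev/null | grep -q -- '--> on'; then
        echo "OK: $b is on"
    else
        echo "FAIL: $b is off (setsebool -P $b on; see ausearch -m avc -ts recent)"
        return 1
    fi
}

# Issue 3: can files actually be created in $1? As root the probe runs as
# user $2 through su (works with a /sbin/nologin shell); otherwise as the
# caller. A failure here covers both Unix permissions and SELinux labels.
check_dir_writable() {
    local dir=$1 user=$2 probe
    [ -d "$dir" ] || { echo "FAIL: $dir does not exist"; return 1; }
    probe="$dir/.ftpprobe.$$"
    if [ "$(id -u)" -eq 0 ] && [ -n "$user" ]; then
        su -s /bin/sh "$user" -c "touch '$probe'" 2>/dev/null
    else
        touch "$probe" 2>/dev/null
    fi
    if [ -e "$probe" ]; then
        rm -f "$probe"
        echo "OK: files can be created in $dir"
        return 0
    fi
    echo "FAIL: cannot create files in $dir (ls -ld and ls -Zd $dir; chown to the FTP user, label public_content_rw_t)"
    return 1
}

# Persistent SELinux label for a writable share; chcon alone is lost on relabel.
label_rw_share() {
    semanage fcontext -a -t public_content_rw_t "$1(/.*)?" || return 1
    restorecon -Rv "$1"
}

# Run every check for one deployment: run_all ftpuser /var/ftp/pub
run_all() {
    local user=$1 dir=$2 rc=0
    check_listener 21 || rc=1
    check_firewall || rc=1
    check_bool ftp_home_dir || rc=1
    check_dir_writable "$dir" "$user" || rc=1
    return "$rc"
}

# Demo of the directory check against a temporary directory (no root needed).
tmp=$(mktemp -d)
check_dir_writable "$tmp" "" || true
check_dir_writable "$tmp/missing" "" || true
```

On a host where a 553 is being reported, run_all ftpuser /var/ftp/pub as root gives the four answers in one pass; a FAIL from check_dir_writable while ls -ld shows the right owner and mode points at the SELinux label, which label_rw_share then fixes persistently.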
    

Purpose

These troubleshooting steps address the most common FTP issues, ensuring reliable connectivity and file transfer capabilities. SELinux and firewall configurations are critical to resolving permission-related problems.
