21.2.2. The vsftpd Server

The Very Secure FTP Daemon (vsftpd) is designed from the ground up to be fast, stable, and, most importantly, secure. vsftpd is the only stand-alone FTP server distributed with Red Hat Enterprise Linux, due to its ability to handle large numbers of connections efficiently and securely.
The security model used by vsftpd has three primary aspects:
  • Strong separation of privileged and non-privileged processes — Separate processes handle different tasks, and each of these processes runs with the minimal privileges required for the task.
  • Tasks requiring elevated privileges are handled by processes with the minimal privilege necessary — By taking advantage of compatibilities found in the libcap library, tasks that usually require full root privileges can be executed more safely from a less privileged process.
  • Most processes run in a chroot jail — Whenever possible, processes are change-rooted to the directory being shared; this directory is then considered a chroot jail. For example, if the /var/ftp/ directory is the primary shared directory, vsftpd reassigns /var/ftp/ to the new root directory, known as /. This disallows any potential malicious hacker activities for any directories not contained in the new root directory.
Use of these security practices has the following effect on how vsftpd deals with requests:
  • The parent process runs with the least privileges required — The parent process dynamically calculates the level of privileges it requires to minimize the level of risk. Child processes handle direct interaction with the FTP clients and run with as close to no privileges as possible.
  • All operations requiring elevated privileges are handled by a small parent process — Much like the Apache HTTP Server, vsftpd launches unprivileged child processes to handle incoming connections. This allows the privileged, parent process to be as small as possible and handle relatively few tasks.
  • All requests from unprivileged child processes are distrusted by the parent process — Communication with child processes is received over a socket, and the validity of any information from child processes is checked before being acted on.
  • Most interactions with FTP clients are handled by unprivileged child processes in a chroot jail — Because these child processes are unprivileged and only have access to the directory being shared, any crashed processes only allow the attacker access to the shared files.

21.2.2.1. Starting and Stopping vsftpd

The vsftpd RPM installs the /etc/rc.d/init.d/vsftpd script, which can be accessed using the service command.
To start the server, type the following as root:
~]# service vsftpd start
To stop the server, as type:
~]# service vsftpd stop
The restart option is a shorthand way of stopping and then starting vsftpd. This is the most efficient way to make configuration changes take effect after editing the configuration file for vsftpd.
To restart the server, as type the following as root:
~]# service vsftpd restart
The condrestart (conditional restart) option only starts vsftpd if it is currently running. This option is useful for scripts, because it does not start the daemon if it is not running. The try-restart option is a synonym.
To conditionally restart the server, as root type:
~]# service vsftpd condrestart
By default, the vsftpd service does not start automatically at boot time. To configure the vsftpd service to start at boot time, use an initscript utility, such as /sbin/chkconfig, /usr/sbin/ntsysv, or the Services Configuration Tool program. See Chapter 12, Services and Daemons for more information regarding these tools.

21.2.2.2. Starting Multiple Copies of vsftpd

Sometimes, one computer is used to serve multiple FTP domains. This is a technique called multihoming. One way to multihome using vsftpd is by running multiple copies of the daemon, each with its own configuration file.
To do this, first assign all relevant IP addresses to network devices or alias network devices on the system. For more information about configuring network devices, device aliases, see Chapter 10, NetworkManager. For additional information about network configuration scripts, see Chapter 11, Network Interfaces.
Next, the DNS server for the FTP domains must be configured to reference the correct machine. For information about BIND, the DNS protocol implementation used in Red Hat Enterprise Linux, and its configuration files, see Section 17.2, “BIND”.
For vsftpd to answer requests on different IP addresses, multiple copies of the daemon must be running. In order to make this possible, a separate vsftpd configuration file for each required instance of the FTP server must be created and placed in the /etc/vsftpd/ directory. Note that each of these configuration files must have a unique name (such as /etc/vsftpd/vsftpd-site-2.conf) and must be readable and writable only by the root user.
Within each configuration file for each FTP server listening on an IPv4 network, the following directive must be unique:
listen_address=N.N.N.N
Replace N.N.N.N with a unique IP address for the FTP site being served. If the site is using IPv6, use the listen_address6 directive instead.
Once there are multiple configuration files present in the /etc/vsftpd/ directory, all configured instances of the vsftpd daemon can be started by executing the following command as root:
~]# service vsftpd start
See Section 21.2.2.1, “Starting and Stopping vsftpd” for a description of other available service commands.
Individual instances of the vsftpd daemon can be launched from a root shell prompt using the following command:
~]# vsftpd /etc/vsftpd/configuration-file
In the above command, replace configuration-file with the unique name of the requested server's configuration file, such as vsftpd-site-2.conf.
Other directives to consider altering on a per-server basis are:
  • anon_root
  • local_root
  • vsftpd_log_file
  • xferlog_file
For a detailed list of directives that can be used in the configuration file of the vsftpd daemon, see Section 21.2.2.5, “Files Installed with vsftpd”.

21.2.2.3. Encrypting vsftpd Connections Using TLS

In order to counter the inherently insecure nature of FTP, which transmits user names, passwords, and data without encryption by default, the vsftpd daemon can be configured to utilize the TLS protocol to authenticate connections and encrypt all transfers. Note that an FTP client that supports TLS is needed to communicate with vsftpd with TLS enabled.

Note

SSL (Secure Sockets Layer) is the name of an older implementation of the security protocol. The new versions are called TLS (Transport Layer Security). Only the newer versions (TLS) should be used as SSL suffers from serious security vulnerabilities. The documentation included with the vsftpd server, as well as the configuration directives used in the vsftpd.conf file, use the SSL name when referring to security-related matters, but TLS is supported and used by default when the ssl_enable directive is set to YES.
Set the ssl_enable configuration directive in the vsftpd.conf file to YES to turn on TLS support. The default settings of other TLS-related directives that become automatically active when the ssl_enable option is enabled provide for a reasonably well-configured TLS set up. This includes, among other things, the requirement to only use the TLS v1 protocol for all connections (the use of the insecure SSL protocol versions is disabled by default) or forcing all non-anonymous logins to use TLS for sending passwords and data transfers.

Example 21.10. Configuring vsftpd to Use TLS

In this example, the configuration directives explicitly disable the older SSL versions of the security protocol in the vsftpd.conf file:
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
Restart the vsftpd service after you modify its configuration:
~]# service vsftpd restart
See the vsftpd.conf(5) manual page for other TLS-related configuration directives for fine-tuning the use of TLS by vsftpd. Also, see Section 21.2.2.6, “vsftpd Configuration Options” for a description of other commonly used vsftpd.conf configuration directives.

21.2.2.4. SELinux Policy for vsftpd

The SELinux policy governing the vsftpd daemon (as well as other ftpd processes), defines a mandatory access control, which, by default, is based on least access required. In order to allow the FTP daemon to access specific files or directories, appropriate labels need to be assigned to them.
For example, in order to be able to share files anonymously, the public_content_t label must be assigned to the files and directories to be shared. You can do this using the chcon command as root:
~]# chcon -R -t public_content_t /path/to/directory
In the above command, replace /path/to/directory with the path to the directory to which you want to assign the label. Similarly, if you want to set up a directory for uploading files, you need to assign that particular directory the public_content_rw_t label. In addition to that, the allow_ftpd_anon_write SELinux Boolean option must be set to 1. Use the setsebool command as root to do that:
~]# setsebool -P allow_ftpd_anon_write=1
If you want local users to be able to access their home directories through FTP, which is the default setting on Red Hat Enterprise Linux 6, the ftp_home_dir Boolean option needs to be set to 1. If vsftpd is to be allowed to run in standalone mode, which is also enabled by default on Red Hat Enterprise Linux 6, the ftpd_is_daemon option needs to be set to 1 as well.
See the ftpd_selinux(8) manual page for more information, including examples of other useful labels and Boolean options, on how to configure the SELinux policy pertaining to FTP. Also, see the Red Hat Enterprise Linux 6 Security-Enhanced Linux for more detailed information about SELinux in general.

21.2.2.5. Files Installed with vsftpd

The vsftpd RPM installs the daemon (vsftpd), its configuration and related files, as well as FTP directories onto the system. The following lists the files and directories related to vsftpd configuration:
  • /etc/pam.d/vsftpd — The Pluggable Authentication Modules (PAM) configuration file for vsftpd. This file specifies the requirements a user must meet to log in to the FTP server. For more information on PAM, see the Using Pluggable Authentication Modules (PAM) chapter of the Red Hat Enterprise Linux 6 Single Sign-On and Smart Cards guide.
  • /etc/vsftpd/vsftpd.conf — The configuration file for vsftpd. See Section 21.2.2.6, “vsftpd Configuration Options” for a list of important options contained within this file.
  • /etc/vsftpd/ftpusers — A list of users not allowed to log in to vsftpd. By default, this list includes the root, bin, and daemon users, among others.
  • /etc/vsftpd/user_list — This file can be configured to either deny or allow access to the users listed, depending on whether the userlist_deny directive is set to YES (default) or NO in /etc/vsftpd/vsftpd.conf. If /etc/vsftpd/user_list is used to grant access to users, the user names listed must not appear in /etc/vsftpd/ftpusers.
  • /var/ftp/ — The directory containing files served by vsftpd. It also contains the /var/ftp/pub/ directory for anonymous users. Both directories are world-readable, but writable only by the root user.

21.2.2.6. vsftpd Configuration Options

Although vsftpd may not offer the level of customization other widely available FTP servers have, it offers enough options to satisfy most administrators' needs. The fact that it is not overly feature-laden limits configuration and programmatic errors.
All configuration of vsftpd is handled by its configuration file, /etc/vsftpd/vsftpd.conf. Each directive is on its own line within the file and follows the following format:
directive=value
For each directive, replace directive with a valid directive and value with a valid value.

Important

There must not be any spaces between the directive, equal symbol, and the value in a directive.
Comment lines must be preceded by a hash symbol (#) and are ignored by the daemon.
For a complete list of all directives available, see the man page for vsftpd.conf. For an overview of ways to secure vsftpd, see the Red Hat Enterprise Linux 6 Security Guide.
The following is a list of some of the more important directives within /etc/vsftpd/vsftpd.conf. All directives not explicitly found or commented out within the vsftpd's configuration file are set to their default value.
21.2.2.6.1. Daemon Options
The following is a list of directives that control the overall behavior of the vsftpd daemon.
  • listen — When enabled, vsftpd runs in standalone mode, which means that the daemon is started independently, not by the xinetd super-server. Red Hat Enterprise Linux 6 sets this value to YES. Note that the SELinux ftpd_is_daemon Boolean option needs to be set for vsftpd to be allowed to run in standalone mode. See Section 21.2.2.4, “SELinux Policy for vsftpd” and to ftpd_selinux(8) for more information on vsftpd's interaction with the default SELinux policy. This directive cannot be used in conjunction with the listen_ipv6 directive.
    The default value is NO. On Red Hat Enterprise Linux 6, this option is set to YES in the configuration file.
  • listen_ipv6 — When enabled, vsftpd runs in standalone mode, which means that the daemon is started independently, not by the xinetd super-server. With this directive, it only listens on IPv6 sockets. Note that the SELinux ftpd_is_daemon Boolean option needs to be set for vsftpd to be allowed to run in standalone mode. See Section 21.2.2.4, “SELinux Policy for vsftpd” and to ftpd_selinux(8) for more information on vsftpd's interaction with the default SELinux policy. This directive cannot be used in conjunction with the listen directive.
    The default value is NO.
  • session_support — When enabled, vsftpd attempts to maintain login sessions for each user through Pluggable Authentication Modules (PAM). For more information, see the Using Pluggable Authentication Modules (PAM) chapter of the Red Hat Enterprise Linux 6 Single Sign-On and Smart Cards and the PAM man pages. If session logging is not necessary, disabling this option allows vsftpd to run with less processes and lower privileges.
    The default value is YES.
21.2.2.6.2. Log In Options and Access Controls
The following is a list of directives that control the login behavior and access-control mechanisms.
  • anonymous_enable — When enabled, anonymous users are allowed to log in. The user names anonymous and ftp are accepted.
    The default value is YES.
    See Section 21.2.2.6.3, “Anonymous User Options” for a list of directives affecting anonymous users.
  • banned_email_file — If the deny_email_enable directive is set to YES, this directive specifies the file containing a list of anonymous email passwords that are not permitted access to the server.
    The default value is /etc/vsftpd/banned_emails.
  • banner_file — Specifies the file containing text displayed when a connection is established to the server. This option overrides any text specified in the ftpd_banner directive.
    There is no default value for this directive.
  • cmds_allowed — Specifies a comma-delimited list of FTP commands allowed by the server. All other commands are rejected.
    There is no default value for this directive.
  • deny_email_enable — When enabled, any anonymous user utilizing email passwords specified in /etc/vsftpd/banned_emails are denied access to the server. The name of the file referenced by this directive can be specified using the banned_email_file directive.
    The default value is NO.
  • ftpd_banner — When enabled, the string specified within this directive is displayed when a connection is established to the server. This option can be overridden by the banner_file directive.
    By default, vsftpd displays its standard banner.
  • local_enable — When enabled, local users are allowed to log in to the system. Note that the SELinux ftp_home_dir Boolean option needs to be set for this directive to work as expected. See Section 21.2.2.4, “SELinux Policy for vsftpd” and to ftpd_selinux(8) for more information on vsftpd's interaction with the default SELinux policy.
    The default value is NO. On Red Hat Enterprise Linux 6, this option is set to YES in the configuration file.
    See Section 21.2.2.6.4, “Local-User Options” for a list of directives affecting local users.
  • pam_service_name — Specifies the PAM service name for vsftpd.
    The default value is ftp. On Red Hat Enterprise Linux 6, this option is set to vsftpd in the configuration file.
  • tcp_wrappers — When enabled, TCP wrappers are used to grant access to the server. If the FTP server is configured on multiple IP addresses, the VSFTPD_LOAD_CONF environment variable can be used to load different configuration files based on the IP address being requested by the client.
    The default value is NO. On Red Hat Enterprise Linux 6, this option is set to YES in the configuration file.
  • userlist_deny — When used in conjunction with the userlist_enable directive and set to NO, all local users are denied access unless their user name is listed in the file specified by the userlist_file directive. Because access is denied before the client is asked for a password, setting this directive to NO prevents local users from submitting unencrypted passwords over the network.
    The default value is YES.
  • userlist_enable — When enabled, users listed in the file specified by the userlist_file directive are denied access. Because access is denied before the client is asked for a password, users are prevented from submitting unencrypted passwords over the network.
    The default value is NO. On Red Hat Enterprise Linux 6, this option is set to YES in the configuration file.
  • userlist_file — Specifies the file referenced by vsftpd when the userlist_enable directive is enabled.
    The default value is /etc/vsftpd/user_list, which is created during installation.
21.2.2.6.3. Anonymous User Options
The following lists directives that control anonymous user access to the server. To use these options, the anonymous_enable directive must be set to YES.
  • anon_mkdir_write_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to create new directories within a parent directory that has write permissions.
    The default value is NO.
  • anon_root — Specifies the directory vsftpd changes to after an anonymous user logs in.
    There is no default value for this directive.
  • anon_upload_enable — When enabled in conjunction with the write_enable directive, anonymous users are allowed to upload files within a parent directory that has write permissions.
    The default value is NO.
  • anon_world_readable_only — When enabled, anonymous users are only allowed to download world-readable files.
    The default value is YES.
  • ftp_username — Specifies the local user account (listed in /etc/passwd) used for the anonymous FTP user. The home directory specified in /etc/passwd for the user is the root directory of the anonymous FTP user.
    The default value is ftp.
  • no_anon_password — When enabled, the anonymous user is not asked for a password.
    The default value is NO.
  • secure_email_list_enable — When enabled, only a specified list of email passwords for anonymous logins is accepted. This is a convenient way of offering limited security to public content without the need for virtual users.
    Anonymous logins are prevented unless the password provided is listed in /etc/vsftpd/email_passwords. The file format is one password per line, with no trailing white spaces.
    The default value is NO.
21.2.2.6.4. Local-User Options
The following lists directives that characterize the way local users access the server. To use these options, the local_enable directive must be set to YES. Note that the SELinux ftp_home_dir Boolean option needs to be set for users to be able to access their home directories. See Section 21.2.2.4, “SELinux Policy for vsftpd” and to ftpd_selinux(8) for more information on vsftpd's interaction with the default SELinux policy.
  • chmod_enable — When enabled, the FTP command SITE CHMOD is allowed for local users. This command allows the users to change the permissions on files.
    The default value is YES.
  • chroot_list_enable — When enabled, the local users listed in the file specified in the chroot_list_file directive are placed in a chroot jail upon log in.
    If enabled in conjunction with the chroot_local_user directive, the local users listed in the file specified in the chroot_list_file directive are not placed in a chroot jail upon log in.
    The default value is NO.
  • chroot_list_file — Specifies the file containing a list of local users referenced when the chroot_list_enable directive is set to YES.
    The default value is /etc/vsftpd/chroot_list.
  • chroot_local_user — When enabled, local users are change-rooted to their home directories after logging in.
    The default value is NO.

    Warning

    Enabling chroot_local_user opens up a number of security issues, especially for users with upload privileges. For this reason, it is not recommended.
  • guest_enable — When enabled, all non-anonymous users are logged in as the user guest, which is the local user specified in the guest_username directive.
    The default value is NO.
  • guest_username — Specifies the user name the guest user is mapped to.
    The default value is ftp.
  • local_root — Specifies the directory vsftpd changes to after a local user logs in.
    There is no default value for this directive.
  • local_umask — Specifies the umask value for file creation. Note that the default value is in octal form (a numerical system with a base of eight), which includes a “0” prefix. Otherwise, the value is treated as a base-10 integer.
    The default value is 077. On Red Hat Enterprise Linux 6, this option is set to 022 in the configuration file.
  • passwd_chroot_enable — When enabled in conjunction with the chroot_local_user directive, vsftpd change-roots local users based on the occurrence of /./ in the home-directory field within /etc/passwd.
    The default value is NO.
  • user_config_dir — Specifies the path to a directory containing configuration files bearing the names of local system users that contain specific settings for those users. Any directive in a user's configuration file overrides those found in /etc/vsftpd/vsftpd.conf.
    There is no default value for this directive.
21.2.2.6.5. Directory Options
The following lists directives that affect directories.
  • dirlist_enable — When enabled, users are allowed to view directory lists.
    The default value is YES.
  • dirmessage_enable — When enabled, a message is displayed whenever a user enters a directory with a message file. This message resides within the current directory. The name of this file is specified in the message_file directive and is .message by default.
    The default value is NO. On Red Hat Enterprise Linux 6, this option is set to YES in the configuration file.
  • force_dot_files — When enabled, files beginning with a dot (.) are listed in directory listings, with the exception of the . and .. files.
    The default value is NO.
  • hide_ids — When enabled, all directory listings show ftp as the user and group for each file.
    The default value is NO.
  • message_file — Specifies the name of the message file when using the dirmessage_enable directive.
    The default value is .message.
  • text_userdb_names — When enabled, text user names and group names are used in place of UID and GID entries. Enabling this option may negatively affect the performance of the server.
    The default value is NO.
  • use_localtime — When enabled, directory listings reveal the local time for the computer instead of GMT.
    The default value is NO.
21.2.2.6.6. File Transfer Options
The following lists directives that affect directories.
  • download_enable — When enabled, file downloads are permitted.
    The default value is YES.
  • chown_uploads — When enabled, all files uploaded by anonymous users are owned by the user specified in the chown_username directive.
    The default value is NO.
  • chown_username — Specifies the ownership of anonymously uploaded files if the chown_uploads directive is enabled.
    The default value is root.
  • write_enable — When enabled, FTP commands which can change the file system are allowed, such as DELE, RNFR, and STOR.
    The default value is NO. On Red Hat Enterprise Linux 6, this option is set to YES in the configuration file.
21.2.2.6.7. Logging Options
The following lists directives that affect vsftpd's logging behavior.
  • dual_log_enable — When enabled in conjunction with xferlog_enable, vsftpd writes two files simultaneously: a wu-ftpd-compatible log to the file specified in the xferlog_file directive (/var/log/xferlog by default) and a standard vsftpd log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default).
    The default value is NO.
  • log_ftp_protocol — When enabled in conjunction with xferlog_enable and with xferlog_std_format set to NO, all FTP commands and responses are logged. This directive is useful for debugging.
    The default value is NO.
  • syslog_enable — When enabled in conjunction with xferlog_enable, all logging normally written to the standard vsftpd log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default) is sent to the system logger instead under the FTPD facility.
    The default value is NO.
  • vsftpd_log_file — Specifies the vsftpd log file. For this file to be used, xferlog_enable must be enabled and xferlog_std_format must either be set to NO or, if xferlog_std_format is set to YES, dual_log_enable must be enabled. It is important to note that if syslog_enable is set to YES, the system log is used instead of the file specified in this directive.
    The default value is /var/log/vsftpd.log.
  • xferlog_enable — When enabled, vsftpd logs connections (vsftpd format only) and file-transfer information to the log file specified in the vsftpd_log_file directive (/var/log/vsftpd.log by default). If xferlog_std_format is set to YES, file-transfer information is logged, but connections are not, and the log file specified in xferlog_file (/var/log/xferlog by default) is used instead. It is important to note that both log files and log formats are used if dual_log_enable is set to YES.
    The default value is NO. On Red Hat Enterprise Linux 6, this option is set to YES in the configuration file.
  • xferlog_file — Specifies the wu-ftpd-compatible log file. For this file to be used, xferlog_enable must be enabled and xferlog_std_format must be set to YES. It is also used if dual_log_enable is set to YES.
    The default value is /var/log/xferlog.
  • xferlog_std_format — When enabled in conjunction with xferlog_enable, only a wu-ftpd-compatible file-transfer log is written to the file specified in the xferlog_file directive (/var/log/xferlog by default). It is important to note that this file only logs file transfers and does not log connections to the server.
    The default value is NO. On Red Hat Enterprise Linux 6, this option is set to YES in the configuration file.

Important

To maintain compatibility with log files written by the older wu-ftpd FTP server, the xferlog_std_format directive is set to YES under Red Hat Enterprise Linux 6. However, this setting means that connections to the server are not logged. To both log connections in vsftpd format and maintain a wu-ftpd-compatible file-transfer log, set dual_log_enable to YES. If maintaining a wu-ftpd-compatible file-transfer log is not important, either set xferlog_std_format to NO, comment the line with a hash symbol (“#”), or delete the line entirely.
21.2.2.6.8. Network Options
The following lists directives that define how vsftpd interacts with the network.
  • accept_timeout — Specifies the amount of time for a client using passive mode to establish a connection.
    The default value is 60.
  • anon_max_rate — Specifies the maximum data transfer rate for anonymous users in bytes per second.
    The default value is 0, which does not limit the transfer rate.
  • connect_from_port_20 — When enabled, vsftpd runs with enough privileges to open port 20 on the server during active-mode data transfers. Disabling this option allows vsftpd to run with less privileges but may be incompatible with some FTP clients.
    The default value is NO. On Red Hat Enterprise Linux 6, this option is set to YES in the configuration file.
  • connect_timeout — Specifies the maximum amount of time a client using active mode has to respond to a data connection, in seconds.
    The default value is 60.
  • data_connection_timeout — Specifies maximum amount of time data transfers are allowed to stall, in seconds. Once triggered, the connection to the remote client is closed.
    The default value is 300.
  • ftp_data_port — Specifies the port used for active data connections when connect_from_port_20 is set to YES.
    The default value is 20.
  • idle_session_timeout — Specifies the maximum amount of time between commands from a remote client. Once triggered, the connection to the remote client is closed.
    The default value is 300.
  • listen_address — Specifies the IP address on which vsftpd listens for network connections.
    There is no default value for this directive.

    Note

    If running multiple copies of vsftpd serving different IP addresses, the configuration file for each copy of the vsftpd daemon must have a different value for this directive. See Section 21.2.2.2, “Starting Multiple Copies of vsftpd” for more information about multihomed FTP servers.
  • listen_address6 — Specifies the IPv6 address on which vsftpd listens for network connections when listen_ipv6 is set to YES.
    There is no default value for this directive.

    Note

    If running multiple copies of vsftpd serving different IP addresses, the configuration file for each copy of the vsftpd daemon must have a different value for this directive. See Section 21.2.2.2, “Starting Multiple Copies of vsftpd” for more information about multihomed FTP servers.
  • listen_port — Specifies the port on which vsftpd listens for network connections.
    The default value is 21.
  • local_max_rate — Specifies the maximum rate at which data is transferred for local users logged in to the server in bytes per second.
    The default value is 0, which does not limit the transfer rate.
  • max_clients — Specifies the maximum number of simultaneous clients allowed to connect to the server when it is running in standalone mode. Any additional client connections would result in an error message.
    The default value is 0, which does not limit connections.
  • max_per_ip — Specifies the maximum number of clients allowed to connect from the same source IP address.
    The default value is 50. The value 0 switches off the limit.
  • pasv_address — Specifies the IP address for the public-facing IP address of the server for servers behind Network Address Translation (NAT) firewalls. This enables vsftpd to hand out the correct return address for passive-mode connections.
    There is no default value for this directive.
  • pasv_enable — When enabled, passive-mode connections are allowed.
    The default value is YES.
  • pasv_max_port — Specifies the highest possible port sent to FTP clients for passive-mode connections. This setting is used to limit the port range so that firewall rules are easier to create.
    The default value is 0, which does not limit the highest passive-port range. The value must not exceed 65535.
  • pasv_min_port — Specifies the lowest possible port sent to FTP clients for passive-mode connections. This setting is used to limit the port range so that firewall rules are easier to create.
    The default value is 0, which does not limit the lowest passive-port range. The value must not be lower than 1024.
  • pasv_promiscuous — When enabled, data connections are not checked to make sure they are originating from the same IP address. This setting is only useful for certain types of tunneling.

    Warning

    Do not enable this option unless absolutely necessary as it disables an important security feature, which verifies that passive-mode connections originate from the same IP address as the control connection that initiates the data transfer.
    The default value is NO.
  • port_enable — When enabled, active-mode connects are allowed.
    The default value is YES.
21.2.2.6.9. Security Options
The following lists directives that can be used to improve vsftpd security.
  • isolate_network — If enabled, vsftpd uses the CLONE_NEWNET container flag to isolate the unprivileged protocol handler processes, so that they cannot arbitrarily call connect() and instead have to ask the privileged process for sockets (the port_promiscuous option must be disabled).
    The default value is YES.
  • isolate — If enabled, vsftpd uses the CLONE_NEWPID and CLONE_NEWIPC container flags to isolate processes to their IPC and PID namespaces to prevent them from interacting with each other.
    The default value is YES.
  • ssl_enable — Enables vsftpd's support for SSL (including TLS). SSL is used both for authentication and subsequent data transfers. Note that all other SSL-related options are only applicable if ssl_enable is set to YES.
    The default value is NO.
  • allow_anon_ssl — Specifies whether anonymous users should be allowed to use secured SSL connections.
    The default value is NO.
  • require_cert — If enabled, all SSL client connections are required to present a client certificate.
    The default value is NO.