vsftpd configuration file details

  • 2020-05-17 06:55:36
  • OfStack

1. Default configuration:

1) Anonymous and local users are allowed to log in.
anonymous_enable=YES
local_enable=YES
2) The login name of the anonymous user is ftp or anonymous, and the password is empty. Anonymous users cannot leave the anonymous home directory /var/ftp, and can only download, not upload.
3) The login name of a local user is the local user name, and the password is the local user's password. Local users can read and write in their own directories; they can also leave their own directory and change to any other directory they have permission for, and upload/download where permissions allow.
write_enable=YES
4) Local users listed in the file /etc/vsftpd.ftpusers are not allowed to log in.

2. Configuration file format:

The content of vsftpd.conf is very simple: one setting per line. Blank lines and lines beginning with # are ignored. Every setting has the same form:
option=value
Note that there must be no spaces on either side of the equals sign.

3. Anonymous user (anonymous) Settings

anonymous_enable=YES/NO (YES)
Controls whether anonymous users are allowed to log in: YES allows anonymous login, NO forbids it. The default value is YES.
write_enable=YES/NO (YES)
Controls whether logged-in users get write permission. This is a global setting; the default value is YES.
no_anon_password=YES/NO (NO)
If enabled, anonymous users are not asked for a password. The default value is NO.
ftp_username=ftp
Defines the system user name used for anonymous logins. The default value is ftp.
anon_root=/var/ftp
The directory an anonymous user is placed in after logging in. The default value is /var/ftp. Note that this directory must not have mode 777; that is, the anonymous user's home directory must not be world-writable.
anon_upload_enable=YES/NO (NO)
If set to YES, anonymous logins may upload files (not directories). This only takes effect when write_enable=YES, and the anonymous user must also have write permission on the target directory. The default value is NO.
anon_world_readable_only=YES/NO (YES)
If set to YES, anonymous logins may only download files that are world-readable. The default value is YES.
anon_mkdir_write_enable=YES/NO (NO)
If set to YES, anonymous logins may create new directories. This only takes effect when write_enable=YES, and the anonymous user must also have write permission on the parent directory. The default value is NO.
anon_other_write_enable=YES/NO (NO)
If set to YES, anonymous logins get write permissions beyond uploading and creating directories, such as deleting or renaming. (If anon_upload_enable=NO, the anonymous user cannot upload files but can still delete or rename existing files; if anon_mkdir_write_enable=NO, the anonymous user cannot create new directories but can still delete or rename existing ones.) The default value is NO.
chown_uploads=YES/NO (NO)
Sets whether the owner of files (not directories) uploaded by anonymous users is changed. The default value is NO.
chown_username=username
Sets the user that files (not directories) uploaded by anonymous users are chowned to. Setting this to root is not recommended.
anon_umask=077
Sets the umask applied when anonymous logins create or upload files. The default value is 077; the corresponding permission for a new file is 700.
deny_email_enable=YES/NO (NO)
If enabled, you must provide the file /etc/vsftpd/banner_emails containing a list of email addresses. Anonymous logins are asked for an email address as the password; if the address entered appears in this file, the login is refused. The default value is NO.
banned_email_file=/etc/vsftpd/banner_emails
The file of email addresses consulted when deny_email_enable=YES: an anonymous login that gives an address listed in this file is refused.

4. Local user Settings

local_enable=YES/NO (YES)
Controls whether local users are allowed to log in: YES allows local logins, NO forbids them. The default value is YES.
local_root=/home/username
The directory a local user is placed in after logging in. The default value is each user's own home directory.
write_enable=YES/NO (YES)
Controls whether logged-in users get write permission. This is a global setting; the default value is YES.
local_umask=022
The umask applied when a local user creates a file. The default value is 077.
file_open_mode=0755
The permissions, in chmod notation, given to files uploaded by local users. The default value is 0666.

5. Welcome language setting

dirmessage_enable=YES/NO (YES)
If enabled, the first time a user enters a directory vsftpd checks whether that directory contains a .message file; if it does, the file's contents are displayed. The default value is YES.
message_file=.message
Sets the name of the per-directory message file in which the text to be displayed is written. The default value is .message.
banner_file=/etc/vsftpd/banner
When a user logs in, the contents of the file named here are displayed, usually as a welcome message or description. There is no default. Use this option when the welcome text is long.
ftpd_banner=Welcome to BOB's FTP server
Defines the greeting as a string: banner_file gives the greeting as a file, ftpd_banner gives it as a string. There is no default.

6. Controlling whether users may change to directories above their home

By default, a local user who logs in to FTP can use the cd command to change to other directories, which can pose a security risk to the system. The following three configuration items control whether users may leave their home directory.
chroot_list_enable=YES/NO (NO)
Sets whether the user list file specified by chroot_list_file is used. The default value is NO.
chroot_list_file=/etc/vsftpd.chroot_list
Specifies the user list file that controls which users are, or are not, confined to their home directory.
chroot_local_user=YES/NO (NO)
Sets whether local users are confined (chrooted) to their home directory by default. The default value is NO.
The following effects can be achieved by combining them:
When chroot_list_enable=YES and chroot_local_user=YES, users listed in /etc/vsftpd.chroot_list can change to other directories; users not listed cannot.
When chroot_list_enable=YES and chroot_local_user=NO, users listed in /etc/vsftpd.chroot_list cannot change to other directories; users not listed can.
When chroot_list_enable=NO and chroot_local_user=YES, no user can change to other directories.
When chroot_list_enable=NO and chroot_local_user=NO, all users can change to other directories.

7. Data transmission mode setting

When transferring data, FTP can use either binary mode or ASCII mode for uploads and downloads.
ascii_upload_enable=YES/NO (NO)
Sets whether ASCII mode is allowed for uploads. The default value is NO.
ascii_download_enable=YES/NO (NO)
Sets whether ASCII mode is allowed for downloads. The default value is NO.

8. Access control Settings

There are two kinds of control: host access control and user access control.
Host access control:
tcp_wrappers=YES/NO (YES)
Sets whether vsftpd uses TCP wrappers for host access control. The default value is YES. When enabled, the vsftpd server checks the settings in /etc/hosts.allow and /etc/hosts.deny to decide whether the connecting host is allowed to access the FTP server. These two files can act as a simple firewall.
For example, to allow only hosts in 192.168.0.1 to 192.168.0.254 to connect to the FTP server, add the following to /etc/hosts.allow:
vsftpd: 192.168.0. : allow
ALL: ALL : deny
User access control:
Access control for users is done through the vsftpd.user_list and ftpusers files in the /etc directory.
userlist_file=/etc/vsftpd.user_list
The file that controls user access to FTP; it contains user names, one per line.
userlist_enable=YES/NO (NO)
Whether the vsftpd.user_list file is used.
userlist_deny=YES/NO (YES)
Determines whether the users in vsftpd.user_list are allowed to access the FTP server. If set to YES, the users in vsftpd.user_list are denied access; if set to NO, only the users in vsftpd.user_list may access FTP.
The file /etc/vsftpd/ftpusers specifically lists users who are never allowed to access the FTP server. (Note: with userlist_enable=YES and userlist_deny=NO, a user who appears in both vsftpd.user_list and ftpusers still cannot access FTP; ftpusers takes priority.) By default, vsftpd.user_list and ftpusers are pre-populated with internal system accounts that must not access the FTP server. If the system does not have these two files, create them and add the users.
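The rules from sections 2, 6 and 8 above as an added example (not code from the article or from vsftpd itself): a small Python helper that parses a vsftpd.conf in the format described and evaluates, for a given user, whether the chroot and user-list settings confine or admit them. The configuration text, list contents and user names are constructed for illustration.

```python
# Added example (not from the article or vsftpd): evaluates the vsftpd.conf rules
# described in sections 2, 6 and 8 above against constructed sample input.
# Defaults as stated in the article for the options consulted below.
DEFAULTS = {"chroot_local_user": "NO", "chroot_list_enable": "NO",
            "userlist_enable": "NO", "userlist_deny": "YES"}

def parse_vsftpd_conf(text):
    """Section 2: one option=value per line, blank and '#' lines ignored, no spaces around '='."""
    conf = dict(DEFAULTS)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected option=value")
        opt, val = line.split("=", 1)
        if opt != opt.strip() or val != val.strip():
            raise ValueError(f"line {lineno}: no spaces allowed around '='")
        conf[opt] = val
    return conf

def conf_error(text):
    """Return the parse error for text, or None when it parses cleanly."""
    try:
        parse_vsftpd_conf(text)
    except ValueError as err:
        return str(err)
    return None

def is_chrooted(conf, user, chroot_list):
    """Section 6: chroot_local_user sets the rule for everyone; with
    chroot_list_enable=YES, users named in chroot_list_file get the opposite."""
    chrooted = conf["chroot_local_user"] == "YES"
    if conf["chroot_list_enable"] == "YES" and user in chroot_list:
        chrooted = not chrooted
    return chrooted

def local_login_allowed(conf, user, user_list, ftpusers):
    """Section 8: ftpusers always denies; with userlist_enable=YES, user_list is
    a deny list when userlist_deny=YES and an allow list when userlist_deny=NO."""
    if user in ftpusers:
        return False
    if conf["userlist_enable"] == "YES":
        listed = user in user_list
        return (not listed) if conf["userlist_deny"] == "YES" else listed
    return True

# Constructed sample (not a real server): chroot everyone except listed users, allow-list logins.
SAMPLE_CONF = "chroot_local_user=YES\nchroot_list_enable=YES\nuserlist_enable=YES\nuserlist_deny=NO\n"
```

The two set arguments stand in for the contents of chroot_list_file, userlist_file and /etc/vsftpd/ftpusers, which on a real server would be read one user name per line.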

9. Access rate Settings

anon_max_rate=0
Sets the maximum transfer rate for anonymous logins, in bytes per second; 0 means unlimited. The default value is 0.
local_max_rate=0
Sets the maximum transfer rate for local users, in bytes per second; 0 means unlimited. The default value is 0.

10. Timeout setting

accept_timeout=60
Timeout in seconds for establishing an FTP connection. The default value is 60.
connect_timeout=60
Timeout in seconds for establishing a data connection in PORT mode. The default value is 60.
data_connection_timeout=120
Timeout in seconds for an FTP data connection. The default value is 120.
idle_session_timeout=300
Number of seconds a session may remain idle (no commands sent) before the server disconnects it. The default value is 300.

11. Log file Settings

xferlog_enable=YES/NO (YES)
Whether upload/download logging is enabled. If enabled, all uploads and downloads are recorded in the file defined by xferlog_file. The default value is YES.
xferlog_file=/var/log/vsftpd.log
Sets the log file name and path. The default value is /var/log/vsftpd.log.
xferlog_std_format=YES/NO (NO)
If enabled, the log file is written in the standard xferlog format used by wu-ftpd. The default value is NO.
log_ftp_protocol=YES/NO (NO)
If enabled, every FTP request and response is recorded in the log; the default log file is /var/log/vsftpd.log. xferlog_std_format cannot be enabled at the same time. This option is useful for debugging. The default value is NO.

12. Define user profiles

In vsftpd, you can define per-user configuration files so that different users get different settings.
user_config_dir=/etc/vsftpd/userconf
Sets the directory holding the per-user configuration files. When this item is set, after a user logs in the server looks in the /etc/vsftpd/userconf directory for a file named after the current user and applies the configuration commands in that file to the current session.
For example, if we define user_config_dir=/etc/vsftpd/userconf and the host has users test1 and test2, we add two files named test1 and test2 in the user_config_dir directory. When test1 logs in, the settings in the test1 file under user_config_dir are read. There is no default. Per-user configuration files can be used, for instance, to control the transfer rate of different users by defining local_max_rate=XX in each file.

13. FTP working modes and port settings

FTP works in two modes: PORT FTP (active mode) and PASV FTP (passive mode).
listen_port=21
Sets the port on which the FTP server listens for control connections. The default value is 21.
connect_from_port_20=YES/NO
Specifies that the server uses port 20 as the source port for data transfers. The default value is YES.
ftp_data_port=20
Sets the port used for data connections in PORT mode. The default value is 20.
pasv_enable=YES/NO (YES)
If set to YES, PASV mode is available; if set to NO, only PORT mode is used. The default value is YES.
pasv_max_port=0
In PASV mode, the highest port in the range available for data connections; 0 means any port. The default value is 0.
pasv_min_port=0
In PASV mode, the lowest port in the range available for data connections; 0 means any port. The default value is 0.

14. Connection-related Settings

listen=YES/NO (YES)
Sets whether the vsftpd server runs in standalone mode. Running in standalone mode is recommended; it requires listen=YES, which is the default, and many of the configuration items that affect the running server only take effect in this mode, so changing it is not advised. If set to NO, vsftpd does not run as a separate service but is controlled by the xinetd service, with reduced functionality.
max_clients=0
Sets the maximum number of connections vsftpd allows. The default value is 0, meaning unlimited. If set to 100, 100 simultaneous connections are allowed and further connections are rejected. Only effective in standalone mode.
max_per_ip=0
Sets the maximum number of simultaneous connections allowed from a single client IP address. The default value is 0, meaning unlimited. Only effective in standalone mode.
listen_address=IP address
Makes the FTP server listen for client requests only on the specified IP address. If not set, it listens on all IP addresses bound to the server. Only effective in standalone mode.
setproctitle_enable=YES/NO (NO)
Sets whether each connection to the FTP server is represented by a distinctly named process. The default value is NO, in which case ps aux | grep ftp shows only one vsftpd process title; if set to YES, each connection shows up as its own vsftpd process.

15. Virtual user Settings

Virtual users are authenticated through PAM.
pam_service_name=vsftpd
Sets the PAM service name to use. The default value is vsftpd, i.e. the file /etc/pam.d/vsftpd.
guest_enable=YES/NO (NO)
Enables virtual users. The default value is NO.
guest_username=ftp
The local user that virtual users are mapped to. The default value is ftp.
virtual_use_local_privs=YES/NO (NO)
When this parameter is enabled (YES), virtual users get the same permissions as local users. When it is disabled (NO), virtual users get the same permissions as anonymous users. It is disabled (NO) by default.

16. Other Settings

text_userdb_names=YES/NO (NO)
Sets whether directory listings such as ls show numeric UIDs and GIDs or the actual user and group names. The default value is NO, which shows UIDs and GIDs. Set it to YES to show user and group names.
ls_recurse_enable=YES/NO (NO)
If enabled, users may use ls -R, which lists the files in subdirectories of the current directory recursively. The default value is NO.
hide_ids=YES/NO (NO)
If enabled, the owner and group of every file are shown as ftp, so a user running ls -al sees ftp as both owner and group of every file. The default value is NO.
download_enable=YES/NO (YES)
If set to NO, no files can be downloaded; directory listings are not affected. The default value is YES.
