How to Install VSFTPD


Install FTP server VSFTPD and hardening trough Fail2ban

Very Secure File Transfer Protocol Deamon (VSFTPD), as the service of the same name promises us, VSFTPD is a secure FTP daemon, which is used as the default FTP server by most Linux distributions, such as in Debian, Ubuntu, CentOS, Fedora, RHEL and more. VSFTPD provide a stable FTP server and is authorized under the GNU General Public License. VSFTPD is designed for secure and easy support for virtual clients with PAM (Pluggable Authentication Modules). This tutorial shows how to install VSFTPD and implement it with Fail2ban on Debian 10 (buster) or other Linux versions. Fail2ban is an intrusion prevention system written in Python that runs on any Linux operating system that includes a manipulable firewall.


The provision of VSFTPD on Debian as well as under Ubuntu as usual by running the apt package manager from the default repository.

CentOS and RHEL install VSFTPD using DNF Dandified Yum.

After the installation we take steps to configuring VSFTPD.

For CentOS / RHEL / Fedora, vsftpd.conf find on path /etc/vsftpd.

  If you don’t like VIM, you can edit using nano or ne. or whatever your favorite is,

We disable anonymous login and allow local users to write.

chroot jail for FTP users

chroot stands for change root and is a feature for Unix systems to change the root directory. chroot only affects the current process and its child processes, it is a simple jail mechanism in which the FTP server prevents users from accessing files outside of its directory. chroot is also an easy way to sandbox untrusted data. The chroot settings for VSFTPD users can be found in the file vsftpd.conf.

To configuring for chroot users, go to the line chroot_local_user and change to YES, as with chroot_list_enable

All users are chrooted, except for a few who are exempt by creating the file /etc/vsftpd.chroot_list to containing those users who are excluded from chroot.

  CentOS / RHEL path /etc/vsftpd/vsftpd.chroot_list

It is possible to completely lock out users, to refuse login for certain users, add following lines to the file vsftpd.conf.

Create a file vsftpd.userlist and add users to it. Add user per line like the service accounts, for example: vsftpd.userlist

SFTP encrypted authentication

So that passwords are not sent in clear text, add these options to the configuration file, some of which are already available, check them and change the options if necessary.

Note: The default is that SFTP is already enabled by the SSH daemon, so check the file /etc/ssh/sshd_config.

Hint! more recommended VSFTPD settings

VSFTPD protection with Fail2ban

To protect the FTP server from brute force attacks, Fail2ban is activated for VSFTPD. If there are a defined number of failed login attempts, the suspicious host is locked for a certain amount of time. For Fail2ban to work, the logs are important. For this purpose, Fail2ban is installed on the FTP server.

For Fail2ban and VSFTPD, create the file jail.local, if not already exist.

  The file jail.conf can also be copied, or individual blocks of the services can be added to jail.local.

The logs are important for the functionality of Fail2ban. The FTP server (VSFTPD) logs in to log file /var/log/vsftpd.log. Fail2ban is flexible and can be adapted to most requirements. If an additional service is used, which requires xferlog, it can be logged in both log files with dual_log_enable=YES.

  In the standard, /var/log/vsftpd.log is read out, which is predefined with the variable %(vsftpd_log)s.

The Fail2ban filter for vsftpd contains the file at /etc/fail2ban/filter.d/vsftpd.conf

The Fail2ban daemon must restart to apply changes.

Now check blocked IP addresses by Fail2ban you can be here as root run this fail2ban-client command.

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Leave a Reply

Your email address will not be published. Required fields are marked *