When implementing user access control in VSFTPD, the configuration involves three critical directives in /etc/vsftpd.conf:
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
This configuration creates a whitelist system where only users specified in /etc/vsftpd.user_list can authenticate. The behavior changes significantly based on the userlist_deny parameter:
- userlist_deny=NO: Only listed users can log in (whitelist)
- userlist_deny=YES: Listed users cannot log in (blacklist)
From analyzing the provided configuration files, several potential issues emerge:
# Critical checkpoints for troubleshooting:
1. File permissions:
- vsftpd.user_list should be readable (chmod 644)
- vsftpd.conf should be world-readable (chmod 600)
2. Path verification:
- Absolute paths work best (/etc/vsftpd.user_list)
- Verify file exists at specified location
3. User spelling:
- Case-sensitive usernames
- No trailing whitespace
- One user per line
Here's a complete working configuration that implements user whitelisting:
# /etc/vsftpd.conf
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
# Whitelist configuration
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
With the matching user list file:
# /etc/vsftpd.user_list
streams
When connections hang without error messages:
- Check VSFTPD logs:
tail -f /var/log/vsftpd.log
- Test with verbose FTP client:
lftp -d -u streams ftp://localhost
- Verify PAM configuration:
/etc/pam.d/vsftpd
- Test with alternate client:
ftp -v localhost
Remember that VSFTPD may require a restart after config changes: systemctl restart vsftpd
For production environments, consider these hardening measures:
# Additional security settings
require_ssl_reuse=NO
ssl_ciphers=HIGH
pasv_min_port=40000
pasv_max_port=50000
Always verify firewall rules allow FTP traffic on both control (21) and data (20, pasv_range) ports.
When implementing user whitelisting in VSFTPD, many administrators encounter a puzzling situation where the FTP server becomes completely inaccessible once userlist_enable=YES is set, despite having a properly formatted user list file. The connection attempts simply time out without any authentication failure messages.
For proper user whitelisting in VSFTPD, you need these fundamental settings:
# Enable user list functionality
userlist_enable=YES
# Path to user list file (default is /etc/vsftpd.user_list)
userlist_file=/etc/vsftpd.user_list
# Reverse the meaning: NO means only listed users can log in
userlist_deny=NO
The most frequent issues that cause this behavior:
# 1. File permission issues
sudo chmod 600 /etc/vsftpd.user_list
sudo chown root:root /etc/vsftpd.user_list
# 2. Case sensitivity in usernames
# Ensure username matches exactly (including case)
grep -i "streams" /etc/passwd
# 3. Missing PAM configuration
# Check auth logs for PAM errors
sudo tail -f /var/log/auth.log
Here's a complete working configuration that implements whitelisting:
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
xferlog_std_format=YES
chroot_local_user=YES
allow_writeable_chroot=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
# Whitelist configuration
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
When troubleshooting, enable verbose logging:
# Add to vsftpd.conf
debug_ssl=YES
log_ftp_protocol=YES
syslog_enable=YES
Then monitor logs in real-time:
sudo tail -f /var/log/vsftpd.log /var/log/auth.log /var/log/syslog
Remember these security best practices:
- Always use TLS/SSL when possible
- Combine with chroot for better isolation
- Regularly audit user list file permissions
- Consider using vsftpd's built-in SSL rather than plain FTP
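As an added example (not code from either answer above), a small Python audit that applies the whitelist/blacklist meaning of userlist_deny and the username-matching rules (case-sensitive, no trailing whitespace, one user per line) described in both answers to a constructed vsftpd.conf and user list. The sample inputs, and the account names other than the page's "streams", are constructed for the demonstration.

```python
# Audit a vsftpd user-list setup offline: parse vsftpd.conf, decide whether the
# list acts as a whitelist or a blacklist, and flag user_list entries that will
# never match a login (trailing whitespace, wrong case, unknown account).

def parse_vsftpd_conf(text):
    """Return {directive: value} from vsftpd.conf text; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def userlist_mode(conf):
    """'off' when the list is not consulted, else 'whitelist' or 'blacklist'.
    userlist_deny defaults to YES in vsftpd, so omitting it gives a blacklist."""
    if conf.get("userlist_enable", "NO").upper() != "YES":
        return "off"
    return "whitelist" if conf.get("userlist_deny", "YES").upper() == "NO" else "blacklist"

def audit_user_list(list_text, known_users):
    """Return [(raw_line, problem)] for entries that cannot match a real login.
    Entries are matched one per line and literally, so whitespace and case count."""
    problems = []
    for raw in list_text.splitlines():
        if not raw.strip() or raw.startswith("#"):  # a '#' line never matches a login
            continue
        if raw != raw.strip():
            problems.append((raw, "surrounding whitespace, entry will not match"))
        elif raw not in known_users:
            hit = raw.lower() in {u.lower() for u in known_users}
            problems.append((raw, "case differs from the system account" if hit else "no such system account"))
    return problems

def login_allowed_by_list(conf, list_text, user):
    """Apply the whitelist/blacklist rule to one login name (None: list not in use)."""
    mode = userlist_mode(conf)
    if mode == "off":
        return None
    listed = user in list_text.splitlines()
    return listed if mode == "whitelist" else not listed

# Constructed sample input mirroring the page's setup; 'streams' is the page's user.
SAMPLE_CONF = "userlist_enable=YES\nuserlist_file=/etc/vsftpd.user_list\nuserlist_deny=NO\n"
SAMPLE_LIST = "streams\nStreams\nbackup \nnobody_here\n"
SAMPLE_USERS = {"streams", "backup", "root"}
```

Running audit_user_list(SAMPLE_LIST, SAMPLE_USERS) reports the three bad entries while "streams" passes, and login_allowed_by_list shows that the same list with userlist_deny left unset would lock "streams" out instead.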