When configuring vsftpd to allow only specific users, you might find that despite setting up individual user configurations, other system users can still access the FTP server. This occurs because the base configuration doesn't explicitly deny access to unauthorized users.
To properly restrict access, you need three essential components in your vsftpd configuration:
```
local_enable=YES
user_config_dir=/etc/vsftpd_user_conf
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
```
Create the user list file and populate it with authorized users:
```
# Create the user list file
sudo touch /etc/vsftpd.user_list
# Add authorized users (one per line)
echo "foo" | sudo tee -a /etc/vsftpd.user_list
echo "bar" | sudo tee -a /etc/vsftpd.user_list
```
For user 'foo', the configuration file at /etc/vsftpd_user_conf/foo should contain:
```
local_root=/home/foo/ftpdir
anon_world_readable_only=NO
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
virtual_use_local_privs=YES
local_umask=022
```
Consider these extra security settings in your main vsftpd.conf:
```
chroot_local_user=YES
allow_writeable_chroot=YES
ssl_enable=YES
require_ssl_reuse=NO
ssl_ciphers=HIGH
```
After making these changes, restart vsftpd and test access:
```
sudo systemctl restart vsftpd
# Test with authorized user
ftp localhost
# Test with unauthorized user
ftp localhost
```
If you encounter permission problems, ensure:
- The user list file has correct permissions (600)
- User home directories have appropriate ownership
- SELinux contexts are properly set if applicable
When setting up vsftpd with local_enable=YES, you might notice it allows all system users to access the FTP server by default. This creates a security concern when you only want to grant access to specific users like foo in your example.
To properly restrict access, we need to combine three configuration approaches:
```
local_enable=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
```
First, create the user list file:
```
sudo touch /etc/vsftpd.user_list
sudo chmod 600 /etc/vsftpd.user_list
```
Then add your allowed users (one per line):
```
foo
bar
```
Here's a complete secure configuration example:
```
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
allow_writeable_chroot=YES
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list
pasv_min_port=40000
pasv_max_port=50000
```
For per-user settings (like your original example), maintain the user_config_dir approach:
```
user_config_dir=/etc/vsftpd_user_conf
```
Then for user foo:
```
# /etc/vsftpd_user_conf/foo
local_root=/home/foo/ftpdir
anon_world_readable_only=NO
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
virtual_use_local_privs=YES
local_umask=022
```
After making changes, restart vsftpd and test:
```
sudo systemctl restart vsftpd
ftp localhost
```
Try logging in with both allowed and disallowed users to verify the restrictions work as expected.
For production environments, consider additional measures:
- Use SSL/TLS (set ssl_enable=YES)
- Implement rate limiting
- Configure proper firewall rules
- Regularly audit user permissions
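Both answers above hinge on the same three directives: local_enable, userlist_enable and userlist_deny=NO. The script below is an added example (not from either answer or from the vsftpd project) that models that user-list logic over constructed sample configs in a temporary directory, so you can see before restarting the daemon whether a given config admits or rejects a user, and why leaving out userlist_deny=NO turns the file into a deny-list. It assumes the upstream compiled-in default path /etc/vsftpd.user_list and ignores PAM, /etc/ftpusers and per-user config files.

```shell
#!/bin/sh
# Added example: predicts which local users vsftpd's user-list logic admits.
# Only local_enable / userlist_enable / userlist_deny / userlist_file are
# modelled; PAM, /etc/ftpusers and user_config_dir files are out of scope.

# Effective value of a key: the last assignment wins, as in vsftpd's parser.
vsftpd_get() {                     # $1 = conf file, $2 = key
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Prints "yes" if user $2 may log in under config $1, "no" otherwise.
vsftpd_can_login() {               # $1 = conf file, $2 = user name
    conf=$1 user=$2
    [ "$(vsftpd_get "$conf" local_enable)" = YES ] || { echo no; return; }
    [ "$(vsftpd_get "$conf" userlist_enable)" = YES ] || { echo yes; return; }
    list=$(vsftpd_get "$conf" userlist_file)
    list=${list:-/etc/vsftpd.user_list}          # upstream compiled-in default
    deny=$(vsftpd_get "$conf" userlist_deny)
    deny=${deny:-YES}                            # vsftpd default is a deny-list
    listed=no
    [ -r "$list" ] && grep -qxF "$user" "$list" && listed=yes
    # allowlist: only listed users get in; denylist: everyone except them
    if [ "$deny" = NO ]; then echo "$listed"
    elif [ "$listed" = yes ]; then echo no
    else echo yes
    fi
}

# Constructed sample files in a temp dir (not real system paths): the open
# "before" config, the restricted config, and a common misconfiguration.
WORK=$(mktemp -d)
printf 'foo\nbar\n' > "$WORK/user_list"
printf 'local_enable=YES\nwrite_enable=YES\n' > "$WORK/open.conf"
printf 'local_enable=YES\nuserlist_enable=YES\nuserlist_deny=NO\nuserlist_file=%s\n' \
    "$WORK/user_list" > "$WORK/restricted.conf"
# userlist_enable without userlist_deny=NO makes the file a deny-list and
# locks out exactly the users you meant to allow.
printf 'local_enable=YES\nuserlist_enable=YES\nuserlist_file=%s\n' \
    "$WORK/user_list" > "$WORK/inverted.conf"

for c in open restricted inverted; do
    for u in foo bar mallory; do
        printf '%-16s %-8s %s\n' "$c.conf" "$u" "$(vsftpd_can_login "$WORK/$c.conf" "$u")"
    done
done
```

Point the functions at your real vsftpd.conf to check the effective policy after edits; keys set more than once resolve to the last occurrence, which is where surprises usually hide.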