This small HOWTO describes how to configure vsftpd for an anonymous FTP site in order to make files available across your local network or the internet. The scenario this guide is based on is quickly making a Linux distribution’s installation tree available across the local network so that it can be used for a network installation. In this example, I run an anonymous FTP service on my desktop computer, making the CentOS installation tree available directly from its installation DVD. This should give you an idea of how to share files or directories that do not physically exist in the root directory of the FTP site.
vsftpd Configuration
Assuming vsftpd has already been installed in the standard location, the directory /etc/vsftpd/, which contains its configuration files, should exist. You can edit vsftpd’s default configuration file (/etc/vsftpd/vsftpd.conf), but in this example, we will create a new configuration file from scratch.
Create a new configuration file named /etc/vsftpd/vsftpd-anon.conf, open it in your favourite text editor, and write down the directives that follow:
Set the server to run in standalone mode. This means that vsftpd will run in the background and handle the incoming requests on its own. The alternative method (listen=NO) would require you to set up an xinetd service. This would not be a bad idea, but for the sake of this example, it would be a waste of time.
listen=YES
The following directives prevent local users from logging in and enable anonymous access, respectively.
local_enable=NO
anonymous_enable=YES
The following directive disables write access to the FTP server’s filesystem. This is a global switch, so no one will be able to upload or modify any files on your FTP site.
write_enable=NO
Sets the root directory for anonymous connections. By default, this is /var/ftp/.
anon_root=/var/ftp
The following configuration directives are optional and can be safely omitted.
Limit the rate at which anonymous users can retrieve files.
anon_max_rate=2048000
Enable logging of information about user logins and file transfers. The log file is located at /var/log/vsftpd.log.
xferlog_enable=YES
Set the interface and port the service will listen on. By default, vsftpd will bind to all local network interfaces on port 21, which is the standard port of the File Transfer Protocol. Note that listen_address accepts only numeric IP addresses (no hostnames).
listen_address=192.168.0.100
listen_port=21
The entire vsftpd-anon.conf file
#
# Sample anonymous FTP server configuration
#
# Mandatory directives
#
listen=YES
local_enable=NO
anonymous_enable=YES
write_enable=NO
anon_root=/var/ftp
#
# Optional directives
#
anon_max_rate=2048000
xferlog_enable=YES
listen_address=192.168.0.100
listen_port=21
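A quick way to check that a configuration file still matches the read-only anonymous setup described above. This script is an added example, not part of the original HOWTO or of vsftpd; the function name audit_vsftpd_anon, the FAIL/WARN wording and the sample file are assumptions made for illustration. The anon_upload_enable, anon_mkdir_write_enable and anon_other_write_enable directives it looks for are vsftpd options that only take effect once write_enable is YES.

```shell
#!/bin/sh
# audit_vsftpd_anon FILE: print FAIL/WARN findings for a config that is meant
# to be a read-only anonymous site; return 1 if any FAIL was printed.
audit_vsftpd_anon() {
    awk '
    function need(key, want) {      # value the HOWTO sets for this directive
        if (!(key in val)) { print "FAIL " key " is not set explicitly (want " want ")"; bad++ }
        else if (val[key] != want) { print "FAIL " key "=" val[key] " (want " want ")"; bad++ }
    }
    function latent(key) {          # inert while write_enable=NO, live once it is YES
        if ((key in val) && val[key] == "YES") {
            print "FAIL " key "=YES: only write_enable=NO keeps the site read-only"; bad++
        }
    }
    /^#/ || /^[ \t]*$/ { next }     # comments and blank lines
    {
        eq = index($0, "=")
        key = substr($0, 1, eq - 1); v = substr($0, eq + 1)
        if (eq == 0 || key ~ /[ \t]/ || v ~ /^[ \t]/) {
            print "FAIL line " NR " is not option=value without spaces: " $0
            bad++; next
        }
        val[key] = v                # assumption: a repeated directive keeps its last value
    }
    END {
        need("local_enable", "NO"); need("anonymous_enable", "YES"); need("write_enable", "NO")
        latent("anon_upload_enable"); latent("anon_mkdir_write_enable")
        latent("anon_other_write_enable")
        if (!("listen_address" in val)) print "WARN listen_address unset: binds to all interfaces"
        if (val["xferlog_enable"] != "YES") print "WARN xferlog_enable is not YES: transfers not logged"
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: uploads were switched on and one line has stray spaces.
sample=$(mktemp)
cat > "$sample" <<'EOF'
listen=YES
local_enable = NO
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_root=/var/ftp
EOF
audit_vsftpd_anon "$sample" || echo "not a read-only anonymous configuration"
rm -f "$sample"
```

Run it against /etc/vsftpd/vsftpd-anon.conf before starting the service; the configuration shown above produces no output.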
Start or Stop the FTP server
Assuming you have created the supplementary vsftpd-anon.conf configuration file, run as user root:
vsftpd /etc/vsftpd/vsftpd-anon.conf
To stop the service run:
killall vsftpd
Alternatively, you can send the SIGTERM signal to a specific vsftpd process.
On the other hand, if you had edited vsftpd’s default configuration file, you could start/stop the service using the /etc/init.d/vsftpd initscript.
Sharing files and directories
An FTP server without any files is like having a swimming pool without any water in it. In order to make some files and directories available through your FTP service you have two options:
- Copy or move the files or directories inside the anon_root directory.
- Create bind mounts of the directories you want to share in the anon_root directory.
You may wonder why you cannot just create some symbolic links inside anon_root pointing to the directories you want to share. Even if you created those symlinks and connected to the service using an FTP client, you would notice that you are not permitted to reach the linked location. This happens because anonymous users are restricted (chrooted) to anon_root and, therefore, no location outside this directory is accessible using symlinks.
Bind mounts are the solution to this problem. When bind-mounting, you mount a directory (A) to another directory (B) on the same or different filesystem, so that the contents of directory A appear as contents of directory B. It’s like a symlink, but at a lower level of the filesystem and that’s why you can reach locations outside the chroot jail.
In our scenario, the installation tree of a Linux distribution is shared through the FTP service. It is assumed that the installation medium has been inserted into the drive and either the system or you have mounted it, for example, to the directory /media/CentOS/. We want the contents of the DVD to be accessible through the FTP server, so we need to bind-mount the DVD contents to a directory inside anon_root. As user ‘root’, issue the following command:
mount --bind /media/CentOS /var/ftp/pub
Now, connecting to the FTP service, you will notice that the contents of the pub/ directory are the CentOS installation tree.
It is quite obvious that, despite the fact that vsftpd does not support the creation of a virtual filesystem (mainly a virtual directory structure) internally, one can be easily implemented with bind-mounts.
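To see exactly what the bind mounts place inside the chroot, the script below lists every mount at or below anon_root with its read-only state and the directory that backs it. It is an added example, not part of the original HOWTO; the function name exposed_under and the sample mountinfo lines are constructed for illustration, and it assumes a Linux system that provides /proc/self/mountinfo.

```shell
#!/bin/sh
# exposed_under ROOT [MOUNTINFO]: list every mount at or below ROOT as
#   <mount point> <ro|rw> <fstype> <source device> <directory within that fs>
# MOUNTINFO defaults to /proc/self/mountinfo (Linux).
exposed_under() {
    awk -v root="${1%/}" '
    {
        mp = $5
        if (mp != root && index(mp, root "/") != 1) next   # not inside ROOT
        # optional fields end at a lone "-"; fstype and source follow it
        for (i = 7; i <= NF && $i != "-"; i++) ;
        mode = ($6 ~ /^ro(,|$)/) ? "ro" : "rw"             # per-mount flag
        print mp, mode, $(i + 1), $(i + 2), $4
    }' "${2:-/proc/self/mountinfo}"
}

# Constructed mountinfo excerpt: the DVD bind mount from this HOWTO, plus a
# home directory that was bind-mounted into the site by mistake.
mi=$(mktemp)
cat > "$mi" <<'EOF'
25 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
60 25 11:0 / /media/CentOS ro,nosuid,nodev,relatime shared:30 - iso9660 /dev/sr0 ro
61 25 11:0 / /var/ftp/pub ro,nosuid,nodev,relatime shared:30 - iso9660 /dev/sr0 ro
62 25 8:2 /home/alice /var/ftp/incoming rw,relatime shared:1 - ext4 /dev/sda2 rw
EOF
exposed_under /var/ftp "$mi"
rm -f "$mi"
```

A bind mount that shows rw can be made read-only with mount -o remount,bind,ro on its mount point, and umount removes it once the network installation is finished.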
Do not forget the firewall
When we run a server temporarily on the desktop computer, we tend to forget to open the necessary ports on the firewall. In the case of vsftpd, you should open port 21 or the port number you have assigned to the listen_port configuration directive. Please consult the documentation of your firewall management application about how to perform this action.
Further Reading
- All the supported configuration directives for vsftpd.
Set up an anonymous FTP server with vsftpd in less than a minute by George Notaras is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright © 2008 - Some Rights Reserved
FTP is an obsolete and outdated protocol.
Anyone using FTP should seriously consider using WebDAV.
Since DAV works over HTTP, you get all the benefits of HTTP that FTP cannot provide. For example: strong authentication, encryption, proxy support, and caching. It is true that you can get some of this through SSH, but the HTTP infrastructure is much more widely deployed than SSH. Further, SSH does not have the wide complement of tools, development libraries, and applications that HTTP does.
DAV transfers (well, HTTP transfers) are also more efficient than FTP. You can pipeline multiple transfers through a single TCP connection, whereas FTP requires a new connection for each file transferred (plus the control connection).
Although I haven’t used webdav as much, I agree and I will probably check it out extensively whenever I have enough spare time. However, this was supposed to be a very quick way to make the installation tree of the linux distribution available across the network and ftp seemed like the ideal solution for a quick setup.
Thanks for your feedback :-)
Anyone have instructions on how to set up WebDAV? Also, don’t you need a ftp running server too?
My problem is when I use ftp://agile@localhost it works (with both httpd and vsftpd running.)
But if I try it from another host it fails. Error in log file for vsftpd indicates incorrect login. But I can login to vsftpd with /usr/bin/ftp without any problems.
Any leads on how to resolve the problem would be greatly appreciated.
Agile: You do not need an FTP server in order to setup webdav. You can consider WebDav as an FTP replacement.
As for the connectivity problems, please make sure that you have opened the relevant ports (21 for FTP, 80 for HTTP) in the server’s firewall. Having set up your firewall correctly, setup an anonymous FTP service as described in the article above, and try to connect from other machines.
Finally, you should not use “localhost” as the server address when connecting from other machines, but use the server’s IP instead.
“Create bind mounts of the directories you want to share in the anon_root directory.”
This does not work directly. You have to bind in a subfolder for it to work.
vsftpd has major issues IMO.
Exactly what i was looking for! Thanks mate!
I tried this. It’s working, but I am unable to open FTP on MS Windows XP.
Hi thanks for sharing this.
I’m having problems setting up vsftpd for a management server to support my Cisco routers and switches infrastructure. The problem is that when trying to connect to the vsftpd server it asks for a username and password, which I’ve configured to be anonymous, but Cisco does not support authentication; it just needs an FTP with no login requirements. Can you please tell me how I can do this?
would be appreciated,
NL
@Nuno
> the problem is that when trying to connect to the vsftpd server it asks
> for a username and password, which iv configured to be anonymous,
> but cisco does not support authentication
I am not sure I understand what you mean here. On every FTP session you have to supply a username and a password. Even when connecting to anonymous FTP servers you have to supply the username anonymous and any password (in the old days we used to set our email address as the password). Also note that you should not create a user in your system called anonymous. This is just a built-in username in ftp servers to use in anonymous logins. You do not have to create such a user.
Hope it helps.
Why it is required to set up:
local_enable=NO ?
This means i cannot use my vsftp server for local user and anonymous at the same time ?
Best Regards
Yes, it can be used. This example is about setting up an anonymous ftp site, so local user access is disabled. That’s all.
Regards,
George