
vsFTPd Virtual Users Setup

Author: 小小梦游家 | Published 2018-11-07 10:55, 0 reads

    There are three ways to log in to an FTP service:

    1. Anonymous login: the default FTP username is anonymous
    2. Local user login: the users are the system accounts found in /etc/passwd
    3. Virtual user login: FTP-specific users that do not exist as system accounts. There are two ways to implement them: local data files or a database server

    FTP virtual users can only access the resources provided by the FTP server, which greatly enhances security.

    Environment

    Operating System: CentOS 7.5.1804
    vsFTPd version: 3.0.2

    vsFTPd Installation
    yum -y install vsftpd

    Dependencies Installation

    CentOS 7 needs the EPEL repository
    yum -y install epel-release.noarch
    Install the Berkeley DB utilities (db_load) to create the virtual user database file
    yum -y install db4-utils
    Install PAM to handle user authentication (quote the glob so the shell does not expand it against files in the current directory)
    yum -y install 'pam*'

    vsFTPd Configuration

    Backup default configuration file
    mv /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak
    Create a new configuration file
    nano /etc/vsftpd/vsftpd.conf
    Add configuration values

    anonymous_enable=NO
    local_enable=YES
    local_umask=022
    #tcp_wrappers=NO
    reverse_lookup_enable=NO
    pam_service_name=vsftpd
    #userlist_enable=YES
    userlist_deny=NO
    userlist_file=/etc/vsftpd/user_list
    #chroot_local_user=YES
    chroot_list_enable=YES
    chroot_list_file=/etc/vsftpd/chroot_list
    allow_writeable_chroot=YES
    #listen=YES
    listen_port=21
    connect_from_port_20=YES
    pasv_enable=YES
    pasv_promiscuous=YES
    pasv_min_port=8000
    pasv_max_port=8100
    #accept_timeout=120
    connect_timeout=120
    data_connection_timeout=180
    idle_session_timeout=600
    local_max_rate=0
    #dirmessage_enable=NO
    xferlog_enable=YES
    xferlog_file=/var/log/vsftpd.log
    #log_ftp_protocol=YES
    xferlog_std_format=YES
    guest_enable=YES
    guest_username=root
    virtual_use_local_privs=YES
    user_config_dir=/etc/vsftpd/vuser_conf
    

    Note: guest_username is the local account that virtual user sessions run as, so it is usually the owner of the shared folder (root, www, or ftp). Running sessions as root means every virtual user's uploads and directory operations happen with root privileges; a dedicated unprivileged owner such as ftp is the safer choice. Likewise, pasv_promiscuous=YES disables vsftpd's check that the passive data connection comes from the same address as the control connection; leave it at NO unless a proxy or NAT setup actually requires it.

    Virtual User Permission Configuration

    Back up user_list (the list of users allowed to access the FTP service)
    mv /etc/vsftpd/user_list /etc/vsftpd/user_list.bak
    Create a new user_list file and add the users to it (one user per line)
    nano /etc/vsftpd/user_list
    Create the chroot_list file
    touch /etc/vsftpd/chroot_list
    If there is a user who is allowed to access the parent directories, add the user to this file (one user per line). Check the meaning of the list against chroot_local_user: with chroot_local_user=YES, users listed in chroot_list are exempt from the chroot jail; with chroot_local_user left at its default of NO (as in the configuration above, where it is commented out), the listed users are the ones placed in the jail.

    Virtual User Independent Configuration

    Create a folder for the per-user configuration files
    mkdir /etc/vsftpd/vuser_conf
    Add the virtual user's independent configuration (username as filename)
    nano /etc/vsftpd/vuser_conf/test
    Add the independent configuration for this user

    local_root=/
    write_enable=YES
    download_enable=YES
    anon_world_readable_only=NO
    anon_upload_enable=YES
    anon_mkdir_write_enable=YES
    anon_other_write_enable=YES
    

    Note: local_root is the root folder for this virtual user. Setting it to / exposes the whole filesystem to the user (and, with guest_username=root, with root privileges); a dedicated directory, for example /var/ftp/test, is the usual choice.

    Virtual User Authentication

    Create an authentication file
    nano /etc/vsftpd/vsftpd_vuser
    Add usernames and passwords to vsftpd_vuser, with the username on odd lines and the password on even lines (the file holds cleartext passwords, so it should be readable by root only)

    test
    test123
    

    Generate the virtual user authentication database (rerun this every time a password is changed)
    db_load -T -t hash -f /etc/vsftpd/vsftpd_vuser /etc/vsftpd/vsftpd_vuser.db
    Note: if the following error appears

    db_load: unexpected end of input data or key/data pair
    db_load: odd number of key/data pairs

    make sure the file ends with a newline (add a blank line at the bottom of /etc/vsftpd/vsftpd_vuser) and that every username line has a password line, then try again
    Set permissions so that only root can read and write vsftpd_vuser.db
    chmod 600 /etc/vsftpd/vsftpd_vuser.db
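The two db_load errors above come from a malformed credential file. The following helper, an added example and not part of the original post, checks the file for the missing trailing newline and the unpaired username before calling db_load, then locks the resulting database down to root. It assumes db_load from db4-utils is on PATH and that it is run as root.

```shell
#!/bin/sh
# Added example, not from the original post: validate the vsftpd_vuser
# credential file before handing it to db_load, then build the Berkeley DB
# with root-only permissions. Layout as described above: username on odd
# lines, password on even lines.

# check_vuser_file FILE -> returns 0 if FILE is acceptable for
# "db_load -T -t hash", 1 otherwise. It catches the two failure modes
# noted above: a missing trailing newline ("unexpected end of input data
# or key/data pair") and an unpaired username ("odd number of key/data
# pairs").
check_vuser_file() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    # tail -c1 prints the last byte; command substitution strips a newline,
    # so a non-empty result means the file does not end with one
    if [ -n "$(tail -c1 "$f")" ]; then
        echo "$f: missing trailing newline, db_load will reject it" >&2
        return 1
    fi
    # count non-empty lines; every username line needs a password line
    lines=$(grep -c . "$f" || true)
    if [ $((lines % 2)) -ne 0 ]; then
        echo "$f: odd number of entries ($lines), a user has no password" >&2
        return 1
    fi
    return 0
}

# build_vuser_db FILE -> creates FILE.db readable and writable by root only.
# Assumes db_load (db4-utils) is installed and the caller is root.
build_vuser_db() {
    src="$1"
    db="$src.db"
    check_vuser_file "$src" || return 1
    db_load -T -t hash -f "$src" "$db" || return 1
    chmod 600 "$db" && chown root:root "$db"
}
```

Run it as `build_vuser_db /etc/vsftpd/vsftpd_vuser` after every password change; the check runs first, so a broken file never overwrites a working database.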

    PAM Configuration

    Back up the vsftpd PAM authentication file
    mv /etc/pam.d/vsftpd /etc/pam.d/vsftp.bak
    Create a new PAM file
    nano /etc/pam.d/vsftpd
    (For 32-bit systems) add the following lines to /etc/pam.d/vsftpd

    auth required pam_userdb.so db=/etc/vsftpd/vsftpd_vuser
    account required pam_userdb.so db=/etc/vsftpd/vsftpd_vuser
    

    (For 64-bit systems) add the following lines to /etc/pam.d/vsftpd

    auth required pam_userdb.so db=/etc/vsftpd/vsftpd_vuser
    account required pam_userdb.so db=/etc/vsftpd/vsftpd_vuser
    auth required /lib64/security/pam_userdb.so db=/etc/vsftpd/vsftpd_vuser
    account required /lib64/security/pam_userdb.so db=/etc/vsftpd/vsftpd_vuser
    

    Firewall Configuration

    Check whether the ftp service is enabled
    firewall-cmd --permanent --query-service=ftp
    If it is not, enable the ftp service
    firewall-cmd --permanent --add-service=ftp
    Add the active-mode data port and the passive-mode port range to the FTP service

    # Add active-mode data port 20/tcp to the ftp service
    firewall-cmd --permanent --service=ftp --add-port=20/tcp
    # Add passive-mode port range 8000-8100/tcp to the ftp service
    firewall-cmd --permanent --service=ftp --add-port=8000-8100/tcp
    

    List all permanent services
    firewall-cmd --permanent --list-services
    Show the FTP service definition (the output should look like this)
    firewall-cmd --permanent --info-service=ftp

    ftp
    ports: 21/tcp 20/tcp 8000-8100/tcp
    protocols:
    source-ports:
    modules: ftp
    destination:

    Reload the firewall service
    firewall-cmd --reload
    Note: on Aliyun (Alibaba Cloud) servers the security group also needs inbound and outbound rules for 20/tcp, 21/tcp and 8000-8100/tcp

    FTP Client

    FileZilla (download from its official site)
    Configuration:

    • Host: the server's IP address
    • Port: leave blank if the port has not been changed
    • Protocol: FTP - File Transfer Protocol
    • Encryption: Only use plain FTP (insecure)
    • Logon Type: Normal
    • User: test
    • Password: test123

    Note: with this configuration the username, password and file contents travel in cleartext, which is why FileZilla labels the option insecure. Encrypting the session requires ssl_enable=YES and a certificate (rsa_cert_file) in vsftpd.conf, after which FileZilla can use explicit FTP over TLS.

Article link: https://www.haomeiwen.com/subject/vjpmxqtx.html