How to Create FTP Users on vsftpd
Platform: RHEL / CentOS 7/8
Service: vsftpd (Very Secure FTP Daemon)
1. Overview
This KB article provides step-by-step instructions for creating FTP users on a server running vsftpd. The server at satish.stradsolutions.com is confirmed active and running vsftpd (PID 6770). All FTP users must be valid Linux system users. Authentication is handled via PAM (pam_unix).
2. Prerequisites
Before creating FTP users, ensure the following:
You have root or sudo access to the server
✔ vsftpd service is running:
    systemctl status vsftpd
You know the user's intended home/FTP directory
vsftpd configuration is located at: /etc/vsftpd/vsftpd.conf
3. Step-by-Step: Creating an FTP User
Step 1 — Create the Linux System User
FTP users must be Linux OS-level users. Run the following command as root:
    # Create user with a home directory
    useradd -m -d /home/ftpuser1 -s /sbin/nologin ftpuser1
    # Set the user's password
    passwd ftpuser1
Flag | Description
-m | Creates the home directory automatically (long form: --create-home)
-d /home/ftpuser1 | Specifies the home directory path
-s /sbin/nologin | Prevents SSH/shell login (FTP only — recommended for security)
ftpuser1 | The username (replace with desired name)
Step 2 — Set Correct Directory Permissions
When chroot_local_user is enabled (and allow_writeable_chroot is left at NO), vsftpd refuses the login if the user's home directory, which becomes the chroot root, is writable by that user. Make the home directory root-owned and give the user a writable subdirectory instead:
    # Set correct ownership
    chown root:root /home/ftpuser1
    chmod 755 /home/ftpuser1
    # Create a writable subdirectory for uploads
    mkdir /home/ftpuser1/upload
    chown ftpuser1:ftpuser1 /home/ftpuser1/upload

Note: If chroot_local_user=YES is set in vsftpd.conf, the root chroot directory must NOT be writable by the FTP user. Always use a subdirectory (e.g., /upload) for file transfers.
Step 3 — Verify vsftpd Configuration
Check /etc/vsftpd/vsftpd.conf for these key settings:
    # View current vsftpd config
    grep -E 'local_enable|chroot|userlist|write_enable' /etc/vsftpd/vsftpd.conf

    # Recommended settings for local FTP users:
    # Allow local Linux users to log in
    local_enable=YES
    # Allow file uploads
    write_enable=YES
    # Restrict users to their home directory
    chroot_local_user=YES
    # Do NOT allow writable chroot root (use subdirs)
    allow_writeable_chroot=NO
    # Enable user list control
    userlist_enable=YES
    # Treat user_list as whitelist (allow list)
    userlist_deny=NO
Keep the comments on their own lines: vsftpd takes everything after the = as the option's value, so a trailing comment on a setting line (for example local_enable=YES followed by a # comment) is rejected as a bad value and the service fails to start.
Step 4 — Add User to the vsftpd User List (if enabled)
If userlist_enable=YES and userlist_deny=NO are set, only users in /etc/vsftpd/user_list are allowed to connect. Add the new user:
    # Add user to vsftpd allow list
    echo 'ftpuser1' >> /etc/vsftpd/user_list
    # Verify the user was added
    cat /etc/vsftpd/user_list

⚠️ Warning: If userlist_deny=YES (deny mode), adding a user to user_list will BLOCK them. Know your configuration before editing.
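To see how user_list, ftpusers and the userlist_* settings combine for a given account before editing the live files, here is an added example script (not part of vsftpd and not from the original article) that reads a vsftpd.conf, a user_list and a ftpusers file and prints whether the user would be allowed to log in. It implements the rules stated in Steps 3 and 4 and in the warning above: ftpusers always denies, local_enable must be YES, and user_list is an allow list when userlist_deny=NO and a deny list otherwise. The function names are assumptions of this example; the defaults it falls back on when a key is absent (local_enable=NO, userlist_deny=YES) are vsftpd's documented defaults.

```shell
#!/bin/sh
# ftp_access_check.sh: predict whether vsftpd will accept a local user's login,
# applying the user_list / ftpusers rules from Steps 3-4 of the article.
# Added example, not part of vsftpd. File paths are parameters so the functions can
# be run against the real files (/etc/vsftpd/vsftpd.conf, /etc/vsftpd/user_list,
# /etc/vsftpd/ftpusers) or against constructed copies for testing.

# Read a boolean option from a vsftpd.conf-style file (key=value, '#' comment lines).
# Prints the value upper-cased (vsftpd compares booleans case-insensitively), or the
# supplied default if the key is not set. The last occurrence of a key wins.
vsftpd_bool() {
    conf=$1; key=$2; default=$3
    val=$(grep -E "^[[:space:]]*$key=" "$conf" 2>/dev/null | tail -n 1 \
          | cut -d= -f2- | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Exact whole-line match of a username in a one-name-per-line file; '#' lines ignored.
# A missing file behaves as an empty list.
in_list() {
    listfile=$1; user=$2
    grep -vE '^[[:space:]]*#' "$listfile" 2>/dev/null | grep -qxF -- "$user"
}

# Decide access for one user. Prints ALLOW or DENY:<reason>; exit 0 = allow, 1 = deny.
# Usage: ftp_access_check <vsftpd.conf> <user_list> <ftpusers> <username>
ftp_access_check() {
    conf=$1; ulist=$2; ftpusers=$3; user=$4

    # ftpusers is enforced by pam_listfile in /etc/pam.d/vsftpd and is always a deny list.
    if in_list "$ftpusers" "$user"; then
        echo "DENY:ftpusers"; return 1
    fi
    # local_enable must be YES for any Linux system user to log in (vsftpd default: NO).
    if [ "$(vsftpd_bool "$conf" local_enable NO)" != "YES" ]; then
        echo "DENY:local_enable=NO"; return 1
    fi
    # userlist_enable=YES switches user_list on; userlist_deny (default YES) sets its meaning.
    if [ "$(vsftpd_bool "$conf" userlist_enable NO)" = "YES" ]; then
        if [ "$(vsftpd_bool "$conf" userlist_deny YES)" = "NO" ]; then
            # Allow-list mode (the article's recommended setting): user must be listed.
            if ! in_list "$ulist" "$user"; then
                echo "DENY:not-in-user_list"; return 1
            fi
        else
            # Deny-list mode: a listed user is blocked (the warning in Step 4).
            if in_list "$ulist" "$user"; then
                echo "DENY:in-user_list-deny-mode"; return 1
            fi
        fi
    fi
    echo "ALLOW"; return 0
}

# Example run against the live files (requires read access to /etc/vsftpd):
# ftp_access_check /etc/vsftpd/vsftpd.conf /etc/vsftpd/user_list /etc/vsftpd/ftpusers ftpuser1
```

The check is read-only, so it is safe to run on the server before and after editing user_list; the DENY reason tells you which of the three mechanisms is blocking an account, which maps directly onto the rows of the troubleshooting table later in this article.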
Step 5 — Reload vsftpd Service
After any configuration or user changes, reload or restart vsftpd:
    # Reload vsftpd (applies config changes without dropping connections)
    systemctl reload vsftpd
    # OR restart if reload doesn't work
    systemctl restart vsftpd
    # Verify service is still running
    systemctl status vsftpd
Step 6 — Test the FTP Connection
Test the new user's FTP access from the server itself or from a client:
    # Test from the server (requires ftp client)
    ftp localhost
    # Enter username: ftpuser1
    # Enter password when prompted

    # Or test with curl
    curl -u ftpuser1:password ftp://satish.stradsolutions.com/
A password given on the command line is recorded in shell history and visible to other users in the process list; omit the password after -u and curl will prompt for it instead.
4. Quick Reference — Common Commands
Command | Purpose
useradd -m -s /sbin/nologin <user> | Create FTP-only user (no shell)
passwd <user> | Set/change user password
usermod -s /sbin/nologin <user> | Convert existing user to FTP-only
userdel -r <user> | Delete user and home directory
cat /etc/vsftpd/user_list | View allowed/denied users
echo '<user>' >> /etc/vsftpd/user_list | Add user to vsftpd user list
systemctl reload vsftpd | Reload vsftpd config
systemctl restart vsftpd | Restart vsftpd service
tail -f /var/log/secure | Monitor FTP auth logs in real-time
5. Troubleshooting
Issue | Resolution
500 OOPS: vsftpd: refusing to run with writable root inside chroot | Run: chmod a-w /home/ftpuser1 (chroot dir must not be writable)
530 Login incorrect | Check password, PAM config, and /etc/vsftpd/ftpusers blacklist
550 Permission denied on upload | Ensure /home/ftpuser1/upload is owned by the FTP user
421 Service not available | Run: systemctl start vsftpd
User not in user_list | Append username to /etc/vsftpd/user_list and reload vsftpd
User blocked by ftpusers file | Remove user from /etc/vsftpd/ftpusers (this file always denies)
6. Monitoring FTP Authentication Logs
Your server logs FTP auth events to /var/log/secure. Use these commands to monitor activity:
    # View recent FTP auth events
    grep vsftpd /var/log/secure | tail -50

    # Monitor in real-time
    tail -f /var/log/secure | grep vsftpd

    # Count failed logins by source IP (detect brute force)
    # The source address is in the rhost= field; the last field of a pam_unix line is
    # user=<name> when the name is known, so extract rhost= rather than relying on $NF.
    grep 'authentication failure' /var/log/secure | grep vsftpd \
      | grep -oE 'rhost=[^ ]+' | cut -d= -f2 | sort | uniq -c | sort -rn

Security Recommendation: Block repeated failed login IPs using firewalld or install fail2ban to automatically ban IPs with multiple failed FTP attempts. The IP 41.138.171.53 shows repeated failures in your current logs.
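The counting pipeline above, as an added example script (written for this article, not a vsftpd or fail2ban component) wrapped in functions so it can be run against /var/log/secure or against a constructed sample: it groups pam_unix(vsftpd:auth) failures by the rhost= field, ignoring other PAM services that share the same log, and lists the hosts at or above a failure threshold, which is the decision fail2ban automates before banning. The function names, the threshold, and the sample log lines (documentation addresses 198.51.100.7 and 203.0.113.9) are assumptions of this example.

```shell
#!/bin/sh
# ftp_auth_summary.sh: summarise failed vsftpd logins per source host from a
# /var/log/secure-style file and list hosts above a failure threshold.
# Added example for this article; not part of vsftpd or fail2ban.
# Assumed log format: the pam_unix(vsftpd:auth) line written on RHEL/CentOS, which
# ends in "... rhost=<ip>  user=<name>" (user= is absent when the name was unknown),
# so the source is taken from the rhost= field, never from the last field of the line.

# Print "<count> <host>" lines, highest count first.
# $1 = log file (e.g. /var/log/secure)
failed_logins_by_host() {
    grep 'vsftpd' "$1" | grep 'authentication failure' \
      | grep -oE 'rhost=[^ ]+' | cut -d= -f2 \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'   # normalise the padding uniq -c adds
}

# Print only the hosts with at least $2 failures (ban candidates).
# $1 = log file, $2 = threshold
hosts_over_threshold() {
    failed_logins_by_host "$1" | awk -v n="$2" '$1 >= n {print $2}'
}

# Write a constructed /var/log/secure excerpt to $1 (example data, not real log output).
# Includes an sshd failure and a successful vsftpd session, which must not be counted.
sample_log() {
    cat > "$1" <<'EOF'
Mar  1 10:00:01 satish vsftpd[6770]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=198.51.100.7  user=admin
Mar  1 10:00:02 satish vsftpd[6770]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=test rhost=198.51.100.7
Mar  1 10:00:03 satish vsftpd[6770]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftpuser1 rhost=203.0.113.9  user=ftpuser1
Mar  1 10:00:04 satish sshd[700]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=root
Mar  1 10:00:05 satish vsftpd[6770]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=admin rhost=198.51.100.7  user=admin
Mar  1 10:00:06 satish vsftpd[6770]: pam_unix(vsftpd:session): session opened for user ftpuser1 by (uid=0)
EOF
}

# Stand-alone demo on the constructed sample: the per-host table, then the hosts that
# would be candidates for a firewalld/fail2ban ban at a threshold of 3 failures.
# On the server, replace "$DEMO_LOG" with /var/log/secure.
DEMO_LOG=$(mktemp)
sample_log "$DEMO_LOG"
failed_logins_by_host "$DEMO_LOG"
echo "--- hosts with >= 3 failures:"
hosts_over_threshold "$DEMO_LOG" 3
rm -f "$DEMO_LOG"
```

The threshold is the knob to tune: a single mistyped password should not trip it, but the repeated failures from one address seen in your logs should. When running this on a busy server, remember that /var/log/secure is rotated, so count across the rotated files too if the window of interest spans a rotation.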
7. Summary Checklist
Use this checklist when creating a new FTP user:
Create Linux user: useradd -m -s /sbin/nologin <username>
Set password: passwd <username>
Set directory permissions: chown root:root /home/<username> && chmod 755 /home/<username>
Create upload subdirectory and assign ownership
Add user to /etc/vsftpd/user_list (if userlist_enable=YES)
Reload vsftpd: systemctl reload vsftpd
Test login from FTP client or curl
Monitor /var/log/secure for any auth errors