This guide will show you how to install and configure an FTP(s) server in CentOS.



  • Operating System of (s)FTP server : CentOS 7



01. Update the system package resources

$ sudo yum update


02. (Optional) Install nano, a simple text editor. Or use the default editor “vi”.

$ sudo yum install nano -y


03. Install the SFTP package

$ sudo yum install vsftpd -y


04. Verify that Very Secure FTP  (VSFTP) has been installed by checking the version.

$ vsftpd -version


05. Start the service, since it is disabled by default

$ sudo systemctl start vsftpd


06. Set the service to automatically start on boot

$ sudo systemctl enable vsftpd


07. Create the firewall rules to allow FTP traffic on Port 21.

$ sudo firewall-cmd --zone=public --permanent --add-port=21/tcp
$ sudo firewall-cmd --zone=public --permanent --add-service=ftp
$ sudo firewall-cmd --reload


If an error saying that “FirewallD is not running” execute the following first then retry the commands

$ sudo systemctl enable firewalld
$ sudo systemctl start firewalld

# Check that the service is running
$ systemctl status firewalld



01. Backup the original version of the VSFTP configuration

$ sudo cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.original


02. Edit the configuration file

$ sudo cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.original


03. For FTP access for registered users. Applicable for registered Users with Password or SSH (or SFTP).

anonymous_enable NO

When enabled non-registered users will be able to access the FTP service. Set the value as “NO” to not allow anonymous access.

local_enable YES

Set value as “YES”

write_enable Value: YES

Uncomment this setting. Set value as “YES”

chroot_local_user Value: YES

Uncomment this setting. Limit the FTP users to their own directory. Set value as “YES”

chroot_list_file Value: /etc/vsftpd/chroot_list

Uncomment this setting and set the value as “/etc/vsftpd/chroot_list”.


Add the following configurations at the bottom.




04. Restart the service to apply the changes

$ sudo systemctl restart vsftpd


05. Check the status of the service to see if there are errors.

$ sudo systemctl status vsftpd


Configuration – SSL / FTPS

To secure the FTP with SSL/TLS certificate use the following steps. Note that if SSL is configured, anonymous access via Username and Password will not be allowed if you perform the following steps. Only SFTP or registered user with SSH keys configured will be allowed.

Also note that you can also provide or install your own/bought SSL certificate. In this example we will be creating a self-signed certificate.

01. Create the directory to place the SSL file

$ mkdir /etc/ssl/private/


02. Create a new certificate or ignore this and install/copy your own certificate. You will be asked for details on the SSL, this is also standard process if you bought an SSL certificate.

$ sudo openssl req -x509 -nodes -keyout /etc/ssl/private/vsftpd-selfsigned.pem -out /etc/ssl/private/vsftpd-selfsigned.pem -days 365 -newkey rsa:2048


Explanation for the parameters used

  • req – is a command for X.509 Certificate Signing Request (CSR) management.
  • x509 – means X.509 certificate data management.
  • days –  validity for the certificate, number of days before it expires
  • newkey – flag saying this is a new key
  • rsa:2048 – RSA key processor, will generate a 2048 bit private key
  • keyout – sets the key storage file
  • out – sets the certificate storage file


03. Enable the TCP port in the firewall

$ sudo firewall-cmd --zone=public --add-port=990/tcp --permanent

# For passive mode
$ sudo firewall-cmd --zone=public --add-port=40001-40100/tcp --permanent

# Apply the changes
$ sudo firewall-cmd --reload


04. Open the VSFTP configuration for editing

$ sudo nano /etc/vsftpd/vsftpd.conf


05. Add the following at the end of the file

# SSL configuration (TLS v1.2)

# configure the location of the SSL certificate and key file

# prevent anonymous users from using SSL
# force all non-anonymous logins to use SSL for data transfer

# force all non-anonymous logins to use SSL to send passwords

# Select the SSL ciphers VSFTPD will permit for encrypted SSL connections with the ssl_ciphers option.

# turn off SSL reuse

# For debug Purpose


06. Restart the service to apply the changes

$ sudo systemctl restart vsftpd


07. Check the status of the service to see if there are errors.

$ sudo systemctl status vsftpd


If you try to access the FTP server when using a client that does not use encryption. You will get the following message. Solution for this is to use an account with SFTP (User with SSH key) or FileZilla.


Adding an FTP User

01. Create a new FTP user

Note that using SSH requires the SSH service running. If it is not installed, follow the instructions here on how to install it.

$ sudo adduser {{username}}

$ sudo adduser sysad


Switch to the new user

$ sudo su - {{username}}

$ sudo su - sysad


Create SSH directory and update the permissions

$ cd ~
$ mkdir .ssh
$ chmod 700 .ssh
$ nano .ssh/authorized_keys


Set the content of the file with the public key of the user. It should contain something like. You can generate new key using online tools like the one here.


Update the permission of the authorized key

$ chmod 600 .ssh/authorized_keys


Exit from the user session.

$ exit


Restart the SSH service

$ sudo service sshd restart


02. Add a new user to the list FTP users.

$ echo {{username}} | sudo tee –a /etc/vsftpd/user_list

$ echo sysad | sudo tee –a /etc/vsftpd/user_list


03. Create the directory for the new user, and update the permissions. The following is only a sample structure for the user. Depending on the directory structure is designed the steps may be different. It will also disable accessing of the user directories from other users.

$ sudo mkdir –p /home/{{username}}/ftp/upload
$ sudo chmod 550 /home/{{username}}/ftp
$ sudo chmod 750 /home/{{username}}/ftp/upload
$ sudo chown –R {{username}}: /home/{{username}}/ftp

$ sudo mkdir -p /home/sysad/ftp/upload
$ sudo chmod 550 /home/sysad/ftp
$ sudo chmod 750 /home/sysad/ftp/upload
$ sudo chown -R sysad: /home/sysad/ftp


04. Create or update the chroot user list. These are the users who are “jailed”, meaning they can only access their own folders.

$ sudo nano /etc/vsftpd/chroot_list


Add the user to the file




Removing an FTP User

01. Access the server and execute the following command to remove the user. Add an “-r” before the username to remove the user files.

$ sudo userdel {{username}}

$ sudo userdel sysad


Remove also the user file.

$ sudo userdel -r {{username}}

$ sudo userdel -r sysad


Accessing the FTP Server

Via CLI (Ubuntu)

Registered User with SSH key

01. Add the Private key to the SSH session

$ ssh-add {{private-ssh-key}}

$ ssh-add sysad_key.private


02. Login via SFTP. Accept the fingerprint confirmation the first time this command is executed.

$ sftp {{username}}@{{hostname-or-ip-address}}

$ sftp [email protected]


03. To list the files and folders of the current working directory.

$ ls -l


04. To change to a directory use “cd”, and use “pwd” to see the current directory.

$ cd {{sub-directory}}

$ cd ftp


05. To download a file from the FTP server

$ get {{file-name}}

$ get sample.txt


06. To upload a file to the FTP server. Note that the files you can upload are dependent on the directory where you performed the FTP login. You can also specify an absolute path of the file or directory you want to upload.

$ put {{file-name}}

$ put sample.txt


Via FileZilla

01. On the “File” menu, select “Site Manager”.


02. Create a new site, and set the settings as follows. Then click on the “Connect” button.

Host “{{ip-address-or-hostname}}”

IP Address or Hostname of the FTP server

Port “22”

SFTP Port, 22 is the default

Protocol “SFTP – SSH File Transfer Protocol”
Logon Type “Key file”
User “{{os-username}}”

Example: sysad

Key file “{{key-file-path}}”

Key file in PPK format.



03. On successful authentication, the remote FTP server and its accessible folders will be visible.

For the anonymous user with accessible “pub” directory:


04. To download a file on the right side, there is “Remote site” section that looks like a file system directory and files. Select a file, then right-click to open the context menu. Then select “Download”. The file will be downloaded on the current value of the “Local site” on the left section.


05. To upload a file. Select or navigate the value what file you want to upload on the “Local site”. Then select or navigate the directory for the destination on the “Remote site”. Select the file from the “Local site”, right-click, then select “Upload”.

Select file from local


Click on the “Upload” option.

Previous Is Your Code Inclusive?
Next 7 Benefits Of Using VPN For Your Business