Wednesday, November 11, 2015

VSFTPD - Set up your FTP server on a CentOS 6x system

Warm Diwali wishes, friends!

I was wondering what to do on this festive day, which is already spoiled by incessant rain, and then felt like documenting something useful. So, here is one:

VSFTPD! Passive or Active, too much confusion? Here is how to set up both on a CentOS 6.x system (it should work on RHEL and Fedora based systems as well):


A. Installation is a breeze using YUM:
# yum install vsftpd -y

B. Some custom configuration
     Make the following changes in the "/etc/vsftpd/vsftpd.conf" file:

1. No anonymous login:
anonymous_enable=NO

2. I needed the full log (vsftpd's own detailed format instead of the standard xferlog), including connection details of clients:

xferlog_std_format=NO

3. Add this:
log_ftp_protocol=YES

4. The following restricts FTP users to their own home directories. It is not a good
   thing to allow them to peep into others' :-)

chroot_local_user=YES

5. I wanted only specific users to have FTP access, so I listed those users in
   "/etc/vsftpd/user_list", commenting out the default entries:

   userlist_deny=NO
   (This turns /etc/vsftpd/user_list into an allow-list: include only those users
   who need FTP service.)

6. Active OR Passive?

A. Specific to Active FTP:

pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES
pasv_enable=NO


B. Specific to Passive FTP (open the passive port range in the firewall):

## For passive FTP mode

pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES

pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50999
port_enable=YES
pasv_addr_resolve=YES
pasv_address=xxx.xxx.xxx.xxx
(Public IP of your FTP server; it may be needed here because this OpenStack
instance is behind a NAT.)


7. SELinux!
   (Modify the SELinux boolean if you encounter "500 OOPS: cannot change
   directory:/home/ Login failed.")

A. Grab the values:

# getsebool -a | grep ftp
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_fusefs --> off
ftpd_use_passive_mode --> on
httpd_enable_ftp_server --> off
tftp_anon_write --> off
tftp_use_cifs --> off
tftp_use_nfs --> off

B. Change the home directory specific boolean value:

   # setsebool -P ftp_home_dir on
   (See the man page for options.)


C. Test the FTP server

   Create an FTP user (a system user) and set his login shell to /sbin/nologin (to
   deny him SSH access). Test your FTP server using a command line FTP client or
   the GUI based FileZilla (or any other client of your choice).
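As an added example (not part of the original post), here is a POSIX shell script that applies the section B settings to a vsftpd.conf without leaving duplicate or commented-out keys, and sanity-checks the passive range before you open it in the firewall. The helper names, the 203.0.113.10 address and the temp file it edits are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: apply the section B vsftpd.conf
# settings to a config file. Helper names are this example's own; it runs on
# a constructed temp file, not on a live /etc/vsftpd/vsftpd.conf.

# set_opt FILE KEY VALUE: rewrite an existing KEY= line (even one commented out,
# as in the stock vsftpd.conf) or append KEY=VALUE when the key is absent.
set_opt() {
    sed "s|^#*[[:space:]]*$2=.*|$2=$3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    grep -q "^$2=$3\$" "$1" || printf '%s=%s\n' "$2" "$3" >> "$1"
}
# get_opt FILE KEY: effective value (vsftpd applies lines in order, last wins).
get_opt() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Settings shared by both modes: no anonymous login, detailed logging, chroot,
# and user_list as an allow-list (userlist_deny=NO).
apply_common() {
    for kv in anonymous_enable=NO xferlog_std_format=NO log_ftp_protocol=YES \
              chroot_local_user=YES pam_service_name=vsftpd userlist_enable=YES \
              userlist_deny=NO tcp_wrappers=YES; do
        set_opt "$1" "${kv%%=*}" "${kv#*=}"
    done
}
# apply_passive FILE PUBLIC_IP MIN MAX: the passive block, with the real NAT'd
# public address in place of the xxx.xxx.xxx.xxx placeholder.
apply_passive() {
    apply_common "$1"
    for kv in pasv_enable=YES port_enable=YES pasv_addr_resolve=YES \
              "pasv_address=$2" "pasv_min_port=$3" "pasv_max_port=$4"; do
        set_opt "$1" "${kv%%=*}" "${kv#*=}"
    done
}
apply_active() { apply_common "$1"; set_opt "$1" pasv_enable NO; }

# check_passive FILE: before opening the range in the firewall, verify that
# min <= max, both are unprivileged ports, and pasv_address is filled in; on
# success print the CentOS 6 iptables rule for the range (printed, not run).
check_passive() {
    min=$(get_opt "$1" pasv_min_port) max=$(get_opt "$1" pasv_max_port)
    addr=$(get_opt "$1" pasv_address)
    [ "${min:-0}" -gt 1024 ] && [ "$min" -le "$max" ] || return 1
    case "$addr" in ''|*xxx*) return 1 ;; esac
    echo "iptables -I INPUT -p tcp --dport $min:$max -j ACCEPT"
}

# Constructed stand-in for /etc/vsftpd/vsftpd.conf with a few stock defaults.
CONF=$(mktemp)
printf '%s\n' anonymous_enable=YES '#chroot_local_user=YES' xferlog_std_format=YES > "$CONF"
apply_passive "$CONF" 203.0.113.10 50000 50999
check_passive "$CONF"
```

For the test user in section C, note that vsftpd's PAM stack on CentOS 6 includes pam_shells, so the user's shell must be listed in /etc/shells; /sbin/nologin is there by default, which is why that shell blocks SSH but still permits FTP logins.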