Set up an anonymous FTP server with vsftpd in less than a minute

This small HOWTO describes how to configure vsftpd for an anonymous FTP site in order to make files available across your local network or the internet. The scenario this guide is based on is to quickly make a linux distribution’s installation tree available across the local network in order to be used for a network installation. In this example, I run an anonymous FTP service on my desktop computer making the CentOS installation tree available directly from its installation DVD. This should give you an idea about how to share files or directories that do not physically exist in the root directory of the FTP site.

vsftpd Configuration

Assuming vsftpd has already been installed in the standard location, the directory /etc/vsftpd/, which contains its configuration files, should exist. You can edit vsftpd’s default configuration file (/etc/vsftpd/vsftpd.conf), but in this example, we will create a new configuration file from scratch.

Create a new configuration file named /etc/vsftpd/vsftpd-anon.conf and open it in your favourite text editor and write down the directives that follow:

Set the server to run in standalone mode. This means that vsftpd will run into the background and handle the incoming requests on its own. The alternative method (listen=NO) would require you to set up a xinetd service. This would not be a bad idea, but for the sake of this example, it would be a waste of time.

listen=YES

The following directives prevent local users from logging in and enables anonymous access respectively.

local_enable=NO
anonymous_enable=YES

The following directive disables write access to the ftp server’s filesystem. This is a global switch, so noone will be able to upload or modify any files on your ftp site.

write_enable=NO

Sets the root directory for anonymous connections. By default, this is /var/ftp/.

anon_root=/var/ftp

The following configuration directives are optional and can be safely omitted.

Limit the rate at which anonymous users can retrieve files.

anon_max_rate=2048000

Enable logging information about user logins an file transfers. The log file is located at /var/log/vsftpd.log.

xferlog_enable=YES

Set the interface and port the service will listen on. By default, vsftpd will bind to all local network interfaces on port 21, which is the standard port of the File Transfer Protocol. Note that listen_address accepts only numeric IP addresses (no hostnames).

listen_address=192.168.0.100
listen_port=21

The entire vsftpd-anon.conf file

#
# Sample anonymous FTP server configuration
#
# Mandatory directives
#
listen=YES
local_enable=NO
anonymous_enable=YES
write_enable=NO
anon_root=/var/ftp
#
# Optional directives
#
anon_max_rate=2048000
xferlog_enable=YES
listen_address=192.168.0.100
listen_port=21

Start or Stop the FTP server

Assuming you have created the supplementary vsftpd-anon.conf configuration file, run as user root:

vsftpd /etc/vsftpd/vsftpd-anon.conf

To stop the service run:

killall vsftpd

Alternatively, you can send the SIGTERM signal to a specific vsftpd process.

On the other hand, if you had edited vsftpd’s default configuration file, you could start/stop the service using the /etc/init.d/vsftpd initscript.

Sharing files and directories

An FTP server without any files is like having a swimming pool without any water in it. In order to make some files and directories available through your FTP service you have two options:

  1. Copy or move the files or directories inside the anon_root directory.
  2. Create bind mounts of the directories you want to share in the anon_root directory.

You may wonder why you cannot just create some symbolic links inside anon_root pointing to the directories you want to share. Even if you created those symlinks and connected to the service using an FTP client, you would notice that you are not permitted to reach the linked location. This happens because anonymous users are restricted (chrooted) to anon_root and, therefore, no location outside this directory is accessible using symlinks.

Bind mounts are the solution to this problem. When bind-mounting, you mount a directory (A) to another directory (B) on the same or different filesystem, so that the contents of directory A appear as contents of directory B. It’s like a symlink, but at a lower level of the filesystem and that’s why you can reach locations outside the chroot jail.

In our scenario, the installation tree of a Linux distribution is shared through the FTP service. It is assumed that the installation medium has been inserted into the drive and either the system or you have mounted it, for example, to the directory /media/CentOS/. We want the contents of the DVD to be accessible through the FTP server, so we need to bind-mount the DVD contents to a directory inside anon_root. As user ‘root‘ issue the following command:

mount --bind /media/CentOS /var/ftp/pub

Now, connecting to the FTP service you will notice that the contents of the pub/ directory is the CentOS installation tree.

It is quite obvious that, despite the fact that vsftpd does not support the creation of a virtual filesystem (mainly a virtual directory structure) internally, one can be easily implemented with bind-mounts.

Do not forget the firewall

When we run a server temporarily on the desktop computer, we tend to forget to open the necessary ports on the filewall. In the case of vsftpd, you should open port 21 or the port number you have assigned to the listen_port configuration directive. Please consult the documentation of your firewall management application about how to perform this action.

Further Reading

Set up an anonymous FTP server with vsftpd in less than a minute by George Notaras is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Permissions beyond the scope of this license may be available at Licensing Information.
Copyright © 2008 - Some Rights Reserved

George Notaras avatar

About George Notaras

George Notaras is the editor of G-Loaded Journal, a technical blog about Free and Open-Source Software. George, among other things, is a GNU/Linux enthusiast, a self-taught programmer and system administrator. He strongly believes that "knowledge is power" and has created this web site to share the IT knowledge and experience he has gained over the years with other people. George primarily uses CentOS and Fedora and spends some of his spare time developing open-source software. Follow George on Twitter: @gnotaras

11 responses on “Set up an anonymous FTP server with vsftpd in less than a minute

  1. D Permalink →

    FTP is an obsolete and outdated protocol.
    Anyone using FTP should seriously consider using WebDAV.

    Since DAV works over HTTP, you get all the benefits of HTTP that FTP cannot provide. For example: strong authentication, encryption, proxy support, and caching. It is true that you can get some of this through SSH, but the HTTP infrastructure is much more widely deployed than SSH. Further, SSH does not have the wide complement of tools, development libraries, and applications that HTTP does.

    DAV transfers (well, HTTP transfers) are also more efficient than FTP. You can pipeline multiple transfers through a single TCP connection, whereas FTP requires a new connection for each file transferred (plus the control connection).

  2. George Notaras Post authorPermalink →

    Although I haven’t used webdav as much, I agree and I will probably check it out extensively whenever I have enough spare time. However, this was supposed to be a very quick way to make the installation tree of the linux distribution available across the network and ftp seemed like the ideal solution for a quick setup.

    Thanks for your feedback :-)

  3. Agile Permalink →

    Anyone have instructions on how to set up WebDAV. Also, don’t you need a ftp
    running server too?

    My problem is when is use ftp://agile@localhost it works (with both httpd and vsftpd
    running.)

    But if I try it from another host if fails. Error in log file for vsftpd indicates
    incorrect login. But I can login to vsftpd with /usr/bin/ftp without any problems.

    Any leads on how to resolve the problem would be greatly appreciated.

  4. George Notaras Post authorPermalink →

    Agile: You do not need an FTP server in order to setup webdav. You can consider WebDav as an FTP replacement.

    As for the connectivity problems, please make sure that you have opened the relevant ports (21 for FTP, 80 for HTTP) in the server’s firewall. Having set up your firewall correctly, setup an anonymous FTP service as described in the article above, and try to connect from other machines.

    Finally, you should not use “localhost” as the server address when connecting from other machines, but use the server’s IP instead.

  5. dE Permalink →

    “Create bind mounts of the directories you want to share in the anon_root directory.”

    This does not work directly. You have to bind in a subfolder for it to work.

    vsftpd has major issues IMO.

  6. David D. Permalink →

    Exactly what i was looking for! Thanks mate!

  7. Pankaj Rana Permalink →

    i tried this
    its working
    but i am unable to open ftp on ms windows xp

  8. Nuno Permalink →

    Hi thanks for sharing this.
    im having problems setting up vsftpd for a management server to support my cisco routers and switches infrastructure, the problem is that when trying to connect to the vsftpd server it asks for a username and password, which iv configured to be anonymous, but cisco does not support authentication, it just needs an ftp with no login requirements, can you please tell me how can i do this?

    would be appreciated,

    NL

  9. George Notaras Post authorPermalink →

    @Nuno

    > the problem is that when trying to connect to the vsftpd server it asks
    > for a username and password, which iv configured to be anonymous,
    > but cisco does not support authentication

    I am not sure I understand what you mean here. On every FTP session you have to supply a username and a password. Even when connecting to anonymous FTP servers you have to supply the username anonymous and any password (in the old days we used to set our email address as the password). Also note that you should not create a user in your system called anonymous. This is just a built-in username in ftp servers to use in anonymous logins. You do not have to create such a user.

    Hope it helps.

  10. luciano Permalink →

    Why it is required to set up:
    local_enable=NO ?
    This means i cannot use my vsftp server for local user and anonymous at the same time ?

    Best Regards

    1. George Notaras Post authorPermalink →

      Yes, it can be used. This example is about setting up an anonymous ftp site, so local user access is disabled. That’s all.

      Regards,
      George