vsftpd

Contents

vsftpd

About

https://security.appspot.com/vsftpd.html
vsftpd Changelog
man 5 vsftpd.conf
man 8 vsftpd
man 5 ftpusers
Default log-files
- /var/log/vsftpd.log
- /var/log/xferlog
Hints
- Guests are if enabled mapped to username ftp (Please see option guest_username)

lftp

Installation

Install vsftpd

   1 apt install vstftd ca-certificates

Configure

Create users

Create an unpriviledged system user ftpsecure.
This user will have group nogroup, no home directory /nonexistent and no login-shell /usr/sbin/nologin.

   1 # adduser --system \
   2         --comment "Unpriviledged user for vsftpd" \
   3         ftpsecure
   4 # getent passwd ftpsecure
   5 ftpsecure:x:107:65534:Unpriviledged user for vsftpd,,,:/nonexistent:/usr/sbin/nologin

Configure the firewall

Define a firewall window in your perimeter firewall (e.g. 50000-50999). And if you are running a local firewall ensure connections in this window are also accepted.

User access control

/etc/ftpusers

   1 # /etc/ftpusers: list of users disallowed FTP access. See ftpusers(5).
   2 
   3 root
   4 daemon
   5 bin
   6 sys
   7 sync
   8 games
   9 man
  10 lp
  11 mail
  12 news
  13 uucp
  14 nobody

/etc/vsftpd.user_list

   1 ### THIS IS A POSITIVE LIST BECAUSE
   2 ### userlist_deny=NO (Default: YES)
   3 ### OTHER USERS ARE NOT ALLOWED TO CONNECT
   4 valid

If userlist_deny=YES, /etc/vsftpd.user_list could be a link to /etc/ftpusers

   1 ln -s /etc/ftpusers /etc/vsftpd.user_list

=== vsftpd banner ===

/etc/vsftpd.banner

   1 ###                                                                                                                                                                                                                                                         
   2 # Rockstable VSFTPD                                                                                                                                                                                                                                         
   3 #                                                                                                                                                                                                                                                           
   4 # If you are not authrorized to utilize this FTP service,                                                                                                                                                                                                   
   5 # disconnect iimmediately. Any malicous usage will be persecuted.                                                                                                                                                                                           
   6 ###                                                                                                                                                                                                                                                         
   7

vsftpd main configuration file

Quite a long file (toggle the display with the comments)
/etc/vsftpd.conf

   1 # Example config file /etc/vsftpd.conf
   2 #
   3 # The default compiled in settings are fairly paranoid. This sample file
   4 # loosens things up a bit, to make the ftp daemon more usable.
   5 # Please see vsftpd.conf.5 for all compiled in defaults.
   6 #
   7 # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
   8 # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
   9 # capabilities.
  10 #
  11 #
  12 # Run standalone?  vsftpd can run either from an inetd or as a standalone
  13 # daemon started from an initscript.
  14 listen=NO
  15 #
  16 # This directive enables listening on IPv6 sockets. By default, listening
  17 # on the IPv6 "any" address (::) will accept connections from both IPv6
  18 # and IPv4 clients. It is not necessary to listen on *both* IPv4 and IPv6
  19 # sockets. If you want that (perhaps because you want to listen on specific
  20 # addresses) then you must run two copies of vsftpd with two configuration
  21 # files.
  22 listen_ipv6=YES
  23 #
  24 # Allow anonymous FTP? (Disabled by default).
  25 anonymous_enable=NO
  26 #
  27 # Uncomment this to allow local users to log in.
  28 local_enable=YES
  29 #
  30 # Uncomment this to enable any form of FTP write command.
  31 write_enable=YES
  32 #
  33 # Default umask for local users is 077. You may wish to change this to 022,
  34 # if your users expect that (022 is used by most other ftpd's)
  35 #local_umask=022
  36 #
  37 # Uncomment this to allow the anonymous FTP user to upload files. This only
  38 # has an effect if the above global write enable is activated. Also, you will
  39 # obviously need to create a directory writable by the FTP user.
  40 #anon_upload_enable=YES
  41 #
  42 # Uncomment this if you want the anonymous FTP user to be able to create
  43 # new directories.
  44 #anon_mkdir_write_enable=YES
  45 #
  46 # Activate directory messages - messages given to remote users when they
  47 # go into a certain directory.
  48 dirmessage_enable=YES
  49 #
  50 # If enabled, vsftpd will display directory listings with the time
  51 # in  your  local  time  zone.  The default is to display GMT. The
  52 # times returned by the MDTM FTP command are also affected by this
  53 # option.
  54 use_localtime=YES
  55 #
  56 # Activate logging of uploads/downloads.
  57 #xferlog_enable=YES
  58 #
  59 # Make sure PORT transfer connections originate from port 20 (ftp-data).
  60 connect_from_port_20=YES
  61 #
  62 # If you want, you can arrange for uploaded anonymous files to be owned by
  63 # a different user. Note! Using "root" for uploaded files is not
  64 # recommended!
  65 #chown_uploads=YES
  66 #chown_username=whoever
  67 #
  68 # You may override where the log file goes if you like. The default is shown
  69 # below.
  70 #xferlog_file=/var/log/vsftpd.log
  71 #
  72 # If you want, you can have your log file in standard ftpd xferlog format.
  73 # Note that the default log file location is /var/log/xferlog in this case.
  74 #xferlog_std_format=YES
  75 #
  76 # You may change the default value for timing out an idle session.
  77 #idle_session_timeout=600
  78 #
  79 # You may change the default value for timing out a data connection.
  80 #data_connection_timeout=120
  81 #
  82 # It is recommended that you define on your system a unique user which the
  83 # ftp server can use as a totally isolated and unprivileged user.
  84 #nopriv_user=ftpsecure
  85 
  86 # Enable this and the server will recognise asynchronous ABOR requests. Not
  87 # recommended for security (the code is non-trivial). Not enabling it,
  88 # however, may confuse older FTP clients.
  89 #async_abor_enable=YES
  90 #
  91 # By default the server will pretend to allow ASCII mode but in fact ignore
  92 # the request. Turn on the below options to have the server actually do ASCII
  93 # mangling on files when in ASCII mode.
  94 # Beware that on some FTP servers, ASCII support allows a denial of service
  95 # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
  96 # predicted this attack and has always been safe, reporting the size of the
  97 # raw file.
  98 # ASCII mangling is a horrible feature of the protocol.
  99 #ascii_upload_enable=YES
 100 #ascii_download_enable=YES
 101 #
 102 # You may fully customise the login banner string:
 103 #ftpd_banner=Welcome to blah FTP service.
 104 #
 105 # You may specify a file of disallowed anonymous e-mail addresses. Apparently
 106 # useful for combatting certain DoS attacks.
 107 #deny_email_enable=YES
 108 # (default follows)
 109 #banned_email_file=/etc/vsftpd.banned_emails
 110 #
 111 # You may restrict local users to their home directories.  See the FAQ for
 112 # the possible risks in this before using chroot_local_user or
 113 # chroot_list_enable below.
 114 #chroot_local_user=YES
 115 #
 116 # You may specify an explicit list of local users to chroot() to their home
 117 # directory. If chroot_local_user is YES, then this list becomes a list of
 118 # users to NOT chroot().
 119 # (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
 120 # the user does not have write access to the top level directory within the
 121 # chroot)
 122 #chroot_local_user=YES
 123 #chroot_list_enable=YES
 124 # (default follows)
 125 #chroot_list_file=/etc/vsftpd.chroot_list
 126 #
 127 # You may activate the "-R" option to the builtin ls. This is disabled by
 128 # default to avoid remote users being able to cause excessive I/O on large
 129 # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
 130 # the presence of the "-R" option, so there is a strong case for enabling it.
 131 #ls_recurse_enable=YES
 132 #
 133 # Customization
 134 #
 135 # Some of vsftpd's settings don't fit the filesystem layout by
 136 # default.
 137 #
 138 # This option should be the name of a directory which is empty.  Also, the
 139 # directory should not be writable by the ftp user. This directory is used
 140 # as a secure chroot() jail at times vsftpd does not require filesystem
 141 # access.
 142 secure_chroot_dir=/var/run/vsftpd/empty
 143 #
 144 # This string is the name of the PAM service vsftpd will use.
 145 pam_service_name=vsftpd
 146 #
 147 # This option specifies the location of the RSA certificate to use for SSL
 148 # encrypted connections.
 149 #rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
 150 #rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
 151 #ssl_enable=NO
 152 #
 153 # Uncomment this to indicate that vsftpd use a utf8 filesystem.
 154 #utf8_filesystem=YES
 155 
 156 
 157 ### CUSTOM CONFIGURATION
 158 
 159 #This option is the name of a file containing text to display when someone connects to the server.
 160 #If set, it overrides the banner string provided by the ftpd_banner option.
 161 #Default: (none)
 162 banner_file=/etc/vsftpd.banner
 163 
 164 #This string option allows you to override the greeting banner
 165 #displayed by vsftpd when a connection first comes in.
 166 #Default: (none - default vsftpd banner is displayed)
 167 #ftpd_banner=
 168 
 169 
 170 ### TLS
 171 #This option specifies the location of the RSA certificate
 172 #to use for SSL encrypted connections.
 173 #Default: /usr/share/ssl/certs/vsftpd.pem
 174 rsa_cert_file=/etc/letsencrypt/live/static1.rockstable.it/fullchain.pem
 175 
 176 #This option specifies the location of the RSA private key
 177 #to use for SSL encrypted connections.
 178 #If this option is not set,
 179 #the private key is expected to be in the same file as the certificate.
 180 #Default: (none)
 181 rsa_private_key_file=/etc/letsencrypt/live/static1.rockstable.it/privkey.pem
 182 
 183 #This option is the name of a file to load Certificate Authority certs from,
 184 #for the purpose of validating client certs.
 185 #The loaded certs are also advertised to the client,
 186 #to cater for TLSv1.0 clients such as the z/OS FTP client.
 187 #Regrettably, the default SSL CA cert paths are not used,
 188 #because of vsftpd's use of restricted filesystem spaces (chroot).
 189 #(Added in v2.0.6).
 190 #Default: (none)
 191 #ca_certs_file=
 192 
 193 #This option specifies the location of the DSA certificate
 194 #to use for SSL encrypted connections.
 195 #Default: (none - an RSA certificate suffices)
 196 #dsa_cert_file=
 197 
 198 #This option specifies the location of the DSA private key
 199 #to use for SSL encrypted connections.
 200 #If this option is not set,
 201 #the private key is expected to be in the same file as the certificate.
 202 #Default: (none)
 203 #dsa_private_key_file=
 204 
 205 #If enabled, and vsftpd was compiled against OpenSSL,
 206 #vsftpd will support secure connections via SSL.
 207 #This applies to the control connection (including login) and also data connections.
 208 #You'll need a client with SSL support too.
 209 #NOTE!! Beware enabling this option.
 210 #Only enable it if you need it.
 211 #vsftpd can make no guarantees about the security of the OpenSSL libraries.
 212 #By enabling this option, you are declaring
 213 #that you trust the security of your installed OpenSSL library.
 214 #Default: NO
 215 ssl_enable=YES
 216 
 217 #If true, OpenSSL connection diagnostics are dumped to the vsftpd log file.
 218 #(Added in v2.0.6).
 219 #Default: NO
 220 #debug_ssl=NO
 221 
 222 #If enabled, an SSL handshake is the first thing expect on all connections (the FTPS protocol).
 223 #To support explicit SSL and/or plain text too,
 224 #a separate vsftpd listener process should be run.
 225 #Default: NO
 226 #implicit_ssl=NO
 227 
 228 #If set to yes, all SSL data connections are required to exhibit SSL session reuse
 229 #(which proves that they know the same master secret as the control channel).
 230 #Although this is a secure default,
 231 #it may break many FTP clients, so you may want to disable it.
 232 #For a discussion of the consequences,
 233 #see http://scarybeastsecurity.blogspot.com/2009/02/vsftpd-210-released.html
 234 #(Added in v2.1.0).
 235 #Default: YES
 236 require_ssl_reuse=YES
 237 
 238 #If enabled, vsftpd will request (but not necessarily require; see require_cert)
 239 #a certificate on incoming SSL connections.
 240 #Normally this should not cause any trouble at all,
 241 #but IBM zOS seems to have issues.
 242 #(New in v2.0.7).
 243 #Default: YES
 244 #ssl_request_cert=YES
 245 
 246 #Only applies if ssl_enable is activated.
 247 #If enabled, this option will permit SSL v2 protocol connections.
 248 #TLS v1 connections are preferred.
 249 #Default: NO
 250 ssl_sslv2=NO
 251 
 252 #Only applies if ssl_enable is activated.
 253 #If enabled, this option will permit SSL v3 protocol connections.
 254 #TLS v1 connections are preferred.
 255 #Default: NO
 256 ssl_sslv3=NO
 257 
 258 #Only applies if ssl_enable is activated.
 259 #If enabled, this option will permit TLS v1 protocol connections.
 260 #TLS v1 connections are preferred.
 261 #Default: YES
 262 ssl_tlsv1=NO
 263 
 264 #If enabled, SSL data uploads are required to terminate via SSL, not an EOF on the socket.
 265 #This option is required to be sure
 266 #that an attacker did not terminate an upload prematurely with a faked TCP FIN.
 267 #Unfortunately, it is not enabled by default because so few clients get it right.
 268 #(New in v2.0.7).
 269 #Default: NO
 270 strict_ssl_read_eof=NO
 271 
 272 #If enabled, SSL data downloads are required to terminate via SSL, not an EOF on the socket.
 273 #This is off by default as I was unable to find a single FTP client that does this.
 274 #It is minor.
 275 #All it affects is our ability to tell
 276 #whether the client confirmed full receipt of the file.
 277 #Even without this option, the client is able to check the integrity of the download.
 278 #(New in v2.0.7).
 279 #Default: NO
 280 strict_ssl_write_shutdown=NO
 281 
 282 #This option can be used to select which SSL ciphers
 283 #vsftpd will allow for encrypted SSL connections.
 284 #See the ciphers man page for further details.
 285 #Note that restricting ciphers can be a useful security precaution
 286 #as it prevents malicious remote parties
 287 #forcing a cipher which they have found problems with.
 288 #Default: DES-CBC3-SHA
 289 ssl_ciphers=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
 290 
 291 #Only applies if ssl_enable is active.
 292 #If set to YES, anonymous users will be allowed to use secured SSL connections.
 293 #Default: NO
 294 allow_anon_ssl=YES
 295 
 296 #Only applies if ssl_enable is activated.
 297 #If activated, all anonymous logins are forced to use a secure SSL
 298 #connection in order to send and receive data on data connections.
 299 #Default: NO
 300 force_anon_data_ssl=YES
 301 
 302 #Only applies if ssl_enable is activated.
 303 #If activated, all anonymous logins are forced to use a secure SSL
 304 #connection in order to send the password.
 305 #Default: NO
 306 force_anon_logins_ssl=YES
 307 
 308 #Only applies if ssl_enable is activated.
 309 #If activated, all non-anonymous logins are forced to use a secure
 310 #SSL connection in order to send and receive data on data connections.
 311 #Default: YES
 312 force_local_data_ssl=YES
 313 
 314 #Only applies if ssl_enable is activated.
 315 #If activated, all non-anonymous logins are forced to use a secure
 316 #SSL connection in order to send the password.
 317 #Default: YES
 318 force_local_logins_ssl=YES
 319 
 320 
 321 ### PASSIV MODE
 322 #Set to NO if you want to disallow the PASV method of obtaining a data connection.
 323 #Default: YES
 324 #pasv_enable=YES
 325 
 326 #Set to YES if you want to disable the PASV security check
 327 #that ensures the data connection originates
 328 #from the same IP address as the control connection.
 329 #Only enable if you know what you are doing!
 330 #The only legitimate use for this is
 331 #in some form of secure tunnelling scheme,
 332 #or perhaps to facilitate FXP support.
 333 #Default: NO
 334 #pasv_promiscuouas=NO
 335 
 336 #Use this option to override the IP address
 337 #that vsftpd will advertise in response to the PASV command.
 338 #Provide a numeric IP address, unless pasv_addr_resolve is enabled,
 339 #in which case you can provide a hostname
 340 #which will be DNS resolved for you at startup.
 341 #Default: (none - the address is taken from the incoming connected socket)
 342 #pasv_address =
 343 
 344 #Set to YES if you want to use a hostname (as opposed to IP address) in the pasv_address option.
 345 #Default: NO
 346 #pasv_addr_resolve=NO
 347 
 348 #The minimum port to allocate for PASV style data connections.
 349 #Can be used to specify a narrow port range to assist firewalling.
 350 #Default: 0 (use any port)
 351 pasv_min_port=50000
 352 
 353 #The maximum port to allocate for PASV style data connections.
 354 #Can be used to specify a narrow port range to assist firewalling.
 355 #Default: 0 (use any port)
 356 pasv_max_port=50999
 357 
 358 
 359 ### USER LISTS
 360 #If enabled, vsftpd will load a list of usernames, from the filename given by userlist_file.
 361 #If a user tries to log in using a name in this file, they will be denied before they are asked for a password.
 362 #This may be useful in preventing cleartext passwords being transmitted.
 363 #See also userlist_deny.
 364 #Default: NO
 365 userlist_enable=YES
 366 
 367 #This option is examined if userlist_enable is activated.
 368 #If you set this setting to NO, then users will be denied login
 369 #unless they are explicitly listed in the file specified by userlist_file.
 370 #When login is denied, the denial is issued before the user is asked for a password.
 371 #Default: YES
 372 userlist_deny=NO
 373 
 374 #This option is the name of the file loaded when the userlist_enable option is active.
 375 #Default: /etc/vsftpd.user_list
 376 userlist_file=/etc/vsftpd.user_list
 377 
 378 #This powerful option allows the override of any config option
 379 #specified in the manual page, on a per-user basis.
 380 #Usage is simple, and is best illustrated with an example.
 381 #If you set user_config_dir to be /etc/vsftpd_user_conf and
 382 #then log on as the user "chris",
 383 #then vsftpd will apply the settings in the file
 384 #/etc/vsftpd_user_conf/chris for the duration of the session.
 385 #The format of this file is as detailed in this manual page!
 386 #PLEASE NOTE that not all settings are effective on a per-user basis.
 387 #For example, many settings only prior to the user's session being started.
 388 #Examples of settings which will not affect any behviour on a per-user basis include
 389 #listen_address, banner_file, max_per_ip, max_clients, xferlog_file, etc.
 390 #Default: (none)
 391 user_config_dir=/etc/vsftpd_user_conf
 392 
 393 #After this many login failures, the session is killed.
 394 #Default: 3
 395 #max_login_fails=3
 396 
 397 
 398 ### PRIVILEGE SEPARATION
 399 #This is the name of the user that is used by vsftpd when it wants to be totally unprivileged.
 400 #Note that this should be a dedicated user,
 401 #rather than nobody.
 402 #The user nobody tends to be used for rather a lot of important things on
 403 #most machines.
 404 #Default: nobody
 405 nopriv_user=ftpsecure
 406 
 407 
 408 ### CHROOT
 409 #This option should be the name of a directory which is empty.
 410 #Also,
 411 #the directory should not be writable by the ftp user.
 412 #This directory is used as a secure chroot() jail
 413 #at times vsftpd does not require filesystem access.
 414 #Default: /var/run/vsftpd/empty
 415 #secure_chroot_dir=/var/run/vsftpd/empty
 416 
 417 #If activated, you may provide a list of local users
 418 #who are placed in a chroot() jail in their home directory upon login.
 419 #The meaning is slightly different if chroot_local_user is set to YES.
 420 #In this case,
 421 #the list becomes a list
 422 #of users which are NOT to be placed in a chroot() jail.
 423 #By default,
 424 #the file containing this list is /etc/vsftpd.chroot_list,
 425 #but you may override this with the chroot_list_file setting.
 426 #Default: NO
 427 chroot_list_enable=YES
 428 
 429 #The option is the name of a file containing a list of local users
 430 #which will be placed in a chroot() jail in their home directory.
 431 #This option is only relevant if the option chroot_list_enable is enabled.
 432 #If the option chroot_lo‐
 433 #cal_user is enabled,
 434 #then the list file becomes a list of users to NOT place in a chroot() jail.
 435 #Default: /etc/vsftpd.chroot_list
 436 ### USERS IN POSITIVE USER_LIST ARE ALSO CHROOTED
 437 chroot_list_file=/etc/vsftpd.user_list
 438 
 439 #If set to YES, local users will be (by default)
 440 #placed in a chroot() jail in their home directory after login.
 441 #Warning: This option has security implications,
 442 #especially if the users have upload permission,
 443 #or shell access.
 444 #Only enable if you know what you are doing.
 445 #Note that these security implications are not vsftpd specific.
 446 #They apply to all FTP daemons which offer to put local users in chroot() jails.
 447 #Default: NO
 448 ### LEAVE THIS OPTION SET TO "NO", TO AVOID ACCIDENTIALLY NEGATING chroot_list_enable
 449 chroot_local_user=NO
 450 
 451 #If enabled, along with chroot_local_user,
 452 #then a chroot() jail location may be specified on a per-user basis.
 453 #Each user's jail is derived from their home directory string in /etc/passwd.
 454 #The occurrence of /./ in the home directory
 455 #string denotes that the jail is at that particular location in the path.
 456 #Default: NO
 457 #passwd_chroot_enable=NO
 458 
 459 ### A WRITABLE ROOT DIRECTOY OF A CHROOT SHOULD BE AVOIDED
 460 ### TO PROTECT THE DOT FILES AND TO MITIGATE THE ROARING BEAST ATTACK
 461 #allow_writeable_chroot=YES
 462 
 463 ### LOGGING
 464 #This option is the name of the file to which we write the vsftpd style log file.
 465 #This log is only written if the option xferlog_enable is set,
 466 #and xferlog_std_format is NOT set.
 467 #Alternatively, it is written if you have set the option dual_log_enable.
 468 #One further complication - if you have set syslog_enable,
 469 #then this file is not written and output is sent to the system log instead.
 470 #Default: /var/log/vsftpd.log
 471 vsftpd_log_file=/var/log/vsftpd.log
 472 
 473 #This option is the name of the file to which we write the wu-ftpd style transfer log.
 474 #The transfer log is only written if the option xferlog_enable is set,
 475 #along with xferlog_std_format.
 476 #Alternatively, it is written if you have set the option dual_log_enable.
 477 #Default: /var/log/xferlog
 478 xferlog_file=/var/log/xferlog
 479 
 480 #If enabled, a log file will be maintained detailling uploads and downloads.
 481 #By default, this file will be placed at /var/log/vsftpd.log,
 482 #but this location may be overridden using the configuration setting vsftpd_log_file.
 483 #Default: NO (but the sample config file enables it)
 484 xferlog_enable=YES
 485 
 486 #If enabled, the transfer log file will be written in standard xferlog format,
 487 #as used by wu-ftpd.
 488 #This is useful because you can reuse existing transfer statistics generators.
 489 #The default format is more readable, however.
 490 #The default location for this style of log file is /var/log/xferlog,
 491 #but you may change it with the setting xferlog_file.
 492 #Default: NO
 493 xferlog_std_format=NO
 494 
 495 #If enabled, then any log output
 496 #which would have gone to /var/log/vsftpd.log
 497 #goes to the system log instead.
 498 #Logging is done under the FTPD facility.
 499 #Default: NO
 500 #syslog_enable=NO
 501 
 502 #When enabled, all FTP requests and responses are logged,
 503 #providing the option xferlog_std_format is not enabled.
 504 #Useful for debugging.
 505 #Default: NO
 506 #log_ftp_protocol=YES
 507 
 508 #When enabled, this prevents vsftpd from taking a file lock when writing to log files.
 509 #This option should generally not be enabled.
 510 #It exists to workaround operating system bugs such as the Solaris / Veritas filesystem combination
 511 #which has been observed to sometimes exhibit hangs trying to lock log files.
 512 #Default: NO
 513 #no_log_lock=NO
 514 
 515 #If enabled, two log files are generated in parallel,
 516 #going by default to /var/log/xferlog and /var/log/vsftpd.log.
 517 #The former is a wu-ftpd style transfer log,
 518 #parseable by standard tools.
 519 #The latter is vsftpd's own style log.
 520 #Default: NO
 521 #dual_log_enable=NO
 522

Restart the vsftpd.service

   1 systemctl restart vsftpd.service

Skeleton dir

It may be nice to prepare the skeleton directory /etc/skel to contain some writable directories like "ftp" or "www"

   1 install -o root -g root -m 0750 -d /etc/skel/www

Test connection

Create two users on the FTP server with the same password

   1 for UNAME in "valid" "invalid"; do
   2         adduser "$UNAME"
   3         ### DETERMINE USERHOME
   4         UHOME="$(getent passwd "$UNAME" |cut -d: -f6)"
   5         ### SET USERHOME READONLY
   6         if [ "$UHOME" ]; then
   7                 chown root:"$UNAME" "$UHOME"
   8                 chmod 0750 "$UHOME"
   9         fi
  10 done
  11 
  12 ls -lRa /home/*valid
  13 
  14 ### ADD USER TO POSITIVE LIST
  15 echo "valid" >> /etc/vsftpd.user_list

Remember to the test users afterwards

   1 for UNAME in "valid" "invalid"; do
   2         deluser --remove-home "$UNAME"
   3 done

Create a test script locally ftp_testscript

   1 ls -la
   2 open "REMOTE_HOST"
   3 ls -la
   4 open -u unknown --env-password "REMOTE_HOST"
   5 ls -la
   6 open -u invalid --env-password "REMOTE_HOST"
   7 ls -la
   8 open -u valid --env-password "REMOTE_HOST"
   9 ls -la

Test the server automatically, again and again

   1 ### STORE THE PASSWORD IN THE VARIABLE 'LFTP_PASSWORD'
   2 pask LFTP_PASSWORD
   3 ### EXPORT THE VARIABLE TO SUB-PROCESSES
   4 export LFTP_PASSWORD
   5 LANG=C lftp -df <(sed -e 's/REMOTE_HOST/static1.rockstable.it/' ftp_testscript)

And the actual connection result

   1 ls: ls -la: Not connected
   2 ---- Resolving host address...
   3 ---- 1 address found: 178.63.149.235
   4 ---- Connecting to static1.rockstable.it (178.63.149.235) port 21
   5 <--- 220-###                   
   6 <--- 220-# Rockstable VSFTPD
   7 <--- 220-#
   8 <--- 220-# If you are not authorized to utilize this FTP service,
   9 <--- 220-# disconnect immediately. Any malicous usage will be persecuted.
  10 <--- 220-###
  11 <--- 220 
  12 ---> FEAT
  13 <--- 211-Features:                   
  14 <---  AUTH TLS
  15 <---  EPRT
  16 <---  EPSV
  17 <---  MDTM
  18 <---  PASV
  19 <---  PBSZ
  20 <---  PROT
  21 <---  REST STREAM
  22 <---  SIZE
  23 <---  TVFS
  24 <--- 211 End
  25 ---> USER anonymous
  26 <--- 530 Anonymous sessions must use encryption.
  27 ---> QUIT
  28 ls: ls -la: Login failed: 530 Anonymous sessions must use encryption.
  29 ---- Connecting to static1.rockstable.it (178.63.149.235) port 21
  30 ---- Closing control socket
  31 <--- 220-###                   
  32 <--- 220-# Rockstable VSFTPD
  33 <--- 220-#
  34 <--- 220-# If you are not authorized to utilize this FTP service,
  35 <--- 220-# disconnect immediately. Any malicous usage will be persecuted.
  36 <--- 220-###
  37 <--- 220 
  38 ---> FEAT
  39 <--- 211-Features:                   
  40 <---  AUTH TLS
  41 <---  EPRT
  42 <---  EPSV
  43 <---  MDTM
  44 <---  PASV
  45 <---  PBSZ
  46 <---  PROT
  47 <---  REST STREAM
  48 <---  SIZE
  49 <---  TVFS
  50 <--- 211 End
  51 ---> AUTH TLS
  52 <--- 234 Proceed with negotiation.  
  53 Loaded 152 CAs
  54 Loaded 0 CRLs
  55 ---> USER unknown
  56 <--- 530 Permission denied.    
  57 ---> QUIT
  58 ls: ls -la: Login failed: 530 Permission denied.
  59 ---- Connecting to static1.rockstable.it (178.63.149.235) port 21
  60 <--- 221 Goodbye.
  61 ---- Closing control socket
  62 <--- 220-###                         
  63 <--- 220-# Rockstable VSFTPD
  64 <--- 220-#
  65 <--- 220-# If you are not authorized to utilize this FTP service,
  66 <--- 220-# disconnect immediately. Any malicous usage will be persecuted.
  67 <--- 220-###
  68 <--- 220 
  69 ---> FEAT
  70 <--- 211-Features:                   
  71 <---  AUTH TLS
  72 <---  EPRT
  73 <---  EPSV
  74 <---  MDTM
  75 <---  PASV
  76 <---  PBSZ
  77 <---  PROT
  78 <---  REST STREAM
  79 <---  SIZE
  80 <---  TVFS
  81 <--- 211 End
  82 ---> AUTH TLS
  83 <--- 234 Proceed with negotiation.  
  84 Loaded 152 CAs
  85 Loaded 0 CRLs
  86 ---> USER invalid
  87 <--- 530 Permission denied.    
  88 ---> QUIT
  89 ls: ls -la: Login failed: 530 Permission denied.
  90 ---- Connecting to static1.rockstable.it (178.63.149.235) port 21
  91 <--- 221 Goodbye.              
  92 ---- Closing control socket
  93 <--- 220-###                         
  94 <--- 220-# Rockstable VSFTPD
  95 <--- 220-#
  96 <--- 220-# If you are not authorized to utilize this FTP service,
  97 <--- 220-# disconnect immediately. Any malicous usage will be persecuted.
  98 <--- 220-###
  99 <--- 220 
 100 ---> FEAT
 101 <--- 211-Features:                   
 102 <---  AUTH TLS
 103 <---  EPRT
 104 <---  EPSV
 105 <---  MDTM
 106 <---  PASV
 107 <---  PBSZ
 108 <---  PROT
 109 <---  REST STREAM
 110 <---  SIZE
 111 <---  TVFS
 112 <--- 211 End
 113 ---> AUTH TLS
 114 <--- 234 Proceed with negotiation.  
 115 Loaded 152 CAs
 116 Loaded 0 CRLs
 117 ---> USER valid
 118 <--- 331 Please specify the password.
 119 ---> PASS XXXX
 120 <--- 230 Login successful.           
 121 ---> PWD
 122 <--- 257 "/" is the current directory
 123 ---> PBSZ 0
 124 <--- 200 PBSZ set to 0.              
 125 ---> PROT P
 126 <--- 200 PROT now Private.               
 127 ---> PASV
 128 <--- 227 Entering Passive Mode (178,63,149,235,197,194).
 129 ---- Connecting data socket to (178.63.149.235) port 50626
 130 ---- Data connection established           
 131 ---> LIST -la
 132 <--- 150 Here comes the directory listing.
 133 Loaded 152 CAs
 134 Loaded 0 CRLs
 135 ---- Got EOF on data connection     
 136 ---- Closing data socket
 137 drwxr-xr-x    1 0        0              60 May 27 17:20 .
 138 drwxr-xr-x    1 0        0              60 May 27 17:20 ..
 139 -rw-r--r--    1 1011     1011          220 May 27 15:08 .bash_logout
 140 -rw-r--r--    1 1011     1011         3526 May 27 15:08 .bashrc
 141 -rw-r--r--    1 1011     1011          807 May 27 15:08 .profile
 142 drwxr-x---    1 1011     1011            0 May 27 17:20 www
 143 <--- 226 Directory send OK.
 144 ---> QUIT
 145 <--- 221 Goodbye.
 146 ---- Closing control socket

Looks fine.

Troubleshooting

Fatal error: gnutls_record_recv: An unexpected TLS packet was received.

If you receive the following error on connection.

   1 **** gnutls_record_recv: An unexpected TLS packet was received.
   2 ---- Closing control socket
   3 ls: Fatal error: gnutls_record_recv: An unexpected TLS packet was received.

That error is a bit miss-leading, I guess. It probably denotes, that vsftpd has a problem with the chroot directory.

either it's writable by the login user
or it's not readable at all

You can allow add the undocumented option to /etc/vsftpd.conf

   1 allow_writeable_chroot=YES

Writeable Chroot

The dot-files of the user need to be protected.
- Otherwise an attacker may place code which is executed, when a user logs in the next time via shell.
- Please do not run su or sudo with an interactive/login shell.
There is an attack which "Roaring Beast" attack.
- Exploits lazy loading of dynamic libraries in /etc or /lib
- Malicious libraries could have been placed there by an attacker.
- The attacker than issues an ftp command to the server, that triggers loading the libraries.
- The ftp-daemon is running under root privileges, than allows full privilege escalation.

426 Failure reading network stream.

If you receive the following error when uploading multiple files

   1 ---- Connecting to static1.rockstable.it (178.63.149.235) port 21
   2 <--- 220-###
   3 <--- 220-# Rockstable VSFTPD
   4 <--- 220-#
   5 <--- 220-# If you are not authorized to utilize this FTP service,
   6 <--- 220-# disconnect immediately. Any malicious usage will be persecuted.
   7 <--- 220-###
   8 <--- 220 
   9 ---> FEAT
  10 <--- 211-Features:
  11 <---  EPRT
  12 <---  EPSV
  13 <---  MDTM
  14 <---  PASV
  15 <---  PBSZ
  16 <---  PROT
  17 <---  REST STREAM
  18 <---  SIZE
  19 <---  TVFS
  20 <--- 211 End
  21 ---> AUTH TLS
  22 <--- 234 Proceed with negotiation.
  23 ---> USER username
  24 Certificate depth: 2; subject: /C=US/O=Internet Security Research Group/CN=ISRG Root X1; issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
  25 Certificate depth: 1; subject: /C=US/O=Let's Encrypt/CN=R10; issuer: /C=US/O=Internet Security Research Group/CN=ISRG Root X1
  26 Certificate depth: 0; subject: /CN=static1.rockstable.it; issuer: /C=US/O=Let's Encrypt/CN=R10
  27 Certificate verification: subjectAltName: ‘static1.rockstable.it’ matched
  28 <--- 331 Please specify the password.
  29 ---> PASS XXXX
  30 <--- 230 Login successful.
  31 ---> PBSZ 0
  32 <--- 200 PBSZ set to 0.
  33 ---> PROT P
  34 <--- 200 PROT now Private.
  35 ---- CWD path to be sent is `/html'
  36 ---> CWD /html
  37 <--- 250 Directory successfully changed.
  38 ---> TYPE I
  39 <--- 200 Switching to Binary mode.
  40 ---> PASV
  41 <--- 227 Entering Passive Mode (178,63,149,235,196,87).
  42 ---- Connecting data socket to (178.63.149.235) port 50263
  43 ---- Data connection established
  44 ---> STOR file.name
  45 <--- 150 Ok to send data.
  46 Certificate verification: subjectAltName: ‘static1.rockstable.it’ matched
  47 ---- Closing data socket
  48 <--- 426 Failure reading network stream.
  49 ---> QUIT
  50 <--- 221 Goodbye.
  51 ---- Closing control socket
  52 copy: put rolled back to 0, seeking get accordingly

Your client probably does not well terminate the TLS connection. Unfortunately modern ciphers require this.

This was detected with lftp 4.9.2-2+b1. This issue is already known, but the new version has not hit the repositories, yet. Update your client to a more recent version.
https://github.com/lavv17/lftp/issues/753

You may try to set, but it won't help.
/etc/vsftpd.conf

   1 ### FOR UPLOADS
   2 #If enabled, SSL data uploads are required to terminate via SSL, not an EOF on the socket.
   3 #This option is required to be sure
   4 #that an attacker did not terminate an upload prematurely with a faked TCP FIN.
   5 #Unfortunately, it is not enabled by default because so few clients get it right.
   6 #(New in v2.0.7).
   7 #Default: NO
   8 strict_ssl_read_eof=NO
   9                                                                                                                                                                                                                                      
  10 #If enabled, SSL data downloads are required to terminate via SSL, not an EOF on the socket.
  11 #This is off by default as I was unable to find a single FTP client that does this.
  12 #It is minor.
  13 #All it affects is our ability to tell
  14 #whether the client confirmed full receipt of the file.
  15 #Even without this option, the client is able to check the integrity of the download.
  16 #(New in v2.0.7).
  17 #Default: NO
  18 strict_ssl_write_shutdown=NO

Lftp in the distribution repos does not yet contain a fix. So the only workaround currently is to subsititute lftp, that has several drawbacks.
Options

sitecopy
wput
ftp-ssl
curl
…

Here's a solution with curl

   1 LFTP_PROTOCOL="ftp"
   2 LFTP_HOST="remote-host.example.com"
   3 LFTP_PATH_LOCAL="./public"
   4 LFTP_PATH_REMOTE="./remote/path"
   5 LFTP_USER="username"
   6 LFTP_PASSWORD="__secure_long_password"
   7 ### SIMPLE AND BAD SUBSTITUTION FOR LFTP
   8 ### NO DRY-RUN, NO DELETION
   9 find "${LFTP_PATH_LOCAL:=./public}" -type f \
  10         | sed "s#${LFTP_PATH_LOCAL}/##" \
  11         | xargs -P 2 -tI{} -- \
  12                 curl --ssl-reqd \
  13                         -u "$LFTP_USER:$LFTP_PASSWORD" \
  14                         --ftp-create-dirs \
  15                         --upload-file "${LFTP_PATH_LOCAL}/{}" \
  16                         "${LFTP_PROTOCOL}://${LFTP_HOST}${LFTP_PATH_REMOTE}/{}";

Protocols

Technologies

Configurations

Services

Misc

Navigation