Installing and configuring vsftpd on FreeBSD

In this handbook we will see how to install and configure the Very Secure FTP Daemon - vsftpd

As the official website states, vsftpd is a fast and secure FTP server and is used by a lot of big projects and companies.

Please read more about it, on the official site of vsftpd.

In this documentation we will be creating a vsftpd installation using virtual users, meaning that we will have one UNIX account named virtual, and all our FTP accounts will be mapped to that UNIX account, so in fact we won’t be creating any local accounts on the machine the FTP server will be running on.

During the preparation of this handbook I needed a private, shared, non-anonymous FTP server, which allows download/upload capabilities to my FTP users from a single location.

If you need to create an anonymous read-only FTP server, please refer to the official site of vsftpd, which contains a lot of examples of how to create different setups for your vsftpd installation.

The official website also contains examples on how to create virtual users setup, which allows different users to have their own home folders.

In this document we will cover only how to create a private shared FTP server, which requires authentication in order to download/upload files.

This setup has been tested and works fine on FreeBSD 8.1 and vsftpd version 2.3.2


  • root access or sudo rights


In order to install vsftpd, we will be using the FreeBSD Ports Collection.

To install vsftpd from ports, execute the following command:

$ cd /usr/ports/ftp/vsftp && sudo make install clean

When you execute the above command you should see the following screen, allowing you to select additional options for vsftpd.

You can safely leave the options as they are and continue with the installation.


Once the installation is over you should see something similar:

===> Installing rc.d startup script(s)
===>   Compressing manual pages for vsftpd-2.3.2
===>   Registering installation for vsftpd-2.3.2
      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.

      This port has installed the following startup scripts which may cause
      these network services to be started at boot time.

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage:
===>  Cleaning for vsftpd-2.3.2

In FreeBSD in order to be able to authenticate FTP users properly, we also need the security/pam_pwdfile port to be installed, so let’s install it too:

$ cd /usr/ports/security/pam_pwdfile && sudo make install clean

The installation of pam_pwdfile is pretty straightforward and should take a couple of seconds to complete.

Once the installation is over you should see something similar:

===>  Installing for pam_pwdfile-0.99_1
===>   Generating temporary packing list
===>  Checking if security/pam_pwdfile already installed
install -s -o root -g wheel -m 444 /usr/local/lib
===>   Registering installation for pam_pwdfile-0.99_1
===>  Cleaning for pam_pwdfile-0.99_1

We are now ready with the installation, so let’s go ahead and configure vsftpd.

Configuration of vsftpd

First we will configure vsftpd, so it is able to authenticate our FTP users - the information about the FTP users will be stored in the /usr/local/etc/vsftpd_login.db file, which we will later populate with some user accounts.

Now, create the /etc/pam.d/vsftpd file, which contains the following lines:

auth required /usr/local/lib/ pwdfile /usr/local/etc/vsftpd_login.db
account required /usr/lib/

Let’s create the virtual user for our vsftpd setup:

$ sudo adduser -v
Username: virtual
Full name: Virtual FTP user
Uid (Leave empty for default):
Login group [virtual]:
Login group is virtual. Invite virtual into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash rbash nologin) [sh]: nologin
Home directory [/home/virtual]:
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username   : virtual
Password   : *****
Full Name  : Virtual FTP user
Uid        : 1007
Class      :
Groups     : virtual
Home       : /home/virtual
Shell      : /usr/sbin/nologin
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (virtual) to the user database.
Add another user? (yes/no): no

We can now configure vsftpd, which keeps it’s configuration data in the /usr/local/etc/vsftpd.conf file.

NOTE: Below is just a sample configuration file that I’ve used for my private FTP server. Please refer to the manual pages of vsftpd(8) and vsftpd.conf(5) for more information about the configuration options that you might want to include.


listen_address=x.x.x.x # change this to the IP address vsftpd will be listening on
listen_port=21 # change this to whatever port you wish

max_clients=200 # change these to whatever you wish


pasv_min_port=50000 # change these too if you have a firewall running





Adding users to vsftpd

In order to create a user for our vsftp setup we will use the htpasswd tool, and we will keep the user details in the /usr/local/etc/vsftpd_login.db file.

In order to create the password database and create a user, use the following command:

$ sudo htpasswd -c -b /usr/local/etc/vsftpd_login.db USERNAME PASSWORD

Secure the password file:

$ sudo chmod 0600 /usr/local/etc/vsftpd_login.db

In order to add new users, after you’ve created the password database, use the following command:

$ sudo htpasswd -b /usr/local/etc/vsftpd_login.db USERNAME PASSWORD

Starting vsftpd

In order to start vsftpd, execute the following command:

$ sudo /usr/local/etc/rc.d/vsftpd start

If you want to start vsftpd during boot-time, add the following line to your /etc/rc.conf file:


Allowing FTP traffic through your firewall

Even though vsftpd is secure enough, just like any other service I wish to enable on my network, I prefer to isolate it in a jail environment.

It might not be your case, but in most of the cases your FTP server will be running on a machine behind a firewall, and if this is the case you need to enable the FTP traffic through your firewall to the internal FTP server.

Below you can find sample PF rules that you can use in order to pass traffic to and from your firewall to the internal FTP server.

# --- redirect ftp traffic to the internal ftp server ---
rdr on $ext_if proto tcp from any to $ext_if port $FTP_PORT -> $FTP_SERVER port $FTP_PORT
rdr on $ext_if proto tcp from any to $ext_if port 50000:50999 -> $FTP_SERVER port 50000:50999

# --- pass incoming ftp traffic ---
pass in quick on $ext_if inet proto tcp from any to $FTP_SERVER port $FTP_PORT keep state
pass in quick on $ext_if inet proto tcp from any to $FTP_SERVER port 50000:50999 keep state

While keeping in mind that you need to set in your /etc/pf.conf file the following macros:

  • ext_if - the external interface
  • FTP_PORT - the FTP port number your vsftpd server is listening on
  • FTP_SERVER - the IP address of the ftp server in your internal network<
  • 50000:50999 - this is the range of ports for passive FTP connections, that you set in your vsftpd.conf file
Written on January 13, 2011