CentOS FTP Server Port Setting Guide

小樊
2025-09-17 21:26:41

This guide provides step-by-step instructions for configuring FTP server ports on CentOS, focusing on vsftpd (the most commonly used FTP server in CentOS). The process includes modifying the configuration file, adjusting firewall rules, and testing the connection.

1. Install vsftpd

If vsftpd is not already installed, use the following command to install it:

sudo yum install vsftpd -y

2. Start and Enable vsftpd Service

Start the vsftpd service and configure it to start automatically on system boot:

sudo systemctl start vsftpd
sudo systemctl enable vsftpd

3. Modify vsftpd Configuration File

Edit the vsftpd main configuration file (/etc/vsftpd/vsftpd.conf) using a text editor (e.g., vi or nano):

sudo vi /etc/vsftpd/vsftpd.conf

Key Port-Related Configurations

  • Set the Command Port (Default: 21):
    Locate the listen_port parameter (or add it if absent) and specify your desired port (e.g., 2121). This is the port clients will use to connect to the FTP server.

    listen_port=2121
    
  • Configure Passive Mode Ports (Required for Active FTP):
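    In passive mode the server opens a data port and the client initiates the data connection to it. Define a fixed port range for passive mode so the firewall can allow exactly those ports. vsftpd only treats lines that begin with # as comments, so keep comments on their own lines and put no spaces around the = sign:

    pasv_enable=YES
    # Start of the passive mode port range
    pasv_min_port=2122
    # End of the passive mode port range
    pasv_max_port=2123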
    
  • Enable Listening Mode:
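    Ensure listen=YES is set so that vsftpd runs in standalone mode and listens on IPv4 (required for FTP connections). listen and listen_ipv6 are mutually exclusive, so listen_ipv6 must not also be set to YES.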

    listen=YES
    

4. Restart vsftpd Service

Apply the configuration changes by restarting the vsftpd service:

sudo systemctl restart vsftpd

5. Configure Firewall

Allow the new FTP command port and passive mode port range through the firewall (using firewalld, the default firewall tool in CentOS):

For firewalld

  • Permanent Rule for Command Port:

    sudo firewall-cmd --permanent --add-port=2121/tcp  # Replace 2121 with your custom port
    
  • Permanent Rule for Passive Mode Port Range:

    sudo firewall-cmd --permanent --add-port=2122-2123/tcp  # Replace with your pasv_min/max ports
    
  • Reload Firewall:

    sudo firewall-cmd --reload
    

6. Test FTP Connection

Verify the FTP server is accessible on the new port using an FTP client (e.g., ftp command-line tool or FileZilla):

ftp localhost 2121  # Replace 2121 with your custom port

Enter your FTP username and password when prompted. If the connection succeeds, the port configuration is correct.
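
A check for steps 3 to 5, added here as an example and not part of the original guide: it reads the port settings back out of a vsftpd.conf, flags values vsftpd would misparse (for instance a trailing # comment, which becomes part of the value), and prints the ports the firewalld rules must cover. The function names and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Function names are illustrative.

# Print the value of KEY in FILE (last assignment wins), or DEFAULT if unset.
conf_get() {  # usage: conf_get FILE KEY DEFAULT
  local v
  v=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
  printf '%s\n' "${v:-$3}"
}

# Show port-related directives whose value is not a bare YES, NO or number
# (trailing comment, stray spaces). Returns 1 if any such line exists.
conf_lint() {  # usage: conf_lint FILE
  ! grep -nE '^(listen|listen_port|pasv_enable|pasv_min_port|pasv_max_port)[[:space:]]*=' "$1" \
    | grep -vE '^[0-9]+:[a-z_]+=(YES|NO|[0-9]+)$'
}

# Print the ports to open, one per line, in firewall-cmd --add-port syntax.
ftp_ports() {  # usage: ftp_ports FILE
  local cmd min max
  cmd=$(conf_get "$1" listen_port 21)
  min=$(conf_get "$1" pasv_min_port 0)
  max=$(conf_get "$1" pasv_max_port 0)
  echo "$cmd/tcp"
  # 0 is vsftpd's default and means "any port", which no fixed rule can cover.
  if [ "$min" -gt 0 ] 2>/dev/null && [ "$max" -ge "$min" ] 2>/dev/null; then
    echo "$min-$max/tcp"
  else
    echo "passive range unusable: min=$min max=$max" >&2
    return 1
  fi
}

# Constructed sample: the guide's settings with the comment on its own line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
listen=YES
listen_port=2121
pasv_enable=YES
# Passive mode port range
pasv_min_port=2122
pasv_max_port=2123
EOF
conf_lint "$sample" && ftp_ports "$sample"   # prints 2121/tcp and 2122-2123/tcp
```

Point the functions at /etc/vsftpd/vsftpd.conf and compare the output with sudo firewall-cmd --list-ports.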

Optional: Disable SELinux (if applicable)

If SELinux is enforcing, it may block FTP connections. To temporarily switch SELinux to permissive mode, which stops enforcement until the next reboot (not recommended for production):

sudo setenforce 0

To permanently disable SELinux, edit /etc/selinux/config and set SELINUX=disabled, then reboot the server.

Security Recommendations

  • Use Strong Passwords: Ensure FTP users have complex passwords to prevent unauthorized access.
  • Limit User Access: Use the user_list file to restrict which users can log in to the FTP server.
  • Consider SFTP: For encrypted file transfers, use SFTP (SSH File Transfer Protocol) instead of FTP. SFTP uses port 22 by default and provides better security.