
FTP stands for File Transfer Protocol and is one of the most widely used and standard protocols over the Internet, which works on a client-server model and is used to transfer files between a client and a server.
Originally, FTP clients were command-line based, but now most platforms come with FTP clients and servers built-in, and many third-party FTP client/server programs are available.
Here we present 15 Interview Questions based on VsFTP (Very Secure File Transfer Protocol) running on Linux servers, explained in a simple and beginner-friendly way.

1. What is the difference between TFTP and FTP Server?
TFTP (Trivial File Transfer Protocol) and FTP are both used for transferring files, but they differ significantly:
- TFTP uses UDP (User Datagram Protocol), which is connectionless and does not guarantee delivery of packets, as it is mostly used for transferring small files like firmware updates or boot files.
- FTP uses TCP (Transmission Control Protocol), which is connection-oriented and ensures reliable delivery of data.
- FTP uses two ports: port 21 for control commands and port 20 for data transfer, while TFTP uses only port 69.
- FTP supports authentication (username/password), while TFTP typically does not, making FTP more secure and flexible for general use.

2. How to restrict users and disallow browsing beyond their home directories?
To prevent users from accessing directories outside their home folders, the chroot (change root) feature is used.
- In VsFTP, set the parameter chroot_local_user=YES in the vsftpd.conf file.
- This confines users to their home directories, improving security by preventing them from browsing or modifying files elsewhere on the server.
- Without this, users could potentially navigate to sensitive system files or other user directories.

3. How do you manage the number of FTP clients that can connect simultaneously?
Managing how many clients can connect simultaneously helps prevent server overload:
For example, max_clients=50 restricts the server to 50 active FTP clients at once, which is useful for maintaining performance and preventing DoS (Denial of Service) attacks.

4. How to limit FTP login attempts to prevent botnet or illegal access attempts?
To protect against brute-force attacks, you can limit failed login attempts:
- Use the max_login_fails parameter.
- This sets the maximum allowed failed login attempts before the session is terminated.
The default value is 3, meaning after three failed tries, the server disconnects the client, which helps secure the server from unauthorized access by bots or attackers.

5. How to enable file uploads for anonymous users?
By default, anonymous users cannot upload files for security reasons.

You may want to prevent users from downloading files while allowing uploads or other operations:

Local system users can be allowed to log in via FTP:
- Set local_enable=YES in vsftpd.conf.
- By default, this is disabled (NO), preventing local user logins.
- When enabled, local users can authenticate with their Linux system username and password.
- This is important for allowing internal users to upload/download files securely.

8. Is it possible to maintain logs of FTP requests and responses?
Logging is essential for security monitoring and debugging.
- Enable log_ftp_protocol=YES to log detailed FTP commands and responses.
- Also, enable xferlog_std_format=YES for standard transfer log formatting.
- Logs help track user activity, detect suspicious behavior, and troubleshoot issues.
- By default, detailed logging is disabled for performance reasons.

9. How to disable login temporarily after failed attempts?
To slow down brute-force attacks, you can delay login responses after failures:
- Use the delay_failed_login parameter to specify seconds to pause before allowing another login attempt after failure.
- The default delay is 1 second.
- Increasing this delay makes brute-force attacks slower and less effective.

10. How to display a welcome or warning message before clients connect?
To show a banner message when clients connect, use the ftpd_banner parameter pointing to a file with the desired message, for example, ftpd_banner=/etc/vsftpd/banner.txt, which can include warnings, legal notices, or instructions; this message appears before user authentication and connection.

11. How do you enable or disable Passive Mode in VsFTP?
Passive mode is used when clients are behind firewalls or NAT:
- Enable passive mode with pasv_enable=YES.
- If disabled (NO), only active mode is allowed.
- Passive mode lets clients initiate both control and data connections, easing firewall traversal.
- Passive mode requires configuring allowed port ranges for data connections.

12. How to configure a specific port range for Passive Mode?
To support firewalls, define the passive mode port range using pasv_min_port and pasv_max_port in vsftpd.conf.
Use the following parameters in the vsftpd.conf file:
pasv_max_port=50000

13. How to disable anonymous FTP access completely?
For better security, you may want to block anonymous users by setting the following parameter in vsftpd.conf:
anonymous_enable=NO

14. How to use virtual users instead of system users in VsFTP?
Virtual users let you create FTP-only accounts without giving system user privileges:
- VsFTP supports authentication through PAM (Pluggable Authentication Modules).
- You can configure PAM to authenticate virtual users stored in a separate database (like a file or SQL).
This improves security by isolating FTP users from Linux system users, giving virtual users their own directories and access restrictions.

15. How to limit upload and download speeds for FTP users?
Limiting bandwidth usage per user is a great way to manage server load and prevent any single client from consuming too much network capacity.
- local_max_rate – limits both upload and download speeds for local (system) users.
- anon_max_rate – limits upload and download speeds for anonymous users.
For example:
local_max_rate=51200

Conclusion
If you’re looking to go beyond the basics, don’t forget to check out our follow-up article:
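
The vsftpd.conf settings covered in these questions can also be checked mechanically. The following Python script is an added example, not part of the original article or of vsftpd: it parses vsftpd.conf text and flags the weak values discussed here. The finding names, thresholds and sample configs are assumptions of this example; the defaults come from the vsftpd.conf man page.

```python
# Added example: audit vsftpd.conf text for the hardening options discussed above.
# Thresholds are this example's assumptions; defaults follow the vsftpd.conf man page.
DEFAULTS = {
    "anonymous_enable": "YES", "anon_upload_enable": "NO", "chroot_local_user": "NO",
    "max_login_fails": "3", "delay_failed_login": "1", "max_clients": "0",
    "pasv_enable": "YES", "pasv_min_port": "0", "pasv_max_port": "0",
    "log_ftp_protocol": "NO", "xferlog_std_format": "NO", "dual_log_enable": "NO",
}

def parse_conf(text):
    """Return effective options: defaults overridden by option=value lines."""
    opts = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)  # vsftpd allows no spaces around '='
            opts[key] = value
    return opts

def audit(text):
    """Return a sorted list of finding names for weak settings."""
    o = parse_conf(text)
    on = lambda k: o[k].upper() == "YES"
    n = lambda k: int(o[k])
    findings = set()
    if on("anonymous_enable"):
        findings.add("anonymous-login")
        if on("anon_upload_enable"):
            findings.add("anonymous-upload")
    if not on("chroot_local_user"):
        findings.add("no-chroot")
    if n("max_login_fails") > 3 or n("delay_failed_login") < 1:
        findings.add("weak-login-throttle")
    if n("max_clients") == 0:  # 0 means unlimited
        findings.add("unlimited-clients")
    if on("pasv_enable") and not (1024 <= n("pasv_min_port") <= n("pasv_max_port")):
        findings.add("open-passive-range")
    # Man page: protocol logging only happens when xferlog_std_format is not
    # enabled; dual_log_enable writes both log styles in parallel.
    if not on("log_ftp_protocol") or (on("xferlog_std_format") and not on("dual_log_enable")):
        findings.add("no-protocol-log")
    return sorted(findings)

# Constructed sample configs (not taken from a real server).
WEAK = "anonymous_enable=YES\nanon_upload_enable=YES\nmax_login_fails=10\n"
HARDENED = ("anonymous_enable=NO\nchroot_local_user=YES\nmax_clients=50\n"
            "pasv_min_port=40000\npasv_max_port=50000\nlog_ftp_protocol=YES\n")

if __name__ == "__main__":
    print("weak:", audit(WEAK), "hardened:", audit(HARDENED))
```

An empty list means none of the checks fired; a firewall rule for the passive range still has to match pasv_min_port and pasv_max_port separately.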