vsftpd - Secure, fast FTP server for UNIX-like systems

News

Other links you may be looking for

• Project Zero, probably the best technical security blog around: Project Zero blog
• Follow me on Twitter for vsftpd / security news: scarybeasts
• My security blog: http://scarybeastsecurity.blogspot.com/
• My security advisories: https://security.appspot.com/security/index.html

Aug 2021 - vsftpd-3.0.4 / vsftpd-3.0.5 released with build, seccomp and SSL modernizations

• vsftpd-3.0.5 fixes the new ALPN selection, so it works again with the latest FileZilla client.
• vsftpd-3.0.4 is released, 6 years after the previous release! This now builds and runs again on a modern system such as Fedora 33 -- a few things had broken over the years. A few SSL modernizations have been applied, such as requiring TLSv1.2+ by default, supporting ALPN, and optionally supporting an SNI check. See the Changelog and vsftpd FAQ (frequently asked questions) for a list of common questions!
• This release is signed with my new RSA4096 scarybeasts@gmail.com GPG key (67A2 AB4F 41F9 972C 21F6 BF66 7B89 011B CAE1 CFEA): public key file
• The release is also signed with my old chris@scary.beasts.org key for a cross check: release signature with old key
• Here's a signature for my new GPG key, signed by my old key: signature for new public key, signed by old key

Jul 2015 - vsftpd-3.0.3 released with SSL fixes and security improvements

• vsftpd-3.0.3 is released - with most of the changes being SSL related. Other than that, there some seccomp policy fixes and minor compatability fixes. Somes notes on the SSL fixes will be put on my blog shortly. See the Changelog and vsftpd FAQ (frequently asked questions) for a list of common questions!

Sep 2012 - vsftpd-3.0.2 released with seccomp sandbox fixes

• vsftpd-3.0.2 is released - the only noteworthy fixes are two seccomp sandbox policy tweaks which stops session crashes when listing large directories. See the Changelog and vsftpd FAQ (frequently asked questions) for a list of common questions!

Apr 2012 - vsftpd-3.0.0 released with a seccomp filter sandbox

• vsftpd-3.0.0 is released - with a new highly restrictive seccomp filter sandbox. It activates automatically on 64-bit bit binaries on Ubuntu 12.04+. In addition, there's a fix for passive mode connections under high loads and a few timeout fixes, particularly if you're using SSL. See the Changelog and vsftpd FAQ (frequently asked questions) for a list of common questions!

Dec 2011 - vsftpd-2.3.5 released

• vsftpd-2.3.5 is released - with a fix for active mode connection error handling and a workaround for a glibc vulnerability that may affect unusual configurations. See the Changelog and vsftpd FAQ (frequently asked questions) for a list of common questions!
• Older:
• After numerous requests, I now have a PayPal button for donations. If you use vsftpd, like it, and think it's worthy of a donation, then click on the Paypal button on the left of the page.
• ftp.freebsd.org switched to vsftpd.
• vsftpd tarballs are now GPG signed by me (8660 FD32 91B1 84CD BC2F 6418 AA62 EC46 3C0E 751C)

Nov 2011 - Is any server other than vsftpd safe?

• ProFTPd suffers serious security hole - Nov 2011
• ProFTPd suffers serious security hole - Sep 2003
• wu-ftpd suffers serious security hole - Jul 2003.
• lukemftpd (as a random example from many), via trust of realpath(), suffers serious security hole - Aug 2003.

ftp.redhat.com is powered by vsftpd for performance reasons - see below

Someone sent me this green lizard.. (ftp.suse.com)

About vsftpd

vsftpd is a GPL licensed FTP server for UNIX systems, including Linux. It is secure and extremely fast. It is stable. Don't take my word for it, though. Below, we will see evidence supporting all three assertions. We will also see a list of a few important sites which are happily using vsftpd. This demonstrates vsftpd is a mature and trusted solution.

Features

Despite being small for purposes of speed and security, many more complicated FTP setups are achievable with vsftpd! By no means an exclusive list, vsftpd will handle:

• Virtual IP configurations
• Virtual users
• Standalone or inetd operation
• Powerful per-user configurability
• Bandwidth throttling
• Per-source-IP configurability
• Per-source-IP limits
• IPv6
• Encryption support through SSL integration
• etc...

Online source / docs

Browse vsftpd's online source tree - including documentation. In particular, note the content of the EXAMPLE subdirectory. Also, here is an HTML version of the manual page which lists all vsftpd config options.

Download / support

The latest vsftpd release is v3.0.5, currently at https://security.appspot.com/downloads/vsftpd-3.0.5.tar.gz
When downloading, always check the GPG signatures, of course! https://security.appspot.com/downloads/vsftpd-3.0.5.tar.gz.asc
Releases are infrequent since bug reports are infrequent at this time. Also, the FTP protocol is sunsetting, which is probably not a terrible thing.

Is vsftpd the right server for me?

If your main requirement from an FTP server is one of the following things then yes, vsftpd is probably the FTP server you are looking for.

• Security
• Performance
• Stability

The only reason you might prefer a different FTP server to vsftpd is if you really need the configurability of one of the more bloated FTP servers. Having said this, note that vsftpd caters for the vast majority of use cases. Even if vsftpd appears to be missing a feature, it is often satisfied by an external component such as PAM or xinetd / tcp_wrappers. In this regard, vsftpd is being a small modular component in the proper spirit of UNIX. Finally, consider moving to vsftpd even if it means sacrificing some whacky feature of your current FTP server. The security, performance and stability gains are waiting for you.

What are people saying about vsftpd?

• The SAC team from SANS recommend vsftpd as the preferred secure FTP server: "For those of you looking for a secure FTP daemon alternative, the SAC team recommends vsftpd".
• IBM recommend vsftpd in their paper "Securing Linux Servers for Service Providers". It is top in a section entitled "Recommended FTP servers".
• RedHat praises the performance and scalability of vsftpd in a press release: "Individual servers handled more than 2,500 concurrent downloads"... "The other change was to use a very lightweight FTP daemon, vsftpd, designed for the demands placed on a server under this level of load".

What large sites are trusting vsftpd?

NOTE!! The following list is accurate as of Jun 2004 (things may change over time of course). This is just a small sample of lots of critical internet sites which use vsftpd.

• ftp.redhat.com
• ftp.suse.com
• ftp.debian.org
• ftp.freebsd.org
• ftp.gnu.org
• ftp.gnome.org
• ftp.kde.org
• ftp.kernel.org
• rpmfind.net
• ftp.linux.org.uk
• ftp.gimp.org
• ftp-stud.fht-esslingen.de
• gd.tuwien.ac.at
• ftp.sunet.se
• ftp.ximian.com
• ftp.engardelinux.org
• ftp.sunsite.org.uk
• ftp.isc.org

Please sell me more on vsftpd security!

Certainly. vsftpd was designed and implemented from the ground up with security in mind.

1. It fixes fundamental design flaws present in most installations of wu-ftpd, proftpd and even bsd-ftpd by not over-using the dangerous root user.
2. It makes use of powerful security facilities such as capabilities and chroot.
3. It employs secure coding techniques to make buffer overflows a solved problem.
4. It is written by someone who is a vulnerability researcher.

For more details on why vsftpd is secure, see the distributed documentation files: Online copies are here:

• Overview
• Design
• Implementation
• Trust

Please sell me more on vsftpd performance!

Of course.

• A usenet poster finds vsftpd twice as fast as BSD-ftpd (which is itself no slouch, unlike wu-ftpd).
• Someone benchmarking vsftpd over localhost shifts 70Mbyte/sec, which in their case was more than the awesome TUX (55Mbyte/sec). (link lost)
• Someone bechmarking Linux's networking over gigabit ethernet is using vsftpd, and vsftpd scores 86Mbyte/sec. (link lost)
• Referring to RedHat's use of vsftpd, Alan Cox in his diary says " finally we have a scalable ftpd for Linux".

Here are a couple of graphs sent in by a satisfied user, running a large internet site with vsftpd.

Over the 24 hours, vsftpd has served 2.6TB (yes, terabytes) with a concurrent user count often over 1,500. This is on a single machine.

Contact

NEW! There's a #vsftpd IRC channel at irc.freenode.net. People there may be able to answer questions.

I'm buried alive in vsftpd mail :-( You could try mailing me: Chris Evans, scarybeasts@gmail.com (try and read the FAQ first)! Please don't be disappointed if your vsftpd mail does not get answered; I can only answer a small percentage.