FTP anonymous access is a surprisingly powerful tool for distributing files, but it’s also a notorious security black hole.

Let’s watch an anonymous FTP server in action. Imagine a public directory /srv/ftp/pub containing a few files: release-notes.txt and latest.tar.gz. A user on the internet, running an FTP client like lftp, can connect to your server, navigate to /pub, and download these files without ever providing credentials.

# On the client machine
lftp ftp.yourdomain.com
cd pub
ls
get latest.tar.gz
quit

The magic happens in vsftpd, a popular FTP server. When a client connects and logs in without credentials, using the conventional anonymous (or ftp) username (lftp does this by default when you give it no username), vsftpd treats it as an anonymous login. It then maps this "anonymous" user to a specific system user (often ftp or nobody) and restricts its actions based on that user’s permissions and vsftpd’s configuration. The goal of secure anonymous access is to let users download files while preventing them from uploading, deleting, or accessing sensitive system directories.

The core of vsftpd’s configuration for anonymous access lies in /etc/vsftpd.conf.

# /etc/vsftpd.conf
anonymous_enable=YES
anon_root=/srv/ftp/pub
no_anon_password=YES
anon_world_readable_only=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
hide_ids=YES

Here’s how each directive shapes the experience:

  • anonymous_enable=YES: This is the obvious one. It tells vsftpd to allow anonymous connections.
  • anon_root=/srv/ftp/pub: This is crucial. It defines the only directory anonymous users can access. Everything else on the server is invisible. This directory must be created and owned by the user vsftpd runs as (e.g., ftp or nobody).
  • no_anon_password=YES: For true anonymous access, you don’t want users prompted for a password. This bypasses that. If set to NO, they’d be prompted for an email address (which vsftpd historically used as a "password").
  • anon_world_readable_only=YES: This is a vital security measure. It ensures that anonymous users can only download files that are world-readable (i.e., readable by the "other" permission category in Linux file permissions). This prevents them from accessing files that are intended only for the FTP user or other system users.
  • anon_upload_enable=NO: Absolutely essential. This prevents anonymous users from uploading any files, which would be a massive security risk.
  • anon_mkdir_write_enable=NO: Equally important. This prevents anonymous users from creating directories, which could be used to organize malicious uploads if anon_upload_enable were also on.
  • hide_ids=YES: In directory listings, the owner and group of every file are shown as ftp (or whatever user vsftpd is configured to run as) rather than the real system UID/GID, so listings reveal nothing about which local accounts own the files. This adds a layer of obscurity.

To set this up on a fresh system, you’d typically:

  1. Install vsftpd:

    sudo apt update && sudo apt install vsftpd
    # or
    sudo yum install vsftpd
    
  2. Create the anonymous root directory and populate it:

    sudo mkdir -p /srv/ftp/pub
    sudo chown ftp:ftp /srv/ftp/pub  # Or nobody:nogroup depending on your system
    sudo chmod 755 /srv/ftp/pub
    sudo touch /srv/ftp/pub/release-notes.txt
    sudo touch /srv/ftp/pub/latest.tar.gz
    sudo chmod 644 /srv/ftp/pub/*  # Ensure files are world-readable
    
  3. Configure vsftpd: Edit /etc/vsftpd.conf with the directives above.

  4. Restart vsftpd:

    sudo systemctl restart vsftpd
    sudo systemctl enable vsftpd
    
  5. Configure Firewall: Allow FTP traffic (port 21, and passive mode ports if configured).

The most surprising aspect of vsftpd’s anonymous access is how deeply it can be locked down, even down to requiring files to be world-readable. If you don’t set anon_world_readable_only=YES, an anonymous user could potentially download files from the anon_root directory that are only readable by the ftp user itself, which might be unintended data leakage, albeit limited. This directive is a strong guarantee that only files explicitly made public can be retrieved.

One often overlooked detail is the local_umask setting in vsftpd.conf. While it primarily affects local users, it can indirectly influence what permissions anonymous users see if they were ever granted write access (which you shouldn’t do for anonymous). The umask determines the default permissions of newly created files and directories. If local_umask were set to 022, new files would be 644 and new directories 755. If it were 077, new files would be 600 and directories 700, making them inaccessible to anonymous users even if other settings were lax. For secure anonymous access, you want to ensure that any files you place in anon_root are explicitly set to be world-readable (e.g., 644 for files, 755 for directories) regardless of local_umask.
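The following audit script is an added example and is not part of the original tutorial or of vsftpd itself. It reads a vsftpd.conf the way vsftpd does (the last uncommented assignment wins, and a directive that is absent takes its built-in default) and checks the anonymous-access directives listed above; it goes slightly beyond the text by also checking anon_other_write_enable, the directive that governs anonymous delete and rename. It then walks an anon_root tree and reports anything world-writable (an upload target if any write directive is ever flipped on) or not world-readable (silently hidden by anon_world_readable_only=YES, which is usually a mistake rather than an intent). The function names are mine, and the sample configuration files and directory tree it builds under mktemp are constructed for the demonstration; nothing touches /etc or /srv.

```shell
#!/bin/sh
# Added example: audit vsftpd anonymous-access settings and the anon_root tree.

# Effective value of a directive: last uncommented "key=value" line wins,
# falling back to the supplied built-in default when the key is absent.
vsftpd_get() {
    # $1 = config file, $2 = directive, $3 = default
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]')
    if [ -z "$val" ]; then echo "$3"; else echo "$val"; fi
}

# One OK/FAIL line per directive (key:expected:builtin-default);
# returns 1 if any directive misses its expected value.
vsftpd_audit_conf() {
    conf=$1
    rc=0
    for spec in \
        anonymous_enable:YES:YES \
        anon_upload_enable:NO:NO \
        anon_mkdir_write_enable:NO:NO \
        anon_other_write_enable:NO:NO \
        anon_world_readable_only:YES:YES \
        hide_ids:YES:NO ; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        # vsftpd accepts YES/yes/true etc.; normalise for comparison
        have=$(vsftpd_get "$conf" "$key" "$def" | tr '[:lower:]' '[:upper:]')
        if [ "$have" = "$want" ]; then
            printf 'OK   %s=%s\n' "$key" "$have"
        else
            printf 'FAIL %s=%s (expected %s)\n' "$key" "$have" "$want"
            rc=1
        fi
    done
    return $rc
}

# Walk an anon_root tree: world-writable entries are a FAIL, entries that are
# not world-readable are a WARN (anonymous users cannot fetch them anyway).
vsftpd_audit_root() {
    root=$1
    ww=$(find "$root" -perm -002)      # "other" write bit set
    nr=$(find "$root" ! -perm -004)    # "other" read bit missing
    [ -n "$ww" ] && printf 'FAIL world-writable:\n%s\n' "$ww"
    [ -n "$nr" ] && printf 'WARN not world-readable (hidden with anon_world_readable_only=YES):\n%s\n' "$nr"
    if [ -z "$ww" ] && [ -z "$nr" ]; then return 0; fi
    return 1
}

# Constructed sample: the hardened configuration from the text.
demo_conf_hardened() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
anonymous_enable=YES
anon_root=/srv/ftp/pub
no_anon_password=YES
anon_world_readable_only=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
hide_ids=YES
EOF
    echo "$f"
}

# Constructed sample: anonymous upload on, readability check off, hide_ids commented out.
demo_conf_weak() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
anonymous_enable=YES
anon_root=/srv/ftp/pub
write_enable=YES
anon_upload_enable=YES
anon_world_readable_only=NO
#hide_ids=YES
EOF
    echo "$f"
}

# Constructed sample tree: two public files plus two mistakes to be flagged.
demo_root() {
    d=$(mktemp -d)
    mkdir "$d/pub"; chmod 755 "$d/pub"
    : >"$d/pub/release-notes.txt"; chmod 644 "$d/pub/release-notes.txt"
    : >"$d/pub/latest.tar.gz";     chmod 644 "$d/pub/latest.tar.gz"
    : >"$d/pub/staff-only.txt";    chmod 640 "$d/pub/staff-only.txt"   # not world-readable
    mkdir "$d/pub/incoming";       chmod 777 "$d/pub/incoming"         # world-writable
    echo "$d/pub"
}

# Demo run on the constructed inputs.
hardened=$(demo_conf_hardened); weak=$(demo_conf_weak); root=$(demo_root)
echo "== hardened conf";  vsftpd_audit_conf "$hardened" || true
echo "== weak conf";      vsftpd_audit_conf "$weak" || true
echo "== anon_root tree"; vsftpd_audit_root "$root" || true
rm -rf "$hardened" "$weak" "${root%/pub}"
```

To audit a live host, call `vsftpd_audit_conf /etc/vsftpd.conf` and `vsftpd_audit_root "$(vsftpd_get /etc/vsftpd.conf anon_root /srv/ftp)"`; the directory check is the scripted form of the chmod 644/755 advice above, and a non-zero exit status makes it easy to wire into a configuration-drift check.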

Once you have anonymous access configured, the next logical step is to secure the login process for your legitimate users, which involves exploring TLS/SSL encryption for FTP.
