FTP servers often become bottlenecks, and controlling bandwidth per user or connection is key to keeping them responsive for everyone.
Let’s see how vsftpd handles this. Imagine you’re running a busy FTP server, and one user is hogging all the bandwidth with a massive download. This can cripple performance for other users. vsftpd allows you to fine-tune this with a few configuration options.
Here’s a sample vsftpd.conf that implements per-user and per-connection bandwidth limits:
# Global settings
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.pem
# Per-connection bandwidth limit (e.g., 100 KB/s)
anon_max_rate=100000
local_max_rate=100000
# Per-user bandwidth limits (define in user_config_dir)
user_config_dir=/etc/vsftpd/user_conf
In this setup:
anon_max_rate=100000: This sets the maximum download rate for anonymous users to 100,000 bytes per second (100 KB/s).
local_max_rate=100000: This sets the maximum download rate for all local (authenticated) users to 100,000 bytes per second.
Now, for per-user specific limits, we use user_config_dir. Create this directory if it doesn’t exist:
sudo mkdir -p /etc/vsftpd/user_conf
Inside /etc/vsftpd/user_conf, you’ll create files named after the users you want to apply specific limits to. For example, to limit the user alice to 50 KB/s and the user bob to 200 KB/s:
/etc/vsftpd/user_conf/alice:
local_max_rate=50000
/etc/vsftpd/user_conf/bob:
local_max_rate=200000
When vsftpd starts, it reads these files. If a user is found in the user_config_dir and has a local_max_rate defined, that specific limit overrides the global local_max_rate.
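As an added example (not vsftpd's own code, nor from this article), the following POSIX shell script answers the question "which limit will actually apply to this user?" by reading the global local_max_rate, then the per-user file under user_config_dir, and treating 0 or an absent value as unlimited. It assumes vsftpd's parsing rules that a later key=value line overrides an earlier one and that lines starting with # are comments, and it builds its own constructed copy of the setup above in a temporary directory.

```shell
#!/bin/sh
# Added example, not vsftpd code: resolve the effective local_max_rate for one user.
# Assumes vsftpd semantics: a later "key=value" line overrides an earlier one,
# "#" starts a comment, and a rate of 0 (or no rate at all) means unlimited.

# conf_get <file> <key>: print the value of <key>, last occurrence wins, empty if absent.
conf_get() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | grep "^$2=" | tail -n 1 | cut -d= -f2-
}

# effective_rate <vsftpd.conf> <username>: bytes/s that apply to <username>,
# "unlimited" when no finite limit applies, non-zero status on a malformed value.
effective_rate() {
    conf="$1"; user="$2"
    rate=$(conf_get "$conf" local_max_rate)
    dir=$(conf_get "$conf" user_config_dir)
    # A per-user file in user_config_dir overrides the global setting.
    if [ -n "$dir" ] && [ -f "$dir/$user" ]; then
        override=$(conf_get "$dir/$user" local_max_rate)
        if [ -n "$override" ]; then rate="$override"; fi
    fi
    case "$rate" in
        ''|0)      echo unlimited ;;
        *[!0-9]*)  echo "malformed local_max_rate for $user: $rate" >&2; return 1 ;;
        *)         echo "$rate" ;;
    esac
}

# make_sample: constructed copy of the article's setup in a temp dir; prints its path.
make_sample() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/user_conf"
    cat > "$tmp/vsftpd.conf" <<EOF
# Global settings
listen=YES
local_enable=YES
local_max_rate=100000
user_config_dir=$tmp/user_conf
EOF
    echo 'local_max_rate=50000'  > "$tmp/user_conf/alice"
    echo 'local_max_rate=200000' > "$tmp/user_conf/bob"
    echo 'local_max_rate=0'      > "$tmp/user_conf/dave"   # explicit override: unlimited
    echo "$tmp"
}

# Usage: s=$(make_sample); for u in alice bob carol dave; do echo "$u $(effective_rate "$s/vsftpd.conf" "$u")"; done
```

Running the usage line reports alice at 50000, bob at 200000, carol (no per-user file) at the global 100000, and dave as unlimited; a non-numeric value is reported on stderr with a non-zero exit status.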
The local_max_rate and anon_max_rate settings control the download speed. To limit upload speed, you’d use anon_upload_rate and local_upload_rate respectively. However, these are less commonly used, as upload bandwidth is usually less of a concern for server performance.
The beauty of vsftpd’s rate limiting is its simplicity. It uses a token bucket algorithm internally. When a connection is made, it’s given a certain number of "tokens" representing bandwidth. As data is transferred, tokens are consumed. If a user tries to transfer data faster than they have tokens, their transfer is throttled until more tokens are available. This ensures a smooth distribution of bandwidth without complex QoS rules.
It’s important to note that these limits are applied on a per-connection basis. If a user opens multiple FTP connections simultaneously, each connection is subject to the limit independently, so several parallel connections can together exceed a single-connection limit. For most practical purposes, though, this still provides effective control.
When you restart vsftpd after making these configuration changes, the new limits will be enforced:
sudo systemctl restart vsftpd
You can monitor bandwidth usage using tools like iftop or nload on the server to see the effect of these limits in action. For instance, iftop -i eth0 (replace eth0 with your network interface) will show real-time bandwidth usage per connection.
One subtlety is how these rates are interpreted. The values are in bytes per second. So, 100000 is 100 KB/s, and 1000000 is 1 MB/s. Make sure your calculations are correct when setting these values.
The next step after implementing bandwidth limits is often dealing with disk I/O bottlenecks, which can become apparent once network bandwidth is no longer the primary constraint.