Saturday, October 31, 2009

VSFTPD Chroot Jail for FTP

Chroot Jail for FTP Users
One concern when users FTP into your server is that, by default, users who have accounts can roam your server and view the contents of files.

VSFTPD does not allow local user logins by default; it only allows anonymous logins. Anonymous users are by default locked into the directory they log in to.

This is exactly what you would want. However, if you set up user FTP accounts, you will probably want to limit those users so they can only access their own files and not other users' files. To achieve this you must place them in a chroot jail.



Jail All Users
To jail all users, keeping each of them in their home directory, use this setting in /etc/vsftpd.conf.


chroot_local_user=YES

Add these settings to allow anonymous logins over regular FTP and to allow local users to log in, with SSL forced for both their logins and their data connections.


anonymous_enable=YES
local_enable=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES

This creates a very useful and secure setup.


Allow Some Users to Roam the Server


You also have the option to allow specific users to log in and move around the server. These users will not be jailed.


chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

Now edit the /etc/vsftpd.chroot_list file and enter the users you want to allow to roam the server, one username per line.


Add these settings to allow anonymous logins over regular FTP and to allow local users to log in, with SSL forced for both their logins and their data connections.


anonymous_enable=YES
local_enable=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
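The chroot list changes meaning depending on chroot_local_user: with chroot_local_user=YES the listed users are the ones exempt from the jail, and with chroot_local_user=NO the listed users are the only ones jailed. The following added example (not code from the post) is a small checker that applies that rule to a configuration and list file so you can review who may roam before going live; the config text and list contents are constructed samples mirroring the settings above.

```python
# Added example: decide which local users vsftpd will chroot. chroot_local_user
# sets the default; with chroot_list_enable=YES the list file flips that default.

# Constructed sample: the "Allow Some Users to Roam the Server" configuration
VSFTPD_CONF = """\
anonymous_enable=YES
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""
# Constructed sample content of /etc/vsftpd.chroot_list: one username per line
CHROOT_LIST = "alice\nbob\n"

def parse_conf(text):
    """Parse vsftpd's key=value lines; blank lines and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed vsftpd.conf line: {raw!r}")
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def parse_chroot_list(text):
    """The list file is plain usernames, one per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def is_yes(conf, key):
    """vsftpd boolean options default to NO when the key is absent."""
    return conf.get(key, "NO").upper() in ("YES", "TRUE", "1")

def is_chrooted(user, conf, chroot_list):
    """True if vsftpd would confine this local user to their home directory."""
    default_jailed = is_yes(conf, "chroot_local_user")
    if not is_yes(conf, "chroot_list_enable"):
        return default_jailed                 # the list file is ignored entirely
    return default_jailed != (user in chroot_list)   # listed users get the opposite

def roaming_users(conf, chroot_list, users):
    """Users who can leave their home directory: review this set before going live."""
    return sorted(u for u in users if not is_chrooted(u, conf, chroot_list))
```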
