Chroot Jail for FTP Users
One concern when users FTP into your server is that, by default, users who have accounts can roam the server and view the contents of files. VSFTPD does not allow local user logins by default; it allows anonymous logins only. Anonymous users are locked into the directory they log in to, which is exactly what you want. However, if you set up user FTP accounts you will probably want to limit those users so they can only access their own files and not other users' files. To achieve this you must place them in a chroot jail.
Jail All Users
To jail all users, keeping each one inside their own home directory, use this setting in /etc/vsftpd.conf:
chroot_local_user=YES
Add these settings to allow anonymous logins using regular FTP and to require local users to log in over SSL:
anonymous_enable=YES
local_enable=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
This creates a very useful and secure setup.
Allow Some Users to Roam the Server
You also have the option to allow a few special users to log in and move around the server. These users will not be jailed.
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Now edit the /etc/vsftpd.chroot_list file and enter the users you want to allow to roam the server, one username per line. Note that with chroot_local_user=YES this list names the exceptions: everyone in it is left unjailed, everyone else is confined to their home directory.
As before, add these settings to allow anonymous logins using regular FTP and to require local users to log in over SSL:
anonymous_enable=YES
local_enable=YES
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
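The following script is an added example, not part of the original post, that audits a vsftpd.conf for the settings from both sections above: it reports whether local users are jailed, which users the chroot list exempts (using the meaning the list has when chroot_local_user=YES), whether SSL is forced for local logins and data, and it flags the snakeoil certificate, whose private key is publicly available. The sample configuration and chroot list it writes to a temporary directory are constructed for the demonstration and are not taken from any real server.

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the chroot jail and SSL settings.
# Runs offline on a constructed sample config written by write_sample_files.

# conf_value FILE KEY -> prints KEY's value (last occurrence wins, comments ignored)
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# write_sample_files DIR: constructed sample vsftpd.conf and chroot list (not a real server's)
write_sample_files() {
    cat > "$1/vsftpd.conf" <<EOF
# constructed sample mirroring the settings from the post
anonymous_enable=YES
local_enable=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=$1/vsftpd.chroot_list
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
EOF
    # hypothetical usernames for the roaming (unjailed) list
    printf 'admin\nbackup\n' > "$1/vsftpd.chroot_list"
}

# check_vsftpd_conf CONF: prints one finding per line; returns 0 when local
# users are jailed and SSL is forced for logins and data, 1 otherwise.
check_vsftpd_conf() {
    conf=$1
    rc=0
    chroot_all=$(conf_value "$conf" chroot_local_user)
    list_on=$(conf_value "$conf" chroot_list_enable)
    list_file=$(conf_value "$conf" chroot_list_file)
    [ -z "$list_file" ] && list_file=/etc/vsftpd.chroot_list   # vsftpd's default path

    if [ "$chroot_all" = "YES" ]; then
        echo "OK: chroot_local_user=YES, local users are jailed in their home directories"
        if [ "$list_on" = "YES" ]; then
            # With chroot_local_user=YES the list holds the EXCEPTIONS (users allowed to roam)
            if [ -r "$list_file" ]; then
                echo "INFO: users exempt from the jail ($list_file): $(grep -v '^[[:space:]]*$' "$list_file" | tr '\n' ' ')"
            else
                echo "WARN: chroot_list_enable=YES but $list_file is missing or unreadable"
            fi
        fi
    else
        echo "FAIL: chroot_local_user is not YES; local users can roam the whole filesystem"
        rc=1
    fi

    for key in ssl_enable force_local_logins_ssl force_local_data_ssl; do
        if [ "$(conf_value "$conf" "$key")" != "YES" ]; then
            echo "FAIL: $key is not YES; local logins or data may cross the network unencrypted"
            rc=1
        fi
    done

    # The snakeoil certificate ships with a publicly known private key; it is for testing only
    case "$(conf_value "$conf" rsa_cert_file)" in
        *snakeoil*) echo "WARN: rsa_cert_file points at the snakeoil test certificate; use a real one" ;;
    esac
    return $rc
}

# Demo run against the constructed sample
demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
check_vsftpd_conf "$demo_dir/vsftpd.conf"
rm -rf "$demo_dir"
```

Point check_vsftpd_conf at the real /etc/vsftpd.conf to audit a server. One caveat worth knowing when you apply the jail: vsftpd 3.x refuses to log a user in when the root of their chroot (normally the home directory) is writable, unless allow_writeable_chroot=YES is set, so either keep the home directory itself read-only and give the user a writable subdirectory, or set that option knowingly.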
Comments
Well, ok, but just in case someone had missed it:
do NOT use ssl-cert-snakeoil
This certificate is for testing purposes and its private key is publicly available…
Why do people still use FTP? Having a password in the clear isn’t very smart, even with internal networking.
sFTP, scp, and all sorts of other encrypted file transfer methods exist.
We all need to stop enabling FTP anywhere unless it is pull and doesn’t use a password – basically use FTP like an anonymous web site.
You are right about the FTP security. However, many people use it regardless. If you use SSL to protect FTP it can be a useful tool.
Heh, okay, my main concern is setting up users though. Like if I wanted to create a user Anne, and then only allow this user to access /home/Annefolder, I am not sure how I would go about doing this.