{"id":1148,"date":"2014-09-03T16:27:11","date_gmt":"2014-09-03T23:27:11","guid":{"rendered":"http:\/\/jim-zimmerman.com\/?p=1148"},"modified":"2019-03-20T10:12:45","modified_gmt":"2019-03-20T17:12:45","slug":"chroot-vsftpd-if-you-must","status":"publish","type":"post","link":"https:\/\/jim-zimmerman.com\/?p=1148","title":{"rendered":"Chroot vsftpd &#8211; if you must."},"content":{"rendered":"<p>Tested on Ubuntu 12.04 LTS.<\/p>\n<p>Use this only for an account that exists solely for FTP: the home directory loses its write permission, because vsftpd 2.3.5 and later refuse a login whose chroot root is writable, so an interactive user would no longer be able to write to their own home. Plain FTP also sends the password in the clear; the jail limits what a compromised account can reach, it does not protect the credentials.<\/p>\n<p>Install vsftpd:<\/p>\n<blockquote><p>$ sudo apt-get install vsftpd<\/p><\/blockquote>\n<p>Back up and edit \/etc\/vsftpd.conf:<\/p>\n<blockquote><p>$ sudo cp -p \/etc\/vsftpd.conf \/etc\/vsftpd.conf.orig<br \/>\n$ sudo vi \/etc\/vsftpd.conf<\/p>\n<p>&#8230;<br \/>\n# JGZ 9\/3\/2014 &#8211; disable anonymous<br \/>\n#anonymous_enable=YES<br \/>\nanonymous_enable=NO<br \/>\n&#8230;<br \/>\n# JGZ 9\/3\/2014 &#8211; use local accounts<br \/>\nlocal_enable=YES<br \/>\n#<br \/>\n&#8230;<br \/>\n# JGZ 9\/3\/2014 &#8211; allow writing<br \/>\nwrite_enable=YES<br \/>\n#<br \/>\n&#8230;<br \/>\n# JGZ 9\/3\/2014 &#8211; jail local user accounts in their home directory<br \/>\nchroot_local_user=YES<br \/>\n#<br \/>\n&#8230;<br \/>\n# JGZ 9\/3\/2014 &#8211; do not consult the exception list: every local user is jailed<br \/>\nchroot_list_enable=NO<br \/>\n&#8230;<br \/>\n# JGZ 9\/3\/2014 &#8211; only read when chroot_list_enable=YES; with chroot_local_user=YES it names the users who are NOT jailed<br \/>\nchroot_list_file=\/etc\/vsftpd.chroot_list<br \/>\n&#8230;<\/p><\/blockquote>\n<p>The chroot list is an exception list, not an allow list. With chroot_local_user=YES every local user is jailed, and \/etc\/vsftpd.chroot_list is only read when chroot_list_enable=YES, in which case the users named in it are the ones that are not jailed and can browse the whole filesystem over FTP. Leave chroot_list_enable=NO, or omit both list options, to jail everyone. Create the file only if a specific account genuinely needs the exemption:<\/p>\n<blockquote><p>$ sudo vi \/etc\/vsftpd.chroot_list<br \/>\n&#8230;<br \/>\nlocalusername<br \/>\n&#8230;<\/p><\/blockquote>\n<p>Remove write access from the localusername home directory, which is the root of the jail. vsftpd 2.3.5 and later treat a writable jail root as a configuration error and refuse the login, reporting 500 OOPS: vsftpd: refusing to run with writable root inside chroot(). Remove the write bits:<\/p>\n<blockquote><p>$ sudo chmod a-w \/home\/localusername<\/p><\/blockquote>\n<p>Note: after the command above the user can no longer write directly into the home directory, so create a subdirectory owned by the user (for example \/home\/localusername\/upload) to receive uploads. vsftpd 3.0.0 and later also accept allow_writeable_chroot=YES to skip the check, but that reintroduces the condition the check exists to prevent; the read-only root with a writable subdirectory is the safer layout. Restart the vsftpd service after editing the configuration so the changes take effect.<\/p>\n<p>Setting xferlog_std_format=NO switches from the wu-ftpd style transfer log in \/var\/log\/xferlog to vsftpd&#8217;s own format in \/var\/log\/vsftpd.log (the vsftpd_log_file default), and log_ftp_protocol=YES, which only takes effect when xferlog_std_format is NO, then records every FTP command and response, which is the detail needed to reconstruct what an account actually did. To enable verbose logging add the following:<\/p>\n<blockquote><p>&#8230;<br \/>\n# JGZ 3\/2\/2015 &#8211; vsftpd log format (required for log_ftp_protocol)<br \/>\n#xferlog_std_format=YES<br \/>\nxferlog_std_format=NO<br \/>\n&#8230;<br \/>\n# JGZ 3\/2\/2015 &#8211; enable verbose logging<br \/>\nlog_ftp_protocol=YES<br \/>\n&#8230;<\/p><\/blockquote>\n<p>The following stops the FTP user from deleting files (DELE) or removing directories (RMD). With write_enable=YES the user can still overwrite an existing file with STOR and rename or move one with RNFR\/RNTO, so extend the list if those must be blocked too. To restrict the FTP user command set:<\/p>\n<blockquote><p>&#8230;<br \/>\n# JGZ 3\/2\/2015 &#8211; deny delete and rm<br \/>\ncmds_denied=DELE,RMD<br \/>\n&#8230;<\/p><\/blockquote>\n<p>To restrict FTP access to a set of IP addresses (CentOS 7), use TCP wrappers. This needs a vsftpd built with libwrap support (check with ldd on the vsftpd binary), and note that TCP wrappers were dropped in RHEL\/CentOS 8, where the firewall has to do this job:<\/p>\n<blockquote><p>\n# vi \/etc\/vsftpd\/vsftpd.conf<br \/>\n&#8230;<br \/>\ntcp_wrappers=YES<br \/>\n&#8230;<\/p><\/blockquote>\n<p>Restart vsftpd:<\/p>\n<blockquote><p>\n# systemctl restart vsftpd<\/p><\/blockquote>\n<p>Deny all access:<\/p>\n<blockquote><p>\n# vi \/etc\/hosts.deny<br \/>\n&#8230;<br \/>\nvsftpd: ALL<br \/>\n&#8230;<\/p><\/blockquote>\n<p>Create exceptions. \/etc\/hosts.allow is consulted before \/etc\/hosts.deny, so clients listed here are admitted and everything else falls through to the deny rule:<\/p>\n<blockquote><p>\n# vi \/etc\/hosts.allow<br \/>\n&#8230;<br \/>\nvsftpd:aaa.bbb.ccc.ddd www.xxx.yyy.zzz<br \/>\n&#8230;<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Tested on Ubuntu 12.04 LTS. This should be used only for an account for ftp only, because filesystem write access will be removed. 
Install vsftp: $ sudo apt-get install vsftpd Edit \/etc\/vsftpd.conf: $ sudo cp -p \/etc\/vsftpd.conf \/etc\/vsftpd.conf.orig $ sudo vi \/etc\/vsftpd.conf &#8230; # JGZ 9\/3\/2014 &#8211; disable anonymous #anonymous_enable=YES anonymous_enable=NO &#8230; # JGZ 9\/3\/2014 [&#038;hellip<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[383,132,185],"class_list":["post-1148","post","type-post","status-publish","format-standard","hentry","category-documentation","tag-chroot","tag-ubuntu","tag-vsftpd"],"share_on_mastodon":{"url":"","error":""},"_links":{"self":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/1148","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1148"}],"version-history":[{"count":6,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/1148\/revisions"}],"predecessor-version":[{"id":1725,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/1148\/revisions\/1725"}],"wp:attachment":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1148"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1148"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1148"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
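The chroot procedure from the post (the vsftpd.conf edits, the FTP-only account, the read-only jail root with a writable subdirectory, the restart), as an added shell example that is not part of the original post. It assumes a Debian/Ubuntu layout (/etc/vsftpd.conf, /usr/sbin/nologin, /etc/pam.d/vsftpd with pam_shells), GNU sed and stat, and the subdirectory name upload is an arbitrary choice. Every function takes the file or directory it works on as a parameter, so the config editing and the jail check can be tried on temporary copies before touching the real system.

```shell
#!/bin/sh
# Added example, not from the original post: apply the post's vsftpd settings
# idempotently and verify the jail layout before restarting the daemon.
# Assumptions: Debian/Ubuntu paths, GNU sed (-i) and GNU stat (-c). Every
# function takes the file or directory it works on as a parameter, so the
# config and jail checks can be exercised on temporary copies without root.

# vsftpd_set KEY VALUE FILE: set KEY=VALUE, replacing any active KEY= line
# (commented-out lines are left as history, like the post's edits) or
# appending the setting when the key is absent. Running it twice is a no-op.
vsftpd_set() {
    key=$1; value=$2; file=$3
    if grep -q "^${key}=" "$file"; then
        sed -i "s|^${key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# vsftpd_get KEY FILE: the effective value (vsftpd takes the last active line).
vsftpd_get() {
    grep "^$1=" "$2" | tail -n 1 | cut -d= -f2-
}

# apply_post_settings FILE: the settings from the post, in one place.
apply_post_settings() {
    f=$1
    vsftpd_set anonymous_enable   NO       "$f"   # no anonymous logins
    vsftpd_set local_enable       YES      "$f"   # system accounts may log in
    vsftpd_set write_enable       YES      "$f"   # uploads allowed
    vsftpd_set chroot_local_user  YES      "$f"   # jail every local user
    vsftpd_set chroot_list_enable NO       "$f"   # no exemptions from the jail
    vsftpd_set xferlog_std_format NO       "$f"   # vsftpd log format ...
    vsftpd_set log_ftp_protocol   YES      "$f"   # ... with every command/response
    vsftpd_set cmds_denied        DELE,RMD "$f"   # no deletes
}

# check_jail_root ROOT UPLOAD: succeed only if ROOT carries no write bit at all
# (the post's chmod a-w, stricter than the daemon's own test) and UPLOAD is an
# owner-writable directory for the user's files. Prints the reason otherwise.
check_jail_root() {
    root=$1; upload=$2
    [ -d "$root" ] && [ -d "$upload" ] || { echo "missing directory" >&2; return 1; }
    mode=$(stat -c %a "$root"); mode=${mode#"${mode%???}"}      # last 3 octal digits
    case $mode in
        *[2367]*) echo "jail root $root is writable (mode $mode): vsftpd will refuse the login" >&2; return 1 ;;
    esac
    up=$(stat -c %a "$upload"); up=${up#"${up%???}"}
    case ${up%??} in                                              # owner digit
        2|3|6|7) return 0 ;;
    esac
    echo "upload dir $upload is not owner-writable (mode $up)" >&2
    return 1
}

# setup_ftp_account USER: FTP-only account with a read-only jail root and a
# writable upload/ subdirectory. Needs root; not exercised by the offline checks.
setup_ftp_account() {
    user=$1
    # No shell. Ubuntu's /etc/pam.d/vsftpd runs pam_shells, so the shell must
    # be listed in /etc/shells or the FTP login itself fails with 530.
    grep -qx /usr/sbin/nologin /etc/shells || echo /usr/sbin/nologin >> /etc/shells
    id "$user" >/dev/null 2>&1 || useradd -m -s /usr/sbin/nologin "$user"
    mkdir -p "/home/$user/upload"
    chown "$user:$user" "/home/$user/upload"
    chmod 755 "/home/$user/upload"
    chmod a-w "/home/$user"
    check_jail_root "/home/$user" "/home/$user/upload"
}

# Full procedure on a real Ubuntu 12.04 host (as root):
#   cp -p /etc/vsftpd.conf /etc/vsftpd.conf.orig
#   apply_post_settings /etc/vsftpd.conf
#   setup_ftp_account localusername
#   service vsftpd restart
```

check_jail_root deliberately rejects any write bit on the jail root rather than reproducing the daemon's exact ownership logic: a root that is 755 and owned by the FTP user is the classic cause of the 500 OOPS refusal, and clearing all write bits as the post does is the layout that holds regardless of who owns the directory.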
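The verbose log the post enables is only useful if someone reads it. As an added example, not code from the original post, the following pulls the events worth acting on out of a log written with xferlog_std_format=NO and log_ftp_protocol=YES: commands the server refused (cmds_denied hits and attempts to step outside the jail) and repeated failed logins per client. The log lines are constructed to mirror vsftpd's line format and are not from a real server; the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example, not from the original post: extract the security-relevant
# events from a vsftpd log produced with xferlog_std_format=NO and
# log_ftp_protocol=YES. Assumptions: POSIX sh, awk, sed; the sample log is
# constructed to mirror vsftpd's format and was not taken from a real host.

# sample_log: constructed vsftpd.log excerpt. One jailed user uploads, then
# tries a denied DELE and a CWD above the jail; another client fails to log in.
sample_log() {
cat <<'EOF'
Mon Mar  2 10:15:01 2015 [pid 2] CONNECT: Client "203.0.113.7"
Mon Mar  2 10:15:01 2015 [pid 1] [localusername] OK LOGIN: Client "203.0.113.7"
Mon Mar  2 10:15:03 2015 [pid 3] [localusername] FTP command: Client "203.0.113.7", "CWD upload"
Mon Mar  2 10:15:03 2015 [pid 3] [localusername] FTP response: Client "203.0.113.7", "250 Directory successfully changed."
Mon Mar  2 10:15:04 2015 [pid 3] [localusername] FTP command: Client "203.0.113.7", "STOR notes.txt"
Mon Mar  2 10:15:04 2015 [pid 3] [localusername] FTP response: Client "203.0.113.7", "150 Ok to send data."
Mon Mar  2 10:15:05 2015 [pid 3] [localusername] FTP command: Client "203.0.113.7", "DELE report.pdf"
Mon Mar  2 10:15:05 2015 [pid 3] [localusername] FTP response: Client "203.0.113.7", "550 Permission denied."
Mon Mar  2 10:15:07 2015 [pid 3] [localusername] FTP command: Client "203.0.113.7", "CWD /etc"
Mon Mar  2 10:15:07 2015 [pid 3] [localusername] FTP response: Client "203.0.113.7", "550 Failed to change directory."
Mon Mar  2 10:16:00 2015 [pid 1] [localusername] FAIL LOGIN: Client "198.51.100.9"
Mon Mar  2 10:16:04 2015 [pid 1] [localusername] FAIL LOGIN: Client "198.51.100.9"
Mon Mar  2 10:17:30 2015 [pid 1] [localusername] FAIL LOGIN: Client "203.0.113.7"
EOF
}

# denied_commands LOGFILE: pair each "FTP command" with the next "FTP response"
# from the same session pid and print the ones the server refused (4xx/5xx).
# Output: user client command -> response
denied_commands() {
    awk '
      /FTP command:/ {
          pid = $0; sub(/.*\[pid /, "", pid); sub(/\].*/, "", pid)
          cmd = $0; sub(/.*", "/, "", cmd); sub(/"$/, "", cmd)
          last[pid] = cmd
          next
      }
      /FTP response:/ {
          pid = $0; sub(/.*\[pid /, "", pid); sub(/\].*/, "", pid)
          resp = $0; sub(/.*", "/, "", resp); sub(/"$/, "", resp)
          if ((pid in last) && resp ~ /^[45][0-9][0-9]/) {
              user = $0; sub(/.*\] \[/, "", user); sub(/\].*/, "", user)
              client = $0; sub(/.*Client "/, "", client); sub(/".*/, "", client)
              print user, client, last[pid], "->", resp
          }
          delete last[pid]
      }' "$1"
}

# failed_logins LOGFILE: failed login count per client, busiest first.
failed_logins() {
    grep 'FAIL LOGIN:' "$1" | sed 's/.*Client "\([^"]*\)".*/\1/' | sort | uniq -c | sort -rn
}

# Usage against a real log:
#   denied_commands /var/log/vsftpd.log
#   failed_logins   /var/log/vsftpd.log
```

Two refusals show up in the sample: the DELE that cmds_denied blocked, and a CWD /etc that failed because /etc does not exist inside the jail, which is the signal that the chroot held against a user probing its edge. The failed-login counts are the input for whatever lockout or firewall reaction you run on top of the hosts.allow restriction.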