How to jail / chroot users in FTP / SFTPPublished Tuesday, 11th of June 2013Overview
We can block access to ftp and sftp to use only the home folders of the users. At the same time we block any other access via ssh, but granting sftp access. Configuring permissions, the user can serve web pages from home folder. The installation was performed on Debian 7.0, using ProFTP 1.3.4a and OpenSSH 6.0p1Steps to follow Installation
- The ftp server ProFTP is included in the debian distribution, so install it with apt-get:
apt-get install proftpd During the installation, you must choose between install from inetd or as independent server. Supposed that you are installing a dedicated server or at least a busy server, so choose independent, inetd otherwise.
- For SFTP we will need also to install ssh (client and server):
apt-get install openssh-client
apt-get install openssh-server
- We will create the user that we are trying to configure. In case that you already have the user, you can ignore the next two lines, otherwise create it with default parameters and assign a password to restrict access:
useradd -m -N ochounos
- We need to change the group of the user (new created or old one). We will assign the www-data group which is the group that can execute apache. Doing that, we will allow that the user can serve web pages from a folder under his/her home folder:
usermod -g www-data ochounos
- Now we create the folder where the user will store the web pages:
- The new folder must be configured to be used by the user and by apache at the same time, and also limiting the permissions over parent folders:
chown root:root /home/ochounos We must assign root user as user and group propietary of the /home folder of the user. In case of the public_html folder, the propietary will be the user, but the group will be the group than can manage apache. Finally, assign permissions as read and execute in the folder (-R recursively in case that there is already content in the folder). In that way, we allow to execute scripts as php i.e. and even assigning write permission for the group we allow to php scripts create folders and files. (Note that php scripts could access to another user home directories because all of them are contained in the www-data group. Consider using suexec and creating one group per user and assign it as we assigned www-data to these folders).
chown ochounos:www-data /home/ochounos/public_html
chmod 0755 /home/ochounos -R
- We are ready to configure the server to jail users to their home folders. We need to edit the configuration file:
Open it and uncomment the next line: With this, we have already jail users to navigate only in their home folders. But this is only for ftp access, it's not affecting sftp access, so let's configure sftp access too.
- The access via SFTP is a bit different because SFTP means SSH + FTP so the access is granted via ssh. We need to configure ssh editing the next file: Open it and uncomment one line and add a new one. The final file will be like this:
We force that all the access to sftp will be managed by internal-sftp and not by the default script.
Subsystem sftp internal-sftp
Also, we need to configure how the users from group www-data will access to the ssh server. Add also in the same configuration file the next lines:
Now we have jailed into their /home/%u (%u means the name of the user). With the ForceCommand, we forced to use internal-sftp. It blocks also any access to ssh to the user, for example, using putty. So, SSH access only is blocked for the users, only granting SFTP access.
Match Group www-data
- To apply changes, we need to restart both servers, as we have modified both configurations:
- And now, finally, we are ready to open our server to ftp and sftp access properly configured:
iptables -I INPUT -p tcp -m tcp --dport 20:22 -j ACCEPT Note that we are opening three ports, from 20 to 22, so we are opening port 20 (data ftp), 21 (control ftp) and 22 (ssh). In case that you use passive connections, you need to open some ports over the 1023 port and configure it in your proftpd.conf file. In that case, you don't need to open the 20 port.
http://www.openssh.org/Back to the list of entries