Creating a Chroot Jail Enabled FTP Service

    Published December 10th, 2008

    Problem Statement

    We really dislike plain-old FTP service for its lack of security. Unfortunately, there are still brain-dead (windows) programs out there that will not work with Secure FTP (SFTP) via SSH. When your users just cannot live without such brain-dead programs and you are tired of chasing down the vendors for a reasonable explanation for not using SFTP, you are forced to enable FTP service. Here we will discuss how you can make this ungodly act of enabling FTP service a bit more secure.

    Time Estimate (10 ~ 15 min)
    We estimate that the entire process of creating a chroot jail using the vsftpd daemon takes anywhere from ten to fifteen minutes.

    Step 1: Discourage users from using the FTP service altogether

    Yes, try to talk the users out of using the FTP service altogether! Show them the following flash video that our User Interface team put together in a jiffy to let (thick) people see the difference between SFTP and plain-old FTP.

    Step 2: (Reluctantly) Use vsFTPD FTP Server

    If you fail in step 1, install vsftpd using yum -y install vsftpd. Once installed you will need to add the following line to your /etc/modprobe.conf file:

    alias ip_conntrack ip_conntrack_ftp ip_nat_ftp

    Now load the ip_conntrack module by running the following command as root:

    modprobe ip_conntrack

    Next, update your /etc/sysconfig/iptables-config and modify the IPTABLES_MODULES line to include “ip_nat_ftp” as shown below (no space before the equals sign, since the file is sourced as shell):

    IPTABLES_MODULES="ip_nat_ftp"

    Restart iptables using service iptables restart.

    Consider one or more of the security options:

    • Use the chroot jail concept so that each user who uses FTP can only see her home directory. You can always point her home directory to the directory where she likes to work.
    • Use IP-based access control with iptables so that FTP is not reachable from anywhere in the world.

    We will discuss both techniques here.

    Step 3: Lock’em Up in Chroot Jail

    The chroot jail concept is simple: the user connects to your FTP server and is locked into her home directory, which becomes the root (/) for the session, so she cannot go outside it. This forbids nosy users from browsing files and directories that have nothing to do with their work.

    To enable the chroot jail for the vsftpd daemon, do the following:

    • Edit the /etc/vsftpd/vsftpd.conf file and add or uncomment the following line:
      chroot_local_user=YES
    • Now restart vsftpd daemon using service vsftpd restart

    Now test your setup by FTPing into the server with a user account and see whether you can browse files and directories outside the home directory. If your setup is correctly configured, you won’t be able to get outside the home directory, which appears as / (root).

    Step 4: Use FTP only accounts

    When creating FTP service on a CentOS server, consider making FTP-only users by setting the user’s shell to /sbin/nologin.

    Step 5: Restrict incoming FTP access only to known IP addresses

    If you know that your users access the FTP service from a known list of IP addresses, you should consider locking the FTP service down to only those addresses. You can restrict this by creating iptables rules.

    For example, to restrict FTP access to a single IP address, 1.2.3.4, you can change your FTP rule in the /etc/sysconfig/iptables file as follows:

    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 1.2.3.4 --dport ftp -j ACCEPT

    After restarting iptables using service iptables restart you should be able to test whether the FTP connection is restricted to the named IP address by making an FTP request from that IP and also from an IP that is not listed in the iptables rules file for FTP.
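    The following audit script is an added example, not code from the original post: it checks the settings from Steps 2 through 5 (the IPTABLES_MODULES line, chroot_local_user=YES, /sbin/nologin shells for FTP-only accounts, and a source-restricted ACCEPT rule for the FTP control port) against copies of the configuration files, so it can be tried offline. All file contents it creates are constructed samples; the function names are the script's own. Note that the iptables rule above only admits the control connection; the ip_conntrack_ftp/ip_nat_ftp helpers loaded in Step 2 are what let the data connections through as RELATED traffic, which is why the script checks that the helper is configured.

```shell
#!/bin/sh
# Added example (not part of the original post): audit the vsftpd hardening
# steps against copies of the config files. Sample contents are constructed.

# 0 if the vsftpd config has an active (uncommented) chroot_local_user=YES.
vsftpd_chroot_enabled() {
    grep -Eq '^[[:space:]]*chroot_local_user[[:space:]]*=[[:space:]]*YES[[:space:]]*$' "$1"
}

# 0 if every user named in $2 (one per line) has /sbin/nologin as its shell
# in the passwd-format file $1. vsftpd on CentOS authenticates through PAM,
# and pam_shells requires the shell to be listed in /etc/shells; the stock
# /etc/shells already lists /sbin/nologin, so FTP-only logins keep working.
ftp_only_users_ok() {
    while read -r u; do
        [ -z "$u" ] && continue
        shell=$(awk -F: -v u="$u" '$1 == u { print $7 }' "$1")
        [ "$shell" = "/sbin/nologin" ] || return 1
    done < "$2"
    return 0
}

# 0 if IPTABLES_MODULES in the iptables-config copy $1 loads ip_nat_ftp.
# A space before '=' would turn the line into a command instead of an
# assignment when the file is sourced, so the regex rejects that form.
ftp_helper_module_configured() {
    grep -Eq '^IPTABLES_MODULES="[^"]*ip_nat_ftp[^"]*"' "$1"
}

# 0 if the rules file $1 has at least one ACCEPT rule for the FTP control
# port and every such rule carries a -s source restriction.
ftp_rules_source_restricted() {
    rules=$(grep -E -e '--dport (ftp|21)([[:space:]]|$).*-j ACCEPT' "$1") || return 1
    printf '%s\n' "$rules" | grep -Evq -e '(^|[[:space:]])-s[[:space:]]+[0-9./]+' && return 1
    return 0
}

# Write constructed sample files (good and bad variants) into a temp
# directory and export its path as SAMPLE_DIR.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    printf 'anonymous_enable=NO\nchroot_local_user=YES\n' > "$SAMPLE_DIR/vsftpd.conf"
    printf '#chroot_local_user=YES\n' > "$SAMPLE_DIR/vsftpd.bad.conf"
    printf 'alice:x:1001:1001::/srv/ftp/alice:/sbin/nologin\nbob:x:1002:1002::/home/bob:/bin/bash\n' \
        > "$SAMPLE_DIR/passwd"
    printf 'alice\n' > "$SAMPLE_DIR/ftp_users"
    printf 'alice\nbob\n' > "$SAMPLE_DIR/ftp_users.bad"
    printf 'IPTABLES_MODULES="ip_nat_ftp"\n' > "$SAMPLE_DIR/iptables-config"
    printf 'IPTABLES_MODULES ="ip_nat_ftp"\n' > "$SAMPLE_DIR/iptables-config.bad"
    printf '%s\n' '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 1.2.3.4 --dport ftp -j ACCEPT' \
        > "$SAMPLE_DIR/iptables"
    printf '%s\n' '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport ftp -j ACCEPT' \
        > "$SAMPLE_DIR/iptables.bad"
}

# Print PASS/FAIL for one check; $1 is the check function, the rest its args.
report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }

make_samples
report vsftpd_chroot_enabled "$SAMPLE_DIR/vsftpd.conf"
report ftp_only_users_ok "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/ftp_users"
report ftp_helper_module_configured "$SAMPLE_DIR/iptables-config"
report ftp_rules_source_restricted "$SAMPLE_DIR/iptables"
```

    To audit a live CentOS box, point the functions at /etc/vsftpd/vsftpd.conf, /etc/passwd, /etc/sysconfig/iptables-config and /etc/sysconfig/iptables instead of the sample files; the checks are read-only.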


    1 Trackbacks/Pingbacks

    1. Pingback: CHROOT local users to their own directory | David Bomba on July 20, 2010

    1 Comment

    1. John on September 16, 2009

      Hi,

      This is a GREAT summary of how to set up vsftpd on CentOS (which actually is the combination of a lot of different software and configurations).

      Though you might have mentioned or linked to a common vsftpd configuration setup:

      e.g. John Pfeiffer’s Linux Tutorials including VSFTPD tips

      Also, your IPTABLES command might put it at the end of the rules list (which would come after the DENY)… so perhaps a quick line about iptables -L -n --line-numbers and inserting?

      AND you’d probably need the IPTABLES commands to allow FTP traffic (again inserted before the end of the table)…

      AND in case anyone else had the SELINUX blocking your connections you may have to edit /etc/sysconfig/selinux to permissive…

      Finally you might suggest Filezilla or another client to test your vsftpd (before the users try it and complain).
