chroot

chroot ftp user outside plesk

To chroot ftp user outside of plesk, add the user belonging to psacln group.

usemod -g psacln <username>

Setup secure ProFTPd

Ftp can be secured using ftps to connect. Below outlines a configuration to support such a setup using TLS/SSL.

I usually use the epel repository to install proftpd:

yum --enablerepo=epel install proftpd

Configure for tls/ssl connection:


<IfModule mod_tls.c>
TLSEngine   &nbsp;    &nbsp;    &nbsp;    &nbsp;    on
TLSRequired   ;     ;     ;     ;   off
TLSRSACertificateFile &nbsp;    &nbsp;    /etc/pki/tls/proftpd/server.cert.pem
TLSRSACertificateKeyFile&nbsp;    &nbsp;  /etc/pki/tls/proftpd/server.key.pem
TLSVerifyClient  &nbsp;    &nbsp;    &nbsp;    off
TLSRenegotiate  &nbsp;    &nbsp;    &nbsp;     required off
TLSLog   &nbsp;    &nbsp;    &nbsp;    &nbsp;    &nbsp;  /var/log/proftpd/tls.log
</IfModule>

chroot and bindsocket to listen to single IP:


SocketBindTight  &nbsp;    &nbsp;    &nbsp;    on
DefaultRoot   ;     ;     ;     ;   ~

Setup passive ftp ports:

</Global>
...
...
PassivePorts 50000 51000
</Global>

Create the certs:

mkdir -p /etc/pki/tls/proftpd
cd /etc/pki/tls/proftpd
openssl req -new -x509 -days 9999 -nodes -out server.cert.pem -keyout server.key.pem

Create /etc/pam.d/ftp so PAM can authenticate for proftpd:

#%PAM-1.0
auth    required   &nbsp;    pam_unix.so   &nbsp; nullok
account required   &nbsp;    pam_unix.so
session required   &nbsp;    pam_unix.so

Add "/bin/false" to "/etc/shells" file and use it as the shell type when creating new users:

useradd -s /bin/false <ftp_user>

SSH Chroot in ISPConfig Centos-4.6

Below is reference of how I have setup chroot SSH jail for users in CentOS-4.6 with ISPConfig installed replacing the openssh rpm with the one from chrootssh.sourceforge.net .

It's easy on ISPConfig as support for chroot SSH is now built in with the control panel, you simply need to get chrootSSH installed and then enable the ssh option located in the config file at "/home/admispconfig/ispconfig/lib/config.inc.php":

$go_info["server"][&quot;ssh_chroot"] = 1;

If you need for the ssh chroot to access additional application, the file "/root/ispconfig/scripts/shell/create_chroot_env.sh" which builds the chroot needs to be edited. Also, check and edit the location of mysql socket file.

Comment