
This is a read-only archived version of wiki.centos.org

Chroot vsftpd with non-system users

A quick and easy way to setup a chroot Vsftpd with non-system users.

Here you can:

  1. Configure vsftpd to use ftp virtual users.
  2. Administer your ftp virtual users through some bash scripts.


Warning:
Do not name your virtual users the same as your system users.
These scripts will delete your system users' accounts if you do so!

1. Installation

yum -y install vsftpd db4-utils

2. Configuration

2.1. Server

Right after installing the vsftpd package, run one of the following scripts to configure your ftp server.

Script                             Description
vsftpd_virtual_config.sh           Basic ftp virtual user configuration without TLS: USER and PASS cross the wire in clear text.
vsftpd_virtual_config_withTLS.sh   Basic ftp virtual user configuration with TLS: USER and PASS are not readable on the wire.

If you are offering ftp service across the Internet you probably want to try the vsftpd_virtual_config_withTLS.sh script. Don't you? :)

2.2. Users

Once your vsftpd is configured you can use the following scripts to administer the ftp virtual users:

Script                          Description
vsftpd_virtualuser_add.sh       Add a new ftp virtual user (requires vsftpd_virtualuser_config.tpl).
vsftpd_virtualuser_update.sh    Update ftp virtual user information.
vsftpd_virtualuser_remove.sh    Remove an ftp virtual user (CAUTION: and all of its related data).
vsftpd_virtualuser_info.sh      Retrieve ftp virtual user information.

Additionally, you can prevent an ftp virtual user from logging in to vsftpd by denying its account. You can do this when you create a new ftp virtual user or when you update an existing one.
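The wiki's own scripts are not reproduced on this page, so the following is an added helper (my code, not one of the scripts above) that enforces the warning at the top of the page: it refuses any virtual user name that already exists as a system account, and writes the name/password pairs in the form that db_load -T -t hash from db4-utils expects. The getent-based check, the validation rule and the database path are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the wiki's scripts. Guards the vsftpd virtual user
# database against names that collide with system accounts.

# Return 0 if NAME is an existing system account (found in the passwd database).
# Assumption: getent is available, as on any CentOS host.
is_system_user() {
    getent passwd "$1" >/dev/null 2>&1
}

# Return 0 if NAME is acceptable as a virtual ftp user: a plain lowercase
# identifier that does not clash with a system account.
virtual_name_ok() {
    name=$1
    case $name in
        ''|*[!a-z0-9_-]*) return 1 ;;   # reject empty names and odd characters
    esac
    if is_system_user "$name"; then
        return 1                        # the case the warning above is about
    fi
    return 0
}

# Print the db_load -T input for one user: name on one line, password on the next.
vuser_db_entry() {
    printf '%s\n%s\n' "$1" "$2"
}

# Build the Berkeley DB from "name password" lines on stdin, skipping bad names.
# $1 is the output DB file (e.g. /etc/vsftpd/vsftpd-virtual-user.db, an assumed path).
build_vuser_db() {
    dbfile=$1
    tmp=$(mktemp) || return 1
    while read -r name pass; do
        if virtual_name_ok "$name"; then
            vuser_db_entry "$name" "$pass" >>"$tmp"
        else
            printf 'refusing virtual user "%s": invalid or collides with a system account\n' "$name" >&2
        fi
    done
    db_load -T -t hash -f "$tmp" "$dbfile"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run it as `printf 'alice secret\nroot x\n' | sh thisscript.sh` after adding a `build_vuser_db /path/to/db` call at the bottom; the `root` line is rejected on stderr and never reaches the database.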

3. Firewall

In order for this configuration to work, you'll need to open the ftp command port on the server side:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

and if you can't transfer data with the default configuration rules, the port range used for ftp data transfers must be opened on the server side too:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 64000:65535 -j ACCEPT


NOTE: This work is based on HowTos/Chroot_Vsftpd_with_non-system_users


2023-09-11 07:22