Company dedicated to web development, graphic design, photography and web hosting.

How to jail / chroot users in FTP / SFTP
Published Wednesday, 12th of June 2013
Overview We can block access to ftp and sftp to use only the home folders of the users. At the same time we block any other access via ssh, but granting sftp access. Configuring permissions, the user can serve web pages from home folder. The installation was performed on Debian 7.0, using ProFTP 1.3.4a and OpenSSH 6.0p1Steps to follow Installation
  1. The ftp server ProFTP is included in the debian distribution, so install it with apt-get:
    apt-get install proftpd
    During the installation, you must choose between install from inetd or as independent server. Supposed that you are installing a dedicated server or at least a busy server, so choose independent, inetd otherwise.

  2. For SFTP we will need also to install ssh (client and server):
    apt-get install openssh-client
    apt-get install openssh-server
User creation
  1. We will create the user that we are trying to configure. In case that you already have the user, you can ignore the next two lines, otherwise create it with default parameters and assign a password to restrict access:
    useradd -m -N ochounos
    passwd ochounos

  2. We need to change the group of the user (new created or old one). We will assign the www-data group which is the group that can execute apache. Doing that, we will allow that the user can serve web pages from a folder under his/her home folder:
    usermod -g www-data ochounos
Folder configuration
  1. Now we create the folder where the user will store the web pages:
    mkdir /home/ochounos/public_html

  2. The new folder must be configured to be used by the user and by apache at the same time, and also limiting the permissions over parent folders:
    chown root:root /home/ochounos
    chown ochounos:www-data /home/ochounos/public_html
    chmod 0755 /home/ochounos -R
    We must assign root user as user and group propietary of the /home folder of the user. In case of the public_html folder, the propietary will be the user, but the group will be the group than can manage apache. Finally, assign permissions as read and execute in the folder (-R recursively in case that there is already content in the folder). In that way, we allow to execute scripts as php i.e. and even assigning write permission for the group we allow to php scripts create folders and files. (Note that php scripts could access to another user home directories because all of them are contained in the www-data group. Consider using suexec and creating one group per user and assign it as we assigned www-data to these folders).
FTP jail
  1. We are ready to configure the server to jail users to their home folders. We need to edit the configuration file:
    • /etc/proftpd/proftpd.conf
    Open it and uncomment the next line:
    DocumentRoot ~
    With this, we have already jail users to navigate only in their home folders. But this is only for ftp access, it's not affecting sftp access, so let's configure sftp access too.
SFTP jail
  1. The access via SFTP is a bit different because SFTP means SSH + FTP so the access is granted via ssh. We need to configure ssh editing the next file:
    • /etc/ssh/sshd_config
    Open it and uncomment one line and add a new one. The final file will be like this:
    #Subsystem sftp /usr/libexec/openssh/sftp-server
    Subsystem sftp internal-sftp
    We force that all the access to sftp will be managed by internal-sftp and not by the default script.
    Also, we need to configure how the users from group www-data will access to the ssh server. Add also in the same configuration file the next lines:
    Match Group www-data
        ChrootDirectory /home/%u
        ForceCommand internal-sftp
    Now we have jailed into their /home/%u (%u means the name of the user). With the ForceCommand, we forced to use internal-sftp. It blocks also any access to ssh to the user, for example, using putty. So, SSH access only is blocked for the users, only granting SFTP access.
Restart servers
  1. To apply changes, we need to restart both servers, as we have modified both configurations:
    /etc/init.d/proftpd restart
    /etc/init.d/ssh restart
  2. And now, finally, we are ready to open our server to ftp and sftp access properly configured:
    iptables -I INPUT -p tcp -m tcp --dport 20:22 -j ACCEPT
    Note that we are opening three ports, from 20 to 22, so we are opening port 20 (data ftp), 21 (control ftp) and 22 (ssh). In case that you use passive connections, you need to open some ports over the 1023 port and configure it in your proftpd.conf file. In that case, you don't need to open the 20 port.

Back to the list of entries