Home

chroot

chroot ftp user outside plesk

Submitted by sandip on Fri, 06/03/2011 - 15:49

To chroot ftp user outside of plesk, add the user belonging to psacln group.

usemod -g psacln <username>

»

Setup secure ProFTPd

Submitted by sandip on Fri, 06/12/2009 - 14:42

Ftp can be secured using ftps to connect. Below outlines a configuration to support such a setup using TLS/SSL.

I usually use the epel repository to install proftpd:

yum --enablerepo=epel install proftpd

Configure for tls/ssl connection:


<IfModule mod_tls.c>
TLSEngine                       on
TLSRequired                     off
TLSRSACertificateFile           /etc/pki/tls/proftpd/server.cert.pem
TLSRSACertificateKeyFile        /etc/pki/tls/proftpd/server.key.pem
TLSVerifyClient                 off
TLSRenegotiate                  required off
TLSLog                          /var/log/proftpd/tls.log
</IfModule>

chroot and bindsocket to listen to single IP:


SocketBindTight                 on
DefaultRoot                     ~

Setup passive ftp ports:

</Global>
...
...
PassivePorts 50000 51000
</Global>

Create the certs:

mkdir -p /etc/pki/tls/proftpd
cd /etc/pki/tls/proftpd
openssl req -new -x509 -days 9999 -nodes -out server.cert.pem -keyout server.key.pem

Create /etc/pam.d/ftp so PAM can authenticate for proftpd:

#%PAM-1.0
auth    required        pam_unix.so     nullok
account required        pam_unix.so
session required        pam_unix.so

Add "/bin/false" to "/etc/shells" file and use it as the shell type when creating new users:

useradd -s /bin/false <ftp_user>

»

SSH Chroot in ISPConfig Centos-4.6

Submitted by sandip on Thu, 02/28/2008 - 00:58

Below is reference of how I have setup chroot SSH jail for users in CentOS-4.6 with ISPConfig installed replacing the openssh rpm with the one from chrootssh.sourceforge.net .

It's easy on ISPConfig as support for chroot SSH is now built in with the control panel, you simply need to get chrootSSH installed and then enable the ssh option located in the config file at "/home/admispconfig/ispconfig/lib/config.inc.php":

$go_info["server"]["ssh_chroot"] = 1;

If you need for the ssh chroot to access additional application, the file "/root/ispconfig/scripts/shell/create_chroot_env.sh" which builds the chroot needs to be edited. Also, check and edit the location of mysql socket file.

»

Syndicate content
Comment