Disable general FTP access while allowing chrooted TLS FTP for specific users
Issue
This solution assumes you already have a working vsftpd server and an SSL certificate. The certificate can be self-signed or issued by a certificate authority.
The first thing you'll need to do is create the chroot subdirectory for the users that will be granted ftp access.
In this example I'll create a chroot directory named FTP for a user called user.
# mkdir /home/user/FTP
Create the ftp home sub-directory for the user. In this example I'll also name it FTP.
# mkdir /home/user/FTP/FTP
Change the ownership of this sub-directory to the user.
# chown user:user /home/user/FTP/FTP
We'll move on to the /etc/vsftpd/vsftpd.conf file.
You need to add the following to specify the location of your SSL certificate and key:
rsa_cert_file=
rsa_private_key_file=
Add these:
chroot_local_user=YES
local_enable=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH
You will want to specify a passive port range. The size of this range limits the number of concurrent passive-mode FTP data connections.
pasv_max_port=10091
pasv_min_port=10090
For example, this would allow two concurrent connections over ports 10090 through 10091.
You will also need to open these ports on your internal firewall.
The next two lines set up the chroot. With the following settings, the chrooted user lands in the FTP home directory that was created earlier.
user_sub_token=$USER
local_root=/home/$USER/FTP/
The next two lines allow and specify the list of users that will be able to use FTP.
userlist_enable=YES
userlist_file=/etc/vsftpd/vsftpd.userlist
And to finish your vsftpd.conf file:
userlist_deny=NO
The meaning of this setting can be confusing. With userlist_deny=NO, users are denied FTP access unless they are explicitly listed in the file specified by userlist_file, which is exactly what we are trying to accomplish.
Restart vsftpd.
Create the /etc/vsftpd/vsftpd.userlist file.
# touch /etc/vsftpd/vsftpd.userlist
Edit the file to add the users you wish to grant FTP access to, one per line. Here's what the file looks like after adding the user:
# cat /etc/vsftpd/vsftpd.userlist
user
This means only the user called user will be granted ftp access.
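The steps above leave two things worth verifying before you restart the service: that vsftpd.conf really carries every setting listed (vsftpd silently uses the last assignment of a key, so a stray duplicate further down the file can undo one of them), and that the chroot root is not writable by the user, since vsftpd 3.x refuses to log a user into a writable chroot root unless allow_writeable_chroot=YES. The following script is an added example and not part of the Red Hat solution; the file and user names it takes as arguments are whatever you configured, and the usage line shows this article's values.

```shell
#!/bin/sh
# Added verification script (not part of the Red Hat solution): checks that a
# vsftpd.conf carries the settings described above and that the chroot layout
# is one vsftpd will accept. Uses GNU stat, as shipped on RHEL.

# The settings the article adds, one key=value per line.
REQUIRED_SETTINGS='chroot_local_user=YES
local_enable=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
userlist_enable=YES
userlist_deny=NO'

# conf_value FILE KEY: print the effective value of KEY in a vsftpd.conf
# (comment lines dropped, last assignment wins); print nothing if unset.
conf_value() {
    sed -e '/^[[:space:]]*#/d' "$1" \
        | awk -F= -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }'
}

# check_vsftpd_conf FILE: return 0 when every required setting has the
# expected value and the passive port range is sane; otherwise report each
# mismatch on stderr and return 1.
check_vsftpd_conf() {
    conf=$1
    rc=0
    while IFS='=' read -r key want; do
        got=$(conf_value "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done <<EOF
$REQUIRED_SETTINGS
EOF
    # Both passive ports must be set, numeric and ordered; the range size is
    # the number of concurrent passive data connections vsftpd can serve.
    min=$(conf_value "$conf" pasv_min_port)
    max=$(conf_value "$conf" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "MISMATCH: pasv_min_port and pasv_max_port must both be set" >&2
        rc=1
    else
        case "$min$max" in
            *[!0-9]*) echo "MISMATCH: passive ports must be numeric" >&2; rc=1 ;;
            *) if [ "$min" -gt "$max" ]; then
                   echo "MISMATCH: pasv_min_port $min exceeds pasv_max_port $max" >&2
                   rc=1
               fi ;;
        esac
    fi
    return $rc
}

# check_chroot_layout ROOT USER [SUBDIR]: return 0 when ROOT exists and is not
# writable by USER (vsftpd 3.x refuses a writable chroot root unless
# allow_writeable_chroot=YES) and ROOT/SUBDIR (default FTP) is owned by USER.
check_chroot_layout() {
    root=$1
    user=$2
    sub=$root/${3:-FTP}
    [ -d "$root" ] || { echo "chroot root $root does not exist" >&2; return 1; }
    perm=$(stat -c %A "$root")            # e.g. drwxr-xr-x
    owner=$(stat -c %U "$root")
    case $perm in
        ?????w*|????????w*)               # group- or world-writable
            echo "chroot root $root is group- or world-writable ($perm)" >&2
            return 1 ;;
    esac
    case $perm in
        ??w*)                             # owner-writable: only a problem if USER owns it
            if [ "$owner" = "$user" ]; then
                echo "chroot root $root is owned and writable by $user ($perm)" >&2
                return 1
            fi ;;
    esac
    [ -d "$sub" ] || { echo "home sub-directory $sub does not exist" >&2; return 1; }
    if [ "$(stat -c %U "$sub")" != "$user" ]; then
        echo "home sub-directory $sub is not owned by $user" >&2
        return 1
    fi
    return 0
}

# Usage: sh vsftpd-check.sh /etc/vsftpd/vsftpd.conf /home/user/FTP user
if [ "$#" -ge 3 ]; then
    check_vsftpd_conf "$1" && check_chroot_layout "$2" "$3" \
        && echo "vsftpd configuration looks consistent"
fi
```

Run it as root with the config path, the chroot root and the user name; a clean run prints nothing but the final message, and every deviation is reported on stderr so the script can also be dropped into a configuration-management check.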
Finishing touches
SELinux
You need to check to see which SELinux options you have on your system for FTP.
getsebool -a | grep ftp
If ftp_home_dir is listed:
setsebool -P ftp_home_dir on
If ftpd_full_access is listed:
setsebool -P ftpd_full_access on
If ftpd_use_passive_mode is listed:
setsebool -P ftpd_use_passive_mode on
Firewall
You will also need to make the appropriate firewalld or iptables changes to allow FTP traffic over the passive ports that you configured earlier.