Disable general FTP access while allowing chrooted TLS FTP for specific users

Solution Verified - Updated -

Issue

This solution will assume you already have a working vsftpd server and an SSL certificate. The certificate can be self-signed or issued by a certificate authority.

The first thing you'll need to do is create the chroot subdirectory for the users that will be granted ftp access.

In this example I'll create a chroot directory named FTP for a user called user.

# mkdir /home/user/FTP

Create the ftp home sub-directory for the user. In this example I'll also name it FTP.

# mkdir /home/user/FTP/FTP

Change the ownership of this sub-directory to the user.

# chown user:user /home/user/FTP/FTP

We'll move on to the /etc/vsftpd/vsftpd.conf file.

You need to add the following to specify the location of your SSL certificate and key:

rsa_cert_file=
rsa_private_key_file=

Add these:

chroot_local_user=YES
local_enable=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=NO
ssl_ciphers=HIGH

You will want to specify a passive port range. This range limits the number of concurrent FTP connections.

pasv_max_port=10091
pasv_min_port=10090

For example, this would allow two FTP data connections over ports 10090 through 10091.
You will also need to open these ports on your internal firewall.

The next two lines set up the chroot. In the following example the chrooted user would land in the FTP home directory that was previously created.

user_sub_token=$USER
local_root=/home/$USER/FTP/

The next two lines allow and specify the list of users that will be able to use FTP.

userlist_enable=YES
userlist_file=/etc/vsftpd/vsftpd.userlist

And to finish your vsftpd.conf file:

userlist_deny=NO

The meaning of this setting can be confusing. If it is set to NO, users will be denied ftp access unless they are explicitly listed in the file specified by userlist_file. This is exactly what we are trying to accomplish.

Restart vsftpd.

Create the /etc/vsftpd/vsftpd.userlist file.

# touch /etc/vsftpd/vsftpd.userlist

Edit the file to add the users you wish to grant FTP access to, one line per user. Here's what the file would look like after editing it to add the user.

# cat /etc/vsftpd/vsftpd.userlist 
user

This means only the user called user will be granted ftp access.

Finishing touches

SELinux

You need to check to see which SELinux options you have on your system for FTP.

getsebool -a | grep ftp

If you have ftp_home_dir listed:

setsebool -P ftp_home_dir on

If you have ftpd_full_access listed:

setsebool -P ftpd_full_access on

If you have ftpd_use_passive_mode listed:

setsebool -P ftpd_use_passive_mode on

Firewall

You will also need to make the appropriate firewalld or iptables changes to allow ftp traffic over the passive ports that you previously configured.
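As an added check that is not part of the Red Hat solution, the POSIX shell script below audits a vsftpd.conf for the settings described above: it flags TLS and user-list settings that are missing or differ from the values given here, verifies that the certificate, key and userlist paths are actually filled in, and reports how many concurrent data connections the passive range permits. The function names and the sample certificate paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: audit a vsftpd.conf for the
# settings this solution depends on. The function names are chosen here.
# vsftpd_get FILE KEY: print the value of KEY (last uncommented assignment wins)
vsftpd_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=//; s/[[:space:]]*$//'
}

# check_vsftpd_conf FILE: return 0 when every required setting is present and
# correct, 1 otherwise, printing one line per problem found
check_vsftpd_conf() {
    conf=$1; rc=0
    # key=expected pairs taken from the article's configuration
    for pair in ssl_enable=YES force_local_logins_ssl=YES force_local_data_ssl=YES \
                allow_anon_ssl=NO ssl_sslv2=NO ssl_sslv3=NO chroot_local_user=YES \
                userlist_enable=YES userlist_deny=NO; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(vsftpd_get "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected $want, found '${got:-unset}'"; rc=1
        fi
    done
    # the certificate, key and user list paths must actually be filled in
    for key in rsa_cert_file rsa_private_key_file userlist_file; do
        [ -n "$(vsftpd_get "$conf" "$key")" ] || { echo "$key: not set"; rc=1; }
    done
    # passive range must exist and be ordered; its size caps concurrent data connections
    lo=$(vsftpd_get "$conf" pasv_min_port); hi=$(vsftpd_get "$conf" pasv_max_port)
    if [ -z "$lo" ] || [ -z "$hi" ] || [ "$lo" -gt "$hi" ] 2>/dev/null; then
        echo "pasv_min_port/pasv_max_port: missing or inverted range"; rc=1
    else
        echo "passive range allows $((hi - lo + 1)) concurrent data connections"
    fi
    return $rc
}

# write_sample_conf FILE: constructed config mirroring the article (cert paths are placeholders)
write_sample_conf() {
    printf '%s\n' rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem \
        rsa_private_key_file=/etc/pki/tls/private/vsftpd.key \
        chroot_local_user=YES local_enable=YES ssl_enable=YES allow_anon_ssl=NO \
        force_local_data_ssl=YES force_local_logins_ssl=YES ssl_sslv2=NO ssl_sslv3=NO \
        pasv_min_port=10090 pasv_max_port=10091 userlist_enable=YES \
        userlist_file=/etc/vsftpd/vsftpd.userlist userlist_deny=NO > "$1"
}

# usage: sh vsftpd_check.sh /etc/vsftpd/vsftpd.conf; with no argument the sample is checked
if [ -n "${1:-}" ]; then check_vsftpd_conf "$1"
else tmp=$(mktemp); write_sample_conf "$tmp"; check_vsftpd_conf "$tmp"; rm -f "$tmp"; fi
```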
