Usually SFTP allows a system user to access their home directory to upload and download files with their account. But the SFTP user can navigate anywhere on the server and sometimes can download files from it, which is a security vulnerability.
With a chroot for SFTP, users are denied access to the rest of the system because they are chrooted into their home directory. Thus users cannot snoop around the system in /etc or application directories. Login to a shell account is also denied.
The procedure below allowed me to enable SFTP chroot security:
1. Add a new group
2. Create a chroot directory to launch the logins in, which must be owned by root
3. Modify the sftp subsystem to force internal-sftp with a chroot directory
4. Reload the configuration
Create the chroot launch directory so that others have no privileges on it:
mkdir /opt/chroot
chown root:root /opt/chroot
chmod 700 /opt/chroot
Create a common group for the chrooted users; the SSH rule will apply to the group:
groupadd sftpgroup
useradd -g sftpgroup -s /sbin/nologin -d /opt/chroot/planetuser planetuser
passwd planetuser
Modify the SSH configuration (sshd_config):
Comment out the general sftp subsystem and add the new rule:
#Subsystem sftp /usr/lib/openssh/sftp-server
# Add the line
Subsystem sftp internal-sftp
# Rules for sftp group
Match group sftpgroup
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
Then restart the SSH service:
service sshd restart
Every time I install VSFTPD on Ubuntu and enable chroot for the users, it refuses to log them into the home directory because of the write permission on its parent directory. To fix this I used the command
chmod a-w /path/to/the/ftp/home
but it was a most annoying and frustrating problem. I decided to update the vsftpd package with the security fix instead. The steps are below. Note that allow_writeable_chroot=YES makes vsftpd skip its check that the chroot root is not writable, and seccomp_sandbox=NO turns off its seccomp sandbox; both relax protections rather than add them.
wget http://ftp.us.debian.org/debian/pool/main/v/vsftpd/vsftpd_3.0.2-3_amd64.deb
dpkg -i vsftpd_3.0.2-3_amd64.deb
echo "allow_writeable_chroot=YES" >> /etc/vsftpd.conf
echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf
service vsftpd reload
Now the FTP service works quietly on my server.